RedDelta Targets European Government Organizations and Continues to Iterate Custom PlugX Variant

RedDelta Targets European Government Organizations and Continues to Iterate Custom PlugX Variant

insikt-group-logo-updated-3-300x48.png
Note de la rédaction : Il s'agit d'un extrait d'un rapport complet. Pour lire l'analyse complète avec les notes de fin, click here to download the report as a PDF.

This report details recent activity conducted by the likely Chinese state-sponsored threat activity group RedDelta. The activity was identified through a combination of large-scale automated network traffic analytics and expert analysis. This report will be of most interest to individuals and organizations with strategic and operational intelligence requirements relating to Chinese cyber threat activity, as well as network defenders in government organizations within Southeast Asia and Europe.

Executive Summary

Recorded Future’s Insikt Group continues to track activity we attribute to the likely Chinese state-sponsored threat activity group RedDelta targeting organizations within Europe and Southeast Asia using a customized variant of the PlugX backdoor. Since at least 2019, RedDelta has been consistently active within Southeast Asia, particularly in Myanmar and Vietnam, but has also routinely adapted its targeting in response to global geopolitical events. This is historically evident through the group’s targeting of the Vatican and other Catholic organizations in the lead-up to 2021 talks between Chinese Communist Party (CCP) and Vatican officials [1,2], as well as throughout 2022 through the group’s shift towards increased targeting of European government and diplomatic entities following Russia's invasion of Ukraine.

During the 3-month period from September through November 2022, RedDelta has regularly used an infection chain employing malicious shortcut (LNK) files, which trigger a dynamic-link library (DLL) search-order-hijacking execution chain to load consistently updated PlugX versions. Throughout this period, the group repeatedly employed decoy documents specific to government and migration policy within Europe. Of note, we identified a European government department focused on trade communicating with RedDelta command-and-control (C2) infrastructure in early August 2022. This activity commenced on the same day that a RedDelta PlugX sample using this C2 infrastructure and featuring an EU trade-themed decoy document surfaced on public malware repositories. We also identified additional probable victim entities within Myanmar and Vietnam regularly communicating with RedDelta C2 infrastructure.

RedDelta closely overlaps with public industry reporting under the aliases BRONZE PRESIDENT, Mustang Panda, TA416, Red Lich, and HoneyMyte.

Key Judgments

reddelta-targets-european-government-organizations-continues-iterate-custom-plugx-variant-01.png

Figure 1: High-level RedDelta TTPs and Recorded Future data-sourcing graphic; historically reported TTPs are shown in gray [1,2] (Source: Recorded Future)_