Research (Insikt)

RedHotel: A Prolific, Chinese State-Sponsored Group Operating at a Global Scale

Posted: 8th August 2023

By: Insikt Group

RedHotel: A Prolific, Chinese State-Sponsored Group Operating at a Global Scale

New Insikt Group research examines RedHotel, a Chinese state-sponsored threat activity group that stands out due to its persistence, operational intensity, and global reach. RedHotel's operations span 17 countries in Asia, Europe, and North America from 2021 to 2023. Its targets encompass academia, aerospace, government, media, telecommunications, and research sectors. Particularly focused on Southeast Asia's governments and private companies in specified sectors, RedHotel's infrastructure for malware command-and-control, reconnaissance, and exploitation points to administration in Chengdu, China. Its methods align with other contractor groups linked to China's Ministry of State Security (MSS), indicating a nexus of cyber talent and operations in Chengdu.

Schematic of RedHotel’s multi-tiered C2 infrastructure network

Since at least 2019, RedHotel has exemplified a relentless scope and scale of wider PRC state-sponsored cyber-espionage activity by maintaining a high operational tempo and targeting public and private sector organizations globally. The group has dual missions of intelligence gathering and economic espionage. It targets both government entities for traditional intelligence and organizations involved in COVID-19 research and technology R&D. Notably, it compromised a US state legislature in 2022, highlighting its expanded reach. The majority of observed victim organizations were government organizations, including prime ministers’ offices, finance ministries, legislative bodies, and interior ministries, aligning with the group’s likely espionage tasking. However, on some occasions, such as the group’s targeting of the Industrial Technology Research Institute (ITRI) in Taiwan, reported in July 2021, or of COVID-19 research, the likely motivation was industrial and economic espionage. The group’s historical targeting of the online gambling industry catering to the Chinese market is also indicative of wider trends across China-based cyber-espionage actors observed by Insikt Group, and is likely in part intended to gather intelligence in support of wider crackdowns on online gambling by the Chinese government.

RedHotel Tech Stack

RedHotel employs a multi-tiered infrastructure with a distinct focus on reconnaissance and long-term network access via command-and-control servers. The group’s multi-tier infrastructure setup consists of large quantities of provisioned virtual private servers (VPS) configured to act as reverse proxies for C2 traffic associated with the multiple malware families used by the group. These reverse proxy servers are typically configured to listen on standard HTTP(s) ports such as TCP 80, 443, 8080, and 8443) and to redirect traffic to upstream actor-controlled servers. These upstream servers are then likely directly administered by the threat actor using the open-source virtual private network (VPN) software SoftEther.

The group often utilizes a mix of offensive security tools, shared capabilities, and bespoke tooling, including Cobalt Strike, Brute Ratel C4, Winnti, ShadowPad, and the FunnySwitch and Spyder backdoors. Throughout 2022 and 2023, Insikt Group tracked over 100 C2 IP addresses in use by RedHotel, with the group heavily favoring particular hosting providers including AS-CHOOPA (Vultr), G-Core Labs S.A., and Kaopu Cloud HK Limited. Threat actor preference for particular hosting providers is likely influenced by factors such as cost, reliability, ease of setup, data center locations, perceived level of cooperation with or collection from governments and private sector organizations, and the speed and willingness with which hosting providers deal with malicious use of their services.

Recorded Future's Insikt Group observes various Chinese state-sponsored cyber threats, with RedHotel standing out for its broad scope and intensity of activity. RedHotel's campaigns include innovations such as exploiting a stolen code signing certificate and commandeering Vietnamese government infrastructure. Despite public exposure, RedHotel's bold approach suggests it will persist in its activities.

Defense Strategies

Organizations can defend against RedHotel activity by prioritizing hardening and vulnerability patching of internet-facing appliances (particularly corporate VPN, mail server, and network devices), logging and monitoring of these devices, and implementing network segmentation to limit exposure and lateral movement potential to internal networks

Note: This report summary was first published on August 8, 2023 and has been updated on October 29, 2024. The original analysis and findings remain unchanged.

To read the entire analysis with endnotes, click here to download the report as a PDF.

Appendix A — Indicators of Compromise

Domains:

dga[.]asia

kb.dga[.]asia

video.dga[.]asia

sc.dga[.]asia

dgti.dga[.]asia

nhqdc[.]com

msdn.microsoft.nhqdc[.]com

icoreemail[.]com

demo.icoreemail[.]com

officesuport[.]com

kiwi.officesuport[.]com

cdn.officesuport[.]com

test.officesuport[.]com

mail.officesuport[.]com

ntpc.officesuport[.]com

main.officesuport[.]com

excel.officesuport[.]com

remote.officesuport[.]com

ismtrsn[.]club

lrm.ismtrsn[.]club

tgoomh.ismtrsn[.]club
	
news.ismtrsn[.]club

icarln.ismtrsn[.]club

liveonlin[.]com

npgsql.liveonlin[.]com

public.liveonlin[.]com

tech.liveonlin[.]com

main.liveonlin[.]com

cctv.liveonlin[.]com

alexa-api[.]com

www.alexa-api[.]com

ngndc[.]com

air.ngndc[.]com

spa.ngndc[.]com

mkn.ngndc[.]com

ekaldhfl[.]club

ts.ekaldhfl[.]club

ist.ekaldhfl[.]club

downloads.ekaldhfl[.]club

pps.ekaldhfl[.]club

plt.ekaldhfl[.]club

tlt.ekaldhfl[.]club

thy.ekaldhfl[.]club

us.ekaldhfl[.]club

asia-cdn[.]asia

report.asia-cdn[.]asia

freehighways[.]com

map.freehighways[.]com

iredemail[.]com

index.iredemail[.]com

demo.iredemail[.]com

open.iredemail[.]com

api.iredemail[.]com

full.iredemail[.]com

bbs.iredemail[.]com

0nenote[.]com

keep.0nenote[.]com

asia-cdn[.]asia

api.asia-cdn[.]asia

speedtest.asia-cdn[.]asia

cyberoams[.]com

checkip.cyberoams[.]com

ekaldhfl[.]club

pps.ekaldhfl[.]club

usa.ekaldhfl[.]club

mtlklabs[.]co

conhostsadas[.]website

itcom666[.]live

qbxlwr4nkq[.]itcom666[.]live

8kmobvy5o[.]itcom666[.]live

itcom888[.]live

bwlgrafana[.]itcom888[.]live

itsm-uat-app[.]itcom888[.]live

dkxvb0mf[.]itcom888[.]live

nvw3tdetwx[.]itcom888[.]live

0j10u9wi[.]itcom888[.]live

yt-sslvpn[.]itcom888[.]live

vappvcsa[.]itcom888[.]live

94ceaugp[.]itcom888[.]live

sibersystems[.]xyz

fyalluw0[.]sibersystems[.]xyz 

sijqlfnbes.sibersystems[.]xyz

jmz8xhxen3.sibersystems[.]xyz

2h3cvvhgtf.sibersystems[.]xyz

3tgdtyfpt9.sibersystems[.]xyz

n71qtqemam.sibersystems[.]xyz

711zm77cwq.sibersystems[.]xyz

R77wu4s847.sibersystems[.]xyz

caamanitoba[.]us

jw7uvtodx4.caamanitoba[.]us

xdryqrbe.caamanitoba[.]us

b1k10pk9.caamanitoba[.]us

6hi6m62bzp.caamanitoba[.]us	

livehost[.]live

sci.livehost[.]live

C2 IP Addresses (seen May to June 2023)

1.13.82[.]101

5.188.33[.]188

5.188.33[.]254

5.188.34[.]164

5.188.34[.]173

38.54.16[.]131

38.54.16[.]179

38.60.199[.]87

38.60.199[.]208

45.76.186[.]26

45.77.153[.]197

61.238.103[.]165

64.227.132[.]226

92.38.169[.]222

92.38.176[.]128

92.38.178[.]40

92.38.178[.]60

92.223.90[.]133

95.85.91[.]50

103.140.239[.]41

103.157.142[.]95

108.61.158[.]179

139.180.193[.]182

140.82.7[.]72

141.164.63[.]244

154.212.129[.]132

156.236.114[.]202

TLS Certificate (SHA256 Fingerprints):

f8cd64625f8964239dad1b2ce7372d7a293196455db7c6b5467f7770fd664a61

294fb8f21034475198c3320d01513cc9917629c6fd090af76ea0ff8911e0caa3

9c8e5f6e5e843767f0969770478e3ad449f8a412dad246a17ea69694233884b9

29ed44228ed4a9883194f7e910b2aac8e433ba3edd89596353995ba9b9107093

b02aed9a615b6dff2d48b1dd5d15d898d537033b2f6a5e9737d27b0e0817b30e

Cobalt Strike Loaders

5cba27d29c89caf0c8a8d28b42a8f977f86c92c803d1e2c7386d60c0d8641285

48e81b1c5cc0005cc58b99cefe1b6087c841e952bb06db5a5a6441e92e40bed6

25da610be6acecfd71bbe3a4e88c09f31ad07bdd252eb30feeef9debd9667c51

233bb85dbeba69231533408501697695a66b7790e751925231d64bddf80bbf91

aeceaa7a806468766923a00e8c4eb48349f10d069464b53674eeb150e0a59123

Brute Ratel Loaders

6e3c3045bb9d0db4817ad0441ee3c95b8fe3e087388d1ceefb9ebbd2608aef16

6f31a4656afb8d9245b5b2f5a634ddfbdb9db3ca565d2c52aee68554ede068d1

c00991cfeafc055447d7553a14be2303e105b6a97ab35ecf820b9dbd42826f9d

Winnti

5861584bb7fa46373c1b1f83b1e066a3d82e9c10ce87539ee1633ef0f567e743

69ff2f88c1f9007b80d591e9655cc61eaa4709ccd8b3aa6ec15e3aa46b9098bd

2f1321c6cf0bc3cf955e86692bfc4ba836f5580c8b1469ce35aa250c97f0076e

f1dcf623a8f8f4b26fe54fb17c8597d6cc3f7066789daf47a5f1179bd7f7001a

Spyder

7a61708f391a667c8bb91fcfd7392a328986059563d972960f8237a69e375d50 

5d3a6f5bd0a72ee653c6bdad68275df730b836d6f9325ee57ec7d32997d5dcef

1ded9878f8680e1d91354cbb5ad8a6960efd6ddca2da157eb4c1ef0f0430fd5f 

e053ca5888fb0d5099efed76e68a1af0020aaaa34ca610e7a1ac0ae9ffe36f6e 

24d4089f74672bc00c897a74664287fe14d63a9b78a8fe2bdbbf9b870b40d85c

FunnySwitch

7056e9b69cc2fbc79ba7a492906bcc84dabc6ea95383dff3844dfde5278d9c7a

ede0c1f0d6c3d982f63abbdd5f10648948a44e5fa0d948a89244a06abaf2ecfe

9eb0124d822d6b0fab6572b2a4445546e8029ad6bd490725015d49755b5845a4

Appendix B — Mitre ATT&CK Techniques

Tactic: Technique	ATT&CK Code	Observable
Reconnaissance: Active Scanning: Vulnerability Scanning	T1595.002	RedHotel has used vulnerability scanning tools such as Acunetix to scan externally facing appliances for vulnerabilities
Resource Development: Acquire Infrastructure: Domains	T1583.001	RedHotel has purchased domains, primarily via Namecheap.
Resource Development: Acquire Infrastructure: Virtual Private Server	T1583.003	RedHotel has provisioned actor-controlled VPS, with a preference for the providers Choopa (Vultr), G-Core, and Kaopu Cloud HK Limited.
Resource Development: Compromise Infrastructure: Server	T1584.004	RedHotel has also used compromised GlassFish servers as Cobalt Strike C2s and to scan target networks.
Initial Access: Exploit Public-Facing Application	T1190	RedHotel has exploited public-facing applications for initial access, including Zimbra Collaboration Suite (CVE-2022-24682, CVE-2022-27924, CVE-2022-27925 chained with CVE-2022-37042, and CVE-2022-30333), Microsoft Exchange (ProxyShell), and the Log4Shell vulnerability in Apache Log4J.
Initial Access: Spearphishing: Spearphishing Attachment	T1566.001	RedHotel has used archive spearphishing attachments containing shortcut (LNK) files which fetch remotely hosted scripts (HTA, VBScript). These scripts are then used to trigger DLL search order hijacking infection chains and display decoy documents to users.
Persistence: Server Software Component: Web Shell	T1505.003	RedHotel has used web shells within victim environments and to interact with compromised GlassFish servers
Persistence:: Scheduled Task/Job: Scheduled Task	T1053.005	RedHotel has used scheduled tasks for persistence for the group’s Spyder backdoor: `C:\Windows\System32\schtasks.exe /RUN /TN PrintWorkflow_10e3b`
Persistence: Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder	T1547.001	The ScatterBee ShadowPad loader persists via the Run registry key and also stores the encrypted ShadowPad payload in the registry.
Defense Evasion: Obfuscated Files or Information	T1027	RedHotel has used the tool ScatterBee to obfuscate ShadowPad payloads. The group has also repeatedly stored encrypted or encoded payloads within files named `bin.config`.
Defense Evasion: Deobfuscate/Decode Files or Information	T1140
Defense Evasion: Subvert Trust Controls: Code Signing	T1553.002	RedHotel has signed malicious binaries using stolen code signing certificates (such as the referenced WANIN International certificate).
Defense Evasion: Hijack Execution Flow: DLL Search Order Hijacking	T1574.001	RedHotel has abused multiple legitimate executables for DLL search order hijacking, including `vfhost.exe`, `mcods.exe`, and `BDReinit.exe`.
Defense Evasion: Masquerading: Match Legitimate Name or Location	T1036.005	RedHotel has used legitimate file names in tandem with DLL search order hijacking to load malicious DLLs.
Command and Control: Proxy: External Proxy	T1090.002	RedHotel has used VPS C2s to proxy traffic upstream to actor-controlled servers.
Command and Control: Application Layer Protocol: Web Protocols	T1071.001	RedHotel Brute Ratel and Cobalt Strike samples referenced within this report communicate over HTTPS.
Exfiltration: Exfiltration Over C2 Channel	T1041	RedHotel has exfiltrated data over malware C2 channels.