Summary:
Between July 2023 and December 2024, Insikt Group observed the Chinese state-sponsored group RedDelta targeting Mongolia, Taiwan, Myanmar, Vietnam, and Cambodia with an adapted infection chain to distribute its customized PlugX backdoor. The group used lure documents themed around the 2024 Taiwanese presidential candidate Terry Gou, the Vietnamese National Holiday, flood protection in Mongolia, and meeting invitations, including an Association of Southeast Asian Nations (ASEAN) meeting. RedDelta likely compromised the Mongolian Ministry of Defense in August 2024 and the Communist Party of Vietnam in November 2024. The group conducted spearphishing targeting the Vietnamese Ministry of Public Security, but Insikt Group observed no evidence of successful compromise. From September to December 2024, RedDelta likely targeted victims in Malaysia, Japan, the United States, Ethiopia, Brazil, Australia, and India.
In late 2023, RedDelta evolved the first stage of its infection chain to leverage a Windows Shortcut (LNK) file likely delivered via spearphishing. In 2024, the group transitioned to using Microsoft Management Console Snap-In Control (MSC) files. Most recently, RedDelta used spearphishing links to prompt a victim to load an HTML file remotely hosted on Microsoft Azure. Since July 2023, RedDelta has consistently used the Cloudflare content distribution network (CDN) to proxy command-and-control (C2) traffic, which enables the group to blend in with legitimate CDN traffic and complicates victim identification. Other state-sponsored groups, including Russia's BlueAlpha, have similarly leveraged Cloudflare to evade detection.
RedDelta's activities align with Chinese strategic priorities, focusing on governments and diplomatic organizations in Southeast Asia, Mongolia, and Europe. The group's Asia-focused targeting in 2023 and 2024 represents a return to its historical focus after it targeted European organizations in 2022. RedDelta's targeting of Mongolia and Taiwan is consistent with the group's past targeting of groups seen as threats to the Chinese Communist Party's power.
About RedDelta:
RedDelta has been active since at least 2012 and has focused on targeting Southeast Asia and Mongolia. The group has routinely adapted its targeting in response to global geopolitical events. RedDelta targeted the Vatican and other Catholic organizations with PlugX before 2021 talks between China and the Vatican. The group has compromised law enforcement and government entities in India, a government organization in Indonesia, and other targets across Myanmar, Hong Kong, and Australia.
In 2022, RedDelta shifted toward increased targeting of European government and diplomatic entities following Russia’s invasion of Ukraine. This activity used an infection chain that began by delivering an archive file (ZIP, RAR, or ISO), which was likely delivered via spearphishing. The file contained a Windows Shortcut (LNK) file disguised with a double extension (such as .doc.lnk) and a Microsoft Word icon. Hidden folders within the archive contained three files used to complete dynamic-link library (DLL) search order hijacking: a legitimate binary, a malicious DLL loader, and an encrypted PlugX payload that was ultimately loaded into memory. User execution of the Shortcut file led to DLL search order hijacking. In November 2022, RedDelta evolved its tactics to stage the ISO file on a threat actor-controlled domain.
In March 2023, Insikt Group identified RedDelta targeting Mongolia using a similar infection chain that started with a container file (RAR, ZIP, ISO) consisting of an LNK file that triggered a DLL search order hijacking triad located within a hidden nested subdirectory. Decoy documents included an invitation from the World Association of Mongolia and a document claiming to be a BBC news interview about Tibetan Buddhism and Mongolia. RedDelta targeted:
- Members of multiple Mongolian non-governmental organizations (NGOs), including a human rights and pro-democracy NGO focused on the Inner Mongolia Autonomous Region
- Mongolian Buddhist activists in Mongolia and Japan
- Academic professionals in Mongolia and Japan
- Developers of two Mongolian mobile applications
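The 2022 and 2023 infection chains described above share a recognizable staging layout inside the delivered archive: a Shortcut with a double extension posing as a document, plus a nested folder holding the DLL search order hijacking triad (a legitimate executable, a DLL loader, and an encrypted payload). As an added example, not Insikt Group's code, the following Python script applies those two structural checks to an archive member listing such as a mail gateway or sandbox would produce. The listing and the payload file name are constructed for the example; `LDeviceDetectionHelper.exe` and `hid.dll` are the names from the detection rules later in this post.

```python
"""Triage an archive member listing for the RedDelta-style staging layout:
a double-extension LNK posing as a document (T1036.007) plus a directory
holding a DLL search order hijacking triad (EXE + DLL + encrypted payload).
Added example, not Insikt Group code.  The listing below is constructed."""
import posixpath
from collections import defaultdict

# Extensions a lure Shortcut typically fakes (assumption: a reasonable default set).
DOC_LIKE_EXTS = {".doc", ".docx", ".pdf", ".xls", ".xlsx", ".ppt", ".pptx", ".rtf", ".txt"}
# The report's appendix labels the encrypted PlugX payload files as DAT.
PAYLOAD_EXTS = {".dat"}


def double_extension_lnk(name: str) -> bool:
    """True for names such as Invitation.doc.lnk (a Shortcut wearing a document extension)."""
    base = posixpath.basename(name.replace("\\", "/")).lower()
    stem, ext = posixpath.splitext(base)
    if ext != ".lnk":
        return False
    return posixpath.splitext(stem)[1] in DOC_LIKE_EXTS


def hijack_triads(members):
    """Return directories (sorted) that contain an EXE, a DLL and a payload file together.
    The hidden attribute is not visible in a bare name listing, so the check is
    purely structural; in practice the loader DLL name differs from the EXE name
    (e.g. LDeviceDetectionHelper.exe sideloading hid.dll), so names are not compared."""
    exts_by_dir = defaultdict(set)
    for member in members:
        directory, filename = posixpath.split(member.replace("\\", "/"))
        exts_by_dir[directory].add(posixpath.splitext(filename.lower())[1])
    return sorted(
        d for d, exts in exts_by_dir.items()
        if ".exe" in exts and ".dll" in exts and exts & PAYLOAD_EXTS
    )


def triage(members):
    """Combine both checks into a verdict: 'high' when both indicators are present,
    'medium' when only one is, 'clean' otherwise."""
    lnks = [m for m in members if double_extension_lnk(m)]
    triads = hijack_triads(members)
    hits = bool(lnks) + bool(triads)
    verdict = {2: "high", 1: "medium", 0: "clean"}[hits]
    return {"double_extension_lnk": lnks, "hijack_triads": triads, "verdict": verdict}


# Constructed sample listing mirroring the layout the report describes; the
# .dat file name is an assumption, not an observed artifact.
SAMPLE_LISTING = [
    "Invitation.doc.lnk",
    "__hidden__/LDeviceDetectionHelper.exe",
    "__hidden__/hid.dll",
    "__hidden__/LDeviceDetectionHelper.dat",
]

BENIGN_LISTING = ["report.pdf", "images/logo.png", "notes.txt"]

if __name__ == "__main__":
    for listing in (SAMPLE_LISTING, BENIGN_LISTING):
        print(triage(listing))
```

The structural check is deliberately name-agnostic: the sideloaded DLL in these chains carries the name the legitimate binary expects (hid.dll for LDeviceDetectionHelper.exe), not the binary's own name, so a same-stem comparison would miss it.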
Mitigations:
To detect and mitigate RedDelta activity, organizations should:
- Use YARA and Sigma rules provided by Insikt Group to detect RedDelta Windows Installer (MSI), DLL, and LNK files (see below).
- Configure intrusion detection systems (IDS), intrusion prevention systems (IPS), and other network defense mechanisms to alert on or block connection attempts from external IP addresses and domains associated with RedDelta (see below).
- Keep software and applications, particularly operating systems, antivirus software, and core system utilities, up to date.
- Filter email correspondence and scrutinize attachments for malware.
- Conduct regular system backups and store them offline and offsite to ensure they are inaccessible via the network.
- Adhere to strict compartmentalization of company-sensitive data, institute role-based access, and limit company-wide data access.
- Deploy client-based host logging and intrusion detection capabilities to identify and thwart attacks early.
- Prevent threat actors from bypassing security by disabling outdated authentication methods.
- Implement tools like network IDS, NetFlow collection, host logging, and web proxy, alongside manual monitoring of detection sources.
- Practice network segmentation and ensure special protections exist for sensitive information, such as multifactor authentication and restricted access.
Leverage the Recorded Future Third-Party Intelligence module and Threat Intelligence Browser Extension for real-time monitoring and prioritized vulnerability patching.
Review public guidance (1, 2, 3, 4) and Insikt Group's Charting China's Climb as a Leading Global Cyber Power report for comprehensive recommendations for mitigating Chinese advanced persistent threat activity more broadly.
Outlook:
Insikt Group anticipates that RedDelta will continue targeting organizations worldwide with its customized PlugX backdoor, focusing on Southeast Asia and China's periphery, including Mongolia and Taiwan. Likely targets include governments, NGOs, activists, and religious organizations. RedDelta has continually evolved its infection chain and is anticipated to continue doing so in response to major geopolitical developments.
Appendix A: Indicators of Compromise
Domains: abecopiers[.]com alicevivianny[.]com aljazddra[.]com alphadawgrecords[.]com alvinclayman[.]com antioxidantsnews[.]com armzrace[.]com artbykathrynmorin[.]com atasensors[.]com bkller[.]com bonuscuk[.]com bramjtop[.]com buyinginfo[.]org calgarycarfinancing[.]com comparetextbook[.]com conflictaslesson[.]com councilofwizards[.]com crappienews[.]com createcopilot[.]com cuanhuaanbinh[.]com dmfarmnews[.]com electrictulsa[.]com elevateecom[.]com epsross[.]com erpdown[.]com estmongolia[.]com financialextremed[.]com finasterideanswers[.]com flaworkcomp[.]com flfprlkgpppg[.]shop getfiledown[.]com getupdates[.]net glassdoog[.]org globaleyenews[.]com goclamdep[.]net goodrapp[.]com gulfesolutions[.]com hajjnewsbd[.]com hisnhershealthynhappy[.]com homeimageidea[.]com howtotopics[.]com importsmall[.]com indiinfo[.]com infotechtelecom[.]com inhller[.]com instalaymantiene[.]com iplanforamerica[.]com irprofiles[.]com itduniversity[.]com ivibers[.]com jorzineonline[.]com kelownahomerenovations[.]com kentscaffolders[.]com kerrvillehomeschoolers[.]com kxmmcdmnb[.]online lebohdc[.]com linkonmarketing[.]com loginge[.]com lokjopppkuimlpo[.]shop londonisthereason[.]com looksnews[.]com maineasce[.]com meetviberapi[.]com mexicoglobaluniversity[.]com mobilefiledownload[.]com mojhaloton[.]com mongolianshipregistrar[.]com mrytlebeachinfo[.]com myynzl[.]com newslandtoday[.]net normalverkehr[.]com nymsportsmen[.]com oncalltechnical[.]com onmnews[.]com pgfabrics[.]com pinaylizzie[.]com profilepimpz[.]com quickoffice360[.]com redactnews[.]com reformporta[.]com richwoodgrill[.]com riversidebreakingnews[.]com rpcgenetics[.]com sangkayrealnews[.]com shreyaninfotech[.]com smldatacenter[.]com spencerinfo[.]net starlightstar[.]com tasensors[.]com techoilproducts[.]com thelocaltribe[.]com tigermm[.]com tigernewsmedia[.]com tophooks[.]org truckingaccidentattorneyblog[.]com truff-evadee[.]com tychonews[.]com unixhonpo[.]com usedownload[.]com vanessalove[.]com versaillesinfo[.]com 
vopaklatinamerica[.]com windowsfiledownload[.]com xxmodkiufnsw[.]shop 365officemail[.]com 7gzi[.]com
Additional Staging Domains:
RedDelta Administration Servers:
RedDelta C2 Servers (October to December 2024):
Shortcut (LNK) Files (SHA256):
MSC Files (SHA256):
MSI Files (SHA256):
DLL Files (SHA256):
Encrypted Payloads (DAT) (SHA256):
Legitimate Executables (SHA256):
HTML Files (SHA256):
File Paths:
Appendix B: MITRE ATT&CK Techniques
| Tactic | Technique | ATT&CK Code |
| --- | --- | --- |
| Resource Development | Acquire Infrastructure: Virtual Private Server | T1583.003 |
| Resource Development | Acquire Infrastructure: Domains | T1583.001 |
| Initial Access | Phishing: Spearphishing Attachment | T1566.001 |
| Initial Access | Phishing: Spearphishing Link | T1566.002 |
| Execution | User Execution: Malicious File | T1204.002 |
| Execution | Command and Scripting Interpreter: PowerShell | T1059.001 |
| Persistence | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | T1547.001 |
| Defense Evasion | Hijack Execution Flow: DLL Search Order Hijacking | T1574.001 |
| Defense Evasion | Execution Guardrails: Geofencing | T1627.001 |
| Defense Evasion | Deobfuscate/Decode Files or Information | T1140 |
| Defense Evasion | System Binary Proxy Execution: MMC | T1071.001 |
| Defense Evasion | System Binary Proxy Execution: Msiexec | T1218.007 |
| Defense Evasion | Masquerading: Match Legitimate Name or Location | T1036.005 |
| Defense Evasion | Masquerading: Double File Extension | T1036.007 |
| Discovery | System Information Discovery | T1082 |
| Command and Control | Encrypted Channel: Symmetric Cryptography | T1573.001 |
| Command and Control | Data Encoding: Standard Encoding | T1132.001 |
| Command and Control | Web Service | T1102 |
Sigma rule to detect RedDelta DLL hijacking attempts to load PlugX:

```yaml
title: Potential RedDelta APT DLL Hijacking Attempt
id: a8535c40-4e04-4ff6-baea-479ea6b0adea
status: stable
description: Detects potential DLL hijacking of LDeviceDetectionHelper.exe in a subdirectory of AppData\Local. Used by RedDelta APT to load PlugX.
author: MGUT, Insikt Group, Recorded Future
date: 2024/09/06
references:
tags:
  - attack.t1574.001 # Hijack Execution Flow: DLL Search Order Hijacking
logsource:
  product: windows
  category: process_creation
detection:
  image_start:
    Image|startswith:
      - 'C:\Users\'
  image_end:
    Image|endswith:
      - '\AppData\Local\*\LDeviceDetectionHelper.exe'
  condition: image_start and image_end
level: critical
falsepositives:
  - Unlikely
```
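Sigma string matching is case-insensitive and treats `*` as a wildcard, so the rule above fires for the binary anywhere beneath a user's AppData\Local tree but not for a copy sitting directly in AppData\Local, nor for the same file name under Program Files. As an added example (not Insikt Group's code and not a Sigma engine), the Python below reproduces exactly that matching logic over constructed Sysmon-style process creation events, which is a convenient way to sanity-check a rule's boundaries before deploying it to a SIEM whose backend may translate wildcards differently.

```python
"""Evaluate the process_creation selection logic of the RedDelta Sigma rule
against constructed events.  Added example, not Insikt Group code.  Sigma
semantics reproduced here: values match case-insensitively, '*' matches any
run of characters, '?' matches one, and 'startswith'/'endswith' anchor the
pattern at the respective end of the field value."""
import re

# Field, modifier and value list for each named selection in the rule.
SIGMA_SELECTIONS = {
    "image_start": ("Image", "startswith", ["C:\\Users\\"]),
    "image_end": ("Image", "endswith", ["\\AppData\\Local\\*\\LDeviceDetectionHelper.exe"]),
}


def sigma_to_regex(value: str, modifier: str) -> re.Pattern:
    """Translate one Sigma value plus modifier into an anchored, case-insensitive regex."""
    body = "".join(
        ".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in value
    )
    if modifier == "startswith":
        body = "^" + body
    elif modifier == "endswith":
        body = body + "$"
    else:  # plain equality in Sigma is also a full-string, case-insensitive match
        body = "^" + body + "$"
    return re.compile(body, re.IGNORECASE | re.DOTALL)


def selection_matches(event: dict, field: str, modifier: str, values: list) -> bool:
    """A selection matches when any of its listed values matches the event field."""
    actual = event.get(field)
    if actual is None:
        return False
    return any(sigma_to_regex(v, modifier).search(actual) for v in values)


def rule_matches(event: dict) -> bool:
    """condition: image_start and image_end"""
    return all(selection_matches(event, *spec) for spec in SIGMA_SELECTIONS.values())


def scan(events):
    """Return the ProcessIds of events that trigger the rule."""
    return [e["ProcessId"] for e in events if rule_matches(e)]


# Constructed sample telemetry (not real logs).  Only 1001 and 1004 should fire:
# 1002 is outside C:\Users, 1003 sits directly in AppData\Local rather than a
# subdirectory, and 1005 is an unrelated system binary.
SAMPLE_EVENTS = [
    {"ProcessId": 1001, "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\LDeviceDetectionHelper.exe"},
    {"ProcessId": 1002, "Image": "C:\\Program Files\\Vendor\\LDeviceDetectionHelper.exe"},
    {"ProcessId": 1003, "Image": "C:\\Users\\bob\\AppData\\Local\\LDeviceDetectionHelper.exe"},
    {"ProcessId": 1004, "Image": "c:\\users\\carol\\appdata\\local\\microsoft\\ldevicedetectionhelper.exe"},
    {"ProcessId": 1005, "Image": "C:\\Windows\\System32\\svchost.exe"},
]

if __name__ == "__main__":
    print("matched ProcessIds:", scan(SAMPLE_EVENTS))
```

Event 1003 is the boundary case worth knowing about: the description says "in a subdirectory of AppData\Local", and the `\*\` in the endswith value enforces that, so a binary dropped straight into AppData\Local would need a second rule or a looser pattern to be caught.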
YARA rules to detect RedDelta loaders written in Nim:

```yara
import "pe"

rule APT_CN_RedDelta_Nim_Loader_DEC23
{
    meta:
        author = "JGrosfelt, Insikt Group, Recorded Future"
        date = "2023-12-21"
        description = "Detects RedDelta RC4 Implementation in Nim Loaders"
        version = "1.0"
        RF_THREATACTOR = "RedDelta"
        RF_THREATACTOR_ID = "en_T6N"

    strings:
        /* RedDelta Custom RC4 Implementation (from RC4)
           8B 8D E0 FB FF FF    mov     ecx, [ebp+var_420]
           89 F2                mov     edx, esi
           32 54 3B 08          xor     dl, [ebx+edi+8]
           0F BE D2             movsx   edx, dl
           E8 E7 C5 FF FF       call    sub_6DB03E5C
           89 85 E0 FB FF FF    mov     [ebp+var_420], eax
           89 F8                mov     eax, edi
           83 C0 01             add     eax, 1
           89 C7                mov     edi, eax
           0F 81 8E FE FF FF    jno     loc_6DB07716 */
        $s1 = { 8B 8D E0 FB FF FF 89 F2 32 54 3B 08 0F BE D2 E8 ?? ?? ?? ?? 89 85 E0 FB FF FF 89 F8 83 C0 01 89 C7 0F }

    condition:
        (uint16(0) == 0x5a4d) and $s1
}

rule APT_CN_RedDelta_Nim_Loader_Aug24
{
    meta:
        author = "MGUT, Insikt Group, Recorded Future"
        date = "2024-09-06"
        description = "Detects RedDelta MSI files used to load PlugX via DLL hijacking"
        version = "1.0"
        hash = "49c32f39d420b836a2850401c134fece4946f440c535d4813362948c2de3996f"
        hash = "c5aa22163eb302ef72c553015ae78f1efe79e0167acad10047b0b25844087205"
        RF_THREATACTOR = "RedDelta"
        RF_THREATACTOR_ID = "en_T6N"

    strings:
        $func = "winimConverterVarObjectToPtrObject"

    condition:
        uint16be(0) == 0x4d5a and filesize < 500KB and pe.number_of_exports == 2 and pe.exports("HidD_GetHidGuid") and pe.exports("NimMain") and $func
}
```
YARA rule to detect MSI executables used to load PlugX:

```yara
rule APT_CN_RedDelta_MSI_Aug24
{
    meta:
        author = "MGUT, Insikt Group, Recorded Future"
        date = "2024-09-06"
        description = "Detects RedDelta MSI files used to load PlugX via DLL hijacking"
        version = "1.0"
        hash = "30fbf917d0a510b8dac3bacb0f4948f9d55bbfb0fa960b07f0af20ba4f18fc19"
        hash = "2d884fd8cfa585adec7407059064672d06a6f4bdc28cf4893c01262ef15ddb99"
        RF_THREATACTOR = "RedDelta"
        RF_THREATACTOR_ID = "en_T6N"

    strings:
        $s1 = "TARGETDIR[%LOCALAPPDATA]"
        // The backslash must be escaped in a YARA text string; "\L" alone is not a valid escape.
        $s2 = "\\LDeviceDetectionHelper.exe"
        $s3 = "hid.dll"

    condition:
        // 0xd0cf11e0: OLE Compound File header shared by MSI packages
        uint32be(0) == 0xd0cf11e0 and all of them
}
```
YARA rule to detect LNK files used to load PlugX (applies to the infection chain from 2023):

```yara
rule APT_CN_RedDelta_LNK_Oct23
{
    meta:
        author = "Mkelly, Insikt Group, Recorded Future"
        date = "2023-10-13"
        description = "Detects RedDelta LNK files used to retrieve and install .msi files via Powershell"
        version = "1.0"
        hash = "a0a3eeb6973f12fe61e6e90fe5fe8e406a8e00b31b1511a0dfe9a88109d0d129"
        hash = "74f3101e869cedb3fc6608baa21f91290bb3db41c4260efe86f9aeb7279f18a1"
        RF_THREATACTOR = "RedDelta"
        RF_THREATACTOR_ID = "en_T6N"

    strings:
        $s1 = "install.InstallProduct" wide
        $s2 = "install=New-Object" wide
        $s3 = "install.uilevel = 2" wide
        $s4 = "REMOVE=ALL" wide

    condition:
        // 0x004c: the 4C 00 00 00 HeaderSize field that opens every Shell Link file
        uint16(0) == 0x004c and filesize < 5MB and 3 of them
}
```