Mongolia, Taiwan, Myanmar, Vietnam, and Cambodia have been targeted by the China-nexus RedDelta threat actor to deliver a customized version of the PlugX backdoor between July 2023 and December 2024.
“The group used lure documents themed around the 2024 Taiwanese presidential candidate Terry Gou, the Vietnamese National Holiday, flood protection in Mongolia, and meeting invitations, including an Association of Southeast Asian Nations (ASEAN) meeting,” Recorded Future’s Insikt Group said in a new analysis.
It’s believed that the threat actor compromised the Mongolian Ministry of Defense in August 2024 and the Communist Party of Vietnam in November 2024. It’s also said to have targeted various victims in Malaysia, Japan, the United States, Ethiopia, Brazil, Australia, and India from September to December 2024.
RedDelta, active since at least 2012, is the moniker assigned to a state-sponsored threat actor from China. It’s also tracked by the cybersecurity community under the names BASIN, Bronze President, Camaro Dragon, Earth Preta, HoneyMyte, Mustang Panda (and its closely related Vertigo Panda), Red Lich, Stately Taurus, TA416, and Twill Typhoon.
The hacking crew is known for continually refining its infection chain, with recent attacks weaponizing Visual Studio Code tunnels as part of espionage operations targeting government entities in Southeast Asia, a tactic that’s increasingly being adopted by various China-linked espionage clusters such as Operation Digital Eye and MirrorFace.
The intrusion set documented by Recorded Future entails the use of Windows Shortcut (LNK), Windows Installer (MSI), and Microsoft Management Console (MSC) files, likely distributed via spear-phishing, as the first-stage component to trigger the infection chain, ultimately leading to the deployment of PlugX using DLL side-loading techniques.
Select campaigns orchestrated late last year have also relied on phishing emails containing a link to HTML files hosted on Microsoft Azure as a starting point to trigger the download of the MSC payload, which, in turn, drops an MSI installer responsible for loading PlugX using a legitimate executable that’s vulnerable to DLL search order hijacking.
In a further sign of an evolution of its tactics and stay ahead of security defenses, RedDelta has been observed using the Cloudflare content delivery network (CDN) to proxy command-and-control (C2) traffic to the attacker-operated C2 servers. This is done so in an attempt to blend in with legitimate CDN traffic and complicate detection efforts.
Recorded Future said it identified 10 administrative servers communicating with two known RedDelta C2 servers. All the 10 IP addresses are registered to China Unicom Henan Province.
“RedDelta’s activities align with Chinese strategic priorities, focusing on governments and diplomatic organizations in Southeast Asia, Mongolia, and Europe,” the company said.
“The group’s Asia-focused targeting in 2023 and 2024 represents a return to the group’s historical focus after targeting European organizations in 2022. RedDelta’s targeting of Mongolia and Taiwan is consistent with the group’s past targeting of groups seen as threats to the Chinese Communist Party’s power.”
The development comes amid a report from Bloomberg that the recent cyber attack targeting the U.S. Treasury Department was perpetrated by a fellow hacking group known as Silk Typhoon (aka Hafnium), which was previously attributed to the zero-day exploitation of four security flaws in Microsoft Exchange Server (aka ProxyLogon) in early 2021.
