
"A Chinese cyberespionage group has compromised at least two US defense contractors and various other organizations in the Americas, Europe, Asia, and Africa, cybersecurity firm Recorded Future reports. Between July 2024 and July 2025, the threat actor, tracked as RedNovember, was seen targeting high-profile organizations globally, across government, defense, aerospace, and other industries. For initial access, the cyberspies compromised edge devices from Cisco, F5, Fortinet, Ivanti, Palo Alto Networks, SonicWall, and Sophos, as well as Outlook Web Access (OWA) instances."
"As part of the attacks, RedNovember deployed a Go-based backdoor dubbed Pantegana, offensive security tools such as Cobalt Strike and SparkRAT, and open source tools for initial access, reconnaissance, and follow-up activities. The threat actor, Recorded Future notes, is known for using Pantegana as its command-and-control (C&C) framework, along with Cobalt Strike, and continues to rely on ExpressVPN for server management, while also likely adopting Warp VPN for remote access to its infrastructure."
"The cybersecurity firm observed the cyberespionage group targeting the OWA portals of a South American country prior to a state visit in China, and those of ministries of foreign affairs in Southeast Asia and South America. Over the past year, the group has targeted government and diplomatic organizations in multiple countries, across Africa, Asia, Europe, and South America, and is believed to have maintained long-time access to an intergovernmental organization based in Southeast Asia."
Between July 2024 and July 2025 RedNovember targeted high-profile organizations globally across government, defense, aerospace, and other industries. The group compromised at least two US defense contractors and multiple organizations in the Americas, Europe, Asia, and Africa. Initial access came from compromising edge devices from Cisco, F5, Fortinet, Ivanti, Palo Alto Networks, SonicWall, and Sophos, and from Outlook Web Access (OWA) instances. RedNovember deployed a Go-based backdoor named Pantegana, Cobalt Strike, SparkRAT, and open-source tools for reconnaissance and follow-up activities. The group used ExpressVPN and likely Warp VPN for infrastructure management and remote access, and maintained long-term access to diplomatic and intergovernmental targets.
Read at SecurityWeek