Chinese Hackers RedNovember Target Global Governments Using Pantegana and Cobalt Strike
Briefly

"A suspected cyber espionage activity cluster that was previously found targeting global government and private sector organizations spanning Africa, Asia, North America, South America, and Oceania has been assessed to be a Chinese state-sponsored threat actor. Recorded Future, which was tracking the activity under the moniker TAG-100, has now graduated it to a hacking group dubbed RedNovember. It's also tracked by Microsoft as Storm-2077."
"Some of the likely new victims of the threat actor include a ministry of foreign affairs in central Asia, a state security organization in Africa, a European government directorate, and a Southeast Asian government. The group is also believed to have breached at least two United States (US) defense contractors, a European engine manufacturer, and a trade-focused intergovernmental cooperation body in Southeast Asia."
"RedNovember was first documented by Recorded Future over a year ago, detailing its use of the Pantegana post-exploitation framework and Spark RAT following the weaponization of known security flaws in several internet-facing perimeter appliances from Check Point (CVE-2024-24919), Cisco, Citrix, F5, Fortinet, Ivanti, Palo Alto Networks (CVE-2024-3400), and SonicWall for initial access."
RedNovember, assessed as a Chinese state-sponsored threat actor and tracked as Storm-2077, operated between June 2024 and July 2025. The group targeted perimeter appliances of high-profile organizations worldwide and employed the Go-based backdoor Pantegana, Spark RAT, and Cobalt Strike during intrusions. Targeting expanded across government and private sectors, including defense, aerospace, space organizations, and law firms. Likely victims include ministries, state security bodies, European directorates, Southeast Asian governments, US defense contractors, a European engine manufacturer, and a Southeast Asian intergovernmental trade body. Initial access relied on weaponized vulnerabilities in appliances from multiple vendors.
Read at The Hacker News