Category | Details |
---|---|
Threat Actors | RedDelta (also known by other aliases like BASIN, Mustang Panda, and others). |
Campaign Overview | • Targeted multiple countries, including Mongolia, Taiwan, Myanmar, Vietnam, Cambodia, and others. • Delivered a customized version of PlugX backdoor between July 2023 and December 2024. • Lure documents used for social engineering. |
Target Regions (or Victims) | Mongolia, Taiwan, Myanmar, Vietnam, Cambodia, Malaysia, Japan, United States, Ethiopia, Brazil, Australia, India. |
Methodology | • Used spear-phishing with lure documents (e.g., Taiwanese presidential candidate, Vietnamese National Holiday). • Infection chain involved LNK, MSI, and MSC files. • Exploited DLL side-loading and DLL search order hijacking. |
Product Targeted | • PlugX backdoor |
Malware Reference | PlugX backdoor – customized for the campaign |
Tools Used | • Windows Shortcut (LNK) files • Windows Installer (MSI) • Microsoft Management Console (MSC) files • Cloudflare CDN used for C2 traffic masking |
Vulnerabilities Exploited | • DLL search order hijacking |
TTPs | • Spear-phishing using social engineering documents. • LNK, MSI, and MSC files as first-stage infection triggers. • DLL side-loading for malware deployment. • Cloudflare CDN for proxying C2 traffic. |
Attribution | • Likely China-nexus with a focus on strategic priorities, particularly targeting Southeast Asian governments and organizations. • Group associated with Chinese espionage activities. |
Recommendations | • Implement strong email security to filter spear-phishing attempts. • Use advanced endpoint detection and response (EDR) solutions. • Monitor network traffic for C2 communications disguised by services like CDNs. |
Source | The Hacker News |
Read full article: https://thehackernews.com/2025/01/reddelta-deploys-plugx-malware-to.html
The above summary has been generated by an AI language model.
Comments (1)
Osint10X Newsletter #4 - Osint10x says:
January 12, 2025 at 11:11 pm
[…] RedDelta, a Chinese cyber-espionage group, has been using PlugX malware in targeted campaigns against Mongolia and Taiwan. The campaign focuses on stealing sensitive information by leveraging malicious emails with weaponized documents. Researchers noted advanced stealth techniques and tailored payloads to evade detection. Read more […]