RedDelta: Chinese State-Sponsored Group Targets Mongolia, Taiwan, and Southeast Asia with Evolving Cyber Threats

Insikt Group has reported that the Chinese state-sponsored group RedDelta has been actively targeting various Southeast Asian countries, including Mongolia, Taiwan, Myanmar, Vietnam, and Cambodia, from July 2023 to December 2024. The group utilized spearphishing tactics with customized documents to distribute its PlugX backdoor. Notable targets included government entities and NGOs, with a focus on geopolitical interests in the region.

Affected: Mongolia, Taiwan, Myanmar, Vietnam, Cambodia, Malaysia, Japan, United States, Ethiopia, Brazil, Australia, India

Key points:

  • RedDelta has been targeting Southeast Asia and Mongolia since at least 2012.
  • The group adapted its tactics, utilizing lure documents related to geopolitical events.
  • RedDelta compromised the Mongolian Ministry of Defense and the Communist Party of Vietnam.
  • From September to December 2024, the group expanded its targeting to multiple countries including Malaysia and the United States.
  • RedDelta evolved its infection chain to use Windows Shortcut (LNK) and Microsoft Management Console Snap-In Control (MSC) files.
  • The group consistently used Cloudflare CDN to proxy command-and-control traffic.
  • Mitigation strategies include using YARA and Sigma rules, updating software, and filtering email attachments.
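
As an added example that is not taken from the Insikt Group report, the Python below flags two process-creation patterns consistent with the MSC-based infection chain described above: mmc.exe opening an .msc from a user-writable directory, and mmc.exe spawning PowerShell. The field names follow Sysmon Event ID 1, the events are constructed samples rather than real telemetry, and the directory list is an assumption made for illustration.

```python
import re
from pathlib import PureWindowsPath

# Assumption: directories a phished user is likely to open an attachment from.
USER_WRITABLE = re.compile(
    r"\\(Downloads|Desktop|AppData\\Local\\Temp|INetCache)\\", re.IGNORECASE)

SAMPLE_EVENTS = [  # constructed, Sysmon Event ID 1 style; not real telemetry
    # explorer.exe launches mmc.exe on an MSC lure saved to Downloads
    {"Image": r"C:\Windows\System32\mmc.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\mmc.exe" "C:\Users\a\Downloads\Agenda.msc"'},
    # the console snap-in hands off to PowerShell (T1059.001)
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\mmc.exe",
     "CommandLine": r"powershell.exe -WindowStyle Hidden -File C:\Users\a\AppData\Local\Temp\u.ps1"},
    # an administrator opens a built-in console; this must stay quiet
    {"Image": r"C:\Windows\System32\mmc.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\mmc.exe" "C:\Windows\System32\services.msc"'},
]


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path ('' when the field is missing)."""
    return PureWindowsPath(path).name.lower() if path else ""


def classify(event: dict) -> list[str]:
    """Return the rule names an event matches; an empty list means no alert."""
    hits = []
    image = _basename(event.get("Image", ""))
    parent = _basename(event.get("ParentImage", ""))
    cmd = event.get("CommandLine", "")
    # Rule 1: mmc.exe loading an .msc that lives in a user-writable directory,
    # which is how a mailed MSC file would be opened by its recipient.
    if image == "mmc.exe" and ".msc" in cmd.lower() and USER_WRITABLE.search(cmd):
        hits.append("mmc_msc_from_user_path")
    # Rule 2: PowerShell whose parent is mmc.exe; legitimate consoles rarely
    # do this, so it is a high-signal pairing of the two techniques above.
    if parent == "mmc.exe" and image in ("powershell.exe", "pwsh.exe"):
        hits.append("mmc_spawns_powershell")
    return hits


def scan(events: list[dict]) -> dict[int, list[str]]:
    """Map the index of every alerting event to the rules it matched."""
    return {i: hits for i, e in enumerate(events) if (hits := classify(e))}
```

Calling `scan(SAMPLE_EVENTS)` returns alerts for the first two constructed events only; the built-in services.msc launch is left alone.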

MITRE Techniques:

  • Resource Development: Acquire Infrastructure — Virtual Private Server (T1583.003)
  • Resource Development: Acquire Infrastructure — Domains (T1583.001)
  • Initial Access: Phishing — Spearphishing Attachment (T1566.001)
  • Initial Access: Phishing — Spearphishing Link (T1566.002)
  • Execution: User Execution — Malicious File (T1204.002)
  • Execution: Command and Scripting Interpreter — PowerShell (T1059.001)
  • Persistence: Boot or Logon Autostart Execution — Registry Run Keys / Startup Folder (T1547.001)
  • Defense Evasion: Hijack Execution Flow — DLL Search Order Hijacking (T1574.001)
  • Defense Evasion: Execution Guardrails — Geofencing (T1627.001)
  • Defense Evasion: System Binary Proxy Execution — MMC (T1071.001)
  • Command-and-Control: Web Service (T1102)

Indicators of Compromise:

  • [domain] abecopiers[.]com
  • [domain] alicevivianny[.]com
  • [domain] aljazddra[.]com
  • [domain] alphadawgrecords[.]com
  • [domain] alvinclayman[.]com
  • See the full report for the complete list of IoCs.

Full Research: https://www.recordedfuture.com/research/reddelta-chinese-state-sponsored-group-targets-mongolia-taiwan-southeast-asia