RedNovember (formerly TAG-100) is a Chinese state‑sponsored threat activity group that has conducted widespread reconnaissance and likely compromises of internet‑facing edge devices and services worldwide. It relies on open‑source tooling, such as the Go-based backdoor Pantegana and the LESLIELOADER loader (used to load SparkRAT and Cobalt Strike), and has targeted perimeter appliances including SonicWall, Fortinet, Palo Alto GlobalProtect, Ivanti Connect Secure, and Check Point VPNs. Between June 2024 and July 2025 the group expanded its targeting across government, intergovernmental, defense, aerospace, law firm, media, and technology sectors, and it has leveraged published proof‑of‑concept exploits and spearphishing lures to lower the bar for large‑scale intrusions. #Pantegana #LESLIELOADER
Key points
- RedNovember (previously TAG-100 / overlapping Storm-2077) is assessed as a Chinese state‑sponsored group using open‑source backdoors and C2 frameworks (Pantegana, Cobalt Strike, SparkRAT) to conduct espionage.
- The group focuses on exploiting internet‑facing perimeter appliances (VPNs, firewalls, load balancers, OWA, routers) and surged activity following PoC exploit publications (e.g., Check Point CVE-2024-24919, Palo Alto CVE-2024-3400, Follina CVE-2022-30190).
- Between June 2024 and July 2025, RedNovember targeted a broad international victim set including governments, intergovernmental organizations, US defense contractors, European aerospace/manufacturing firms, law firms, media, and technology firms—particularly in the US, Taiwan, South Korea, Southeast Asia, and Panama.
- Observed tradecraft includes spearphishing with lures and malicious documents, LESLIELOADER chains loading SparkRAT or Cobalt Strike Beacon in memory, and use of public hosting/file sharing and scanning tools (pan[.]xj[.]hk, Filemail, Acunetix, Burp Suite, HackerTarget, crt[.]sh, Wayback Machine).
- Specific intrusion activity included large-scale Ivanti Connect Secure (ICS) VPN reconnaissance in April 2025, targeted scans of Panamanian government organizations in April 2025, and repeated opportunistic exploitation attempts against Check Point and other VPN gateways after PoC releases.
- Insikt Group observed RedNovember administrative habits such as likely using VPN services (ExpressVPN, possibly Warp) for infrastructure administration and occasional C2 hosting on Chinese infrastructure (ALIBABA-CN-NET AS37963).
- Mitigations recommended include blocking known C2 infrastructure, prioritizing patching of high‑risk RCEs in external appliances, enhancing logging/monitoring on perimeter devices, and employing defense‑in‑depth to detect post‑exploitation activity.
MITRE Techniques
- [T1608] Acquire Infrastructure – RedNovember acquired and operated virtual private servers and VPN services to host C2 and supporting infrastructure (Recorded Future notes: “Acquire Infrastructure: Virtual Private Server”).
- [T1592] Gather Victim Network Information – Reconnaissance of edge and network security appliances such as VPNs, firewalls, load balancers, and OWA portals (“Gather Victim Network Information: Network Security Appliances”).
- [T1190] Exploit Public-Facing Application – The group exploited vulnerabilities in internet-facing appliances (e.g., Check Point CVE-2024-24919, Palo Alto CVE-2024-3400, Ivanti Connect Secure, Follina targeting Exchange/Office) (“Exploit Public-Facing Application”).
- [T1566] Spearphishing Attachment – Use of spearphishing with malicious attachments and lure documents (PDF and Word lures directing downloads from threat-controlled domains) (“Spearphishing Attachment”).
- [T1204] User Execution: Malicious Link – Malicious documents directed users to remote pages or downloads (e.g., a Word document linking to hxxps://login[.]offiec[.]us[.]kg/ms-help.html) (“User Execution: Malicious Link”).
- [T1204] User Execution: Malicious File – Malicious attachments and executables (LESLIELOADER masquerading as a VMware security patch delivered via spearphishing) executed by users (“User Execution: Malicious File”).
- [T1071] Application Layer Protocol – Use of web protocols for C2 (Pantegana and Cobalt Strike communicating with C2 over HTTP/HTTPS) (“Application Layer Protocol: Web Protocols”).
- [T1571] Non-Standard Port – Use of non-standard ports and atypical configurations for C2 (example: a Cobalt Strike service run on TCP port 80 and other atypical hosting choices) (“Non-Standard Port”).
Indicators of Compromise
- [Domain] RedNovember malicious hosting and lure infrastructure – aeifile[.]offiec[.]us[.]kg, login[.]offiec[.]us[.]kg
- [IP Address] Pantegana C2 servers and reconnaissance hosts – 209[.]141[.]46[.]57, 198[.]98[.]50[.]218
- [IP Address] Cobalt Strike C2 – 47[.]103[.]218[.]35 (also seen serving hxxp://47[.]103[.]218[.]35/pixel and /GSjY)
- [File Hash] LESLIELOADER loader samples – 06e87a03507213322d876b459194021f876ba90f85c5faa401820954045cd1d2, 8679a25c78e104c6e74996b75882e378f420614fe1379ee9c1e266a11ffa096d
- [File Hash] Malicious document and exploit payloads – Word document 9a1077f57bac5610d44ac46a8958dd5469522a3db466f164f4dfeada73847b79, ms-help.html payload dba860617762bc713771de351026eb683546b37489fa0359064948f263438030
- [Archive Hash] ZIP used to stage malware and lure – 675874ac8fbe66e76244759ae398a4d30da84ef2435a1384c4be549ca9eba18b
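The mitigation bullet above recommends blocking known C2 infrastructure and monitoring perimeter devices; the indicator list is what a defender would feed into that process. The following is an added example (not code from the report or from Insikt Group) that refangs the published indicators, then sweeps proxy, DNS, firewall and EDR log lines for the C2 IPs, the lure domains (including any subdomain of them), and the sample hashes. The log lines are constructed for the example and are not real telemetry; the log field names (url=, query=, dst=, sha256=) are assumptions, not a particular product's format.

```python
"""Sweep log lines for the RedNovember indicators listed in the report summary.
Example code added to this page; not part of the original report."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set

# Indicators exactly as published (defanged) in the summary above.
DOMAINS_DEFANGED = ["aeifile[.]offiec[.]us[.]kg", "login[.]offiec[.]us[.]kg"]
IPS_DEFANGED = ["209[.]141[.]46[.]57", "198[.]98[.]50[.]218", "47[.]103[.]218[.]35"]
SHA256S = [
    "06e87a03507213322d876b459194021f876ba90f85c5faa401820954045cd1d2",  # LESLIELOADER
    "8679a25c78e104c6e74996b75882e378f420614fe1379ee9c1e266a11ffa096d",  # LESLIELOADER
    "9a1077f57bac5610d44ac46a8958dd5469522a3db466f164f4dfeada73847b79",  # Word lure
    "dba860617762bc713771de351026eb683546b37489fa0359064948f263438030",  # ms-help.html
    "675874ac8fbe66e76244759ae398a4d30da84ef2435a1384c4be549ca9eba18b",  # staging ZIP
]


def refang(value: str) -> str:
    """Turn a defanged indicator ('hxxps://a[.]b') back into the form seen in logs."""
    return (value.replace("[.]", ".")
                 .replace("hxxps://", "https://")
                 .replace("hxxp://", "http://"))


def defang(value: str) -> str:
    """Inverse of refang, for safe display of hits in tickets and reports."""
    return (value.replace("https://", "hxxps://")
                 .replace("http://", "hxxp://")
                 .replace(".", "[.]"))


DOMAINS: Set[str] = {refang(d).lower() for d in DOMAINS_DEFANGED}
IPS: Set[str] = {refang(ip) for ip in IPS_DEFANGED}
HASHES: Set[str] = {h.lower() for h in SHA256S}

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"\b[a-z0-9][a-z0-9.-]*\.[a-z]{2,}\b", re.IGNORECASE)
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b", re.IGNORECASE)


@dataclass(frozen=True)
class Match:
    line_no: int
    ioc_type: str   # "ip", "domain" or "sha256"
    value: str      # the matched indicator, refanged and normalised
    line: str       # the offending log line


def domain_hit(host: str, domains: Set[str]) -> Optional[str]:
    """Return the IOC domain that host equals or sits under, else None.
    Only the listed hosts (and their children) match: the parent zone
    offiec.us.kg is not itself an indicator on this page."""
    host = host.lower().rstrip(".")
    for d in domains:
        if host == d or host.endswith("." + d):
            return d
    return None


def scan_lines(lines: Iterable[str]) -> List[Match]:
    """Check every line for any listed IP, domain/subdomain or SHA-256."""
    hits: List[Match] = []
    for n, line in enumerate(lines, 1):
        for ip in IP_RE.findall(line):
            if ip in IPS:
                hits.append(Match(n, "ip", ip, line))
        for host in HOST_RE.findall(line):
            d = domain_hit(host, DOMAINS)
            if d is not None:
                hits.append(Match(n, "domain", d, line))
        for h in SHA256_RE.findall(line):
            if h.lower() in HASHES:
                hits.append(Match(n, "sha256", h.lower(), line))
    return hits


# Constructed sample log lines (not real telemetry); field names are assumptions.
SAMPLE_LOGS = [
    "2025-04-12T09:14:03Z proxy src=10.20.30.40 url=http://47.103.218.35/pixel status=200",
    "2025-04-12T09:14:05Z dns client=10.20.30.40 query=login.offiec.us.kg type=A",
    "2025-04-12T09:15:11Z edr host=WS-17 file=vmware_patch.exe "
    "sha256=06E87A03507213322D876B459194021F876BA90F85C5FAA401820954045CD1D2",
    "2025-04-12T09:16:40Z dns client=10.20.30.41 query=www.example.com type=A",
    "2025-04-12T09:17:02Z fw src=10.20.30.42 dst=198.98.50.218 dport=443 action=allow",
]

if __name__ == "__main__":
    for m in scan_lines(SAMPLE_LOGS):
        # Print indicators defanged so the output can be pasted into a ticket.
        print(f"line {m.line_no}: {m.ioc_type} {defang(m.value)}")
```

Subdomain matching is deliberate: the lure URL in the report sits under login[.]offiec[.]us[.]kg, and an operator can stand up further hosts under the same names without changing the listed indicator. Hash matching is case-insensitive because EDR products differ in how they render SHA-256 values. On real data, replace SAMPLE_LOGS with lines read from your log store and treat any hit as a trigger for the post-exploitation hunting the report recommends, not as proof of compromise on its own.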