RedHotel: A Prolific, Chinese State-Sponsored Group Operating at a Global Scale | Recorded Future

Recorded Future’s Insikt Group profiles RedHotel, a Chinese state-sponsored activity group that conducts persistent global cyber-espionage, using multi-tiered C2 infrastructure, stolen code-signing certificates, and a mix of shared and bespoke tooling. The group employs implants and frameworks including ShadowPad, Spyder, ScatterBee, Cobalt Strike, and Brute Ratel while exploiting public-facing applications such as Zimbra, Microsoft Exchange, and Log4j-vulnerable services. #RedHotel #ShadowPad

Keypoints

  • RedHotel operated from at least 2019 through 2023 across 17 countries, targeting governments, academia, aerospace, media, telecoms, and research organizations.
  • The group uses a multi-tiered C2 infrastructure (actor-controlled VPS, proxied C2s, and compromised servers) to support reconnaissance, long-term access, and exfiltration.
  • Initial access vectors include exploiting public-facing apps (Zimbra, Exchange, Log4Shell) and archive-based spearphishing delivering LNKs that fetch HTA/VBScript payloads.
  • Tools observed include ShadowPad (loader/payload storage in registry), Spyder backdoor, ScatterBee obfuscator, Cobalt Strike and Brute Ratel frameworks, plus bespoke loaders and use of stolen code-signing certs.
  • Persistence and evasion techniques include scheduled tasks, Run registry keys, DLL search order hijacking (using legitimate executables), obfuscated/encrypted payloads (e.g., bin.config), and signed malicious binaries.
  • Recorded IOCs include numerous malicious domains, 27 C2 IPs (May–June 2023), TLS certificate fingerprints, and multiple loader/malware file hashes linked to Cobalt Strike, Brute Ratel, Winnti, Spyder, and FunnySwitch.

MITRE Techniques

  • [T1595.002] Active Scanning: Vulnerability Scanning – ‘RedHotel has used vulnerability scanning tools such as Acunetix to scan externally facing appliances for vulnerabilities.’
  • [T1583.001] Acquire Infrastructure: Domains – ‘RedHotel has purchased domains, primarily via Namecheap.’
  • [T1583.003] Acquire Infrastructure: Virtual Private Server – ‘RedHotel has provisioned actor-controlled VPS, with a preference for the providers Choopa (Vultr), G-Core, and Kaopu Cloud HK Limited.’
  • [T1584.004] Compromise Infrastructure: Server – ‘RedHotel has also used compromised GlassFish servers as Cobalt Strike C2s and to scan target networks.’
  • [T1190] Exploit Public-Facing Application – ‘RedHotel has exploited public-facing applications for initial access, including Zimbra Collaboration Suite (CVE-2022-24682, CVE-2022-27924, CVE-2022-27925 chained with CVE-2022-37042, and CVE-2022-30333), Microsoft Exchange (ProxyShell), and the Log4Shell vulnerability in Apache Log4J.’
  • [T1566.001] Spearphishing Attachment – ‘RedHotel has used archive spearphishing attachments containing shortcut (LNK) files which fetch remotely hosted scripts (HTA, VBScript). These scripts are then used to trigger DLL search order hijacking infection chains and display decoy documents to users.’
  • [T1505.003] Server Software Component: Web Shell – ‘RedHotel has used web shells within victim environments and to interact with compromised GlassFish servers.’
  • [T1053.005] Scheduled Task/Job: Scheduled Task – ‘RedHotel has used scheduled tasks for persistence for the group’s Spyder backdoor: C:\Windows\System32\schtasks.exe /RUN /TN PrintWorkflow_10e3b’
  • [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – ‘The ScatterBee ShadowPad loader persists via the Run registry key and also stores the encrypted ShadowPad payload in the registry.’
  • [T1027] Obfuscated Files or Information – ‘RedHotel has used the tool ScatterBee to obfuscate ShadowPad payloads.’
  • [T1140] Deobfuscate/Decode Files or Information – ‘RedHotel has also repeatedly stored encrypted or encoded payloads within files named bin.config.’
  • [T1553.002] Subvert Trust Controls: Code Signing – ‘RedHotel has signed malicious binaries using stolen code signing certificates (such as the referenced WANIN International certificate).’
  • [T1574.001] Hijack Execution Flow: DLL Search Order Hijacking – ‘RedHotel has abused multiple legitimate executables for DLL search order hijacking, including vfhost.exe, mcods.exe, and BDReinit.exe.’
  • [T1036.005] Masquerading: Match Legitimate Name or Location – ‘RedHotel has used legitimate file names in tandem with DLL search order hijacking to load malicious DLLs.’
  • [T1090.002] Proxy: External Proxy – ‘RedHotel has used VPS C2s to proxy traffic upstream to actor-controlled servers.’
  • [T1071.001] Application Layer Protocol: Web Protocols – ‘RedHotel Brute Ratel and Cobalt Strike samples referenced within this report communicate over HTTPS.’
  • [T1041] Exfiltration Over C2 Channel – ‘RedHotel has exfiltrated data over malware C2 channels.’

Indicators of Compromise

  • [Domains] actor infrastructure and C2 – dga[.]asia, officesuport[.]com, and many other domains used for C2, staging, and impersonation.
  • [C2 IP Addresses] Cobalt Strike/other C2s (May–June 2023) – 1.13.82[.]101, 5.188.33[.]188, and 25 other C2 IPs observed.
  • [TLS Certificate (SHA256)] Actor certificates used by C2 – f8cd64625f8964239dad1b2ce7372d7a293196455db7c6b5467f7770fd664a61, 294fb8f21034475198c3320d01513cc9917629c6fd090af76ea0ff8911e0caa3, and 3 more fingerprints.
  • [Cobalt Strike Loader Hashes] loader binaries – 5cba27d29c89caf0c8a8d28b42a8f977f86c92c803d1e2c7386d60c0d8641285, 48e81b1c5cc0005cc58b99cefe1b6087c841e952bb06db5a5a6441e92e40bed6, and 3 more hashes.
  • [Brute Ratel Loader Hashes] loaders used for C2/backdoor – 6e3c3045bb9d0db4817ad0441ee3c95b8fe3e087388d1ceefb9ebbd2608aef16, 6f31a4656afb8d9245b5b2f5a634ddfbdb9db3ca565d2c52aee68554ede068d1, and 1 more hash.
  • [Winnti/Spyder/FunnySwitch Hashes] additional malware family hashes – examples include Winnti 5861584bb7fa4637…, Spyder 7a61708f391a667c…, FunnySwitch 7056e9b69cc2fbc7…, and several other hashes.
  • [File names / Artifacts] persistent/encrypted payload storage and tasks – bin.config (encrypted payloads), and scheduled task PrintWorkflow_10e3b used to run Spyder.

RedHotel’s operations emphasize reconnaissance and long-term access using layered infrastructure. The group acquires domains and VPS instances (notably via Namecheap and providers like Choopa/Vultr, G-Core, Kaopu Cloud), compromises third-party servers (e.g., GlassFish) to host C2 or scanning tools, and proxies traffic from VPS C2s to upstream actor-controlled servers. They scan external appliances (Acunetix) and exploit public-facing applications—Zimbra (multiple CVEs), Microsoft Exchange (ProxyShell), and Log4Shell in Log4J—while also delivering archive-based spearphishing with LNK files that fetch HTA/VBScript to initiate infection chains.

For post-exploitation they deploy and manage multiple frameworks and bespoke tooling: Cobalt Strike and Brute Ratel for C2/command channels over HTTPS, Spyder as a backdoor, ShadowPad as a persistent payload (encrypted and stored in the registry or bin.config), and ScatterBee for obfuscation. Persistence mechanisms include scheduled tasks (e.g., schtasks to run PrintWorkflow_10e3b), Run registry keys, and web shells on compromised servers. Defense evasion techniques observed include DLL search order hijacking using legitimate executables (vfhost.exe, mcods.exe, BDReinit.exe), masquerading with legitimate filenames/locations, and signing malicious binaries with stolen certificates (e.g., WANIN International).

Operational tradecraft covers data theft and exfiltration over C2 channels, with extensive IOCs left behind: numerous malicious domains, 27 recorded C2 IP addresses (May–June 2023), multiple TLS certificate fingerprints, and dozens of loader/malware hashes for Cobalt Strike, Brute Ratel, Winnti, Spyder, and FunnySwitch. Analysts should prioritize detection of the listed exploitation patterns (Zimbra/Exchange/Log4J), LNK/HTA delivery chains, DLL-hijack behaviors, Run-key/registry-stored payloads (bin.config), scheduled tasks matching the observed naming, and HTTPS C2 traffic to the noted domains/IPs and certificate fingerprints.
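The host-side detection priorities above can be turned into a small hunting pass over endpoint telemetry. The following is an added example, not code from Recorded Future or the report: it assumes Sysmon-style event fields (type, image, cmdline, key, data, loaded) and treats "one of the named executables loads a DLL from outside the Windows system directories" as a heuristic for search-order hijacking.

```python
"""Added hunting example (not Recorded Future's tooling): flag RedHotel-style host
artifacts from the report in Sysmon-like telemetry. Field names are assumptions."""
import re

# From the report: Spyder persistence task name, executables abused for DLL
# search order hijacking, and bin.config as the encrypted payload file name.
TASK_NAME = "printworkflow_10e3b"
HIJACKED_HOSTS = {"vfhost.exe", "mcods.exe", "bdreinit.exe"}
TRUSTED_DLL_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")  # heuristic allow-list
RUN_KEY = re.compile(r"\\microsoft\\windows\\currentversion\\run\\", re.I)
REMOTE_SCRIPT = re.compile(r"https?://\S+\.(hta|vbs)\b", re.I)  # remotely hosted HTA/VBScript

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def check_event(ev):
    """Return the rule names that fire for one event (empty list if none)."""
    hits = []
    if ev["type"] == "process":
        image, cmd = basename(ev["image"]), ev["cmdline"].lower()
        if image == "schtasks.exe" and TASK_NAME in cmd:        # T1053.005
            hits.append("scheduled_task_spyder_name")
        if image == "mshta.exe" and REMOTE_SCRIPT.search(cmd):  # T1566.001 LNK -> HTA chain
            hits.append("remote_hta_launch")
    elif ev["type"] == "registry":                              # T1547.001 + T1140 (heuristic pairing)
        if RUN_KEY.search(ev["key"]) and "bin.config" in ev["data"].lower():
            hits.append("run_key_bin_config")
    elif ev["type"] == "image_load":                            # T1574.001
        if (basename(ev["image"]) in HIJACKED_HOSTS
                and not ev["loaded"].lower().startswith(TRUSTED_DLL_DIRS)):
            hits.append("dll_search_order_hijack")
    return hits

def hunt(events):
    """Return [(rule, event_id), ...] for every event that triggers a rule."""
    return [(rule, ev["id"]) for ev in events for rule in check_event(ev)]

# Constructed sample telemetry, not real victim data.
SAMPLE_EVENTS = [
    {"id": 1, "type": "process", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r"C:\Windows\System32\schtasks.exe /RUN /TN PrintWorkflow_10e3b"},
    {"id": 2, "type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Svc",
     "data": r"C:\ProgramData\Svc\vfhost.exe C:\ProgramData\Svc\bin.config"},
    {"id": 3, "type": "image_load", "image": r"C:\ProgramData\Svc\vfhost.exe",
     "loaded": r"C:\ProgramData\Svc\helper.dll"},
    {"id": 4, "type": "process", "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta.exe http://example.invalid/decoy.hta"},
]
```

Running `hunt(SAMPLE_EVENTS)` yields one finding per sample event; a legitimate copy of mcods.exe loading from System32 produces none, which is the false-positive boundary the allow-list is meant to draw.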

Read more: https://www.recordedfuture.com/redhotel-a-prolific-chinese-state-sponsored-group-operating-at-a-global-scale