RedDelta executes espionage campaigns using the PlugX malware

January 16, 2025
RedDelta Cyberespionage PlugX Malware Hackers Asia Spear Phishing

The Chinese-backed RedDelta hacking group uses a customised version of the PlugX malware to target multiple Asian countries. Some confirmed nations targeted by the campaign include Taiwan, Myanmar, Vietnam, Mongolia, and Cambodia.

The threat actor allegedly compromised the Mongolian Ministry of Defense in August last year and the Communist Party of Vietnam in November 2024. However, other researchers claimed that these attackers have targeted several victims globally, such as the United States, Ethiopia, Brazil, Australia, and India, between September and December 2024.

RedDelta is notorious for upscaling its malicious capabilities.

The notorious RedDelta hacking group is known for constantly improving its infection tactics. In one recent campaign, the group weaponised Visual Studio Code tunnels as part of espionage operations targeting government entities in the Southeast Asia (SEA) region.

Various researchers claimed that the group delivered the intrusion set via spear-phishing, which served as the first-stage component that initiated the infection chain. This activity eventually resulted in the deployment of PlugX via DLL sideloading techniques.

Select campaigns orchestrated late last year also used phishing emails containing a link to HTML files hosted on Microsoft Azure to initiate the download of the MSC payload. This activity, in turn, dropped an MSI installer responsible for loading PlugX with a legitimate executable vulnerable to DLL search order hijacking.
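The chain described above ends with a legitimate executable that resolves a DLL from its own directory before the system directory, which is what lets an attacker-supplied DLL be loaded. The following is an added detection example (not code from the page or from any of the cited researchers) that triages image-load telemetry for that pattern. It assumes a simplified, constructed record format of `Image=...;ImageLoaded=...;Signed=...;ProcessSigned=...` rather than Sysmon's real schema, and the sample paths and the list of "system DLL names" are constructed for the illustration, not indicators from the page.

```python
"""Triage constructed image-load records for DLL sideloading / search-order hijacking signals."""
from dataclasses import dataclass
import ntpath

# Constructed sample records (hypothetical paths, not indicators from any report).
# Format is an assumption for this example, not a real Sysmon ImageLoad (Event ID 7) schema.
SAMPLE_EVENTS = [
    "Image=C:\\Windows\\System32\\svchost.exe;ImageLoaded=C:\\Windows\\System32\\version.dll;Signed=true;ProcessSigned=true",
    "Image=C:\\Users\\alice\\AppData\\Local\\Temp\\Updater\\signedtool.exe;ImageLoaded=C:\\Users\\alice\\AppData\\Local\\Temp\\Updater\\version.dll;Signed=false;ProcessSigned=true",
    "Image=C:\\Program Files\\Vendor\\app.exe;ImageLoaded=C:\\Program Files\\Vendor\\helper.dll;Signed=false;ProcessSigned=true",
]

SYSTEM_DIRS = {"c:\\windows\\system32", "c:\\windows\\syswow64"}
# Directory fragments that an ordinary user can write to; a dropped MSI payload typically lands here.
USER_WRITABLE_HINTS = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\programdata\\", "\\users\\public\\")
# Assumption for the example: DLL names an application normally resolves from the system directory.
SYSTEM_DLL_NAMES = {"version.dll", "userenv.dll", "wininet.dll", "dwmapi.dll", "cryptbase.dll"}


@dataclass
class ImageLoad:
    image: str           # path of the process executable
    image_loaded: str    # path of the DLL that was mapped into it
    dll_signed: bool     # Authenticode status of the DLL
    process_signed: bool # Authenticode status of the executable


def parse_event(line: str) -> ImageLoad:
    """Parse one constructed 'key=value;key=value' record into an ImageLoad."""
    fields = dict(part.split("=", 1) for part in line.split(";"))
    return ImageLoad(
        image=fields["Image"],
        image_loaded=fields["ImageLoaded"],
        dll_signed=fields["Signed"].lower() == "true",
        process_signed=fields["ProcessSigned"].lower() == "true",
    )


def assess(ev: ImageLoad) -> list[str]:
    """Return the list of sideloading indicators present in a single image-load event."""
    reasons = []
    exe_dir = ntpath.dirname(ev.image).lower()
    dll_dir = ntpath.dirname(ev.image_loaded).lower()
    dll_name = ntpath.basename(ev.image_loaded).lower()

    # Classic sideloading shape: a signed host binary maps an unsigned DLL that sits beside it.
    if exe_dir == dll_dir and ev.process_signed and not ev.dll_signed:
        reasons.append("signed executable loaded an unsigned DLL from its own directory")

    # A legitimate host binary copied into a user-writable path is itself unusual.
    if any(hint in exe_dir + "\\" for hint in USER_WRITABLE_HINTS):
        reasons.append("executable runs from a user-writable location")

    # A DLL that should come from System32/SysWOW64 but resolved elsewhere: search-order hijack signal.
    if dll_name in SYSTEM_DLL_NAMES and dll_dir not in SYSTEM_DIRS:
        reasons.append(f"{dll_name} resolved outside the system directory (search-order hijack signal)")

    return reasons


def triage(lines, threshold: int = 2):
    """Return (image, reasons) for every record with at least `threshold` indicators."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        reasons = assess(ev)
        if len(reasons) >= threshold:
            alerts.append((ev.image, reasons))
    return alerts


if __name__ == "__main__":
    for image, reasons in triage(SAMPLE_EVENTS):
        print(image)
        for r in reasons:
            print("  -", r)
```

The threshold keeps single-signal loads (a vendor application loading its own unsigned helper DLL from Program Files) out of the alert list, while the temp-directory case in the sample trips all three checks. In a real deployment the signature fields would come from the endpoint sensor, and the system DLL list would be populated from the host's own System32 inventory rather than hard-coded.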

Furthermore, this Chinese hacking group has been discovered leveraging the Cloudflare content delivery network (CDN) to proxy traffic to its attacker-controlled command-and-control (C2) servers, indicating that its TTPs are evolving.

Researchers claimed that the group employed this tactic to evade security defences. The actors may also have used it to blend in with legitimate CDN traffic, complicating detection efforts.

Separate investigations also uncovered ten administrative servers communicating with two known RedDelta C2 sites. All ten IP addresses are registered to China Unicom Henan Province.

The development follows reports of a recent cyberattack on the United States: the Treasury Department was targeted by a hacking group known as Silk Typhoon, which was previously linked to the zero-day exploitation of four vulnerabilities in Microsoft Exchange Server in 2021.
