Campaign

RedNovember targets exposed edge devices

Updated 24.09.2025 19:36

Case score 57

Case score 57 Members 1 Latest activity 24.09.2025 19:36

Members 1 First seen 24.09.2025 04:00 Last seen 24.09.2025 04:00 Updated 24.09.2025 19:36

Overview

**RedNovember**, also tracked as **Storm-2077**, is a suspected Chinese espionage operation focused on internet-facing perimeter appliances. Recorded Future says the group moved quickly after public vulnerability disclosures and used exploit-driven access together with tools such as **LESLIELOADER**, **Pantegana**, and **Cobalt Strike**. The available evidence ties the activity to **CVE-2024-24919** on Check Point gateways and **CVE-2024-3400** on Palo Alto Networks **PAN-OS GlobalProtect**, with victim reporting across multiple regions and sensitive sectors. Patch and hardening guidance for exposed edge devices narrows the window for abuse, but the full scale of compromise remains unknown.

Key facts

**RedNovember** / **Storm-2077** is an espionage campaign that targets internet-facing perimeter appliances and reacts quickly to public vulnerability disclosures.
The activity is tied to **CVE-2024-24919** on Check Point systems and **CVE-2024-3400** on **Palo Alto Networks PAN-OS GlobalProtect**.
Intrusions used **LESLIELOADER**, **Pantegana**, and **Cobalt Strike** after initial access.
Reported and likely victims span **Africa**, **Asia**, **North America**, **South America**, and **Oceania**, with interest in **government**, **defense and aerospace**, **space**, and **law** organizations.
Reconnaissance in Taiwan included a site tied to semiconductor research and a Taiwanese military airbase.
Check Point released a fix for **CVE-2024-24919**, and vendor guidance calls for mitigation or stronger protection on exposed perimeter devices.

Malware context

4 families · 1 tools

Tools

Cobalt Strike

Signals

8 derived

CVEs/products

CVE CVE

Victims/regions

Sector government Victim region Taiwan

Threat context

Actor RedNovember Actor Storm-2077 Malware Tooling

Member happenings

1 related

Campaign RedNovember (Storm-2077) public-PoC espionage campaign

Updated 24.09.2025 04:00 Lead Contribution 57

Campaign Active Objective Espionage

**RedNovember** is a suspected **Chinese state-sponsored** campaign also tracked as **Storm-2077** that targeted **perimeter appliances** of high-profile organizations globally between **June 2024 and July 2025**. Recorded Future says the group used the **Go-based backdoor Pantegana** and **Cobalt Strike** during intrusions, and earlier abuse included **CVE-2024-24919** and **CVE-2024-3400** on exposed security products. The activity expanded across **government** and **private sector** targets, including **defense and aerospace**, **space organizations**, and **law firms**. The campaign matters because it shows a persistent espionage operation that uses public exposure on internet-facing devices to gain access across multiple regions and sectors.

View happening