Campaign
RedNovember targets exposed edge devices
Updated 24.09.2025 19:36
Case score 57
Why this score?
Case score is a discovery signal based on public evidence, not a guaranteed risk rating. Use it to decide what to review first, then verify important details from the linked sources.
- Total
- 57
- Main story score
- 57
- Related evidence lift
- +0 / 20
- Contributing updates
- 0
- Context updates
- 0
Top contributors
- Campaign Primary campaign event with the full case value and no additional supporting activity. main
Case score 57
Members 1
Latest activity 24.09.2025 19:36
Members 1
First seen 24.09.2025 04:00
Last seen 24.09.2025 04:00
Updated 24.09.2025 19:36
Overview
**RedNovember**, also tracked as **Storm-2077**, is a suspected Chinese espionage operation focused on internet-facing perimeter appliances. Recorded Future says the group moved quickly after public vulnerability disclosures and used exploit-driven access together with tools such as **LESLIELOADER**, **Pantegana**, and **Cobalt Strike**.
The available evidence ties the activity to **CVE-2024-24919** on Check Point gateways and **CVE-2024-3400** on Palo Alto Networks **PAN-OS GlobalProtect**, with victim reporting across multiple regions and sensitive sectors. Patch and hardening guidance for exposed edge devices narrows the window for abuse, but the full scale of compromise remains unknown.
RedNovember, also tracked as Storm-2077, is a suspected Chinese state-sponsored espionage operation that targets internet-facing perimeter appliances and moves quickly after public vulnerability disclosures. Recorded Future says the activity ran from June 2024 through July 2025 and used exploit-driven access against exposed devices to reach governments and private-sector organizations. The campaign has been tied to earlier abuse of CVE-2024-24919 on Check Point systems and CVE-2024-3400 on Palo Alto Networks PAN-OS GlobalProtect, along with tooling such as LESLIELOADER, Pantegana, and Cobalt Strike.
Reported and likely victims span Africa, Asia, North America, South America, and Oceania, with interest in defense and aerospace, space, and law organizations. The activity also includes reconnaissance in Taiwan tied to semiconductor research and a military airbase, showing interest in strategically sensitive infrastructure. Check Point released a fix for CVE-2024-24919, and the available evidence suggests defenders need to treat newly disclosed edge-device flaws as immediate attack enablers, but the full extent of compromise remains unquantified.
Signals
9 derivedCVEs/products
CVE
CVE
Victims/regions
Sector
government
Victim region
Taiwan
Status
Campaign status
Active
Threat context
Actor
RedNovember
Actor
Storm-2077
Malware
Tooling
Malware context
4 families · 1 toolsTools
Cobalt Strike
Member happenings
1 related
Campaign
RedNovember (Storm-2077) public-PoC espionage campaign
Objective
Espionage
Campaign
Active
Campaign
RedNovember (Storm-2077) public-PoC espionage campaign
Objective
Espionage
Campaign
Active