Find notable cyber news and cases, enriched with sources, timelines, and signals.
Campaign

RedNovember targets exposed edge devices

Updated 24.09.2025 19:36
Case score 57
Case score 57 Members 1 Latest activity 24.09.2025 19:36
Members 1 First seen 24.09.2025 04:00 Last seen 24.09.2025 04:00 Updated 24.09.2025 19:36

Overview

**RedNovember**, also tracked as **Storm-2077**, is a suspected Chinese espionage operation focused on internet-facing perimeter appliances. Recorded Future says the group moved quickly after public vulnerability disclosures and used exploit-driven access together with tools such as **LESLIELOADER**, **Pantegana**, and **Cobalt Strike**. The available evidence ties the activity to **CVE-2024-24919** on Check Point gateways and **CVE-2024-3400** on Palo Alto Networks **PAN-OS GlobalProtect**, with victim reporting across multiple regions and sensitive sectors. Patch and hardening guidance for exposed edge devices narrows the window for abuse, but the full scale of compromise remains unknown.

Signals

9 derived
CVEs/products
CVE CVE
Victims/regions
Sector government Victim region Taiwan
Status
Campaign status Active
Threat context
Actor RedNovember Actor Storm-2077 Malware Tooling

Malware context

4 families · 1 tools
Tools
Cobalt Strike

Member happenings

1 related
Campaign RedNovember (Storm-2077) public-PoC espionage campaign
Updated 24.09.2025 04:00 Lead Contribution 57
Objective Espionage Campaign Active

**RedNovember** is a suspected **Chinese state-sponsored** campaign also tracked as **Storm-2077** that targeted **perimeter appliances** of high-profile organizations globally between **June 2024 and July 2025**. Recorded Future says the group used the **Go-based backdoor Pantegana** and **Cobalt Strike** during intrusions, and earlier abuse included **CVE-2024-24919** and **CVE-2024-3400** on exposed security products. The activity expanded across **government** and **private sector** targets, including **defense and aerospace**, **space organizations**, and **law firms**. The campaign matters because it shows a persistent espionage operation that uses public exposure on internet-facing devices to gain access across multiple regions and sectors.