RedNovember (Storm-2077) public-PoC espionage campaign
Campaign
Summary
RedNovember is a suspected Chinese state-sponsored campaign, also tracked as Storm-2077, that targeted perimeter appliances of high-profile organizations globally between June 2024 and July 2025. Recorded Future says the group used the Go-based backdoor Pantegana and Cobalt Strike during intrusions, and earlier activity included exploitation of CVE-2024-24919 and CVE-2024-3400 on exposed security products. The activity expanded across government and private-sector targets, including defense and aerospace, space organizations, and law firms. The campaign matters because it shows a persistent espionage operation that uses publicly available proof-of-concept exploits against internet-facing devices to gain access across multiple regions and sectors.
Cases
Related Happenings
Webworm multi-country targeting campaign against government and enterprise victims
Campaign
First: 20.05.2026 15:51
Last: 20.05.2026 15:51
Sources 1
About this happening:
**Webworm** is running a **multi-country targeting campaign** against **government agencies and enterprises**, expanding the risk of persistent access across several regions. The...
Webworm expanded European government and South Africa university espionage campaign
Campaign
First: 20.05.2026 14:30
Last: 20.05.2026 14:30
Sources 1
About this happening:
Webworm expanded its **2025 espionage campaign** into **European government organizations** and a **university in South Africa**, widening the cross-region targeting risk. The ope...
MuddyWater broad cyber-espionage campaign across sectors and countries
Campaign
First: 14.05.2026 00:59
Last: 14.05.2026 00:59
Sources 1
About this happening:
**MuddyWater** was tied to a **2026 espionage campaign** affecting **at least nine organizations** across **nine countries** on **four continents**, with victims in **industrial a...
UAT-8302 government-targeting campaign across South America and southeastern Europe
Campaign
First: 05.05.2026 17:19
Last: 05.05.2026 17:19
Sources 1
About this happening:
The **UAT-8302** campaign has been tied to attacks on **government entities** in **South America** and **southeastern Europe**, showing a multi-region operation with post-exploita...
Silk Typhoon / Hafnium coordinated intelligence-gathering campaign
Campaign
First: 27.04.2026 22:56
Last: 27.04.2026 22:56
Sources 1
About this happening:
The **Silk Typhoon / Hafnium** operation is tied to a **coordinated intelligence-gathering campaign** spanning **February 2020 to June 2021**, underscoring a sustained espionage e...
Latest development: 28.04.2026 15:30
US officials described Silk Typhoon/Hafnium activity from February 2020 to June 2021 as a coordinated intelligence-gathering campaign that targeted US universities and COVID-19 researchers, including a Texas university network, and later expanded into Microsoft Exchange Server vulnerability exploitation. The operation reportedly used stolen mailbox access to search for vaccines, treatments, and testing research, and the FBI said the campaign affected more than 12,700 US organizations.
Timeline
- 24.09.2025 04:00 · 1 article · 8mo ago
Check Point releases CVE-2024-24919 fix
Mitigation Patch Update: Check Point security gateways were patched on May 28, 2024 after CVE-2024-24919, a high-severity arbitrary file read flaw, was acknowledged by the vendor. The fix followed exploitation of the issue as a zero-day in April and May 2024 and narrowed the immediate window for exposed gateways.
- Chinese APT Uses OSS & PoCs to Spy on Other Countries — www.darkreading.com — 24.09.2025 04:00
- 24.09.2025 04:00 · 1 article · 8mo ago
RedNovember recon on Taiwanese strategic infrastructure
Campaign Scope Update: On Dec. 9, 2024, RedNovember performed cyber reconnaissance on a location in Taiwan tied to semiconductor research and development and a Taiwanese military airbase. The activity continued for a week after that date, underscoring interest in strategically sensitive infrastructure.
- Chinese APT Uses OSS & PoCs to Spy on Other Countries — www.darkreading.com — 24.09.2025 04:00
- 24.09.2025 04:00 · 3 articles · 8mo ago
Recorded Future describes RedNovember's PoC-driven espionage
Initial Disclosure: Recorded Future described RedNovember, also tracked as Storm-2077, as a Chinese APT that watches vulnerability disclosures and moves quickly when public PoCs appear. The group was tied to probes against Check Point security gateways and Palo Alto GlobalProtect, used tools such as LeslieLoader, SparkRAT, Pantegana, and Cobalt Strike, and was associated with espionage against governments and sensitive-sector organizations across multiple regions.
- Chinese APT Uses OSS & PoCs to Spy on Other Countries — www.darkreading.com — 24.09.2025 04:00
- Chinese Hackers RedNovember Target Global Governments Using Pantegana and Cobalt Strike — thehackernews.com — 24.09.2025 19:36