RedNovember-Storm-2077-TAG-100 alliance reshapes ransomware ecosystem operations

Threat Actor Meta
First reported
Last updated
Happening score
H score 48
1 unique source, 1 article

Summary

Recorded Future has reclassified TAG-100 as RedNovember, clarifying a Chinese state-sponsored espionage actor also tracked by Microsoft as Storm-2077. The identity update matters because it consolidates multiple labels for the same cluster and highlights a broader threat footprint across government and private sector targets worldwide. The actor's remit has expanded into defense, aerospace, space, and law firms, signaling wider intelligence requirements and a larger operational reach.

Related Happenings

CISA adds ScreenConnect and Windows flaws to KEV

Public Sector Action
First: 29.04.2026 11:46 Last: 29.04.2026 11:46 Sources 1

About this happening: CISA added **CVE-2024-1708** and **CVE-2026-32202** to the **KEV catalog**, elevating the flaws to a **federal remediation priority** because they are being **actively exploited**...

TA416 European government espionage campaign

Campaign
First: 01.04.2026 15:05 Last: 01.04.2026 15:05 Sources 1

About this happening: TA416 has resumed **cyber espionage** activity, targeting **European governments** and **EU/NATO diplomatic missions** with a renewed malware-delivery operation that raises cross-...

Latest development: 03.04.2026 20:34

TA416 expanded its espionage campaign to Middle Eastern government and diplomatic entities after the outbreak of the U.S.-Israel-Iran conflict in late February 2026, while linking to archives hosted on Google Drive or a compromised SharePoint instance to refine its PlugX delivery chain and collect regional intelligence.

Microsoft launches agent guardrails, identities, and Security Copilot updates for agentic AI

Security Tool/Service
First: 24.03.2026 14:28 Last: 24.03.2026 14:28 Sources 1

About this happening: **Microsoft** rolled out new **agentic AI security controls** at **RSAC Conference**, adding preview **guardrails in Microsoft Foundry**, **agent identities in Entra ID**, and upd...

OFAC sanctions DPRK IT worker scheme network

Regulatory/Legal Action
First: 18.03.2026 19:26 Last: 18.03.2026 19:26 Sources 1

About this happening: **OFAC** sanctioned **Ryujong Credit Bank**, **KMCTC**, and **eight individuals** tied to **North Korean cryptocurrency laundering** and **fraudulent IT worker schemes**. The **U....

Russian-speaking threat actor campaign expands across multiple victims

Campaign
First: 09.03.2026 01:35 Last: 09.03.2026 01:35 Sources 1

About this happening: A **Russian-speaking threat actor** ran an **AI-augmented campaign** against **FortiGate security appliances**, using **multiple commercial AI services** to scale compromise attem...

Timeline

  1. 24.09.2025 19:36 · 2 articles

    Recorded Future maps TAG-100 to RedNovember and Storm-2077

    Attribution Update

    Recorded Future reclassifies TAG-100 as RedNovember and links it to Microsoft’s Storm-2077 tracking, describing a suspected Chinese state-sponsored cluster that targeted perimeter appliances of high-profile organizations worldwide between June 2024 and July 2025. The activity is associated with Pantegana, Cobalt Strike, Spark RAT, and a LESLIELOADER variant, and the targeting remit expanded across government and private sector organizations, including defense and aerospace organizations, space organizations, and law firms across Africa, Asia, North America, South America, and Oceania.
