RedNovember Targets Global Governments and Private Sector with Pantegana and Cobalt Strike
Summary
RedNovember, a Chinese state-sponsored threat actor, has been actively targeting global government and private sector organizations since June 2024. The group has used the Go-based backdoor Pantegana, Cobalt Strike, and LeslieLoader in its intrusions, focusing on high-profile targets across Africa, Asia, North America, South America, and Oceania. The targets include defense and aerospace organizations, space organizations, law firms, and various government entities. The actor leverages VPN services and exploits known vulnerabilities in perimeter appliances to gain initial access. The group's activities highlight a trend of targeting security solutions to maintain long-term persistence within compromised networks. RedNovember's operations are closely aligned with Chinese state interests, targeting sectors and regions of strategic importance.
Timeline
- 24.09.2025 19:36 · 2 articles
  RedNovember targets global governments and private sector with Pantegana and Cobalt Strike
  Between June 2024 and July 2025, RedNovember targeted perimeter appliances of high-profile organizations globally. The group used the Go-based backdoor Pantegana and Cobalt Strike as part of its intrusions. The actor has expanded its targeting to include defense and aerospace organizations, space organizations, and law firms. The group's activities have been observed in multiple countries, including a ministry of foreign affairs in central Asia, a state security organization in Africa, a European government directorate, and a Southeast Asian government. RedNovember exploits vulnerabilities in perimeter appliances from vendors like Check Point, Cisco, Citrix, F5, Fortinet, Ivanti, Palo Alto Networks, and SonicWall. The actor uses the Go-based LeslieLoader to deploy programs like SparkRAT, Pantegana, and Cobalt Strike. The group uses commercial VPNs like ExpressVPN to connect to its own infrastructure. RedNovember's targets include manufacturers in Europe, American oil and gas companies, and government entities throughout Southeast Asia. The actor's activities are closely aligned with Chinese state interests, targeting defense and aerospace organizations in the West and foreign affairs ministries in Asia. RedNovember spied on Panamanian organizations in finance, transportation, international relations, land and economic development, and emergency services following a state visit from the U.S. Defense Secretary. The group performed cyber reconnaissance on a location in Taiwan that is home to semiconductor research and development and a Taiwanese military airbase during a geopolitical event.
  Sources:
  - Chinese Hackers RedNovember Target Global Governments Using Pantegana and Cobalt Strike — thehackernews.com — 24.09.2025 19:36
  - Chinese APT Uses OSS & PoCs to Spy on Other Countries — www.darkreading.com — 24.09.2025 04:00
Information Snippets
- RedNovember, also tracked as TAG-100 and Storm-2077, targets global government and private sector organizations.
  First reported: 24.09.2025 04:00 · 2 sources, 2 articles. Sources:
  - Chinese Hackers RedNovember Target Global Governments Using Pantegana and Cobalt Strike — thehackernews.com — 24.09.2025 19:36
  - Chinese APT Uses OSS & PoCs to Spy on Other Countries — www.darkreading.com — 24.09.2025 04:00
- The actor uses Pantegana, SparkRAT, and Cobalt Strike in its intrusions.
  First reported: 24.09.2025 04:00 · 2 sources, 2 articles. Sources:
  - Chinese Hackers RedNovember Target Global Governments Using Pantegana and Cobalt Strike — thehackernews.com — 24.09.2025 19:36
  - Chinese APT Uses OSS & PoCs to Spy on Other Countries — www.darkreading.com — 24.09.2025 04:00
- RedNovember exploits vulnerabilities in perimeter appliances from vendors like Check Point, Cisco, Citrix, F5, Fortinet, Ivanti, Palo Alto Networks, and SonicWall.
  First reported: 24.09.2025 04:00 · 2 sources, 2 articles. Sources:
  - Chinese Hackers RedNovember Target Global Governments Using Pantegana and Cobalt Strike — thehackernews.com — 24.09.2025 19:36
  - Chinese APT Uses OSS & PoCs to Spy on Other Countries — www.darkreading.com — 24.09.2025 04:00
- The group uses VPN services like ExpressVPN and Warp VPN to administer and connect to exploitation servers.
  First reported: 24.09.2025 04:00 · 2 sources, 2 articles. Sources:
  - Chinese Hackers RedNovember Target Global Governments Using Pantegana and Cobalt Strike — thehackernews.com — 24.09.2025 19:36
  - Chinese APT Uses OSS & PoCs to Spy on Other Countries — www.darkreading.com — 24.09.2025 04:00
- The actor's targets include defense contractors, government entities, and high-profile organizations in various sectors.
  First reported: 24.09.2025 04:00 · 2 sources, 2 articles. Sources:
  - Chinese Hackers RedNovember Target Global Governments Using Pantegana and Cobalt Strike — thehackernews.com — 24.09.2025 19:36
  - Chinese APT Uses OSS & PoCs to Spy on Other Countries — www.darkreading.com — 24.09.2025 04:00
- RedNovember's activities have been observed in Panama, the U.S., Taiwan, and South Korea.
  First reported: 24.09.2025 04:00 · 2 sources, 2 articles. Sources:
  - Chinese Hackers RedNovember Target Global Governments Using Pantegana and Cobalt Strike — thehackernews.com — 24.09.2025 19:36
  - Chinese APT Uses OSS & PoCs to Spy on Other Countries — www.darkreading.com — 24.09.2025 04:00
- RedNovember uses the Go-based LeslieLoader to deploy programs like SparkRAT, Pantegana, and Cobalt Strike.
  First reported: 24.09.2025 04:00 · 1 source, 1 article. Sources:
  - Chinese APT Uses OSS & PoCs to Spy on Other Countries — www.darkreading.com — 24.09.2025 04:00
- RedNovember uses commercial VPNs like ExpressVPN to connect to its own infrastructure.
  First reported: 24.09.2025 04:00 · 1 source, 1 article. Sources:
  - Chinese APT Uses OSS & PoCs to Spy on Other Countries — www.darkreading.com — 24.09.2025 04:00
- RedNovember's targets include manufacturers in Europe, American oil and gas companies, and government entities throughout Southeast Asia.
  First reported: 24.09.2025 04:00 · 1 source, 1 article. Sources:
  - Chinese APT Uses OSS & PoCs to Spy on Other Countries — www.darkreading.com — 24.09.2025 04:00
- RedNovember's activities are closely aligned with Chinese state interests, targeting defense and aerospace organizations in the West and foreign affairs ministries in Asia.
  First reported: 24.09.2025 04:00 · 1 source, 1 article. Sources:
  - Chinese APT Uses OSS & PoCs to Spy on Other Countries — www.darkreading.com — 24.09.2025 04:00
- RedNovember spied on Panamanian organizations in finance, transportation, international relations, land and economic development, and emergency services following a state visit from the U.S. Defense Secretary.
  First reported: 24.09.2025 04:00 · 1 source, 1 article. Sources:
  - Chinese APT Uses OSS & PoCs to Spy on Other Countries — www.darkreading.com — 24.09.2025 04:00
- RedNovember performed cyber reconnaissance on a location in Taiwan that is home to semiconductor research and development and a Taiwanese military airbase during a geopolitical event.
  First reported: 24.09.2025 04:00 · 1 source, 1 article. Sources:
  - Chinese APT Uses OSS & PoCs to Spy on Other Countries — www.darkreading.com — 24.09.2025 04:00
Similar Happenings
Subtle Snail APT Targets Global Telcos and Satellite Operators
Subtle Snail (UNC1549) has conducted a series of cyberattacks against 11 global telecommunications, satellite, and aerospace companies in recent weeks. The attacks, which occurred over a short period, targeted key personnel in these industries using highly customized phishing lures and malware. The primary goals appear to be data theft for research and development and call data records (CDRs) for espionage. The group has been active since at least June 2022, focusing on aerospace, defense, and telecommunications sectors. Their tactics include extensive background research on targets and the use of custom malware, particularly the MiniBike backdoor, which employs modular components to evade detection. The attacks have been observed across the Middle East, Europe, and North America, with victims including major companies serving millions of customers. The group is believed to be affiliated with Iran's Islamic Revolutionary Guard Corps (IRGC). Subtle Snail has expanded its operations to target critical infrastructure organizations in Western Europe, specifically in Denmark, Portugal, and Sweden. The group uses new malware variants, MiniJunk and MiniBrowse, to conduct its attacks. MiniJunk is a highly obfuscated backdoor that provides persistent access to infected systems, while MiniBrowse is a lightweight stealer designed to steal credentials from Chrome and Edge browsers.
Espionage campaign targets Eastern Asia using hijacked Sogou Zhuyin update server
An espionage campaign, codenamed TAOTH, has been targeting users in Eastern Asia since June 2025. The attackers hijacked an abandoned update server for the Sogou Zhuyin input method editor (IME) software to distribute multiple malware families, including C6DOOR and GTELAM. The campaign primarily targets dissidents, journalists, researchers, and technology/business leaders in China, Taiwan, Hong Kong, Japan, South Korea, and overseas Taiwanese communities. The attackers took control of the lapsed domain name associated with Sogou Zhuyin in October 2024 and used it to disseminate malicious payloads. The malware families deployed serve various purposes, including remote access, information theft, and backdoor functionality. The attack chain begins with users downloading the official installer for Sogou Zhuyin, which triggers a malicious update process. The campaign has impacted several hundred victims, with Taiwan accounting for 49% of all targets. The attackers also leveraged third-party cloud services to conceal their network activities.
ShadowSilk targets government entities in Central Asia and APAC using Telegram bots
ShadowSilk, a threat activity cluster, has targeted nearly three dozen government entities in Central Asia and the Asia-Pacific (APAC) region. The attacks, primarily aimed at data exfiltration, leverage spear-phishing emails and Telegram bots for command-and-control (C2) traffic to evade detection. The group employs a diverse toolkit, including public exploits and custom malware, to maintain persistence and move laterally within networks. The victims span Uzbekistan, Kyrgyzstan, Myanmar, Tajikistan, Pakistan, and Turkmenistan, with a focus on government organizations and, to a lesser extent, entities in the energy, manufacturing, retail, and transportation sectors. ShadowSilk's operations are run by a bilingual crew, with Russian-speaking developers and Chinese-speaking operators, indicating a multi-regional threat profile.
Chinese State-Sponsored Actors Targeting Global Critical Infrastructure
Chinese state-sponsored Advanced Persistent Threat (APT) actors, specifically the Salt Typhoon group, are conducting a sustained campaign to gain long-term access to critical infrastructure networks worldwide. These actors exploit vulnerabilities in routers and other edge network devices used by telecommunications providers, ISPs, and other infrastructure operators. The campaign targets telecommunications, transportation, lodging, government, and military networks. The actors employ tactics to evade detection and maintain persistent access, posing a significant threat to national and economic security. The advisory provides actionable guidance to help organizations strengthen their defenses and protect critical systems. The campaign has targeted at least 600 organizations across 80 countries, including 200 in the U.S. The advisory details how state-backed threat actors, including Salt Typhoon, penetrate networks around the world and how defenders can protect their own environments. The advisory tracks this cluster of activity to multiple advanced persistent threats (APTs), though it partially overlaps with Salt Typhoon. The advisory notes that the actors have had considerable success exploiting publicly known vulnerabilities, including Ivanti Connect Secure, Ivanti Policy Secure, Palo Alto Networks PAN-OS, and Cisco IOS XE vulnerabilities. The advisory suspects that the APT actors may target other devices, including Fortinet firewalls, Juniper firewalls, Microsoft Exchange, Nokia routers and switches, Sierra Wireless devices, and SonicWall firewalls. The actors use multiple tactics to maintain persistence, including modifying Access Control Lists (ACLs), opening standard and non-standard ports, enabling SSH servers, and creating tunnels over protocols. The actors target protocols and infrastructure involved in authentication, such as Terminal Access Controller Access Control System Plus (TACACS+), to facilitate lateral movement across network devices.
The advisory provides extensive recommendations for mitigating these threats, including monitoring network device configuration changes, auditing network services and tunnels, and checking logs for integrity. The advisory highlights a critical shift in Chinese state-sponsored activity from purely espionage to gaining long-term access for potential disruption. 45 previously unreported domains associated with Salt Typhoon and UNC4841 have been discovered, dating back to May 2020. The oldest domain identified is onlineeylity[.]com, registered on May 19, 2020. The domains were registered using Proton Mail email addresses and fake personas. The domains point to high-density and low-density IP addresses, with the earliest activity traced back to October 2021. The domains are linked to Chinese cyber espionage campaigns, with potential overlaps between Salt Typhoon and UNC4841.
The latest BrickStorm campaign was linked by Google researchers to UNC5221, but also to other related Chinese threat actors. The campaign has been monitored by Mandiant since March 2025, with the attackers targeting industries such as legal services, software-as-a-service (SaaS), technology, and business process outsourcing (BPO). On average, the cyberspies spent 393 days in the targeted networks. The attackers have deployed the BrickStorm malware on various types of appliances, many of which do not support traditional EDR and other security solutions. The threat actor deployed BRICKSTORM to a network appliance prior to pivoting to VMware systems. The latest BrickStorm campaign has been aimed at high-value targets and its goal has not been limited to traditional cyberespionage. The Chinese hackers leveraged the access they obtained to pivot to the downstream customers of compromised SaaS providers. The threat actors are stealing proprietary source code and other intellectual property related to enterprise technologies that many other companies use. The threat actors are analyzing the stolen source code to find flaws and zero-day vulnerabilities to exploit in enterprise technology products.
Static Tundra Exploits Cisco IOS Flaw for Cyber Espionage
The Russian state-sponsored cyber espionage group Static Tundra, also known as Berserk Bear, Blue Kraken, Castle, Crouching Yeti, Dragonfly, Ghost Blizzard, and Koala Team, has been actively exploiting a seven-year-old vulnerability in Cisco IOS and Cisco IOS XE software to gain persistent access to target networks. The attacks target organizations in the telecommunications, higher education, and manufacturing sectors across North America, Asia, Africa, and Europe. The vulnerability, CVE-2018-0171, allows unauthenticated, remote attackers to execute arbitrary code or trigger a denial-of-service condition. The group, linked to the FSB's Center 16 unit, focuses on long-term intelligence gathering operations. The FBI and Cisco Talos have issued advisories warning about the ongoing exploitation of CVE-2018-0171 by Static Tundra. The FBI has observed FSB cyber actors exploiting SNMP and end-of-life networking devices running the unpatched vulnerability to target entities in the United States and globally. The attackers collect configuration files for thousands of networking devices and modify them to facilitate unauthorized access. They use custom tools like SYNful Knock to maintain persistence within victim networks. Static Tundra uses publicly available scan data to identify systems of interest and sets up GRE tunnels to redirect traffic to attacker-controlled infrastructure. The group's activities are primarily focused on unpatched, end-of-life network devices to establish access on primary targets and facilitate secondary operations. The ongoing campaign highlights the importance of maintaining a current inventory of network infrastructure and prioritizing patching for end-of-life devices. The FBI has also warned about the group targeting US state, local, territorial, and tribal (SLTT) government organizations and aviation entities over the last decade. The U.S. Department of State is offering up to $10 million for information on three FSB officers involved in cyberattacks targeting U.S. critical infrastructure.