Monday, September 29, 2025


Chinese Cyberspies Hacked US Defense Contractors

A Chinese cyberespionage group has compromised at least two US defense contractors and various other organizations in the Americas, Europe, Asia, and Africa, cybersecurity firm Recorded Future reports.

Between July 2024 and July 2025, the threat actor, tracked as RedNovember, was seen targeting high-profile organizations globally, across government, defense, aerospace, and other industries.

For initial access, the cyberspies compromised edge devices from Cisco, F5, Fortinet, Ivanti, Palo Alto Networks, SonicWall, and Sophos, as well as Outlook Web Access (OWA) instances.

As part of the attacks, RedNovember deployed a Go-based backdoor dubbed Pantegana, offensive security tools such as Cobalt Strike and SparkRAT, and open source tools for initial access, reconnaissance, and follow-up activities.

The threat actor, Recorded Future notes, is known for using Pantegana as its command-and-control (C&C) framework, along with Cobalt Strike, and continues to rely on ExpressVPN for server management, while also likely adopting Warp VPN for remote access to its infrastructure.

The cybersecurity firm observed the cyberespionage group targeting the OWA portals of a South American country prior to a state visit in China, and those of ministries of foreign affairs in Southeast Asia and South America.

Over the past year, the group has targeted government and diplomatic organizations in multiple countries, across Africa, Asia, Europe, and South America, and is believed to have maintained long-term access to an intergovernmental organization based in Southeast Asia.

RedNovember was seen targeting prominent US aerospace and defense organizations and defense industrial base entities, as well as other global defense organizations, including a European space-focused research center.


In April 2025, the group targeted a US engineering and military contractor. While communication between the threat actor’s infrastructure and two internet-accessible ICS VPN endpoints within the organization was seen, Recorded Future did not find enough evidence to conclude successful compromise.

“Also in April 2025, RedNovember conducted extensive reconnaissance against an IP address space associated with a higher education institution associated with the US Navy,” the cybersecurity firm notes.

The cyberespionage group was also observed targeting private organizations, including European manufacturing firms, a global law firm, a Taiwanese IT company, two American oil and gas companies, multiple Fijian financial institutions, government entities, media organizations, and transportation authorities.

Other targets include an American newspaper, a US engineering and military contractor, and two South Korean scientific research and nuclear regulation institutions.

According to Recorded Future, RedNovember’s attack campaigns mainly focus on reconnaissance and the exploitation of newly disclosed vulnerabilities in edge devices, including Palo Alto Networks GlobalProtect firewalls, Ivanti Connect Secure instances, Check Point VPN gateways, Sophos UTM login portals, SonicWall SonicOS and SonicWall SSL-VPN instances, and F5 BIG-IP devices.

The cybersecurity firm believes that “RedNovember, along with other Chinese state-sponsored threat activity groups, will almost certainly continue to target edge devices and exploit vulnerabilities soon after their release.”
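The practical consequence of that assessment is that the window between a vendor advisory and exploitation of internet-facing edge devices is short, so defenders need a fast answer to "which of our exposed devices is still running a pre-fix version, and for how long has the fix been public?" The script below is an added example written for this article, not code from Recorded Future or from any vendor named here: it joins a constructed device inventory against a constructed advisory feed, flags internet-facing devices below the fixed version, and marks those whose fix has been public longer than a chosen number of days. Product family names follow the report; every hostname, version number, advisory id and date is made up, and the advisory ids are placeholders rather than real CVE numbers.

```python
"""Exposure-window check for internet-facing edge devices.

Added example (not from the Recorded Future report or this article):
given an inventory of edge devices and a feed of vendor advisories,
list every internet-facing device still running a version below the
fixed version, with the number of days the fix has been public.
All inventory entries, advisory ids, versions and dates are constructed.
"""
from dataclasses import dataclass
from datetime import date


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '9.1.18' into (9, 1, 18) so versions compare numerically;
    as strings '9.1.18' sorts before '9.1.2', which is wrong."""
    return tuple(int(part) for part in text.split("."))


@dataclass(frozen=True)
class EdgeDevice:
    hostname: str
    product: str            # product family as named in the advisory feed
    version: str
    internet_facing: bool


@dataclass(frozen=True)
class Advisory:
    advisory_id: str        # placeholder id, not a real CVE number
    product: str
    fixed_version: str      # first version that contains the fix
    published: date


def exposure_report(devices, advisories, today, max_days=7):
    """Return one finding per (device, advisory) pair where an
    internet-facing device runs a version older than the fix.
    'overdue' is True once the fix has been public longer than max_days
    (an assumed triage threshold, not a figure from the report)."""
    findings = []
    for dev in devices:
        if not dev.internet_facing:
            continue  # still needs patching, but not reachable from the internet
        for adv in advisories:
            if adv.product != dev.product:
                continue
            if parse_version(dev.version) < parse_version(adv.fixed_version):
                days_public = (today - adv.published).days
                findings.append({
                    "hostname": dev.hostname,
                    "product": dev.product,
                    "running": dev.version,
                    "fixed_in": adv.fixed_version,
                    "advisory": adv.advisory_id,
                    "days_public": days_public,
                    "overdue": days_public > max_days,
                })
    # Longest-exposed first: that is the order to work the patch queue in.
    findings.sort(key=lambda f: f["days_public"], reverse=True)
    return findings


# Constructed sample data: product names follow the families named in the
# report; hosts, versions, ids and dates are invented for the example.
INVENTORY = [
    EdgeDevice("vpn-gw-01", "Ivanti Connect Secure", "22.7.1", True),
    EdgeDevice("fw-edge-02", "Palo Alto Networks GlobalProtect", "11.1.4", True),
    EdgeDevice("lb-dmz-03", "F5 BIG-IP", "17.1.2", True),
    EdgeDevice("lab-vpn-04", "Ivanti Connect Secure", "22.7.1", False),
]

ADVISORIES = [
    Advisory("ADV-PLACEHOLDER-1", "Ivanti Connect Secure", "22.7.2", date(2025, 7, 1)),
    Advisory("ADV-PLACEHOLDER-2", "Palo Alto Networks GlobalProtect", "11.1.4", date(2025, 6, 15)),
    Advisory("ADV-PLACEHOLDER-3", "F5 BIG-IP", "17.1.3", date(2025, 7, 10)),
]


def run_sample(today=date(2025, 7, 14)):
    """Run the check over the constructed data as of a fixed date."""
    return exposure_report(INVENTORY, ADVISORIES, today)


if __name__ == "__main__":
    for f in run_sample():
        flag = "OVERDUE" if f["overdue"] else "within window"
        print(f"{f['hostname']:12} {f['product']:34} {f['running']} -> {f['fixed_in']} "
              f"({f['advisory']}, public {f['days_public']}d, {flag})")
```

On the sample data the device already on the fixed version and the lab device that is not internet-facing produce no finding; the two remaining devices are listed longest-exposed first. In a real deployment the inventory would come from the asset system and the advisory feed from the vendors' published notices, and the `internet_facing` flag is worth verifying against external scan results rather than trusting the inventory alone, since the report describes these groups reaching devices precisely because they were reachable.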
