A Chinese state-sponsored cyberespionage group tracked as RedNovember has spent the past year compromising organizations around the world, with a particular focus on US defense contractors. According to a new report from cybersecurity firm Recorded Future, which covers activity between July 2024 and July 2025, the group has attacked a wide range of high-profile targets in government, defense, aerospace, and other critical industries. Its usual route in is the exploitation of vulnerable internet-facing edge devices from major networking vendors, including Cisco, F5, Fortinet, and Palo Alto Networks, as well as Outlook Web Access (OWA) portals.
Once inside a network, RedNovember deploys a variety of tools. The group has been observed using Pantegana, a Go-based backdoor that doubles as a command-and-control framework, alongside widely available offensive tooling such as Cobalt Strike and SparkRAT and assorted open-source utilities for reconnaissance and other tasks. Recorded Future notes that the group consistently administers its servers over ExpressVPN and has likely begun using Warp VPN for remote access to its infrastructure, a deliberate use of commercial services to blend in and obscure the true origin of its activity.
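Because the report ties the group to a Go-based backdoor, one practical first step when a suspicious executable turns up is to ask whether it is a Go binary at all and what the Go linker left inside it. The script below is an added example written for this page, not code from the article or from Recorded Future's report, and it makes no claim about Pantegana itself. It locates the build-info record that the Go linker writes (the format documented by the `debug/buildinfo` package in the Go standard library), reads the toolchain version and module information when they are stored inline (Go 1.18 and later), and falls back to a plain string scan for older layouts. The sample blobs, module path `example.com/agent`, and build flags are constructed for the demonstration and are not indicators from the report.

```python
import re
import sys

# Layout of the build-info record emitted by the Go linker (see debug/buildinfo in the Go
# standard library): 14-byte magic, 1 byte pointer size, 1 byte flags, padding to 32 bytes,
# then, when flags&2 is set (Go 1.18+), two uvarint-length-prefixed strings: the toolchain
# version and the module info. Older binaries store two pointers to those strings instead.
GO_BUILDINFO_MAGIC = b"\xff Go buildinf:"
HEADER_SIZE = 32
FLAG_INLINE_STRINGS = 0x02
# 16-byte sentinels that frame the module info string inside the binary.
MODINFO_SENTINEL = bytes.fromhex("3077af0c9274080241e1c107e6d618e6")
GO_VERSION_RE = re.compile(rb"go1\.\d+(?:\.\d+)?(?:(?:rc|beta)\d+)?")


def _read_uvarint(buf, pos):
    """Decode an unsigned LEB128 varint at buf[pos]; return (value, position after it)."""
    value, shift = 0, 0
    while True:
        if pos >= len(buf) or shift > 63:
            raise ValueError("bad varint")
        b = buf[pos]
        pos += 1
        value |= (b & 0x7F) << shift
        if b < 0x80:
            return value, pos
        shift += 7


def _read_string(buf, pos):
    """Read a uvarint-length-prefixed byte string."""
    n, pos = _read_uvarint(buf, pos)
    if pos + n > len(buf):
        raise ValueError("truncated string")
    return buf[pos:pos + n], pos + n


def parse_modinfo(text):
    """Pull the fields a responder wants out of the tab-separated modinfo lines."""
    info = {"path": None, "module": None, "module_version": None, "deps": [], "build": {}}
    for line in text.splitlines():
        f = line.split("\t")
        if f[0] == "path" and len(f) > 1:
            info["path"] = f[1]                       # main package that was built
        elif f[0] == "mod" and len(f) > 2:
            info["module"], info["module_version"] = f[1], f[2]
        elif f[0] == "dep" and len(f) > 2:
            info["deps"].append(f"{f[1]}@{f[2]}")     # third-party modules linked in
        elif f[0] == "build" and len(f) > 1:
            k, _, v = f[1].partition("=")            # e.g. -ldflags, GOOS, vcs.revision
            info["build"][k] = v
    return info


def triage_go_binary(data):
    """Return build metadata if `data` carries a Go build-info record, else None."""
    off = data.find(GO_BUILDINFO_MAGIC)
    if off < 0 or off + 16 > len(data):
        return None
    flags = data[off + 15]
    result = {"offset": off, "ptr_size": data[off + 14], "big_endian": bool(flags & 1),
              "go_version": None, "modinfo": None}
    if flags & FLAG_INLINE_STRINGS:
        try:
            vers, pos = _read_string(data, off + HEADER_SIZE)
            mod, _ = _read_string(data, pos)
            result["go_version"] = vers.decode("utf-8", "replace")
            # Same framing check debug/buildinfo applies before stripping the sentinels.
            framed = (len(mod) >= 33 and mod[-17] == 0x0A
                      and mod.startswith(MODINFO_SENTINEL) and mod.endswith(MODINFO_SENTINEL))
            if framed:
                result["modinfo"] = parse_modinfo(mod[16:-16].decode("utf-8", "replace"))
        except ValueError:
            pass
    if result["go_version"] is None:
        # Pre-1.18 layout: strings are only reachable via pointers, so scan for the version text.
        m = GO_VERSION_RE.search(data)
        if m:
            result["go_version"] = m.group(0).decode()
    return result


def _uvarint(n):
    """Encode an unsigned LEB128 varint (used only to build the constructed samples)."""
    out = bytearray()
    while True:
        b, n = n & 0x7F, n >> 7
        out.append(b | 0x80 if n else b)
        if not n:
            return bytes(out)


# Constructed sample: fake file bytes carrying a Go 1.18+-style record. Not a real binary.
_MODINFO = (b"path\texample.com/agent/cmd/agent\n"
            b"mod\texample.com/agent\t(devel)\t\n"
            b"dep\tgolang.org/x/sys\tv0.20.0\t\n"
            b"build\t-ldflags=-s -w\n"
            b"build\tGOOS=linux\n"
            b"build\tGOARCH=amd64\n")
_MOD = MODINFO_SENTINEL + _MODINFO + MODINFO_SENTINEL
SAMPLE_MODERN = (b"\x7fELF" + b"\x00" * 60
                 + GO_BUILDINFO_MAGIC + bytes([8, FLAG_INLINE_STRINGS]) + b"\x00" * 16
                 + _uvarint(8) + b"go1.22.4" + _uvarint(len(_MOD)) + _MOD + b"\x00" * 16)
# Constructed sample with the older layout (flags=0): only the string scan can recover the version.
SAMPLE_LEGACY = (b"MZ" + b"\x00" * 30 + GO_BUILDINFO_MAGIC + bytes([8, 0]) + b"\x00" * 16
                 + b"\x00" * 24 + b"go1.16.5" + b"\x00" * 8)

if __name__ == "__main__":
    paths = sys.argv[1:]
    for path in paths:
        with open(path, "rb") as fh:
            print(path, triage_go_binary(fh.read()))
    if not paths:
        print(triage_go_binary(SAMPLE_MODERN))
```

Run it against a directory of unexpected executables and the module path, `-ldflags=-s -w` (symbols stripped) and `vcs.revision` entries are usually enough to separate in-house Go tooling from something that needs a closer look. The record can be removed with `-ldflags=-buildid=` or by post-processing, so a miss does not prove a binary is not Go; treat the result as triage, not a verdict.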
The group’s targeting is broad in scope but often timed to specific events. For example, the hackers targeted the OWA portals of a South American government just before that country’s state visit to China. They also targeted ministries of foreign affairs in several countries across Southeast Asia and South America. Over the past year the group has maintained long-term access to a key intergovernmental organization in Southeast Asia and has targeted government and diplomatic entities in Africa and Europe. In the United States, RedNovember has focused on prominent aerospace and defense organizations, including an engineering and military contractor and an institution associated with the US Navy.
RedNovember’s attacks are not limited to the government and defense sectors. The group has also gone after private organizations, including European manufacturing firms, a global law firm, and a Taiwanese IT company. In the US, two oil and gas companies and a major American newspaper have been targeted. The hackers have also pursued multiple financial institutions in Fiji, media organizations, and transportation authorities, and South Korean scientific research and nuclear regulation institutions were on the target list as well, showing how wide the group’s collection interests run.
RedNovember’s preferred route to initial access is the exploitation of newly disclosed vulnerabilities in networking devices. The group moves quickly once a flaw is public and has a history of exploiting vulnerabilities in Palo Alto Networks GlobalProtect firewalls, Ivanti Connect Secure appliances, and Check Point VPN gateways, among others. Recorded Future expects this pattern to continue: the firm assesses that RedNovember and other Chinese state-sponsored groups will almost certainly keep targeting and exploiting newly released vulnerabilities in edge devices as a primary means of entry. For defenders, that makes the time between a vendor advisory and the patch landing on an internet-facing device the window that matters most.
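The practical consequence of fast n-day exploitation is that a defender needs to know, within hours of an advisory, which edge devices are still on an affected build and how long they have been exposed. The script below is an added example written for this page, not code from the article or from Recorded Future's report. The advisories, their version ranges and dates, the asset inventory, and the one-day/seven-day deadline policy are all constructed for the demonstration and do not describe any real vulnerability. The part worth copying is the version comparison: appliance firmware strings such as `11.1.2-h3` (a hotfix) or `22.7R2.5` do not compare correctly as plain strings, so the example reduces them to numeric tuples, which makes a hotfix sort after its base release.

```python
import re
from datetime import date


def version_key(v):
    """Numeric sort key for firmware versions: '11.1.2-h3' -> (11, 1, 2, 3), 'R81.20' -> (81, 20).
    A hotfix suffix therefore sorts after its base release. Pre-release tags (rc, beta) are not
    modelled; that is an assumption of this example."""
    return tuple(int(x) for x in re.findall(r"\d+", v))


def in_range(version, lo, hi):
    """True when lo <= version < hi, with hi being the first fixed build."""
    return version_key(lo) <= version_key(version) < version_key(hi)


# Hypothetical advisories, constructed for this example. Ranges and dates are not real vendor data.
ADVISORIES = [
    {"id": "hypothetical-advisory-A", "product": "PAN-OS GlobalProtect", "published": date(2025, 4, 1),
     "affected": [("11.1.0", "11.1.2-h3"), ("10.2.0", "10.2.9-h1")]},
    {"id": "hypothetical-advisory-B", "product": "FortiOS", "published": date(2025, 5, 10),
     "affected": [("7.2.0", "7.2.8")]},
]

# Constructed asset inventory for the example.
INVENTORY = [
    {"name": "fw-edge-1", "product": "PAN-OS GlobalProtect", "version": "11.1.2-h1", "internet_exposed": True},
    {"name": "fw-edge-2", "product": "PAN-OS GlobalProtect", "version": "11.1.2-h3", "internet_exposed": True},
    {"name": "fw-dc-1", "product": "PAN-OS GlobalProtect", "version": "10.2.7", "internet_exposed": False},
    {"name": "vpn-1", "product": "FortiOS", "version": "7.2.7", "internet_exposed": True},
    {"name": "vpn-2", "product": "FortiOS", "version": "7.4.3", "internet_exposed": True},
    {"name": "owa-1", "product": "Exchange OWA", "version": "15.2.1544.4", "internet_exposed": True},
]

# Example patch-deadline policy (an assumption, not from the report): devices reachable from the
# internet get one day from advisory publication, internal ones seven.
DEADLINE_DAYS = {True: 1, False: 7}


def triage(inventory, advisories, today):
    """List assets still on an affected build, ranked by internet exposure, then days since disclosure.
    `today` may be a date or an ISO date string."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    findings = []
    for asset in inventory:
        for adv in advisories:
            if adv["product"] != asset["product"]:
                continue
            hit = next((r for r in adv["affected"] if in_range(asset["version"], *r)), None)
            if hit is None:
                continue                       # not affected, or already on a fixed build
            days = (today - adv["published"]).days
            findings.append({
                "asset": asset["name"], "advisory": adv["id"], "version": asset["version"],
                "fixed_in": hit[1], "internet_exposed": asset["internet_exposed"],
                "exposure_days": days, "overdue": days > DEADLINE_DAYS[asset["internet_exposed"]],
            })
    # Exposed devices first, then the longest-open exposure window.
    findings.sort(key=lambda f: (not f["internet_exposed"], -f["exposure_days"]))
    return findings


if __name__ == "__main__":
    for finding in triage(INVENTORY, ADVISORIES, date.today()):
        print(finding)
```

Feed it the affected-version table from a real advisory and an export of the device inventory and the output is the patch queue in the order an attacker would work it: internet-reachable first, oldest disclosure first. Two caveats: a device that has been exploited before the patch landed is not made safe by patching, so anything that shows as overdue should also be checked for signs of compromise, and the numeric comparison ignores pre-release tags, so verify the parsing against the vendor's own version scheme before relying on it.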