Chinese hackers breached critical infrastructure globally using enterprise network gear

A Chinese state-sponsored hacker group called RedNovember has conducted a global espionage campaign targeting critical infrastructure between June 2024 and July 2025, compromising defense contractors, government agencies, and major corporations while exploiting vulnerabilities faster than organizations could deploy security patches.

The attacks included breaches of at least two US defense contractors and more than 30 Panamanian government agencies as part of a systematic targeting across the US, Europe, Asia, and South America, according to cybersecurity firm Recorded Future.

The threat group deployed the Go-based Pantegana backdoor, Cobalt Strike, and SparkRAT to maintain persistent network access after exploiting flaws in enterprise appliances, researchers said in the report.

“The group has expanded its targeting remit across government and private sector organizations, including defense and aerospace organizations, space organizations, and law firms,” the report added.

Recorded Future’s Insikt Group had previously tracked the activity under the designation TAG-100 before attributing it to Chinese state-sponsored operations. Microsoft also tracks overlapping activity from this group as Storm-2077.

Systematic exploitation of enterprise network devices

RedNovember systematically targeted internet-facing appliances that form the backbone of enterprise network security, successfully compromising SonicWall VPN devices, Ivanti Connect Secure appliances, Cisco Adaptive Security Appliances, F5 BIG-IP systems, Sophos SSL VPN products, and Fortinet FortiGate firewalls, researchers found.

The hackers exploited both recently disclosed vulnerabilities and older flaws that organizations had failed to patch. RedNovember compromised two US defense contractors in April 2025 using CVE-2023-46805 and CVE-2024-21887 vulnerabilities in Ivanti appliances – flaws for which patches had been available since January 2024, the report said.

A European engine manufacturer that produces aerospace components was breached through its SonicWall VPN device, while multiple law firms fell victim through compromised network appliances, researchers documented.

72-hour vulnerability exploitation window

RedNovember demonstrated the ability to weaponize newly disclosed vulnerabilities faster than most organizations could deploy patches, researchers found. When researchers published proof-of-concept code for Check Point VPN vulnerability CVE-2024-24919 on May 30, 2024, RedNovember was attacking vulnerable systems by June 3.

That campaign hit at least 60 organizations across Brazil, Germany, Japan, Portugal, the UK, and the United States within four days, according to the report.

Similar patterns emerged with Palo Alto Networks GlobalProtect devices, with RedNovember consistently exploiting disclosed vulnerabilities within 72 hours of public exploit code availability, the research showed.
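One way a defender can operationalize the 72-hour figure above, as an added example that is not from the article or from Recorded Future: a small tracker that measures how long each edge appliance sat exposed between public exploit code and its patch, and flags anything past that window. Host names, patch dates and the Ivanti PoC date are constructed; only the May 30, 2024 date for CVE-2024-24919 comes from the article.

```python
"""Patch-exposure tracker for edge appliances (added example, not from the
article or Recorded Future): how long did each device sit exposed after public
exploit code appeared, measured against the 72-hour window RedNovember needed?"""
from dataclasses import dataclass
from datetime import date, timedelta

EXPLOIT_WINDOW = timedelta(hours=72)   # exploitation lag reported in the article

@dataclass(frozen=True)
class Exposure:
    host: str
    cve: str
    exposed_days: int    # days from public PoC to patch, or to `today` if unpatched
    patched: bool
    exceeds_window: bool

def assess(inventory, poc_dates, today):
    """inventory: {host: {cve: patch_date or None}}; poc_dates: {cve: date}.
    Unpatched devices count as exposed up to `today`. Output is a triage order:
    unpatched first, then longest exposure first."""
    results = []
    for host, cves in inventory.items():
        for cve, patched_on in cves.items():
            end = patched_on or today
            exposed = max(end - poc_dates[cve], timedelta(0))
            results.append(Exposure(host, cve, exposed.days,
                                    patched_on is not None,
                                    exposed > EXPLOIT_WINDOW))
    return sorted(results, key=lambda e: (e.patched, -e.exposed_days))

def overdue_hosts(results):
    """Hosts that were (or still are) exposed longer than the 72-hour window."""
    return sorted({e.host for e in results if e.exceeds_window})

# Constructed sample data: the CVE-2024-24919 PoC date (2024-05-30) is from the
# article; the Ivanti PoC date, host names, patch dates and AS_OF are made up.
POC_DATES = {
    "CVE-2024-24919": date(2024, 5, 30),   # Check Point VPN
    "CVE-2023-46805": date(2024, 1, 31),   # Ivanti Connect Secure (placeholder)
}
INVENTORY = {
    "vpn-gw-01": {"CVE-2024-24919": date(2024, 6, 10)},   # patched after 11 days
    "vpn-gw-02": {"CVE-2024-24919": date(2024, 6, 1)},    # patched within 72 hours
    "ivanti-ics-01": {"CVE-2023-46805": None},            # still unpatched
}
AS_OF = date(2025, 4, 15)   # assessment date for unpatched devices

if __name__ == "__main__":
    for e in assess(INVENTORY, POC_DATES, AS_OF):
        print(e)
```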

Open-source tools masked attribution

Rather than developing custom malware, RedNovember relied heavily on publicly available tools, including the Pantegana backdoor, Cobalt Strike penetration testing framework, and SparkRAT remote access tool, all written in the Go programming language, researchers found.

The hackers used variants of the LESLIELOADER tool to deploy SparkRAT on compromised systems, with samples first detected in March 2024, according to the analysis. RedNovember also leveraged legitimate services, including vulnerability scanning tools like PortSwigger’s Burp Suite and VPN services, including ExpressVPN and Cloudflare’s Warp, to manage their infrastructure.

“RedNovember’s strategic use of open-source capabilities allows the threat group to lower operational costs and obfuscate attribution,” researchers explained in the report.

Global targeting across multiple sectors

The group heavily targeted organizations in the US, Taiwan, and South Korea, while also conducting surveillance of government agencies across Panama, and targeting entities in Europe, Africa, Central Asia, and Southeast Asia, the report said.

The hackers maintained persistent access to compromised networks for months, with some intrusions lasting from July 2024 through March 2025, according to the research. A Taiwanese IT company remained compromised throughout this period, with researchers tracking communications to Pantegana command-and-control servers.

The hacker group also targeted organizations handling sensitive business negotiations, successfully compromising an American law firm involved in debt restructuring for a Chinese company and attempting to breach a major US newspaper, the report found.

Coordinated timing with geopolitical events

Several RedNovember campaigns coincided with significant geopolitical developments, researchers observed. The systematic surveillance of more than 30 Panamanian government agencies occurred just weeks after US Defense Secretary Pete Hegseth announced an expanded partnership to counter Chinese influence in the canal zone.

The targeting of Taiwan facilities, which house both military installations and semiconductor research operations, coincided with Chinese military exercises involving 90 warships around the island in December 2024, the report noted.

“The timing of the observed reconnaissance closely followed geopolitical and military events of key strategic interest to China,” the researchers wrote.

The systematic targeting of internet-facing appliances across multiple vendor platforms indicated that organizations need enhanced monitoring and rapid patch deployment capabilities for network infrastructure devices, the report suggested. RedNovember “will almost certainly continue to target edge devices and exploit vulnerabilities soon after their release,” researchers added in the report.
