RedNovember Campaign: A Close Look at Cyber Threats from China
A persistent cyber-espionage campaign attributed to a Chinese state-sponsored group underscores why organizations need to prioritize the security of their edge devices and other internet-facing assets. The threat group, tracked as RedNovember, has targeted vulnerable web-facing systems from numerous well-established IT and security vendors. According to a report by Recorded Future’s Insikt Group, the campaign was observed from June 2024 through July 2025.
Targeting Edge Devices and Vulnerabilities
RedNovember’s tactics include exploiting vulnerabilities in internet-facing devices to gain initial access to government, intergovernmental, and private-sector organizations worldwide. The group frequently uses the Go-based backdoor Pantegana, the open-source backdoor SparkRAT, and the Cobalt Strike post-exploitation framework. Notable targets include defense agencies, aerospace organizations, and law firms.
The victim set is broad: identified victims include a Central Asian ministry of foreign affairs, an African state security organization, a European government directorate, and several U.S. defense contractors. The group has also run spearphishing campaigns and exploited vulnerabilities specifically against the U.S. Defense Industrial Base (DIB) and space-related entities in Europe. Some operations coincided with key geopolitical events, consistent with the strategic interests of the Chinese state.
Specific Devices and Exploits in Focus
Researchers note that RedNovember’s operations typically begin with reconnaissance of edge devices for initial access. The group concentrates on newly disclosed vulnerabilities in these products, often moving shortly after the weakness is published and proof-of-concept (PoC) exploit code is released. Products observed in its targeting include:
- SonicWall
- Cisco Adaptive Security Appliances (ASA)
- F5 BIG-IP
- Palo Alto Networks GlobalProtect
- Sophos SSL VPN
- Fortinet FortiGate
- Outlook Web Access (OWA)
- Ivanti Connect Secure (ICS) VPN
The vulnerabilities exploited by RedNovember include:
- CVE-2022-30190 (Follina): A remote code execution vulnerability in the Microsoft Windows Support Diagnostic Tool (MSDT); unlike the other two, it is triggered through a malicious document delivered to a user rather than through an exposed service.
- CVE-2024-3400: A command injection vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS that allows an unauthenticated attacker to execute code with root privileges on the firewall.
- CVE-2024-24919: An information disclosure vulnerability in Check Point Quantum Security Gateways that allows an unauthenticated attacker to read files on gateways with Remote Access VPN or Mobile Access enabled.
Notably, exploitation of the Check Point and Palo Alto flaws was observed shortly after public PoC exploits were released, indicating that the group tracks public disclosures and weaponizes them quickly. The practical consequence for defenders is that the patch window for an internet-facing device closes when the PoC appears, not when a vendor advisory is published. Given the breadth of targeted products, it is likely that RedNovember has exploited other vulnerabilities in these systems beyond the three named here.
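The first defensive step the report implies is knowing which of the products above you expose. The following is an added example, not code from the article or from Recorded Future’s Insikt Group: it classifies captured HTTP responses from an external scan by product using default login paths and page markers, then maps each exposed product to the CVEs the article names. The login paths, body markers, hostnames, and response bodies are this example’s own assumptions (constructed sample data and commonly seen defaults), so verify the fingerprints against your own fleet before relying on them.

```python
"""Fingerprint exposed edge-device login pages and map them to the CVEs
named in the article.

Added example; not code from the article or from Insikt Group.
Assumptions: the default login paths and body markers below are typical
vendor defaults (not taken from the article), and SAMPLE is constructed data.
"""
import re
from dataclasses import dataclass

# (product, default login path, regex expected in the response body).
# Assumption: commonly observed defaults; confirm against your own devices.
FINGERPRINTS = [
    ("Palo Alto Networks GlobalProtect", "/global-protect/login.esp", r"global-?protect"),
    ("Cisco ASA", "/+CSCOE+/logon.html", r"SSL VPN Service|CSCOE"),
    ("F5 BIG-IP", "/tmui/login.jsp", r"BIG-IP"),
    ("Fortinet FortiGate", "/remote/login", r"fgt_lang|FortiGate"),
    ("Ivanti Connect Secure", "/dana-na/auth/url_default/welcome.cgi", r"dana-na"),
    ("Outlook Web Access", "/owa/auth/logon.aspx", r"Outlook"),
    ("SonicWall", "/auth.html", r"SonicWall"),
    ("Sophos SSL VPN", "/userportal/webpages/myaccount/login.jsp", r"Sophos"),
    ("Check Point Quantum Security Gateway", "/sslvpn/Login/Login", r"Check ?Point"),
]

# CVEs the article attributes to RedNovember, keyed by affected product.
# CVE-2022-30190 (MSDT) is client-side, so it has no exposed login page.
ARTICLE_CVES = {
    "Palo Alto Networks GlobalProtect": ("CVE-2024-3400",),
    "Check Point Quantum Security Gateway": ("CVE-2024-24919",),
}


@dataclass(frozen=True)
class Observation:
    """One probed URL from an external scan: host, request path, status, body."""
    host: str
    path: str
    status: int
    body: str


@dataclass(frozen=True)
class Finding:
    host: str
    product: str
    cves: tuple


def fingerprint(path, body):
    """Return the product name if both the path and a body marker match."""
    path = path.lower()
    for product, login_path, marker in FINGERPRINTS:
        if path.startswith(login_path.lower()) and re.search(marker, body, re.I):
            return product
    return None


def triage(observations):
    """Keep only live (HTTP 200) recognised login pages; list assets tied to
    an article-named CVE first, then the rest alphabetically by host."""
    findings = []
    for obs in observations:
        if obs.status != 200:
            continue
        product = fingerprint(obs.path, obs.body)
        if product is None:
            continue
        findings.append(Finding(obs.host, product, ARTICLE_CVES.get(product, ())))
    findings.sort(key=lambda f: (-len(f.cves), f.host))
    return findings


# Constructed sample scan output (hostnames and bodies are invented).
SAMPLE = [
    Observation("vpn.example.net", "/global-protect/login.esp", 200,
                "<title>GlobalProtect Portal</title>"),
    Observation("fw.example.net", "/sslvpn/Login/Login", 200,
                "<title>Check Point SSL Network Extender</title>"),
    Observation("mail.example.net", "/owa/auth/logon.aspx", 200,
                "<title>Outlook</title>"),
    Observation("www.example.net", "/", 200, "<h1>Welcome to nginx!</h1>"),
    Observation("old.example.net", "/remote/login", 302, ""),  # redirect, not a live page
]

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"{f.host:20} {f.product:40} {', '.join(f.cves) or '-'}")
```

The output lists the Check Point gateway and the GlobalProtect portal first because each maps to a CVE from the article; the OWA host is reported as exposed but unmatched, and the nginx page and the redirecting FortiGate probe are dropped. Feed the result into your patch tracker and compare each asset’s patch date against the PoC release date for its CVE.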
Geographical Focus: U.S., Taiwan, and Beyond
Organizations in the U.S., Taiwan, and South Korea have been the primary targets of RedNovember’s operations. In April 2025, however, the group turned its attention to Panamanian government entities, demonstrating a broader global reach. Other specific assets of interest included:
- A 3CX web client linked to a western European ministry responsible for museums.
- A Zimbra Collaboration Suite server associated with a Southeast Asian country.
- A Fortinet FortiGate appliance tied to the foreign affairs ministry of an East Asian nation.
- A Huawei router likely linked to a Southeast Asian government.
- Cisco ASA appliances utilized by an African government.
In April 2025, RedNovember escalated its targeting of Ivanti Connect Secure (ICS) VPN devices across multiple countries, including those of major U.S. media organizations and specialized engineering and military contractors. Earlier, in March 2025, the group targeted a European engine manufacturer’s SonicWall VPN device and the login pages of the company’s F5 BIG-IP devices.