Rising Threat from the RedNovember Hacking Group
Overview of RedNovember
Recent assessments indicate that a hacking group known as RedNovember, previously tracked under the name TAG-100 by Recorded Future, is linked to Chinese state-sponsored cyber espionage efforts. This group has been involved in cyber activities aimed at various government and private organizations across continents including Africa, Asia, North America, South America, and Oceania.
Targeted Organizations and Techniques
Between June 2024 and July 2025, RedNovember reportedly infiltrated critical perimeter appliances of numerous high-profile entities. The group relied on tooling such as the Go-based backdoor Pantegana and Cobalt Strike in its operations. Recorded Future’s report highlighted the expansion of RedNovember’s targeting beyond the defense and aerospace sectors to include law firms and governmental bodies.
Among its identified targets are a Central Asian foreign affairs ministry, a security agency in Africa, and various European and Southeast Asian governmental organizations. The group is also suspected to have compromised several U.S. defense contractors, a major European engine manufacturer, and an intergovernmental trade organization in Southeast Asia.
Exploiting Security Flaws
RedNovember’s operations were first documented more than a year ago, focusing on the exploitation of known vulnerabilities in several internet-facing devices. The group obtained initial access by leveraging security flaws in products from prominent vendors such as Check Point, Cisco, and Palo Alto Networks. This trend of targeting security products themselves, such as VPNs, firewalls, and email servers, is increasingly evident among state-sponsored groups seeking prolonged network intrusions.
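The practical defensive takeaway from this section is that perimeter appliances need to be inventoried and patched quickly, since initial access here came through known (already fixed) flaws. The following is an added example, not code from the article or from Recorded Future: an offline exposure check that compares a constructed inventory of edge devices against a constructed table of minimum fixed versions and reports which internet-facing assets are still below the fix, ordered by how long the fix has been available. Every hostname, product name, version and date in it is a placeholder; a real deployment would load vendor advisories and the asset inventory from authoritative sources.

```python
"""
Added example (not from the article): an offline exposure check for
internet-facing appliances of the kind the article says RedNovember exploits
(VPN gateways, firewalls, mail servers). It compares a constructed asset
inventory against a constructed table of minimum fixed versions and reports
devices still running vulnerable firmware, plus how long the fix has been
available. All hostnames, product names, versions and dates are placeholders,
not real advisories.
"""
from dataclasses import dataclass
from datetime import date
import re

# Constructed table: product -> (minimum fixed version, fix release date).
# Placeholder values; in practice this comes from vendor advisories.
FIXED_VERSIONS = {
    "example-vpn-gateway": ("9.1.4", date(2025, 1, 15)),
    "example-firewall":    ("10.2.7", date(2024, 11, 2)),
    "example-mail-server": ("23.1.12", date(2025, 3, 20)),
}


@dataclass
class Asset:
    hostname: str
    product: str
    version: str
    internet_facing: bool


# Constructed inventory (placeholder hosts and versions).
INVENTORY = [
    Asset("vpn-01.corp.example", "example-vpn-gateway", "9.1.2", True),
    Asset("vpn-02.corp.example", "example-vpn-gateway", "9.1.4", True),
    Asset("fw-edge.corp.example", "example-firewall", "10.2.10", True),
    Asset("fw-lab.corp.example", "example-firewall", "10.1.9", False),
    Asset("mail.corp.example", "example-mail-server", "23.1.9", True),
    Asset("nas.corp.example", "example-nas", "4.0.1", True),
]


def version_key(v: str) -> tuple:
    """Split '10.2.7'-style strings into integer tuples so that
    '10.2.10' compares greater than '10.2.7' (plain string comparison
    would get this wrong)."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def is_vulnerable(asset: Asset, fixed=FIXED_VERSIONS) -> bool:
    """True when the product has a known fix and the asset runs an older version."""
    entry = fixed.get(asset.product)
    if entry is None:
        return False
    return version_key(asset.version) < version_key(entry[0])


def exposure_report(inventory, fixed=FIXED_VERSIONS, today=date(2025, 7, 1)):
    """Return (findings, unknown): findings are internet-facing assets below
    the fixed version, longest-unpatched first; unknown lists hosts whose
    product has no advisory entry, so coverage gaps stay visible."""
    findings, unknown = [], []
    for a in inventory:
        if a.product not in fixed:
            unknown.append(a.hostname)
            continue
        if a.internet_facing and is_vulnerable(a, fixed):
            fix_ver, fix_date = fixed[a.product]
            findings.append({
                "host": a.hostname, "product": a.product,
                "running": a.version, "fixed_in": fix_ver,
                "days_unpatched": (today - fix_date).days,
            })
    findings.sort(key=lambda f: -f["days_unpatched"])
    return findings, unknown


if __name__ == "__main__":
    findings, unknown = exposure_report(INVENTORY)
    for f in findings:
        print(f"{f['host']}: {f['product']} {f['running']} < {f['fixed_in']} "
              f"({f['days_unpatched']} days since fix)")
    if unknown:
        print("no advisory data for:", ", ".join(unknown))
```

Internal-only devices below the fixed version are deliberately not reported as exposed, but are not silently ignored either: they simply fall outside the internet-facing filter, which you can drop if you want the full patch backlog. The `unknown` list matters as much as the findings, because an appliance the advisory feed does not cover is exactly the kind of device that goes unpatched.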
Tool Usage and Operational Strategies
A significant characteristic of RedNovember’s tactics is its use of Pantegana and Spark RAT, both of which are open-source tools. This choice appears to be an intentional effort to obscure the group’s activities and complicate attribution. The group also employs the publicly available LESLIELOADER to deploy Spark RAT or Cobalt Strike Beacons on compromised systems, illustrating a flexible approach to payload delivery after initial compromise.
Communication and Control
In its operational phases, RedNovember uses well-known VPN services such as ExpressVPN and Warp VPN to manage connections to the servers involved in exploiting internet-facing devices. This lets the group administer its tooling, such as Pantegana and Spark RAT, while adding a further layer of operational security.
Geographic Targeting Trends
From June 2024 through May 2025, RedNovember focused mainly on regions including Panama, the U.S., Taiwan, and South Korea. Notably, the group targeted Ivanti Connect Secure appliances associated with a U.S. engineering and military contractor as early as April 2025. There is also evidence that the group aimed its efforts at the Microsoft Outlook Web Access (OWA) portals of a South American country during a crucial state visit to China.
Diverse Targeting Patterns
According to Recorded Future, RedNovember’s broad and ever-evolving targeting patterns suggest a wide range of intelligence goals. The group’s activities have predominantly concentrated on specific regions such as Southeast Asia, the Pacific, and South America, reflecting distinct geopolitical interests.
By examining RedNovember’s tactics and strategies, security professionals can better understand the evolving landscape of cyber threats, particularly those emanating from state-sponsored actors. As these groups adapt and refine their methods, the importance of robust cybersecurity measures becomes increasingly evident.