{
	"id": "d25d3e1f-a140-4654-bf5d-723b11269835",
	"created_at": "2026-04-06T00:09:39.879218Z",
	"updated_at": "2026-04-10T13:11:49.99178Z",
	"deleted_at": null,
	"sha1_hash": "8e3a0c5eb55bff51cf9739b549663e320f32c396",
	"title": "Chinese Hackers RedNovember Target Global Governments Using Pantegana and Cobalt Strike",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 651066,
	"plain_text": "Chinese Hackers RedNovember Target Global Governments Using Pantegana and Cobalt Strike\r\nBy The Hacker News\r\nPublished: 2025-09-24 · Archived: 2026-04-05 18:13:12 UTC\r\nA suspected cyber espionage activity cluster that was previously found targeting global government and private sector organizations spanning Africa, Asia, North America, South America, and Oceania has been assessed to be a Chinese state-sponsored threat actor.\r\nRecorded Future, which was tracking the activity under the moniker TAG-100, has now graduated it to a hacking group dubbed RedNovember. It's also tracked by Microsoft as Storm-2077.\r\n\"Between June 2024 and July 2025, RedNovember (which overlaps with Storm-2077) targeted perimeter appliances of high-profile organizations globally and used the Go-based backdoor Pantegana and Cobalt Strike as part of its intrusions,\" the Mastercard-owned company said in a report shared with The Hacker News.\r\n\"The group has expanded its targeting remit across government and private sector organizations, including defense and aerospace organizations, space organizations, and law firms.\"\r\nhttps://thehackernews.com/2025/09/chinese-hackers-rednovember-target.html\r\nPage 1 of 3\n\nSome of the likely new victims of the threat actor include a ministry of foreign affairs in central Asia, a state security organization in Africa, a European government directorate, and a Southeast Asian government. The group is also believed to have breached at least two United States (U.S.) defense contractors, a European engine manufacturer, and a trade-focused intergovernmental cooperation body in Southeast Asia.\r\nRedNovember was first documented by Recorded Future over a year ago, detailing its use of the Pantegana post-exploitation framework and Spark RAT following the weaponization of known security flaws in several internet-facing perimeter appliances from Check Point (CVE-2024-24919), Cisco, Citrix, F5, Fortinet, Ivanti, Palo Alto Networks (CVE-2024-3400), and SonicWall for initial access.\r\nThe focus on targeting security solutions such as VPNs, firewalls, load balancers, virtualization infrastructure, and email servers mirrors a trend that has been increasingly adopted by other Chinese state-sponsored hacking groups to break into networks of interest and maintain persistence for extended periods of time.\r\nA noteworthy aspect of the threat actor's tradecraft is the use of Pantegana and Spark RAT, both of which are open-source tools. The adoption is likely an attempt to repurpose existing programs to their advantage and confuse attribution efforts, a hallmark of espionage actors.\r\nThe attacks also involve the use of a variant of the publicly available Go-based loader LESLIELOADER to launch Spark RAT or Cobalt Strike Beacons on compromised devices.\r\nRedNovember is said to make use of VPN services like ExpressVPN and Warp VPN to administer and connect to two sets of servers that are used for exploitation of internet-facing devices and communicate with Pantegana, Spark RAT, and Cobalt Strike, another legitimate program that has been widely abused by bad actors.\r\nBetween June 2024 and May 2025, much of the hacking group's targeting efforts have been focused on Panama, the U.S., Taiwan, and South Korea. As recently as April 2025, it has been found to target Ivanti Connect Secure appliances associated with a newspaper and an engineering and military contractor, both based in the U.S.\r\nRecorded Future said it also identified the adversary likely targeting the Microsoft Outlook Web Access (OWA) portals belonging to a South American country before that country's state visit to China.\r\n\"RedNovember has historically targeted a diverse range of countries and sectors, suggesting broad and changing intelligence requirements,\" the company noted. \"RedNovember's activity to date has primarily focused on several key geographies, including the U.S., Southeast Asia, the Pacific region, and South America.\"\r\nSource: https://thehackernews.com/2025/09/chinese-hackers-rednovember-target.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://thehackernews.com/2025/09/chinese-hackers-rednovember-target.html"
	],
	"report_names": [
		"chinese-hackers-rednovember-target.html"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "64a08f65-4ef8-4ad5-bac1-ce4e0fd2808c",
			"created_at": "2024-08-28T02:02:09.663698Z",
			"updated_at": "2026-04-10T02:00:04.927384Z",
			"deleted_at": null,
			"main_name": "TAG-100",
			"aliases": [
				"Storm-2077"
			],
			"source_name": "ETDA:TAG-100",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"CrossC2",
				"LESLIELOADER",
				"Pantegana",
				"SparkRAT",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "db5b833a-965e-4f46-b75d-7e829466a5fa",
			"created_at": "2024-12-21T02:00:02.843374Z",
			"updated_at": "2026-04-10T02:00:03.780907Z",
			"deleted_at": null,
			"main_name": "Storm-2077",
			"aliases": [
				"TAG-100",
				"RedNovember"
			],
			"source_name": "MISPGALAXY:Storm-2077",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434179,
	"ts_updated_at": 1775826709,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8e3a0c5eb55bff51cf9739b549663e320f32c396.pdf",
		"text": "https://archive.orkl.eu/8e3a0c5eb55bff51cf9739b549663e320f32c396.txt",
		"img": "https://archive.orkl.eu/8e3a0c5eb55bff51cf9739b549663e320f32c396.jpg"
	}
}