{
	"id": "dcb5d60a-4c6d-496c-855d-c11ef06d3cc4",
	"created_at": "2026-04-06T00:16:31.855026Z",
	"updated_at": "2026-04-10T03:36:33.408958Z",
	"deleted_at": null,
	"sha1_hash": "eb17ca53f9815048e966b745c70bc7490a3a3b4f",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 62685,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 21:03:53 UTC\r\n APT group: RedDelta\r\nNames\r\nRedDelta (Recorded Future)\r\nTA416 (Proofpoint)\r\nCountry China\r\nSponsor State-sponsored\r\nMotivation Information theft and espionage\r\nFirst seen 2020\r\nDescription (Recorded Future) From early May 2020, The Vatican and the Catholic Diocese of\r\nHong Kong were among several Catholic Church-related organizations that were\r\ntargeted by RedDelta, a Chinese-state sponsored threat activity group tracked by\r\nInsikt Group. This series of suspected network intrusions also targeted the Hong\r\nKong Study Mission to China and the Pontifical Institute for Foreign Missions\r\n(PIME), Italy. These organizations have not been publicly reported as targets of\r\nChinese threat activity groups prior to this campaign.\r\nThese network intrusions occurred ahead of the anticipated September 2020 renewal\r\nof the landmark 2018 China-Vatican provisional agreement, a deal which reportedly\r\nresulted in the Chinese Communist Party (CCP) gaining more control and oversight\r\nover the country’s historically persecuted “underground” Catholic community. 
In\r\naddition to the Holy See itself, another likely target of the campaign includes the\r\ncurrent head of the Hong Kong Study Mission to China, whose predecessor was\r\nconsidered to have played a vital role in the 2018 agreement.\r\nThe suspected intrusion into the Vatican would offer RedDelta insight into the\r\nnegotiating position of the Holy See ahead of the deal’s September 2020 renewal.\r\nThe targeting of the Hong Kong Study Mission and its Catholic Diocese could also\r\nprovide a valuable intelligence source for both monitoring the diocese’s relations\r\nwith the Vatican and its position on Hong Kong’s pro-democracy movement amidst\r\nwidespread protests and the recent sweeping Hong Kong national security law.\r\nWhile there is considerable overlap between the observed TTPs of RedDelta and the\r\nthreat activity group publicly referred to as Mustang Panda, Bronze President (also\r\nknown as BRONZE PRESIDENT and HoneyMyte), there are a few notable\ndistinctions which lead us to designate this activity as RedDelta:\n• The version of PlugX used by RedDelta in this campaign uses a different C2 traffic\nencryption method and has a different configuration encryption mechanism than\ntraditional PlugX.\n• The malware infection chain employed in this campaign has not been publicly\nreported as used by Mustang Panda.\nIn addition to the targeting of entities related to the Catholic Church, Insikt Group\nalso identified RedDelta targeting law enforcement and government entities in India\nand a government organization in Indonesia.\nObserved\nSectors: Government, Law enforcement, Telecommunications and The Vatican and\nCatholic Church-related organizations.\nCountries: Australia, Cambodia, China, Czech, Ethiopia, Germany, Hong Kong,\nIndia, Indonesia, Italy, Mongolia, Myanmar, Slovakia, Spain, Ukraine, USA,\nVietnam.\nTools used Cobalt Strike, PlugX, Poison 
Ivy.\nOperations performed\nAug 2020\nRedDelta Resumes Its Targeting of the Vatican and Hong Kong\nCatholic Diocese\nSep 2020\nFollowing the Chinese National Day holiday in September, Proofpoint\nresearchers observed a resumption of activity by the APT actor\nTA416.\nMar 2021\nOperation “Dianxun”\nOperation Diànxùn: Cyberespionage Campaign Targeting\nTelecommunication Companies\nFeb 2022\nMost recently on February 28, 2022, TA416 began using a\ncompromised email address of a diplomat from a European NATO\ncountry to target a different country’s diplomatic offices. The targeted\nindividual worked in refugee and migrant services.\nJul 2023 Chinese State-Sponsored RedDelta Targeted Taiwan, Mongolia, and\nSoutheast Asia with Adapted PlugX Infection Chain\n\u003chttps://go.recordedfuture.com/hubfs/reports/cta-cn-2025-0109.pdf\u003e\r\nInformation \u003chttps://go.recordedfuture.com/hubfs/reports/cta-2020-0728.pdf\u003e\r\nLast change to this card: 22 February 2025\r\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=86850f9f-15d7-417a-8345-6fae5223f81a",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=86850f9f-15d7-417a-8345-6fae5223f81a"
	],
	"report_names": [
		"showcard.cgi?u=86850f9f-15d7-417a-8345-6fae5223f81a"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "aa90ad17-8852-4732-9dba-72ffb64db493",
			"created_at": "2023-07-11T02:00:10.067957Z",
			"updated_at": "2026-04-10T02:00:03.367801Z",
			"deleted_at": null,
			"main_name": "RedDelta",
			"aliases": [],
			"source_name": "MISPGALAXY:RedDelta",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b69037ec-2605-4de4-bb32-a20d780a8406",
			"created_at": "2023-01-06T13:46:38.790766Z",
			"updated_at": "2026-04-10T02:00:03.101635Z",
			"deleted_at": null,
			"main_name": "MUSTANG PANDA",
			"aliases": [
				"Stately Taurus",
				"LuminousMoth",
				"TANTALUM",
				"Twill Typhoon",
				"TEMP.HEX",
				"Earth Preta",
				"Polaris",
				"BRONZE PRESIDENT",
				"HoneyMyte",
				"Red Lich",
				"TA416"
			],
			"source_name": "MISPGALAXY:MUSTANG PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6daadf00-952c-408a-89be-aa490d891743",
			"created_at": "2025-08-07T02:03:24.654882Z",
			"updated_at": "2026-04-10T02:00:03.645565Z",
			"deleted_at": null,
			"main_name": "BRONZE PRESIDENT",
			"aliases": [
				"Earth Preta ",
				"HoneyMyte ",
				"Mustang Panda ",
				"Red Delta ",
				"Red Lich ",
				"Stately Taurus ",
				"TA416 ",
				"Temp.Hex ",
				"Twill Typhoon "
			],
			"source_name": "Secureworks:BRONZE PRESIDENT",
			"tools": [
				"BlueShell",
				"China Chopper",
				"Claimloader",
				"Cobalt Strike",
				"HIUPAN",
				"ORat",
				"PTSOCKET",
				"PUBLOAD",
				"PlugX",
				"RCSession",
				"TONESHELL",
				"TinyNote"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b5449533-0ff1-4048-999d-7d4bfd8e6da6",
			"created_at": "2022-10-25T16:07:24.114365Z",
			"updated_at": "2026-04-10T02:00:04.869887Z",
			"deleted_at": null,
			"main_name": "RedDelta",
			"aliases": [
				"Operation Dianxun",
				"TA416"
			],
			"source_name": "ETDA:RedDelta",
			"tools": [
				"Agent.dhwf",
				"Agentemis",
				"Chymine",
				"Cobalt Strike",
				"CobaltStrike",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Gen:Trojan.Heur.PT",
				"Kaba",
				"Korplug",
				"PlugX",
				"Poison Ivy",
				"RedDelta",
				"SPIVY",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Xamtrav",
				"cobeacon",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "9baa7519-772a-4862-b412-6f0463691b89",
			"created_at": "2022-10-25T15:50:23.354429Z",
			"updated_at": "2026-04-10T02:00:05.310361Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Mustang Panda",
				"TA416",
				"RedDelta",
				"BRONZE PRESIDENT",
				"STATELY TAURUS",
				"FIREANT",
				"CAMARO DRAGON",
				"EARTH PRETA",
				"HIVE0154",
				"TWILL TYPHOON",
				"TANTALUM",
				"LUMINOUS MOTH",
				"UNC6384",
				"TEMP.Hex",
				"Red Lich"
			],
			"source_name": "MITRE:Mustang Panda",
			"tools": [
				"CANONSTAGER",
				"STATICPLUGIN",
				"ShadowPad",
				"TONESHELL",
				"Cobalt Strike",
				"HIUPAN",
				"Impacket",
				"SplatCloak",
				"PAKLOG",
				"Wevtutil",
				"AdFind",
				"CLAIMLOADER",
				"Mimikatz",
				"PUBLOAD",
				"StarProxy",
				"CorKLOG",
				"RCSession",
				"NBTscan",
				"PoisonIvy",
				"SplatDropper",
				"China Chopper",
				"PlugX"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2ee03999-5432-4a65-a850-c543b4fefc3d",
			"created_at": "2022-10-25T16:07:23.882813Z",
			"updated_at": "2026-04-10T02:00:04.776949Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Bronze President",
				"Camaro Dragon",
				"Earth Preta",
				"G0129",
				"Hive0154",
				"HoneyMyte",
				"Mustang Panda",
				"Operation SMUGX",
				"Operation SmugX",
				"PKPLUG",
				"Red Lich",
				"Stately Taurus",
				"TEMP.Hex",
				"Twill Typhoon"
			],
			"source_name": "ETDA:Mustang Panda",
			"tools": [
				"9002 RAT",
				"AdFind",
				"Agent.dhwf",
				"Agentemis",
				"CHINACHOPPER",
				"China Chopper",
				"Chymine",
				"ClaimLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"DCSync",
				"DOPLUGS",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Farseer",
				"Gen:Trojan.Heur.PT",
				"HOMEUNIX",
				"Hdump",
				"HenBox",
				"HidraQ",
				"Hodur",
				"Homux",
				"HopperTick",
				"Hydraq",
				"Impacket",
				"Kaba",
				"Korplug",
				"LadonGo",
				"MQsTTang",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"NBTscan",
				"NetSess",
				"Netview",
				"Orat",
				"POISONPLUG.SHADOW",
				"PUBLOAD",
				"PVE Find AD Users",
				"PlugX",
				"Poison Ivy",
				"PowerView",
				"QMAGENT",
				"RCSession",
				"RedDelta",
				"Roarur",
				"SPIVY",
				"ShadowPad Winnti",
				"SinoChopper",
				"Sogu",
				"TIGERPLUG",
				"TONEINS",
				"TONESHELL",
				"TVT",
				"TeamViewer",
				"Thoper",
				"TinyNote",
				"WispRider",
				"WmiExec",
				"XShellGhost",
				"Xamtrav",
				"Zupdax",
				"cobeacon",
				"nbtscan",
				"nmap",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434591,
	"ts_updated_at": 1775792193,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/eb17ca53f9815048e966b745c70bc7490a3a3b4f.pdf",
		"text": "https://archive.orkl.eu/eb17ca53f9815048e966b745c70bc7490a3a3b4f.txt",
		"img": "https://archive.orkl.eu/eb17ca53f9815048e966b745c70bc7490a3a3b4f.jpg"
	}
}