RedDelta: Chinese State-Sponsored Group Targets Mongolia, Taiwan, and Southeast Asia with Evolving Cyber Threats

Published 09/01/2025 16:28 · Modified 09/01/2025 17:22

Essential information

Published
09/01/2025 16:28
Modified
09/01/2025 17:22
Tags
2025-01-09, cloudflare cdn, html, microsoft azure, plugx, shortcut (lnk) file, spearphishing
Related entities
200 observables, 1 intrusion set (APT), 16 techniques (MITRE), 1 malware, 11 others

Description

Between July 2023 and December 2024, the Chinese state-sponsored group RedDelta targeted Mongolia, Taiwan, and Southeast Asian countries with an adapted infection chain to distribute its customized backdoor. The group used themed lure documents and evolved its tactics, transitioning from Windows Shortcut files to Microsoft Management Console Snap-In Control files, and finally to files hosted on . RedDelta consistently used to proxy command-and-control traffic, blending with legitimate traffic. The group's activities align with Chinese strategic priorities, focusing on governments and diplomatic organizations in the targeted regions.

External references