China's RedDelta APT Shifts Tactics to Deliver Custom PlugX Backdoor
The group is highly capable and has shown the ability to compromise many different targets
Researchers have identified new infrastructure and infection chains being used by RedDelta, a Chinese state-aligned threat group that has been targeting NGOs and other organizations in Taiwan, Myanmar, Vietnam, and likely the United States and other western countries with a custom version of the PlugX backdoor.
Why It Matters: RedDelta is a Chinese APT that has been active for at least 13 years and is known to target a variety of organizations in Asia, often using spearphishing lures tied to current political events in the region. The group is highly capable and has shown the ability to compromise many different targets, primarily in Windows environments. RedDelta’s activities overlap with threat groups tracked by other security firms as Mustang Panda, Twill Typhoon, and Vertigo Panda, among other monikers. The group has recently modified its tactics and infection chain as part of a campaign that has targeted victims in Mongolia, Taiwan, Myanmar, Vietnam, and Cambodia, according to a new analysis by Recorded Future’s Insikt Group.
Key Details
- The campaign that Insikt Group uncovered began in July 2023 and continued through at least December 2024.
- In the second half of 2023, RedDelta began using LNK files as the initial stage of its infection chain. Those files downloaded an MSI file that installed a search order hijacking tool, which in turn loaded the PlugX backdoor.
- More recently, the group shifted techniques again, moving to a simple spearphishing link that loads a remote HTML file, which then leads to the same infection chain.
- RedDelta has used the Cloudflare CDN to proxy C2 traffic to its own servers as a way to disguise its activity.
- The group deploys a customized version of the PlugX backdoor, a RAT that many different Chinese APTs have used for years.
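The LNK-to-MSI-to-search-order-hijack chain described above suggests a simple endpoint correlation: a remote MSI install followed shortly by a DLL loaded from the same user-writable directory as the executable that loaded it. The following check is an added example, not code from the Vulnerable U post or from Insikt Group; the event format, field names, hosts and paths are all constructed assumptions, not indicators from the report.

```python
# Added example: correlate a remote MSI install with a later DLL sideload
# (search-order hijack pattern) on the same host. Event schema is assumed,
# loosely modelled on process-creation and image-load telemetry.

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\program files")

def is_user_writable(path: str) -> bool:
    """Treat anything outside the usual system/program directories as user-writable."""
    return not path.lower().startswith(SYSTEM_DIRS)

def remote_msi_install(ev: dict) -> bool:
    """msiexec launched with a URL as the package argument (remote MSI fetch)."""
    return (ev["type"] == "process_create"
            and ev["image"].lower().endswith("msiexec.exe")
            and "http" in ev.get("cmdline", "").lower())

def sideload_candidate(ev: dict) -> bool:
    """A DLL loaded from the same user-writable directory as its loading process."""
    if ev["type"] != "image_load" or not ev["image"].lower().endswith(".dll"):
        return False
    proc_dir = ev["process"].lower().rsplit("\\", 1)[0]
    dll_dir = ev["image"].lower().rsplit("\\", 1)[0]
    return proc_dir == dll_dir and is_user_writable(ev["image"])

def find_chain(events: list, window: int = 300) -> list:
    """Pair each remote MSI install with sideloads on the same host within `window` seconds."""
    hits = []
    for inst in (e for e in events if remote_msi_install(e)):
        for ev in events:
            if (sideload_candidate(ev) and ev["host"] == inst["host"]
                    and 0 <= ev["ts"] - inst["ts"] <= window):
                hits.append((inst, ev))
    return hits

# Constructed sample telemetry (placeholder hosts, paths and URL; not real IoCs).
SAMPLE_EVENTS = [
    {"type": "process_create", "host": "ws01", "ts": 100, "parent": "explorer.exe",
     "image": "C:\\Windows\\System32\\msiexec.exe",
     "cmdline": "msiexec.exe /i http://example.invalid/update.msi /qn"},
    {"type": "image_load", "host": "ws01", "ts": 160,
     "process": "C:\\Users\\u\\AppData\\Local\\Temp\\app\\legit.exe",
     "image": "C:\\Users\\u\\AppData\\Local\\Temp\\app\\helper.dll"},
    {"type": "image_load", "host": "ws01", "ts": 170,
     "process": "C:\\Users\\u\\AppData\\Local\\Temp\\app\\legit.exe",
     "image": "C:\\Windows\\System32\\kernel32.dll"},
    {"type": "process_create", "host": "ws02", "ts": 200, "parent": "explorer.exe",
     "image": "C:\\Windows\\System32\\msiexec.exe",
     "cmdline": "msiexec.exe /i C:\\installers\\local.msi /qn"},
]
```

Running `find_chain(SAMPLE_EVENTS)` flags only the ws01 pair; the local MSI on ws02 and the system DLL load do not match.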
Big Picture: RedDelta consistently targets victims in NGOs in Asia, including Mongolian Buddhist activists, academics in Japan and Mongolia, as well as some victims in the U.S. and other western countries. “Insikt Group anticipates that RedDelta will continue targeting organizations worldwide with its customized PlugX backdoor, focusing on Southeast Asia and China’s periphery, including Mongolia and Taiwan. Likely targets include governments, NGOs, activists, and religious organizations. RedDelta has continually evolved its infection chain and is anticipated to continue doing so in the future in response to major geopolitical developments,” the Insikt Group analysis says.