Note: The analysis cut-off date for this report was July 25, 2025
Executive Summary
In July 2024, Insikt Group publicly reported on TAG-100, a threat activity group conducting suspected cyber-espionage activity targeting high-profile government, intergovernmental, and private sector organizations globally using the open-source, multi-platform Go backdoor Pantegana. At the time, we did not attribute this activity to a particular country; however, after reviewing all available evidence, we assess that TAG-100 is highly likely a Chinese state-sponsored threat activity group. Accordingly, Insikt Group now tracks this group under the designation RedNovember.
Between June 2024 and July 2025, RedNovember (which overlaps with Storm-2077) targeted perimeter appliances of high-profile organizations globally and used the Go-based backdoor Pantegana and Cobalt Strike as part of its intrusions. The group has expanded its targeting remit across government and private sector organizations, including defense and aerospace organizations, space organizations, and law firms.
Using Recorded Future Network Intelligence, Insikt Group identified new likely victims, which include a ministry of foreign affairs in central Asia, a state security organization in Africa, a European government directorate, and a Southeast Asian government. RedNovember also likely compromised at least two United States (US) defense contractors, a European engine manufacturer, and a trade-focused intergovernmental cooperation body in Southeast Asia.
We observed RedNovember reconnoitering and likely compromising edge devices for initial access, including SonicWall, Cisco Adaptive Security Appliance (ASA), F5 BIG-IP, Palo Alto Networks GlobalProtect, Sophos SSL VPN, and Fortinet FortiGate instances, as well as Outlook Web Access (OWA) instances and Ivanti Connect Secure (ICS) VPN appliances.
RedNovember’s activity exemplifies how combining weaponized proof-of-concept (PoC) exploits with open-source post-exploitation frameworks such as Pantegana lowers the barrier to entry for less-capable threat actors. The same approach also lets higher-tier groups avoid exposing customized tooling in operations where detection is a lesser concern or where stronger attribution obfuscation is desirable.
Insikt Group followed responsible disclosure procedures in advance of this publication per Recorded Future's notification policy.
Key Findings
- RedNovember continues to rely on command-and-control (C2) frameworks (Pantegana and Cobalt Strike) and open-source backdoors (SparkRAT) for its operations.
- The threat group has significantly broadened its targeting, including by conducting spearphishing and vulnerability exploitation attempts against entities in the US Defense Industrial Base (DIB) and space organizations in Europe.
- At least some of the RedNovember activity that Insikt Group observed, including in Taiwan and Panama, took place in close proximity to geopolitical and military events of key strategic interest to China.
- RedNovember has also increasingly focused its initial access efforts on targeting edge devices, including security solutions such as VPNs, firewalls, load balancers, virtualization infrastructure, and email servers.
- In April 2025, the threat group conducted a campaign focused on the reconnaissance and targeting of Ivanti Connect Secure (ICS) VPN devices across multiple countries. Specific targets included a major US newspaper and a specialized US engineering and military contractor.
Background
RedNovember (previously tracked as TAG-100 and overlapping with Storm-2077) is a Chinese state-sponsored cyber-espionage group that leverages open-source tools and exploits internet-facing devices to target government, intergovernmental, and private sector organizations globally. Insikt Group has previously publicly reported on RedNovember’s use of the multi-platform Go-based backdoor Pantegana and other offensive security tools, including Cobalt Strike and SparkRAT, coupled with exploitation of perimeter appliances, to conduct reconnaissance, initial access, and probable compromise activities.
RedNovember’s strategic use of open-source capabilities allows the threat group to lower operational costs and obfuscate attribution, a tactic that aligns with broader state-sponsored cyber-espionage trends that Insikt Group has observed. Combining weaponized proof-of-concept (PoC) exploits and open-source tools enables RedNovember to operate at scale. RedNovember’s activity highlights the persistent vulnerabilities of perimeter devices, which remain a significant risk vector due to limited visibility and logging capabilities.
RedNovember is one of several Chinese state-sponsored threat groups that increasingly gain initial access by exploiting vulnerabilities in internet-facing devices, including security products. Targeting such devices has proven an effective way for these groups to scale initial access, establishing footholds in large numbers of organizations ahead of more targeted follow-on activity.
Technical Analysis
Since our initial public report on its activity, RedNovember has continued to use the Pantegana C2 framework and Cobalt Strike as part of its intrusion activity. From our visibility and collection, RedNovember also highly likely continues to use ExpressVPN to administer its servers and may, with realistic probability, have started using other VPNs such as Warp VPN to remotely connect to its infrastructure.

While monitoring RedNovember’s active C2 servers, Insikt Group observed victims globally across the public and private sectors, concentrated in three verticals: aerospace and defense, government, and professional services.
In addition to suspected compromise activity by RedNovember, we observed other network communications between multiple organizations and C2 servers associated with RedNovember, likely reflecting, at a minimum, general browsing activity and potentially reconnaissance efforts by the threat group. While the activity could be indicative of an intent to compromise, in these cases, there is currently insufficient evidence to reach such a conclusion.
The terms “compromise,” “targeting,” “reconnaissance,” and “browsing” are used deliberately throughout this report to distinguish the kind of activity observed. For example, where we assess that RedNovember compromised an entity, we use terms such as “compromise” and “victim.”
Source: RecordedFuture
Source Link: https://www.recordedfuture.com/research/rednovember-targets-government-defense-and-technology-organizations