Chinese Hackers Escalate Global Cyber Espionage Campaign
Image credit X.com China MFA
From defence contractors to ministries of foreign affairs, the state-linked group dubbed RedNovember is expanding its reach across continents, raising alarms about Beijing’s cyber strategy.
By TRH News Desk
NEW DELHI, September 27, 2025 — According to The Hacker News, a Chinese state-sponsored hacking group known as RedNovember has been implicated in a sweeping cyber espionage campaign targeting governments and private sector organizations across Africa, Asia, the Americas, and Oceania. Security intelligence firm Recorded Future, which earlier tracked the group as TAG-100, has reclassified it as RedNovember, while Microsoft monitors the same cluster as Storm-2077.
Between June 2024 and July 2025, RedNovember exploited internet-facing perimeter appliances, deploying the Go-based backdoor Pantegana and the well-known offensive toolkit Cobalt Strike, The Hacker News reported. The campaign has struck high-profile organizations including a ministry of foreign affairs in Central Asia, a state security body in Africa, a European government directorate, and a Southeast Asian intergovernmental trade institution. In addition, at least two US defence contractors and a European engine manufacturer were compromised.
The Hacker News notes that RedNovember’s tactics mirror a broader trend in Chinese cyber operations—targeting VPNs, firewalls, virtualization infrastructure, and email servers from vendors such as Cisco, Citrix, Fortinet, and Palo Alto Networks. The group has leveraged known vulnerabilities, including CVE-2024-24919 in Check Point appliances and CVE-2024-3400 in Palo Alto Networks’ products.
The group’s adoption of open-source tools like Pantegana and Spark RAT reflects a deliberate strategy: repurpose legitimate or widely available frameworks to complicate attribution. This is coupled with LESLIELOADER, a Go-based loader used to launch Spark RAT or Cobalt Strike beacons. RedNovember has also relied on consumer VPNs such as ExpressVPN and Warp VPN to mask its infrastructure and manage command-and-control traffic.
The operational footprint has been global, with heavy targeting of the US, Panama, Taiwan, and South Korea. Notably, The Hacker News cites Recorded Future’s findings that RedNovember attempted to compromise Microsoft Outlook Web Access (OWA) portals in a South American country just ahead of a high-profile state visit to China—a clear indication of intelligence-gathering intent.
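The OWA targeting and the use of consumer VPN egress described above suggest two detections a defender can run against web-server logs: bursts of failed authentication against the OWA endpoint, and successful logins arriving from known VPN exit ranges. The script below is an added example, not code from the article or from Recorded Future; the log lines are a constructed, simplified IIS-style format (date, time, URI, client IP, status) in which 401 stands for a failed login and 302 for a successful redirect, and the VPN egress prefixes are RFC 5737 documentation ranges standing in for a real threat-intelligence list.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed placeholder prefixes (RFC 5737 documentation ranges) standing in
# for consumer VPN exit nodes; a real deployment would load a curated list.
VPN_EGRESS = [ipaddress.ip_network(p) for p in ("203.0.113.0/24", "198.51.100.0/24")]

# Constructed sample log: date time cs-uri-stem c-ip sc-status.
# Assumption for this sample: 401 = failed OWA login, 302 = successful redirect.
SAMPLE_LOG = """\
2025-07-01 08:00:01 /owa/auth.owa 203.0.113.17 401
2025-07-01 08:00:03 /owa/auth.owa 203.0.113.17 401
2025-07-01 08:00:04 /owa/auth.owa 203.0.113.17 401
2025-07-01 08:00:06 /owa/auth.owa 203.0.113.17 401
2025-07-01 08:00:09 /owa/auth.owa 203.0.113.17 302
2025-07-01 08:15:00 /owa/auth.owa 192.0.2.44 302
2025-07-01 09:00:00 /owa/auth.owa 198.51.100.9 302
2025-07-01 09:30:00 /ecp/default.aspx 192.0.2.44 200
"""


def parse(log_text):
    """Parse the constructed five-field format into dicts with a datetime."""
    entries = []
    for line in log_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        date, time, uri, ip, status = line.split()
        entries.append({
            "ts": datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S"),
            "uri": uri,
            "ip": ip,
            "status": int(status),
        })
    return entries


def is_vpn_egress(ip):
    """True if the client address falls inside a known VPN exit prefix."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in VPN_EGRESS)


def auth_burst(times, window, threshold):
    """Sliding window: True if >= threshold failures occur within `window`."""
    times = sorted(times)
    j = 0
    for i in range(len(times)):
        while times[i] - times[j] > window:
            j += 1
        if i - j + 1 >= threshold:
            return True
    return False


def find_suspicious(entries, window=timedelta(minutes=5), threshold=4):
    """Return {client_ip: [reasons]} for OWA authentication activity worth review."""
    by_ip = defaultdict(list)
    for e in entries:
        if e["uri"].lower() == "/owa/auth.owa":
            by_ip[e["ip"]].append(e)

    findings = {}
    for ip, events in by_ip.items():
        reasons = set()
        failures = [e["ts"] for e in events if e["status"] == 401]
        successes = [e["ts"] for e in events if e["status"] == 302]

        # Many failures in a short window: password guessing or spraying.
        if auth_burst(failures, window, threshold):
            reasons.add("auth_burst")
            # A success after the burst is the case that needs immediate review.
            if successes and max(successes) > max(failures):
                reasons.add("burst_then_success")

        # A valid login from a consumer VPN exit is unusual for most workforces.
        if successes and is_vpn_egress(ip):
            reasons.add("vpn_egress_login")

        if reasons:
            findings[ip] = sorted(reasons)
    return findings


if __name__ == "__main__":
    for ip, reasons in find_suspicious(parse(SAMPLE_LOG)).items():
        print(ip, ", ".join(reasons))
```

Real OWA failures are often logged as a 302 redirect back to the login page with a reason code in the query string rather than a 401, so the status mapping must be adapted to the actual log format before the burst logic is trusted; the VPN egress check is only as good as the prefix list behind it.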
As The Hacker News emphasizes, RedNovember’s campaigns highlight both the adaptability and persistence of Chinese espionage groups. By weaponizing ubiquitous enterprise technologies and co-opting open-source tools, Beijing-linked hackers are signaling that no sector—from aerospace to legal services—is beyond reach.