RedDelta has targeted Vietnam, Cambodia, Taiwan, Mongolia, and Myanmar. A customized version of the PlugX backdoor is allegedly delivered by the China-nexus threat actor. The Communist Party of Vietnam in November 2024 and the Mongolian Ministry of Defense in August 2024 are thought to have been compromised by the threat actor.

Recent attacks have weaponized Visual Studio Code tunnels as part of espionage operations targeting government entities in Southeast Asia, consistent with the group's reputation for continuously refining its infection chain. The announcement coincides with a Bloomberg report that the recent cyberattack on the U.S. Treasury Department was the work of a fellow hacker collective called Silk Typhoon (also known as Hafnium), a group previously linked to the early 2021 zero-day exploitation of four security flaws in Microsoft Exchange Server (collectively known as ProxyLogon).

The group has been observed proxying command-and-control (C2) traffic to its attacker-run C2 servers through the Cloudflare content delivery network (CDN), an effort to blend in with legitimate CDN traffic and make detection more difficult. According to Recorded Future's Insikt Group, all ten of the identified IP addresses are registered to China Unicom Henan Province.

According to a statement from the company, "RedDelta's activities align with Chinese strategic priorities, focusing on governments and diplomatic organizations in Southeast Asia, Mongolia, and Europe." It further stated, "The group's targeting of Taiwan and Mongolia is consistent with the group's past targeting of groups seen as threats to the Chinese Communist Party's power." The company also reported that ten administrative servers were found to be in communication with two known RedDelta C2 servers and ten known RedDelta C2 server addresses.