📃Title: RedDelta: Chinese State-Sponsored Group Targets Mongolia, Taiwan, and Southeast Asia with Evolving Cyber Threats
📅Date: 2025-01-09
🔗References:
Description
Between July 2023 and December 2024, the Chinese state-sponsored group RedDelta targeted Mongolia, Taiwan, and Southeast Asian countries with an adapted infection chain to distribute its customized PlugX backdoor. The group used themed lure documents and evolved its tactics, transitioning from Windows Shortcut files to Microsoft Management Console Snap-In Control files, and finally to HTML files hosted on Microsoft Azure. RedDelta consistently used Cloudflare CDN to proxy command-and-control traffic, blending with legitimate traffic. The group’s activities align with Chinese strategic priorities, focusing on governments and diplomatic organizations in the targeted regions.

🔖Rectifyq Taxonomies:
- relevancy: 🔴 Highly Relevant
- category: ⚔Threat
- sub-category: TA-profile
- target: targeted
- MY-relevancy: relevant
- action-taken: diamond-model
🔖MISP Galaxies:
- producer Recorded-Future
- target-information="Mongolia"
- target-information="Taiwan"
- target-information="Myanmar"
- target-information="Cambodia"
- target-information="Malaysia"
- target-information="Japan"
- target-information="Ethiopia"
- target-information="India"
- threat-actor RedDelta
- mitre-malware="PlugX - S0013"
- malpedia="Unidentified 115 (Nim Loader)"
- mitre-attack-pattern=['T1132.001', 'T1036.005', 'T1204.002', 'T1573.001', 'T1566.002', 'T1566.001', 'T1574.001', 'T1082', 'T1218.007', 'T1140', 'T1583.001', 'T1583.003', 'T1102', 'T1059.001', 'T1547.001', 'T1071.001']
MISP event uuid: 347c0089-b4d3-4cbc-862d-3666180df28b
Indicators of Compromise (IoCs)
type,value,comment
sha256, 2232cd249be265d092ea923452f82aae28f965b48897fe6f05a7cd4495fcd96e, 'Shortcut (LNK) file. No sample in VT; last check: 14/01/2025'
sha256, aaad74fbf1b3f499aa2be9f5a86f0d6427c2d807c27532090671295a2b5d67e0, 'Shortcut (LNK) file. No sample in VT; last check: 14/01/2025'
sha256, 6e37ad572f1e7d228c8c0c7cb1ef2d966d16d681669587cfb80e063106d77a6e, 'Shortcut (LNK) file. No sample in VT; last check: 14/01/2025'
sha256, 6ac4b0fd81e317615e0935e83874ef997b7bff3aff2f391405a2e22161f4fd45, 'Shortcut (LNK) file. No sample in VT; last check: 14/01/2025'
sha256, dd2d8fb565b18065bde545da16f67f31036b4d45dec5b82caa74e30a617e85e8, 'Shortcut (LNK) file. No sample in VT; last check: 14/01/2025'
sha256, 945f7ca6ce890f6cd1813b0ed1912ef25ed4a5f11da0fe97c20fe443bd4489a1, 'Shortcut (LNK) file. No sample in VT; last check: 14/01/2025'
sha256, 042045687882ec8dc2d61e26e86e56620c4a1e694b46f9ce814b060cb0cf4bb5, 'Shortcut (LNK) file. No sample in VT; last check: 14/01/2025'
sha256, 5479927c78faed415853c3ba3798dfff93d4047a17c3c4d87f7dc1ce8289395c, 'Shortcut (LNK) file. No sample in VT; last check: 14/01/2025'
sha256, d8981d4cbca9b99828a9459e4abfbbe20a221bfc59fc0f2a6d6a751c363b26c4, 'Shortcut (LNK) file. No sample in VT; last check: 14/01/2025'
sha256, c6bd2c31ebaa8d51964c49a22bc796aa506e594d6f1b1043b01d0baf58836172, 'Shortcut (LNK) file. No sample in VT; last check: 14/01/2025'
sha256, df3e5c62fa7086eec23c04cb52a17d64aa0b4f252551c8a65c599291a7cee61f, 'Shortcut (LNK) file. No sample in VT; last check: 14/01/2025'
sha256, 2c791775e66a77fe72aa826823f554bfe9a41525c6c1c14798cf56a42925db31, 'Shortcut (LNK) file. No sample in VT; last check: 14/01/2025'
sha256, a7735182b7f9f2c10af3f8d2d10634c344d984f6e53e7a3787e4d3d756a7a0a0, 'DLL file. No sample in VT; last check: 14/01/2025'
sha256, 53bafcf064d421341c582d93108e84df2f0e284c2b0a4dc2deb9099aa953bf5a, 'DLL file. No sample in VT; last check: 14/01/2025'
sha256, 7a16ba2f0d2c4f7779b67e41f8196ddc6652ca7b61607696ed154df83c8d7b9c, 'DLL file. No sample in VT; last check: 14/01/2025'
sha256, 749d8980d80966480c85c112a10e1be3d391c1f4673977e880fa461edc2cbf18, 'DLL file. No sample in VT; last check: 14/01/2025'
sha256, 2220a9297876d7ffb5ad8da4d35ed7b2c8746129f66056e81c4f74a6bb224fd7, 'DLL file. No sample in VT; last check: 14/01/2025'
sha256, 3ced0837225b635f2ed63e4f72f95933d804e089a21eb8022407a74d772bb94f, 'DLL file. No sample in VT; last check: 14/01/2025'
sha256, f1f58fda25e2a6dde9cab4faf02f7246d2a8ab2c96b4b055deea4093eee9d0e6, 'DLL file. No sample in VT; last check: 14/01/2025'
sha256, 77f813a461b4f1f1c765d951f0bf04668d96efea72cb8ecfb594ea2e36153cf8, 'DLL file. No sample in VT; last check: 14/01/2025'
sha256, dc155cb86f5240c2c39c851e006e39cb33ed9b52e0633cbcdcc2164a47a93e22, 'DLL file. No sample in VT; last check: 14/01/2025'
sha256, 5400fda058d7a13c27e9c95453634e4fee9a421023e0d4482f3eacc198caa928, 'DLL file. No sample in VT; last check: 14/01/2025'
sha256, f1812ca5170af2401d501561d2a3036379752d22111b10f9ac570587364c82aa, 'DLL file. No sample in VT; last check: 14/01/2025'
sha256, e1c85c49982339770189f7947b5bfeb926bc3e4e1d1c63655cb0f8cfdc82a647, 'DLL file. No sample in VT; last check: 14/01/2025'
sha256, abd5a09ec75ff36df87ece894cab441ef7f021f5bdd8ba55d00b8ed8aac03ab4, 'Encrypted payload (DAT). No sample in VT; last check: 14/01/2025'
sha256, 7b8dbfe66d16ad627d3864bd5d396b98a86c75aa4a3d87067a03221d73a560c1, 'Encrypted payload (DAT). No sample in VT; last check: 14/01/2025'
sha256, 52ba1bd4d40202c24cb896a355f094dbe0dc6e211f5ddd5b59f0c39b99203172, 'Encrypted payload (DAT). No sample in VT; last check: 14/01/2025'
sha256, b02b2c0a9209f20dab4efbc458160f5a9efdb81b6474ec10bb727295a86d825a, 'Encrypted payload (DAT). No sample in VT; last check: 14/01/2025'
sha256, 7f382a8b19613d078e4b78b677cb7592cab7c17577638e7ecad0a4952c6f4055, 'Encrypted payload (DAT). No sample in VT; last check: 14/01/2025'
sha256, aafff72a8c4ad7be37b25e3686a28a11f1d29a0acc771cac1974e17c176c5ed1, 'Encrypted payload (DAT). No sample in VT; last check: 14/01/2025'
sha256, 16dd782942b25aa2eb61bc7de36820444b9f55846c815e249a942b52c61be6b5, 'Encrypted payload (DAT). No sample in VT; last check: 14/01/2025'
sha256, d674025113d350438a11439d56db111881de887fea41b2d168c6c2b8d8c22014, 'Encrypted payload (DAT). No sample in VT; last check: 14/01/2025'
sha256, ca963057e69914d7e6c40aa7c43b393a1516f6dfdd2abfed12ddaa21fc2cfcce, 'Encrypted payload (DAT). No sample in VT; last check: 14/01/2025'
sha256, 96085a217f0841bae3fe77ecf60785a5cf4051748e90c818cf6160f7fd00b12e, 'Encrypted payload (DAT). No sample in VT; last check: 14/01/2025'
sha256, bde73773529ec32161fb8a675b50678771bf317a83f3dd8d0c47f54bdc665722, 'Encrypted payload (DAT). No sample in VT; last check: 14/01/2025'
sha256, 94ad60e87518ac2f655be1b0297e0109da3ef0ae733357206e3e87712c5dfba7, 'Encrypted payload (DAT). No sample in VT; last check: 14/01/2025'
sha256, 4ac2a633904b0da3ac471776ecbaded91e1f3a5107630fafde76868cace46051, 'Encrypted payload (DAT). No sample in VT; last check: 14/01/2025'
sha256, 75e849cc96c573fdfe0233b4d9a79c17fb4c40f15c0b6c0d847c461a30f1cbe8, 'Encrypted payload (DAT). No sample in VT; last check: 14/01/2025'
sha256, 5dae5254493df246c15e52fd246855a5d0a248f36925cecee141348112776275, 'Encrypted payload (DAT). No sample in VT; last check: 14/01/2025'
domain, abecopiers.com, ''
domain, alicevivianny.com, ''
domain, aljazddra.com, ''
domain, alphadawgrecords.com, ''
domain, alvinclayman.com, ''
domain, antioxidantsnews.com, ''
domain, armzrace.com, ''
domain, artbykathrynmorin.com, ''
domain, atasensors.com, ''
domain, bkller.com, ''
domain, bonuscuk.com, ''
domain, bramjtop.com, ''
domain, buyinginfo.org, ''
domain, calgarycarfinancing.com, ''
domain, comparetextbook.com, ''
domain, conflictaslesson.com, ''
domain, councilofwizards.com, ''
domain, crappienews.com, ''
domain, createcopilot.com, ''
domain, cuanhuaanbinh.com, ''
domain, dmfarmnews.com, ''
domain, electrictulsa.com, ''
domain, elevateecom.com, ''
domain, epsross.com, ''
domain, erpdown.com, ''
domain, estmongolia.com, ''
domain, financialextremed.com, ''
domain, finasterideanswers.com, ''
domain, flaworkcomp.com, ''
domain, flfprlkgpppg.shop, ''
domain, getfiledown.com, ''
domain, getupdates.net, ''
domain, glassdoog.org, ''
domain, globaleyenews.com, ''
domain, goclamdep.net, ''
domain, goodrapp.com, ''
domain, gulfesolutions.com, ''
domain, hajjnewsbd.com, ''
domain, hisnhershealthynhappy.com, ''
domain, homeimageidea.com, ''
domain, howtotopics.com, ''
domain, importsmall.com, ''
domain, indiinfo.com, ''
domain, infotechtelecom.com, ''
domain, inhller.com, ''
domain, instalaymantiene.com, ''
domain, iplanforamerica.com, ''
domain, irprofiles.com, ''
domain, itduniversity.com, ''
domain, ivibers.com, ''
domain, jorzineonline.com, ''
domain, kelownahomerenovations.com, ''
domain, kentscaffolders.com, ''
domain, kerrvillehomeschoolers.com, ''
domain, kxmmcdmnb.online, ''
domain, lebohdc.com, ''
domain, linkonmarketing.com, ''
domain, loginge.com, ''
domain, lokjopppkuimlpo.shop, ''
domain, londonisthereason.com, ''
domain, looksnews.com, ''
domain, maineasce.com, ''
domain, meetviberapi.com, ''
domain, mexicoglobaluniversity.com, ''
domain, mobilefiledownload.com, ''
domain, mojhaloton.com, ''
domain, mongolianshipregistrar.com, ''
domain, mrytlebeachinfo.com, ''
domain, myynzl.com, ''
domain, newslandtoday.net, ''
domain, normalverkehr.com, ''
domain, nymsportsmen.com, ''
domain, oncalltechnical.com, ''
domain, onmnews.com, ''
domain, pgfabrics.com, ''
domain, pinaylizzie.com, ''
domain, profilepimpz.com, ''
domain, quickoffice360.com, ''
domain, redactnews.com, ''
domain, reformporta.com, ''
domain, richwoodgrill.com, ''
domain, riversidebreakingnews.com, ''
domain, rpcgenetics.com, ''
domain, sangkayrealnews.com, ''
domain, shreyaninfotech.com, ''
domain, smldatacenter.com, ''
domain, spencerinfo.net, ''
domain, starlightstar.com, ''
domain, tasensors.com, ''
domain, techoilproducts.com, ''
domain, thelocaltribe.com, ''
domain, tigermm.com, ''
domain, tigernewsmedia.com, ''
domain, tophooks.org, ''
domain, truckingaccidentattorneyblog.com, ''
domain, truff-evadee.com, ''
domain, tychonews.com, ''
domain, unixhonpo.com, ''
domain, usedownload.com, ''
domain, vanessalove.com, ''
domain, versaillesinfo.com, ''
domain, vopaklatinamerica.com, ''
domain, windowsfiledownload.com, ''
domain, xxmodkiufnsw.shop, ''
domain, 365officemail.com, ''
domain, 7gzi.com, ''
url, https://getfiledown.com/utdkt, 'Additional Staging Domain'
url, https://versaillesinfo.com/brjwcabz, 'Additional Staging Domain'
url, https://lifeyomi.com/trkziu, 'Additional Staging Domain'
url, https://lebohdc.com/uleuodmm, 'Additional Staging Domain'
url, https://cdn7s65.z13.web.core.windows.net/, 'Additional Staging Domain'
url, https://edupro4.z13.web.core.windows.net/, 'Additional Staging Domain'
url, https://elevateecom.com/deqcehfg, 'Additional Staging Domain'
url, https://vabercoach.com/uenic, 'Additional Staging Domain'
url, https://artbykathrynmorin.com/lczjnmum, 'Additional Staging Domain'
ip-dst, 115.61.168.143, 'RedDelta Administration Server'
ip-dst, 115.61.168.170, 'RedDelta Administration Server'
ip-dst, 115.61.168.229, 'RedDelta Administration Server'
ip-dst, 115.61.169.139, 'RedDelta Administration Server'
ip-dst, 115.61.170.105, 'RedDelta Administration Server'
ip-dst, 115.61.170.70, 'RedDelta Administration Server'
ip-dst, 182.114.108.91, 'RedDelta Administration Server'
ip-dst, 182.114.108.93, 'RedDelta Administration Server'
ip-dst, 182.114.110.11, 'RedDelta Administration Server'
ip-dst, 182.114.110.170, 'RedDelta Administration Server'
ip-dst, 103.79.120.92, 'RedDelta C2 Servers (October–December 2024)'
ip-dst, 45.83.236.105, 'RedDelta C2 Servers (October–December 2024)'
ip-dst, 116.206.178.67, 'RedDelta C2 Servers (October–December 2024)'
ip-dst, 45.133.239.183, 'RedDelta C2 Servers (October–December 2024)'
ip-dst, 116.206.178.68, 'RedDelta C2 Servers (October–December 2024)'
ip-dst, 103.238.225.248, 'RedDelta C2 Servers (October–December 2024)'
ip-dst, 45.133.239.21, 'RedDelta C2 Servers (October–December 2024)'
ip-dst, 103.238.227.183, 'RedDelta C2 Servers (October–December 2024)'
ip-dst, 103.107.104.37, 'RedDelta C2 Servers (October–December 2024)'
ip-dst, 107.148.32.206, 'RedDelta C2 Servers (October–December 2024)'
ip-dst, 167.179.100.144, 'RedDelta C2 Servers (October–December 2024)'
ip-dst, 116.206.178.34, 'RedDelta C2 Servers (October–December 2024)'
ip-dst, 149.104.2.160, 'RedDelta C2 Servers (October–December 2024)'
ip-dst, 207.246.106.38, 'RedDelta C2 Servers (October–December 2024)'
ip-dst, 45.76.132.25, 'RedDelta C2 Servers (October–December 2024)'
ip-dst, 155.138.203.78, 'RedDelta C2 Servers (October–December 2024)'
ip-dst, 144.76.60.136, 'RedDelta C2 Servers (October–December 2024)'
ip-dst, 38.180.75.197, 'RedDelta C2 Servers (October–December 2024)'
ip-dst, 107.155.56.15, 'RedDelta C2 Servers (October–December 2024)'
ip-dst, 107.155.56.87, 'RedDelta C2 Servers (October–December 2024)'
ip-dst, 202.91.36.213, 'RedDelta C2 Servers (October–December 2024)'
ip-dst, 107.155.56.4, 'RedDelta C2 Servers (October–December 2024)'
ip-dst, 149.104.12.64, 'RedDelta C2 Servers (October–December 2024)'
ip-dst, 154.205.136.105, 'RedDelta C2 Servers (October–December 2024)'
ip-dst, 223.26.52.208, 'RedDelta C2 Servers (October–December 2024)'
ip-dst, 45.128.153.73, 'RedDelta C2 Servers (October–December 2024)'
ip-dst, 96.43.101.245, 'RedDelta C2 Servers (October–December 2024)'
ip-dst, 45.135.119.132, 'RedDelta C2 Servers (October–December 2024)'
ip-dst, 161.97.107.93, 'RedDelta C2 Servers (October–December 2024)'
ip-dst, 103.107.105.81, 'RedDelta C2 Servers (October–December 2024)'
ip-dst, 103.107.104.4, 'RedDelta C2 Servers (October–December 2024)'
ip-dst, 103.107.104.57, 'RedDelta C2 Servers (October–December 2024)'
ip-dst, 154.90.47.123, 'RedDelta C2 Servers (October–December 2024)'
ip-dst, 147.78.12.202, 'RedDelta C2 Servers (October–December 2024)'
Full IoCs available in Rectifyq's MISP