Chinese State-Sponsored RedDelta Targeted Taiwan, Mongolia, and Southeast Asia with Adapted PlugX Infection Chain www.recordedfuture.com
Between July 2023 and December 2024, Insikt Group observed the Chinese state-sponsored group RedDelta targeting Mongolia, Taiwan, Myanmar, Vietnam, and Cambodia with an adapted infection chain to distribute its customized PlugX backdoor. The group used lure documents themed around the 2024 Taiwanese presidential candidate Terry Gou, the Vietnamese National Holiday, flood protection in Mongolia, and meeting invitations, including an Association of Southeast Asian Nations (ASEAN) meeting. RedDelta likely compromised the Mongolian Ministry of Defense in August 2024 and the Communist Party of Vietnam in November 2024. The group conducted spearphishing targeting the Vietnamese Ministry of Public Security, but Insikt Group observed no evidence of successful compromise. From September to December 2024, RedDelta likely targeted victims in Malaysia, Japan, the United States, Ethiopia, Brazil, Australia, and India.
In late 2023, RedDelta evolved the first stage of its infection chain to leverage a Windows Shortcut (LNK) file likely delivered via spearphishing. In 2024, the group transitioned to using Microsoft Management Console Snap-In Control (MSC) files. Most recently, RedDelta used spearphishing links to prompt a victim to load an HTML file remotely hosted on Microsoft Azure. Since July 2023, RedDelta has consistently used the Cloudflare content distribution network (CDN) to proxy command-and-control (C2) traffic, which enables the group to blend in with legitimate CDN traffic and complicates victim identification. Other state-sponsored groups, including Russia’s BlueAlpha, have similarly leveraged Cloudflare to evade detection.
RedDelta’s activities align with Chinese strategic priorities, focusing on governments and diplomatic organizations in Southeast Asia, Mongolia, and Europe. The group’s Asia-focused targeting in 2023 and 2024 represents a return to the group’s historical focus after targeting European organizations in 2022. RedDelta’s targeting of Mongolia and Taiwan is consistent with the group’s past targeting of groups seen as threats to the Chinese Communist Party’s power.
About RedDelta:
RedDelta has been active since at least 2012 and has focused on targeting Southeast Asia and Mongolia. The group has routinely adapted its targeting in response to global geopolitical events. RedDelta targeted the Vatican and other Catholic organizations with PlugX before 2021 talks between China and the Vatican. The group has compromised law enforcement and government entities in India, a government organization in Indonesia, and other targets across Myanmar, Hong Kong, and Australia.
In 2022, RedDelta shifted toward increased targeting of European government and diplomatic entities following Russia's invasion of Ukraine. This activity used an infection chain that began by delivering an archive file (ZIP, RAR, or ISO), which was likely delivered via spearphishing. The file contained a Windows Shortcut (LNK) file disguised with a double extension (such as .doc.lnk) and a Microsoft Word icon. Hidden folders within the archive contained three files used to complete dynamic-link library (DLL) search order hijacking: a legitimate binary, a malicious DLL loader, and an encrypted PlugX payload that was ultimately loaded into memory. User execution of the Shortcut file led to DLL search order hijacking. In November 2022, RedDelta evolved its tactics to stage the ISO file on a threat actor-controlled domain.
In March 2023, Insikt Group identified RedDelta targeting Mongolia using a similar infection chain that started with a container file (RAR, ZIP, ISO) consisting of an LNK file that triggered a DLL search order hijacking triad located within a hidden nested subdirectory. Decoy documents included an invitation from the World Association of Mongolia and a document claiming to be a BBC news interview about Tibetan Buddhism and Mongolia. RedDelta targeted:
Members of multiple Mongolian non-governmental organizations (NGOs), including a human rights and pro-democracy NGO focused on the Inner Mongolia Autonomous Region
Mongolian Buddhist activists in Mongolia and Japan
Academic professionals in Mongolia and Japan
Developers of two Mongolian mobile applications
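The archive layout described above (a double-extension LNK lure next to a hidden folder holding a legitimate binary, a loader DLL, and an encrypted payload) can be triaged before a user ever opens it. The following is an added example written for this summary, not Insikt Group's own YARA/Sigma rules; it inspects a ZIP's entry names only, and the sample archive it builds is constructed, not a real RedDelta artifact.

```python
import io
import zipfile
from collections import defaultdict
from pathlib import PurePosixPath

# Document extensions a lure borrows for the double extension (e.g. ".doc.lnk").
DOC_EXTS = {".doc", ".docx", ".pdf", ".xls", ".xlsx", ".ppt", ".pptx", ".rtf", ".txt"}

def is_double_ext_lnk(name: str) -> bool:
    """True for names like 'Invitation.doc.lnk': a .lnk whose inner extension mimics a document."""
    suffixes = [s.lower() for s in PurePosixPath(name).suffixes]
    return len(suffixes) >= 2 and suffixes[-1] == ".lnk" and suffixes[-2] in DOC_EXTS

def find_sideload_triads(names):
    """Return directories holding an EXE, a DLL and at least one other file together:
    the DLL search-order hijacking triad (binary, loader, encrypted payload)."""
    by_dir = defaultdict(list)
    for n in names:
        if not n.endswith("/"):  # skip directory entries
            p = PurePosixPath(n)
            by_dir[str(p.parent)].append(p.suffix.lower())
    triads = []
    for d, exts in by_dir.items():
        if ".exe" in exts and ".dll" in exts and any(e not in (".exe", ".dll") for e in exts):
            triads.append(d)
    return sorted(triads)

def triage_archive(data: bytes) -> dict:
    """Flag both infection-chain traits in a ZIP; 'suspicious' requires the lure and the triad."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
    lnks = sorted(n for n in names if is_double_ext_lnk(n))
    triads = find_sideload_triads(names)
    return {"double_ext_lnk": lnks, "triads": triads, "suspicious": bool(lnks and triads)}

def build_sample_archive() -> bytes:
    """Constructed sample mimicking the reported layout; all contents are inert stubs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invitation.doc.lnk", b"stub shortcut")
        zf.writestr("_/__/viewer.exe", b"stub legitimate binary")
        zf.writestr("_/__/viewer.dll", b"stub loader")
        zf.writestr("_/__/viewer.dat", b"stub encrypted payload")
    return buf.getvalue()

if __name__ == "__main__":
    print(triage_archive(build_sample_archive()))
```

The same checks apply to RAR and ISO containers once their entry lists are extracted; this version reads ZIP only because the standard library supports it offline.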
Mitigations:
To detect and mitigate RedDelta activity, organizations should:
Use YARA and Sigma rules provided by Insikt Group to detect RedDelta Windows Installer (MSI), DLL, and LNK files (see below).
Configure intrusion detection systems (IDS), intrusion prevention systems (IPS), and other network defense mechanisms to alert on or block connection attempts from external IP addresses and domains associated with RedDelta (see below).
Keep software and applications — particularly operating systems, antivirus software, and core system utilities — up to date.
Filter email correspondence and scrutinize attachments for malware.
Conduct regular system backups and store them offline and offsite to ensure they are inaccessible via the network.
Adhere to strict compartmentalization of company-sensitive data, institute role-based access, and limit company-wide data access.
Deploy client-based host logging and intrusion detection capabilities to identify and thwart attacks early.
Prevent threat actors from bypassing security by disabling outdated authentication methods.
Implement tools like network IDS, NetFlow collection, host logging, and web proxy, alongside manual monitoring of detection sources.
Practice network segmentation and ensure special protections exist for sensitive information, such as multifactor authentication and restricted access.
Leverage the Recorded Future® Third-Party Intelligence module and Threat Intelligence Browser Extension for real-time monitoring and prioritized vulnerability patching.
Review public guidance (1, 2, 3, 4) and Insikt Group’s “Charting China’s Climb as a Leading Global Cyber Power” report for comprehensive recommendations for mitigating Chinese advanced persistent threat activity more broadly.
Outlook:
Insikt Group anticipates that RedDelta will continue targeting organizations worldwide with its customized PlugX backdoor, focusing on Southeast Asia and China’s periphery, including Mongolia and Taiwan. Likely targets include governments, NGOs, activists, and religious organizations. RedDelta has continually evolved its infection chain and is anticipated to continue doing so in the future in response to major geopolitical developments.
To read the entire analysis, click here to download the report as a PDF.
Published Date: 2025-01-10