New Insikt Group research examines RedHotel, a Chinese state-sponsored threat activity group that stands out due to its persistence, operational intensity, and global reach. RedHotel's operations span 17 countries in Asia, Europe, and North America from 2021 to 2023. Its targets encompass academia, aerospace, government, media, telecommunications, and research sectors. Particularly focused on Southeast Asia's governments and private companies in specified sectors, RedHotel's infrastructure for malware command-and-control, reconnaissance, and exploitation points to administration in Chengdu, China. Its methods align with other contractor groups linked to China's Ministry of State Security (MSS), indicating a nexus of cyber talent and operations in Chengdu.
Schematic of RedHotel’s multi-tiered C2 infrastructure network
Since at least 2019, RedHotel has exemplified a relentless scope and scale of wider PRC state-sponsored cyber-espionage activity by maintaining a high operational tempo and targeting public and private sector organizations globally. The group has dual missions of intelligence gathering and economic espionage. It targets both government entities for traditional intelligence and organizations involved in COVID-19 research and technology R&D. Notably, it compromised a US state legislature in 2022, highlighting its expanded reach. The majority of observed victim organizations were government organizations, including prime ministers’ offices, finance ministries, legislative bodies, and interior ministries, aligning with the group’s likely espionage tasking. However, on some occasions, such as the group’s targeting of the Industrial Technology Research Institute (ITRI) in Taiwan, reported in July 2021, or of COVID-19 research, the likely motivation was industrial and economic espionage. The group’s historical targeting of the online gambling industry catering to the Chinese market is also indicative of wider trends across China-based cyber-espionage actors observed by Insikt Group, and is likely in part intended to gather intelligence in support of wider crackdowns on online gambling by the Chinese government.
RedHotel Tech Stack
RedHotel employs a multi-tiered infrastructure with a distinct focus on reconnaissance and long-term network access via command-and-control servers. The group’s multi-tier infrastructure setup consists of large quantities of provisioned virtual private servers (VPS) configured to act as reverse proxies for C2 traffic associated with the multiple malware families used by the group. These reverse proxy servers are typically configured to listen on standard HTTP(s) ports such as TCP 80, 443, 8080, and 8443) and to redirect traffic to upstream actor-controlled servers. These upstream servers are then likely directly administered by the threat actor using the open-source virtual private network (VPN) software SoftEther.
The group often utilizes a mix of offensive security tools, shared capabilities, and bespoke tooling, including Cobalt Strike, Brute Ratel C4, Winnti, ShadowPad, and the FunnySwitch and Spyder backdoors. Throughout 2022 and 2023, Insikt Group tracked over 100 C2 IP addresses in use by RedHotel, with the group heavily favoring particular hosting providers including AS-CHOOPA (Vultr), G-Core Labs S.A., and Kaopu Cloud HK Limited. Threat actor preference for particular hosting providers is likely influenced by factors such as cost, reliability, ease of setup, data center locations, perceived level of cooperation with or collection from governments and private sector organizations, and the speed and willingness with which hosting providers deal with malicious use of their services.
Recorded Future's Insikt Group observes various Chinese state-sponsored cyber threats, with RedHotel standing out for its broad scope and intensity of activity. RedHotel's campaigns include innovations such as exploiting a stolen code signing certificate and commandeering Vietnamese government infrastructure. Despite public exposure, RedHotel's bold approach suggests it will persist in its activities.
Defense Strategies
Organizations can defend against RedHotel activity by prioritizing hardening and vulnerability patching of internet-facing appliances (particularly corporate VPN, mail server, and network devices), logging and monitoring of these devices, and implementing network segmentation to limit exposure and lateral movement potential to internal networks
Note: This report summary was first published on August 8, 2023 and has been updated on October 29, 2024. The original analysis and findings remain unchanged.
To read the entire analysis with endnotes, click here to download the report as a PDF.
Appendix A — Indicators of Compromise
Domains: |
|---|
Appendix B — Mitre ATT&CK Techniques
Tactic: Technique | ATT&CK Code | Observable |
|---|---|---|
Reconnaissance: Active Scanning: Vulnerability Scanning | RedHotel has used vulnerability scanning tools such as Acunetix to scan externally facing appliances for vulnerabilities | |
Resource Development: Acquire Infrastructure: Domains | RedHotel has purchased domains, primarily via Namecheap. | |
Resource Development: Acquire Infrastructure: Virtual Private Server | RedHotel has provisioned actor-controlled VPS, with a preference for the providers Choopa (Vultr), G-Core, and Kaopu Cloud HK Limited. | |
Resource Development: Compromise Infrastructure: Server | RedHotel has also used compromised GlassFish servers as Cobalt Strike C2s and to scan target networks. | |
Initial Access: Exploit Public-Facing Application | RedHotel has exploited public-facing applications for initial access, including Zimbra Collaboration Suite (CVE-2022-24682, CVE-2022-27924, CVE-2022-27925 chained with CVE-2022-37042, and CVE-2022-30333), Microsoft Exchange (ProxyShell), and the Log4Shell vulnerability in Apache Log4J. | |
Initial Access: Spearphishing: Spearphishing Attachment | RedHotel has used archive spearphishing attachments containing shortcut (LNK) files which fetch remotely hosted scripts (HTA, VBScript). These scripts are then used to trigger DLL search order hijacking infection chains and display decoy documents to users. | |
Persistence: Server Software Component: Web Shell | RedHotel has used web shells within victim environments and to interact with compromised GlassFish servers | |
Persistence:: Scheduled Task/Job: Scheduled Task | RedHotel has used scheduled tasks for persistence for the group’s Spyder backdoor:
| |
Persistence: Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | The ScatterBee ShadowPad loader persists via the Run registry key and also stores the encrypted ShadowPad payload in the registry. | |
Defense Evasion: Obfuscated Files or Information | RedHotel has used the tool ScatterBee to obfuscate ShadowPad payloads. The group has also repeatedly stored encrypted or encoded payloads within files named | |
Defense Evasion: Deobfuscate/Decode Files or Information | ||
Defense Evasion: Subvert Trust Controls: Code Signing | RedHotel has signed malicious binaries using stolen code signing certificates (such as the referenced WANIN International certificate). | |
Defense Evasion: Hijack Execution Flow: DLL Search Order Hijacking | RedHotel has abused multiple legitimate executables for DLL search order hijacking, including | |
Defense Evasion: Masquerading: Match Legitimate Name or Location | RedHotel has used legitimate file names in tandem with DLL search order hijacking to load malicious DLLs. | |
Command and Control: Proxy: External Proxy | RedHotel has used VPS C2s to proxy traffic upstream to actor-controlled servers. | |
Command and Control: Application Layer Protocol: Web Protocols | RedHotel Brute Ratel and Cobalt Strike samples referenced within this report communicate over HTTPS. | |
Exfiltration: Exfiltration Over C2 Channel | RedHotel has exfiltrated data over malware C2 channels. |
