
Chinese Hackers Target Global Governments with Pantegana and Cobalt Strike

The Rise of RedNovember: Chinese State-Sponsored Cyber Espionage

Recently, a suspected cyber espionage activity cluster has been identified targeting global government and private sector organizations across continents. This threat actor, previously known as TAG-100, has now been named RedNovember, also tracked by Microsoft as Storm-2077.

According to a report by Recorded Future, RedNovember was active between June 2024 and July 2025, focusing on high-profile organizations worldwide. The group has targeted perimeter appliances and used backdoors such as Pantegana and Cobalt Strike in its intrusions.

Expanding Targeting Remit

RedNovember has expanded its scope to include government and private sector organizations in the defense, aerospace, and space sectors, as well as law firms. New victims of this threat actor range from a ministry of foreign affairs in Central Asia to US defense contractors and European government entities.

Utilizing known security flaws in internet-facing perimeter appliances, RedNovember has gained initial access to networks. The group’s focus on VPNs, firewalls, and email servers aligns with tactics employed by Chinese state-sponsored hacking groups.

Advanced Tradecraft and Tactics

A distinctive aspect of RedNovember’s operations is the use of open-source tools like Pantegana and Spark RAT, which complicates attribution. Additionally, the group leverages legitimate programs like Cobalt Strike to maintain persistence on compromised devices.

RedNovember utilizes VPN services like ExpressVPN and Warp VPN to connect to servers for exploitation, communication, and administration. The group’s activities involve launching Cobalt Strike Beacons on compromised devices using a Go-based loader called LESLIELOADER.

Global Reach and Intelligence Requirements

Between June 2024 and May 2025, RedNovember targeted countries such as Panama, the US, Taiwan, and South Korea. Recent attacks on Ivanti Connect Secure appliances in the US highlight the group’s persistent targeting of critical infrastructure.

Recorded Future also observed RedNovember targeting Microsoft Outlook Web Access portals belonging to a South American country before a state visit to China. The group’s diverse targeting across countries and sectors underscores its broad intelligence requirements.

For more information on RedNovember’s activities and impact, you can read the full report here.
