Between July 2023 and December 2024, the Chinese state-sponsored hacking group RedDelta conducted a series of cyber attacks against Taiwan, Mongolia, and several countries in Southeast Asia. The group is known for distributing a modified version of the PlugX remote access tool.
The attackers relied on phishing: emails carrying lure documents themed around political and cultural events, including the elections in Taiwan, Vietnam's National Day, and invitations to regional meetings and conferences.
In August 2024, RedDelta reportedly compromised Mongolia's Ministry of Defense, followed by an attack on the Communist Party of Vietnam in November. Attempts were also made to breach Vietnam's Ministry of Public Security, but there is no evidence that those succeeded. From September to December 2024 the group also targeted organizations in Malaysia, Japan, the USA, Ethiopia, Brazil, Australia, and India.
RedDelta updated its tactics over time, moving from LNK files in 2023 to MSC files in 2024, and began sending links to HTML files hosted on Microsoft Azure. To hide its command-and-control servers, the group placed them behind the Cloudflare CDN, making its infrastructure harder to identify and track.
RedDelta's activity centered on China's geopolitical priorities, particularly diplomatic and government entities in Southeast Asia, Mongolia, and Taiwan, and the group has shown that it adapts its methods in response to global events.
Over the years, RedDelta has targeted a wide range of organizations, including the Catholic Church ahead of its negotiations with the Vatican, law enforcement agencies in India, and government institutions in Indonesia. In 2023 it also returned to historical targets: Mongolian NGOs, Buddhist activists, and application developers.
Security experts recommend that organizations strengthen their defenses with detection tooling such as YARA and Sigma rules, keep software updated, enforce two-factor authentication, and segment their networks. They also advise blocking suspicious IP addresses and domains and continuously monitoring and analyzing activity logs.
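The delivery vectors named above (LNK attachments in 2023, MSC attachments in 2024, and links to HTML files on Azure-hosted storage) are the kind of thing the recommended log monitoring should surface. The following is an added example of such triage logic, not code from the article or from Recorded Future: it parses a constructed mail-gateway log format, flags messages carrying attachments with the named extensions or links to HTML files on Azure storage hostnames, and returns structured findings. The log line format, the sender addresses (on the reserved `.invalid` domain) and the hostnames are all constructed; the Azure suffixes are real service domains, but treating links to them as suspicious is a local policy choice, not something the article prescribes.

```python
"""Triage constructed mail-gateway log lines for the lure-delivery vectors
the article attributes to RedDelta: LNK and MSC attachments, and links to
HTML files on Azure-hosted storage. Example code, not from the article or
Recorded Future; log format, senders and hostnames are constructed."""
import re
from dataclasses import dataclass, field
from typing import Iterable, List, Optional

# Attachment extensions the article associates with the group's lures.
SUSPECT_EXTENSIONS = {".lnk", ".msc"}

# Assumption (local policy, not from the article): HTML lures served from
# these Azure storage/app-hosting suffixes are worth a closer look.
CLOUD_SUFFIXES = (".blob.core.windows.net", ".azurewebsites.net")

# Constructed log format:
#   ts=<ISO8601> from=<addr> subject="<text>" attach=<a;b;...> urls=<u;v;...>
LINE_RE = re.compile(
    r'ts=(?P<ts>\S+) from=(?P<sender>\S+) subject="(?P<subject>[^"]*)" '
    r"attach=(?P<attach>\S*) urls=(?P<urls>\S*)"
)


@dataclass
class Finding:
    ts: str
    sender: str
    subject: str
    reasons: List[str] = field(default_factory=list)


def extension_of(name: str) -> str:
    """Return the final, lower-cased extension ('' if none)."""
    dot = name.rfind(".")
    return name[dot:].lower() if dot >= 0 else ""


def host_of(url: str) -> str:
    """Extract the host part of an http(s) URL, lower-cased."""
    m = re.match(r"https?://([^/:?#]+)", url, re.IGNORECASE)
    return m.group(1).lower() if m else ""


def is_cloud_html_link(url: str) -> bool:
    """True when the URL path ends in .htm/.html and the host is on a
    configured cloud-hosting suffix."""
    path = url.split("?", 1)[0].lower()
    return path.endswith((".html", ".htm")) and host_of(url).endswith(CLOUD_SUFFIXES)


def triage_line(line: str) -> Optional[Finding]:
    """Parse one log line; return a Finding if any vector matches, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None  # unparseable lines are ignored, not treated as hits
    attachments = [a for a in m["attach"].split(";") if a]
    urls = [u for u in m["urls"].split(";") if u]
    reasons: List[str] = []
    for name in attachments:
        ext = extension_of(name)
        if ext in SUSPECT_EXTENSIONS:
            reasons.append(f"attachment {name} has suspect extension {ext}")
    for url in urls:
        if is_cloud_html_link(url):
            reasons.append(f"link to HTML file on cloud storage: {url}")
    if not reasons:
        return None
    return Finding(m["ts"], m["sender"], m["subject"], reasons)


def triage(lines: Iterable[str]) -> List[Finding]:
    """Run triage_line over a log and keep only the hits."""
    return [f for f in (triage_line(line) for line in lines) if f]


# Constructed sample log: three lures matching the named vectors, one benign.
SAMPLE_LOG = [
    'ts=2023-06-14T09:00:00Z from=news@example.invalid subject="Election briefing" '
    "attach=briefing.lnk urls=",
    'ts=2024-11-05T08:12:00Z from=invite@example.invalid subject="Conference agenda" '
    "attach=agenda.pdf.msc urls=",
    'ts=2024-09-01T10:30:00Z from=events@example.invalid subject="National Day invitation" '
    "attach= urls=https://lure-example.blob.core.windows.net/docs/invite.html",
    'ts=2024-09-02T11:00:00Z from=hr@example.invalid subject="Payroll" '
    "attach=payslip.pdf urls=https://intranet.example.invalid/notice.html",
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding.ts, finding.sender, finding.subject)
        for reason in finding.reasons:
            print("   -", reason)
```

The double extension in `agenda.pdf.msc` is why only the final extension is examined: a display name ending in `.pdf` somewhere in the middle is irrelevant to what the mail client will execute. In production the `SUSPECT_EXTENSIONS` and `CLOUD_SUFFIXES` sets would be maintained as data alongside the organization's own allowlists, and hits would feed a SIEM rather than stdout.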
Analysts expect RedDelta to keep evolving its tactics and to continue targeting government and religious structures in Asia and beyond. Recorded Future, whose researchers published these findings, has been designated an undesirable organization in Russia.