Between July 2023 and December 2024, the Chinese state-sponsored threat group RedDelta actively targeted Taiwan, Mongolia, and Southeast Asian countries, deploying a customized version of PlugX, a remote access trojan (RAT).
The attackers employed phishing emails containing lure documents themed around political and cultural events, such as Taiwan’s elections, Vietnam’s National Day, and invitations to meetings, including ASEAN-related events.
In August 2024, RedDelta allegedly compromised the Ministry of Defense in Mongolia, followed by the Communist Party of Vietnam in November. Although attempts were made to breach Vietnam’s Ministry of Public Security, no confirmed intrusions have been reported. From September to December 2024, the group expanded its victim base to include organizations in Malaysia, Japan, the United States, Ethiopia, Brazil, Australia, and India.
RedDelta refined its initial-access tactics over time: in 2023 it relied on LNK files (Windows shortcut files, whose target program runs when the user double-clicks them), while in 2024 it transitioned to MSC files (Microsoft Management Console snap-in files, which are opened by mmc.exe rather than by an office application). In recent months, the group also began sending links to HTML files hosted on Microsoft Azure. To hide the true location of its command-and-control servers, the group fronted them with Cloudflare's CDN, so that the addresses seen in victims' network logs belong to Cloudflare's edge rather than to the attackers' own infrastructure, which complicates blocking and attribution.
RedDelta’s operations align closely with China’s geopolitical priorities, focusing on diplomatic and government institutions in Southeast Asia, Mongolia, and Taiwan. The group consistently adapts its methods in response to global developments.
Over the years, RedDelta has targeted the Catholic Church ahead of negotiations with the Vatican, Indian law enforcement, and Indonesian government agencies. In 2023, the group revisited historical targets, including Mongolian NGOs, Buddhist activists, and application developers.
The Insikt Group recommends that organizations bolster their defenses by deploying YARA and Sigma detection rules, keeping software up to date, enforcing two-factor authentication, and segmenting networks. It is also important to block the malicious IP addresses and domains identified and to review logs regularly.
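The lure file types described above (LNK shortcuts in 2023, MSC console files in 2024) leave a process-creation footprint that the recommended Sigma-style rules can key on: an MSC file is opened by mmc.exe, and a double-clicked shortcut is spawned by explorer.exe, so a console file or script interpreter launched from a user-writable directory is suspicious. The following is an added example written for this page, not code from the Insikt Group report or from any vendor rule set; the event field names, sample paths, rule names, and the list of user-writable locations are assumptions chosen for illustration, and the log lines are constructed, not real telemetry.

```python
import ntpath
import re

# Constructed process-creation events in the spirit of Sysmon Event ID 1 / Windows 4688.
# They are illustrative only, not telemetry from any RedDelta intrusion.
SAMPLE_EVENTS = [
    {  # MSC lure opened from Downloads: should match the user-writable-path rule
        "parent": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\mmc.exe",
        "cmdline": r'"C:\Windows\System32\mmc.exe" "C:\Users\alice\Downloads\ASEAN_Invitation.msc"',
    },
    {  # legitimate console file shipped with Windows: must not fire
        "parent": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\mmc.exe",
        "cmdline": r'"C:\Windows\System32\mmc.exe" "C:\Windows\System32\services.msc"',
    },
    {  # shortcut double-clicked in Explorer launching a hidden PowerShell from Temp
        "parent": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "cmdline": r"powershell.exe -w hidden -nop -File C:\Users\alice\AppData\Local\Temp\invite.ps1",
    },
    {  # same interpreter but parented by a service, so outside the shortcut rule's scope
        "parent": r"C:\Windows\System32\svchost.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "cmdline": r"powershell.exe -File C:\ProgramData\Scripts\inventory.ps1",
    },
    {  # ordinary document opened from the desktop: must not fire
        "parent": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\notepad.exe",
        "cmdline": r"notepad.exe C:\Users\alice\Desktop\notes.txt",
    },
]

# Locations an unprivileged user (and therefore a phishing payload) can write to.
# Assumed list; extend it to match your own environment.
USER_WRITABLE = re.compile(
    r"\\Users\\[^\\]+\\(?:Downloads|Desktop|Documents|AppData)\\|\\Temp\\|\\ProgramData\\|\\Public\\",
    re.IGNORECASE,
)
# A drive-letter path ending in .msc anywhere on the command line.
MSC_PATH = re.compile(r'[A-Za-z]:\\[^"]*?\.msc', re.IGNORECASE)
# Script hosts and LOLBins a shortcut lure typically points at (assumed set).
INTERPRETERS = {
    "powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
    "cscript.exe", "mshta.exe", "rundll32.exe",
}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path; ntpath handles backslashes on any OS."""
    return ntpath.basename(path).lower()


def evaluate(event: dict) -> list[str]:
    """Return the names of the rules an event matches (empty list if benign)."""
    hits = []
    image = basename(event["image"])
    parent = basename(event["parent"])
    cmdline = event["cmdline"]

    # Rule 1: mmc.exe loading a console file from a user-writable location.
    if image == "mmc.exe":
        if any(USER_WRITABLE.search(p) for p in MSC_PATH.findall(cmdline)):
            hits.append("msc_from_user_writable")

    # Rule 2: Explorer (a double-clicked shortcut or file) spawning a script
    # interpreter or LOLBin whose command line points into a user-writable path.
    if parent == "explorer.exe" and image in INTERPRETERS and USER_WRITABLE.search(cmdline):
        hits.append("shortcut_launched_interpreter")

    return hits


def scan(events: list[dict]) -> list[tuple[int, str]]:
    """Run every rule over every event; returns (event index, rule name) pairs."""
    return [(i, rule) for i, ev in enumerate(events) for rule in evaluate(ev)]


if __name__ == "__main__":
    for idx, rule in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {rule} :: {SAMPLE_EVENTS[idx]['cmdline']}")
```

Run against the constructed events, only the Downloads-hosted MSC file and the Explorer-spawned PowerShell from Temp are flagged; the built-in services.msc, the service-parented script, and the desktop text file pass. The same two conditions translate directly into Sigma `process_creation` rules (`Image|endswith: '\mmc.exe'` with a `CommandLine|contains` list of user-writable directories, and `ParentImage|endswith: '\explorer.exe'` with an `Image|endswith` list of interpreters); tune the path list before deployment, since administrators who legitimately run scripts from ProgramData will otherwise generate noise.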
Analysts anticipate that RedDelta will continue evolving its techniques and expanding its attacks on organizations in Asia and beyond, with a particular focus on governmental and religious entities.