RedDelta

Threat Actor updated 5 months ago (2024-05-04T20:51:11.461Z)

Download STIX

Preview STIX

RedDelta, also known as Bronze President, is a threat actor that has been conducting cyber-espionage attacks since 2014. It is one of the likely Ministry of State Security (MSS)-linked groups which include APT10, APT17, APT27, APT40, APT41, TAG-22, and RedBravo among others. The organization's activities show overlaps with other Chinese Advanced Persistent Threat (APT) actors like Earth Preta and Camaro Dragon, suggesting shared tactics, techniques, or infrastructure. The SmugX campaign, active since at least December 2022, shows significant overlap with previously reported activity by RedDelta and another Chinese APT group, Mustang Panda. Despite these correlations, there is insufficient evidence to definitively link the SmugX campaign to either group. The victimology and lure tactics employed in the SmugX campaign are highly correlated to those described in reports about RedDelta and Mustang Panda, further indicating possible connections. Researchers have found several similarities between the infrastructure used in the SmugX campaign and previous campaigns attributed to RedDelta and Mustang Panda, including similarities involving certificates and IP addresses. However, absolute links concerning this campaign, tracked as SmugX, to previous campaigns attributed to RedDelta and Mustang Panda could not be proven. This highlights the complex and often obfuscated nature of attributing cyber-espionage activities to specific threat actors.

Description last updated: 2024-05-04T16:40:40.271Z

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.

Alias Description	Votes
Mustang Panda is a possible alias for RedDelta. Mustang Panda, a China-aligned Advanced Persistent Threat (APT) group, has been identified as a significant cyber threat actor involved in a series of malicious activities. Notably, Mustang Panda was found to be associated with the BRONZE PRESIDENT phishing lure, which delivered PlugX and used modif	5
Camaro Dragon is a possible alias for RedDelta. Camaro Dragon, a Chinese state-sponsored threat actor also known as Mustang Panda, Bronze President, RedDelta, Luminous Moth, Earth Preta, and Stately Taurus, has been identified as a significant cybersecurity concern. The group has been active since at least 2012 and is known for its sophisticated	4
BRONZE PRESIDENT is a possible alias for RedDelta. Bronze President, a Chinese-state-sponsored APT group also known as Mustang Panda, has been identified as a significant threat actor in data theft campaigns. The group has deployed a variety of remote access tools, including Cobalt Strike and RCSession, to steal data from targeted organizations. Bro	2

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Apt

Chinese

State Sponso...

Espionage

Html

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Associated Malware

To see the evidence that has resulted in these malware associations, create a free account

Alias Description	Association Type	Votes
The PlugX Malware is associated with RedDelta. PlugX is a Remote Access Trojan (RAT) malware known for its stealthy operations and destructive capabilities. It is often used by threat actors to exploit and damage computer systems, steal personal information, disrupt operations, or hold data hostage for ransom. Its deployment has been linked to s	Unspecified	3

Source Document References

Information about the RedDelta Threat Actor was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
CERT-EU	a year ago	Multiple Chinese APTs are attacking European targets, EU cyber agency warns \| #ukscams \| #datingscams \| #european \| #datingscams \| #love \| #relationships \| #scams \| #pof \| #match.com \| #dating \| National Cyber Security Consulting
CERT-EU	a year ago	Chinese Hackers Use HTML Smuggling to Infiltrate European Ministries with PlugX
Checkpoint	a year ago	10th July – Threat Intelligence Report - Check Point Research
CERT-EU	a year ago	European Government Agencies Targeted In SmugX Campaign
CERT-EU	a year ago	Cyber Security Week in Review: July 7, 2023
DARKReading	a year ago	China's Mustang Panda Linked to SmugX Attacks on European Governments
CERT-EU	a year ago	Novel PlugX malware attacks target European diplomats
CERT-EU	a year ago	Hackers Use HTML Smuggling Technique to Attack European Government Entities
CERT-EU	a year ago	Chinese threat actor attacks diplomats across Europe
Securityaffairs	a year ago	SmugX: Chinese APT uses HTML smuggling to target European Ministries and embassies
CERT-EU	a year ago	Chinese Threat Actors Target Europe in SmugX Campaign
Checkpoint	a year ago	Chinese Threat Actors Targeting Europe in SmugX Campaign - Check Point Research
MITRE	2 years ago	TA416 Goes to Ground and Returns with a Golang PlugX Malware Loader \| Proofpoint US
Recorded Future	2 years ago	Fielding Threats: Cyber, Influence, and Physical Threats to the 2022 FIFA World Cup in Qatar \| Recorded Future
Recorded Future	2 years ago	Fielding Threats: Cyber, Influence, and Physical Threats to the 2022 FIFA World Cup in Qatar \| Recorded Future
Recorded Future	2 years ago	RedDelta Targets European Government Organizations and Continues to Iterate Custom PlugX Variant \| Recorded Future
Recorded Future	2 years ago	2022 Adversary Infrastructure Report
CERT-EU	2 years ago	Over 200 Organizations Targeted in Chinese Cyberespionage Campaign
Securityaffairs	a year ago	China-linked APT Mustang Panda targets TP-Link routers with a custom firmware implant
CERT-EU	a year ago	New Mustang Panda attacks targeting TP-Link routers