Redgolf

Threat Actor updated 7 months ago (2024-05-04T19:19:03.304Z)
RedGolf is a Chinese state-sponsored threat activity group that has targeted Windows and Linux systems with the KEYPLUG backdoor. Its activity is closely associated with the groups tracked as APT41, Wicked Panda, Bronze Atlas, and Barium. Mandiant first reported RedGolf's use of KEYPLUG in attacks against several U.S. state government networks between May 2021 and February 2022, and Recorded Future confirmed the group's continued activity in March 2023, underlining the persistent threat it poses. RedGolf operations rely on GhostWolf infrastructure, a set of 42 IP addresses used for KEYPLUG command-and-control. The group also uses PlugX and Cobalt Strike, tools common to many Chinese state-sponsored groups; their use is expected to continue because of their feature set, ready availability, and the way shared tooling blurs attribution among the many actors that rely on it. RedGolf's Tactics, Techniques, and Procedures (TTPs) overlap significantly with those of APT41 and BARIUM. Beyond KEYPLUG, the group has been observed using Cobalt Strike, PlugX, and Dynamic DNS (DDNS) domains. Recorded Future's Insikt Group has identified a broader cluster of KEYPLUG samples and operational infrastructure used by RedGolf from at least 2021 to 2023, and public reporting confirms that RedGolf used a Linux version of the custom modular backdoor KEYPLUG against US state government entities during 2021 and 2022. The group is likely to continue its operations using KEYPLUG and its derivatives across a range of hosting providers.
Description last updated: 2024-05-04T18:54:48.048Z
Possible Aliases / Cluster overlaps
Cluster overlaps and naming conventions differ between vendors, so the following are possible overlapping names and profiles that may also be relevant.
Alias / Description / Votes

APT41 (votes: 2). APT41 is a possible alias for Redgolf. APT41, also known as Winnti, is a threat actor suspected to be originating from China, with its activities dating back to as early as 2012. It has targeted organizations in at least 14 countries and has been associated with the use of at least 46 different code families and tools. The group's activi

Barium (votes: 2). Barium is a possible alias for Redgolf. Barium, also known as BRONZE ATLAS or APT41, is a threat actor that has been associated with various malicious activities. Originating from China and active since at least 2007, this group has been implicated in cyberespionage efforts targeting multiple sectors across the globe. In 2017, according t

KEYPLUG (votes: 2). KEYPLUG is a possible alias for Redgolf. KeyPlug is a sophisticated malware developed by APT41, also known as the Chinese RedGolf Group. It is written in C++ and supports multiple network protocols for command and control (C2) traffic, including HTTP, TCP, KCP over UDP, and WSS. The malware was primarily used to target Windows systems, spec
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Windows
Linux
Cobalt Strike
State Sponso...
Backdoor
Chinese
Associated Malware
Alias / Description / Association Type / Votes

PlugX (association type: Unspecified; votes: 2). The PlugX malware is associated with Redgolf. PlugX is a Remote Access Trojan (RAT) known for its stealthy operations and destructive capabilities. It is often used by threat actors to exploit and damage computer systems, steal personal information, disrupt operations, or hold data hostage for ransom. Its deployment has been linked to s
Source Document References
Information about the Redgolf threat actor was drawn from the document corpus referenced below. This display is limited to 20 results.