Redgolf

Threat Actor Profile Updated 3 months ago
RedGolf is a Chinese state-sponsored threat activity group that targets Windows and Linux systems with the KEYPLUG backdoor. Its activity overlaps closely with the clusters tracked as APT41, Wicked Panda, Bronze Atlas and Barium. The first known KEYPLUG activity later associated with RedGolf was reported by Mandiant, which documented the backdoor in intrusions against several U.S. state government networks between May 2021 and February 2022. Recorded Future's Insikt Group described the group as RedGolf in March 2023 and identified a broader cluster of KEYPLUG samples and operational infrastructure in use from at least 2021 to 2023. Public reporting confirms that a Linux variant of the custom modular KEYPLUG backdoor was used against U.S. state government entities during 2021 and 2022.

RedGolf's command-and-control relies on infrastructure tracked as GhostWolf, which includes 42 IP addresses used for KEYPLUG C2, together with Dynamic DNS (DDNS) domains. The group also uses PlugX and Cobalt Strike, tooling common to many Chinese state-sponsored groups; given the feature set and ready availability of these tools, and the attribution noise created by the many other actors using them, their use is expected to continue. RedGolf's tactics, techniques and procedures (TTPs) overlap significantly with those of APT41 and BARIUM. The group is likely to continue its operations with KEYPLUG and its derivatives hosted across a range of providers.
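The profile above is useful to a defender only once its C2 IPs and DDNS domains are turned into matches against DNS and proxy telemetry. The following is an added example, not code from the original page or from Recorded Future's tooling: it pulls plain equality comparisons out of STIX 2.1 indicator patterns (the form in which feeds such as this one export IOCs), refuses patterns it cannot evaluate rather than silently dropping them, and scans constructed log lines for exact IP matches and exact-or-subdomain hostname matches (the latter matters for DDNS names, where the beaconing host is often a child of the registered name). All indicators, log lines and host names are constructed from RFC 5737 / RFC 2606 documentation ranges and are not RedGolf or GhostWolf IOCs.

```python
"""Match STIX 2.1 indicator patterns against DNS/proxy log lines.

Added example; indicator values and log lines are constructed from
documentation address space, not real threat-actor infrastructure.
"""
import re
from typing import Dict, List, Set, Tuple

IOC_TYPES = ("ipv4-addr", "domain-name")

# Constructed STIX 2.1 bundle fragment in the shape a TI feed would export.
STIX_BUNDLE = {
    "type": "bundle",
    "id": "bundle--7b1f7e1a-2c1d-4d6e-9a0e-000000000001",
    "objects": [
        {"type": "indicator", "pattern_type": "stix",
         "pattern": "[ipv4-addr:value = '203.0.113.10']"},
        {"type": "indicator", "pattern_type": "stix",
         "pattern": "[domain-name:value = 'update.example.net']"},
        {"type": "indicator", "pattern_type": "stix",
         "pattern": "[ipv4-addr:value = '198.51.100.7'] OR "
                    "[domain-name:value = 'cdn.example.org']"},
        # Regex comparison: deliberately not supported by this parser.
        {"type": "indicator", "pattern_type": "stix",
         "pattern": "[domain-name:value MATCHES '^.*\\.example\\.net$']"},
        {"type": "malware", "name": "KEYPLUG"},  # not an indicator; skipped
    ],
}

# Constructed log lines (one DNS resolver line, one proxy line per event).
LOG_LINES = [
    "2023-03-30T10:01:02Z dns host=ws-042 query=update.example.net answer=203.0.113.10",
    "2023-03-30T10:01:05Z proxy host=ws-042 dst=203.0.113.10:443 sni=update.example.net",
    "2023-03-30T10:02:00Z dns host=ws-017 query=www.example.com answer=192.0.2.44",
    "2023-03-30T10:03:11Z proxy host=ws-099 dst=198.51.100.7:8443 sni=-",
    "2023-03-30T10:04:40Z dns host=ws-017 query=files.cdn.example.org answer=192.0.2.9",
]

# Only "[type:value = 'x']" comparisons, optionally joined by OR, are parsed.
_COMPARISON = re.compile(r"\[\s*(ipv4-addr|domain-name):value\s*=\s*'([^']+)'\s*\]")
_PATTERN_SHAPE = re.compile(r"^\s*\[[^\]]+\](?:\s+OR\s+\[[^\]]+\])*\s*$")


def extract_iocs(bundle: dict) -> Tuple[Dict[str, Set[str]], List[str]]:
    """Return ({ioc_type: values}, unsupported_patterns) for a STIX bundle."""
    iocs: Dict[str, Set[str]] = {t: set() for t in IOC_TYPES}
    unsupported: List[str] = []
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator" or obj.get("pattern_type", "stix") != "stix":
            continue
        pattern = obj["pattern"]
        found = _COMPARISON.findall(pattern)
        # Every bracketed observation expression must be a supported comparison;
        # MATCHES, AND, START/STOP or other object types are reported, not dropped.
        if not found or not _PATTERN_SHAPE.match(pattern) or len(found) != pattern.count("["):
            unsupported.append(pattern)
            continue
        for ioc_type, value in found:
            iocs[ioc_type].add(value.lower())
    return iocs, unsupported


_IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
_HOST = re.compile(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)+\b", re.IGNORECASE)
_ASSET = re.compile(r"\bhost=(\S+)")


def _domain_hit(name: str, indicators: Set[str]) -> str:
    """Exact match, or name is a subdomain of an indicator (DDNS child names)."""
    name = name.lower()
    for ind in indicators:
        if name == ind or name.endswith("." + ind):
            return ind
    return ""


def scan_logs(lines: List[str], iocs: Dict[str, Set[str]]) -> List[Tuple[int, str, str, str]]:
    """Return (line_no, asset, ioc_type, matched_value) for every hit."""
    hits: List[Tuple[int, str, str, str]] = []
    for n, line in enumerate(lines, 1):
        m = _ASSET.search(line)
        asset = m.group(1) if m else "?"
        ips = set(_IPV4.findall(line))
        for ip in sorted(ips):
            if ip in iocs["ipv4-addr"]:
                hits.append((n, asset, "ipv4-addr", ip))
        for host in _HOST.findall(line):
            # Skip dotted-numeric tokens (already handled as IPs, or version strings).
            if host in ips or host.replace(".", "").isdigit():
                continue
            if _domain_hit(host, iocs["domain-name"]):
                hits.append((n, asset, "domain-name", host))
    return hits


def assets_to_triage(hits: List[Tuple[int, str, str, str]]) -> List[str]:
    """Distinct assets with at least one indicator match, sorted."""
    return sorted({asset for _, asset, _, _ in hits})


if __name__ == "__main__":
    iocs, unsupported = extract_iocs(STIX_BUNDLE)
    for hit in scan_logs(LOG_LINES, iocs):
        print(hit)
    for pattern in unsupported:
        print("unsupported pattern, review manually:", pattern)
```

The unsupported-pattern list is the part worth keeping in production: a feed that mixes regex or time-bounded patterns into a list of equality indicators will otherwise produce quiet false negatives, which is exactly the failure mode an actor rotating through DDNS names and hosting providers benefits from.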
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Profile (votes): Description

Barium (2): Barium, also known as BRONZE ATLAS and part of the APT41 collective, is a China-linked cyberespionage group that has been active since at least 2007. It is associated with several other subgroups, including Wicked Panda, Winnti, Suckfly, and Blackfly. This threat actor has been responsible for vario

KEYPLUG (2): KeyPlug is a modular backdoor malware, written in C++, that has been used extensively by the APT41 group to target systems globally. Notably, between June and December 2021, it was heavily deployed against state government victims, exploiting Windows systems with significant effect. KeyPlug supports

APT41 (2): APT41, also known as Winnti, Wicked Panda, and Wicked Spider, is a sophisticated threat actor attributed to China. This group has been active since at least 2012, targeting organizations across 14 countries. The group is known for its extensive use of various code families and tools, with at least 4

Wicked Panda (1): Wicked Panda, also known as APT41, Double Dragon, and Bronze Atlas, is a state-sponsored threat actor originating from China. Recognized as one of the top cyber threats by the Department of Health and Human Services' Health Sector Cybersecurity Coordination Center, this group has been associated wit

Winnti (1): Winnti is a sophisticated threat actor group, first identified by Kaspersky in 2013, with activities dating back to at least 2007. The group has been associated with the Chinese nation-state and is part of a collective known as APT41, which also includes subgroups like Wicked Panda, Suckfly, and Bar
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Chinese
Cobalt Strike
Linux
State Sponso...
Backdoor
Windows
Zero Day
Exploit
exploited
Malware
Associated Malware
Profile (type, votes): Description

PlugX (Unspecified, 2): PlugX is a remote access trojan (RAT) long associated with Chinese threat actors and used in numerous cyberattacks. It is typically delivered through malicious downloads, e-mail attachments, or compromised websites, and gives the operator remote control of the host for data theft and further intrusion. It
Associated Threat Actors
No associations to display
Associated Vulnerabilities
No associations to display
Source Document References
Information about the Redgolf Threat Actor was read from the documents corpus below. This display is limited to 20 results.
Source (created): Title
CERT-EU (7 months ago): Researchers Unmask Sandman APT's Hidden Link to China-Based KEYPLUG Backdoor
CERT-EU (a year ago): NATO countries targeted by Winter Vivern via Zimbra vulnerability
CERT-EU (a year ago): Links 31/03/2023: Mozilla Turns 25 and OpenMandriva 23.03
Recorded Future (a year ago): With KEYPLUG, China's RedGolf Spies On, Steals From Wide Field of Targets | Recorded Future
CERT-EU (a year ago): Chinese Hackers Using KEYPLUG Backdoor to Attack Windows & Linux Systems
CERT-EU (a year ago): Chinese Hackers Using KEYPLUG Backdoor to Attack Windows & Linux Systems | IT Security News
CERT-EU (a year ago): Windows, Linux systems subjected to Chinese state-backed cyberattacks