Redhotel

Threat Actor updated 23 days ago (2024-11-29T14:42:23.318Z)
RedHotel is a prolific threat actor group known for espionage activity targeting organizations of interest to the Chinese government. The group has been active since at least 2019 and operates alongside other threat groups such as RedAlpha and Poison Carp. Researchers at Recorded Future have linked RedHotel to iSoon, a private contractor with ties to Chinese state hacking groups, through analysis of leaked iSoon data. This link points to a sophisticated network of espionage operations, including the theft of telecommunications data for tracking individuals.

The iSoon leak has garnered widespread media attention, leading to observable changes in the infrastructure developed by RedAlpha and RedHotel, according to Kelly from Information Security Media Group. Furthermore, the same group was observed across 2,157 other domains, suggesting potential ties to RedHotel. Since the leak, Insikt Group has identified newly observed domain and infrastructure developments from iSoon-linked groups such as RedAlpha and RedHotel, indicating the groups' adaptability and resilience in response to exposure. Victim organizations referenced in the iSoon leak overlapped significantly with historically identified RedHotel victims, including Nepal Telecom, the Ministry of Economy and Finance of Cambodia, and Thai government departments, among others.

To mitigate the risk posed by RedHotel, Insikt Group recommends configuring intrusion detection systems, intrusion prevention systems, or other network defense mechanisms to alert on the external IP addresses and domains likely controlled by RedHotel; alerts should then be reviewed and the indicators blocked where applicable. The use of complex malware such as KTLVdoor, more intricate than the tools typically used by China-backed cyber-espionage actors like Earth Lusca (aka RedHotel or TAG-22), further underscores the advanced capabilities of this threat actor.
Description last updated: 2024-09-05T21:15:43.239Z
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you may also want to look at.
Alias / Description
Bronze University is a possible alias for Redhotel. Bronze University, also known as Aquatic Panda, ControlX, RedHotel, and Earth Lusca, is a threat actor group believed to be a Chinese state-sponsored hacking operation. The group has been active since 2021, targeting government, aerospace, education, telecommunications, media, and research organizat
Redalpha is a possible alias for Redhotel. RedAlpha, also known as DeepCliff, is an advanced persistent threat (APT) group that has been linked to Chinese state-sponsored cyber espionage activities. The group is known for its spyware campaigns against Tibetan minorities and has been identified in association with other threat groups such as
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Espionage
Malware
Chinese
Exploit
Cobalt Strike
Domains
Government
State Sponso...
Reconnaissance
Windows
Analyst Notes & Discussion
Associated Malware
Alias / Description / Association Type
The ShadowPad malware is associated with Redhotel. ShadowPad is a sophisticated malware, known for its use in supply chain attacks, particularly against government entities in South Asia. This modular backdoor, which has been active for approximately seven years, is popular among Chinese threat actors. It was notably used as the payload in an attack (association type: Unspecified)
Associated Threat Actors
Alias / Description / Association Type
The Winnti threat actor is associated with Redhotel. Winnti is a threat actor group known for its malicious activities, primarily originating from Chinese Advanced Persistent Threat (APT) operational infrastructure. The group, which has been active since at least 2007, was first spotted by Kaspersky in 2013. It is associated with several aliases such (association type: Unspecified)