Redhotel

Threat Actor updated 2 months ago (2024-09-05T21:17:44.040Z)

Download STIX

Preview STIX

RedHotel is a prolific threat actor group, known for its espionage activities targeting organizations of interest to the Chinese government. The group has been active since at least 2019 and operates alongside other threat groups such as RedAlpha and Poison Carp. Researchers at Recorded Future have linked RedHotel to iSoon, a private contractor with ties to Chinese state hacking groups, through analysis of leaked iSoon data. This link signifies a sophisticated network of espionage operations, including the theft of telecommunications data for tracking individuals. The iSoon leak has garnered widespread media attention, leading to observable changes in the infrastructure developed by RedAlpha and RedHotel, according to Kelly from Information Security Media Group. Furthermore, the group appeared in 2,157 other domains, suggesting potential ties to RedHotel. Since the leak, Insikt Group has identified newly observed domain and infrastructure developments from iSoon-linked groups like RedAlpha and RedHotel, indicating the groups' adaptability and resilience in response to exposure. Victim organizations referenced in the iSoon leak showed significant overlap with historically identified RedHotel victims, including Nepal Telecom, the Ministry of Economy and Finance of Cambodia, and Thai government departments, among others. To mitigate the risk posed by RedHotel, Insikt recommends configuring intrusion detection systems, intrusion prevention systems, or other network defense mechanisms to alert for the external IP addresses and domains likely controlled by RedHotel. These should be followed by a review and necessary blocking if applicable. The use of complex malware like KTLVdoor, more intricate than tools typically used by China-backed cyber-espionage actors like Earth Lusca (aka RedHotel or TAG-22), further underscores the advanced capabilities of this threat actor.

Description last updated: 2024-09-05T21:15:43.239Z

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.

Alias Description	Votes
Bronze University is a possible alias for Redhotel. Bronze University, also known as Aquatic Panda, ControlX, RedHotel, and Earth Lusca, is a threat actor group believed to be a Chinese state-sponsored hacking operation. The group has been active since 2021, targeting government, aerospace, education, telecommunications, media, and research organizat	2
Redalpha is a possible alias for Redhotel. RedAlpha, also known as DeepCliff, is an advanced persistent threat (APT) group that has been linked to Chinese state-sponsored cyber espionage activities. The group is known for its spyware campaigns against Tibetan minorities and has been identified in association with other threat groups such as	2

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Espionage

Malware

Chinese

Exploit

Cobalt Strike

Domains

Government

State Sponso...

Reconnaissance

Windows

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Associated Malware

To see the evidence that has resulted in these malware associations, create a free account

Alias Description	Association Type	Votes
The ShadowPad Malware is associated with Redhotel. ShadowPad is a malicious software (malware) that has been in use since at least 2017, particularly among Chinese threat actors. This modular backdoor malware is designed to exploit and damage computer systems by stealing personal information, disrupting operations, or holding data for ransom. It typ	Unspecified	2

Associated Threat Actors

To see the evidence that has resulted in these threatActor associations, create a free account

Alias Description	Association Type	Votes
The Winnti Threat Actor is associated with Redhotel. Winnti, a notorious threat actor group, has been linked to several sophisticated cyber-espionage activities. First identified by Kaspersky in 2013, it is believed that the group has been active since at least 2007, primarily targeting software supply chains to spread malware. Winnti is part of the A	Unspecified	2

Source Document References

Information about the Redhotel Threat Actor was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
DARKReading	2 months ago	China's 'Earth Lusca' Propagates Multiplatform Backdoor
Recorded Future	4 months ago	Attributing I-SOON: Private Contractor Linked to Multiple Chinese State-sponsored Groups
BankInfoSecurity	7 months ago	iSoon Leak Shows Links to Chinese APT Groups
Recorded Future	7 months ago	Attributing I-SOON: Private Contractor Linked to Multiple Chinese State-sponsored Groups
BankInfoSecurity	8 months ago	OpenAI and Microsoft Terminate State-Backed Hacker Accounts
CERT-EU	a year ago	Semiconductor firms targeted by Chinese hackers
CERT-EU	a year ago	China-linked cyberspies backdoor semiconductor firms with Cobalt Strike
CERT-EU	a year ago	China-Linked Hackers Strike Worldwide: 17 Nations Hit in 3-Year Cyber Campaign – GIXtools
CERT-EU	a year ago	RedHotel Attack Infrastructure: A DNS Deep Dive
CERT-EU	a year ago	Global hacking campaign launched by Chinese hacking operation
DARKReading	a year ago	RedHotel Checks in as Dominant China-Backed Cyberspy Group
CERT-EU	a year ago	RedHotel Chinese APT Hackers Attack Government Entities & Intelligence Organizations
Recorded Future	a year ago	RedHotel: A Prolific, Chinese State-Sponsored Group Operating at a Global Scale \| Recorded Future