RedHotel

Threat Actor Profile (updated 5 days ago)
RedHotel, also tracked as Aquatic Panda, ControlX, and Bronze University, is a threat actor linked to Chinese state-sponsored cyber espionage. It belongs to a wider network of espionage operations that includes RedAlpha, Poison Carp, and the contractor i-SOON; one line of activity across this network is the theft of telecommunications data used to track individuals. RedHotel is a prolific group that targets organizations of interest to the Chinese government, and it appears in 2,157 other domains in this dataset that could potentially be associated with it.

The connection between these groups was established by Recorded Future's Insikt Group through analysis of data leaked from i-SOON: the leaked documents link i-SOON to RedHotel, RedAlpha, and Poison Carp. Notably, victim organizations referenced in the i-SOON leak overlap with historically identified RedHotel victims, including Nepal Telecom, Cambodia's Ministry of Economy and Finance, and Thai government departments, among others.

After the leak received widespread media coverage, changes were observed in the infrastructure operated by RedAlpha and RedHotel. According to Kelly of Information Security Media Group, Insikt Group has identified new domain and infrastructure development by the i-SOON-linked groups RedAlpha and RedHotel since the material was leaked. This suggests the groups are adapting to the exposure rather than standing down, underlining the continuing threat posed by RedHotel and its associated entities.
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so listed below are some possibly overlapping names and profiles you may also want to look at. Each entry gives the profile name, the number of overlap votes, and the profile description.

Redalpha (2 votes): RedAlpha, also known as DeepCliff, is an advanced persistent threat (APT) group that has been linked to Chinese state-sponsored cyber espionage activities. The group is known for its spyware campaigns against Tibetan minorities and has been identified in association with other threat groups such as

Bronze University (2 votes): Bronze University, also known as Aquatic Panda, ControlX, RedHotel, and Earth Lusca, is a threat actor group believed to be a Chinese state-sponsored hacking operation. The group has been active since 2021, targeting government, aerospace, education, telecommunications, media, and research organizat

TAG-22 (1 vote): Threat Activity Group 22 (TAG-22), also known as RedHotel, is a suspected Chinese state-sponsored threat actor that has been identified by Recorded Future. This group has been actively targeting various sectors including telecommunications, academia, research and development, and government organiza

Charcoal Typhoon (1 vote): Charcoal Typhoon, a China-affiliated threat actor, has been identified as one of the state-backed groups using OpenAI's ChatGPT for malicious purposes. The group is known for focusing on tracking groups in Taiwan, Thailand, Mongolia, Malaysia, France, Nepal, and individuals globally that oppose Chin

APT27 (1 vote): APT27, also known as Iron Taurus, is a Chinese threat actor group that primarily engages in cyber operations with the goal of intellectual property theft. The group targets multiple organizations worldwide, including those in North and South America, Europe, and the Middle East. APT27 utilizes vario

Aquatic Panda (1 vote): Aquatic Panda, also known as Charcoal Typhoon, ControlX, RedHotel, and Bronze University, is a significant threat actor suspected of state-backed cyber espionage activities. This group has been particularly active in the recent quarter, ranking amongst the top geopolitical groups targeting

Poison Carp (1 vote): Poison Carp, also known as Insomnia, is a threat actor that has been associated with various malicious cyber activities. These activities have particularly targeted Tibetan minorities, highlighting the group's focus on specific sociopolitical issues. This threat actor is part of a larger network of

I-Soon (1 vote): i-SOON, a threat actor believed to be operating out of China, has come into the limelight due to a significant data leak. The leaked documents provide an inside view of i-SOON's operations, revealing its role in executing cyberespionage campaigns on behalf of various Chinese government agencies. Thi
Miscellaneous Associations
Other elements of context (tags) that could aid in judging relevance:
Chinese
Espionage
Malware
Exploit
Reconnaissance
Government
Windows
State Sponso...
Cobalt Strike
Zimbra
APT
Domains
ISOON
Associated Malware
Each entry gives the malware name, the association type, the number of votes, and the profile description.

ShadowPad (type unspecified, 2 votes): ShadowPad is a modular backdoor malware that has been utilized by several Chinese threat groups since at least 2017. Notably, it was used as the payload in supply chain attacks targeting South Asian governments, as reported in the VB2023 paper. ShadowPad provides near-administrative capabilities in

Brute Ratel (type unspecified, 1 vote): Brute Ratel is a sophisticated malware variant that has been used in a series of cyber attacks targeting diplomatic staff and other sensitive targets. It's delivered through custom loaders embedded in lure documents, which are designed to trick the recipient into triggering the infection process. On
Associated Threat Actors
Each entry gives the actor name, the association type, the number of votes, and the profile description.

Winnti (type unspecified, 2 votes): Winnti, a threat actor or group also known as Starchy Taurus and APT41, has been active since at least 2007 and was first identified by Kaspersky in 2013. This Chinese state-sponsored entity is renowned for its ability to target the supply chains of legitimate software to disseminate malware. The group is link

Blackfly (type unspecified, 1 vote): Blackfly is a threat actor, tracked by Symantec, that has been involved in cyber-attacks primarily targeting South Korean companies, especially those in the video game and software development industry. The group initiated its activities with a campaign to steal certificates, which were later utiliz

Earth Lusca (type unspecified, 1 vote): Earth Lusca, a threat actor known for its malicious activities in the cyber world, has recently expanded its arsenal with the addition of a new tool, the SprySOCKS Linux malware. This development was reported by Security Affairs in 2023. Earth Lusca can be an individual, a private company, or pa
Associated Vulnerabilities
No associations to display
Source Document References
Information about the RedHotel threat actor was read from the documents listed below (source, date added, title). This display is limited to 20 results.

Recorded Future, 5 days ago: Attributing I-SOON: Private Contractor Linked to Multiple Chinese State-sponsored Groups
BankInfoSecurity, 4 months ago: iSoon Leak Shows Links to Chinese APT Groups
Recorded Future, 4 months ago: Attributing I-SOON: Private Contractor Linked to Multiple Chinese State-sponsored Groups
BankInfoSecurity, 5 months ago: OpenAI and Microsoft Terminate State-Backed Hacker Accounts
CERT-EU, 9 months ago: Semiconductor firms targeted by Chinese hackers
CERT-EU, 9 months ago: China-linked cyberspies backdoor semiconductor firms with Cobalt Strike
CERT-EU, a year ago: China-Linked Hackers Strike Worldwide: 17 Nations Hit in 3-Year Cyber Campaign – GIXtools
CERT-EU, 10 months ago: RedHotel Attack Infrastructure: A DNS Deep Dive
CERT-EU, a year ago: Global hacking campaign launched by Chinese hacking operation
DARKReading, a year ago: RedHotel Checks in as Dominant China-Backed Cyberspy Group
CERT-EU, a year ago: RedHotel Chinese APT Hackers Attack Government Entities & Intelligence Organizations
Recorded Future, a year ago: RedHotel: A Prolific, Chinese State-Sponsored Group Operating at a Global Scale | Recorded Future