RedHotel Checks in as Dominant China-Backed Cyberspy Group

Published: 23/11/2024   Category: security




The APT has been rampaging across three continents on behalf of China's Ministry of State Security, and now claims the throne as king of intelligence gathering and economic espionage.



An advanced persistent threat (APT) is pulling ahead in a crowded field of China state-sponsored actors as a dominant cyber espionage threat. The RedHotel group has so far gone after governments across 17 countries on three continents, conducting both intelligence gathering and economic espionage, with significant infrastructure and tooling to back it all up.
RedHotel (aka TAG-22 or Earth Lusca) has been operating since 2019, but has really ramped up its activity in the last two years, standing out due to its persistence, operational intensity, and global reach, researchers from Recorded Future's Insikt Group revealed in a report published this week.
The group has already conducted attacks in 17 countries across Asia, Europe, and North America. Its formidable back-end support structure comprises two distinct infrastructure clusters: one largely dedicated to reconnaissance and initial access operations, and a second to maintaining long-term access to targeted networks.
While the group is particularly focused on Southeast Asia, it counts among its victims a US state legislature (which it compromised in 2022) as well as numerous other targets in the academic, aerospace, government, media, telecommunications, and research sectors. It also has targeted COVID-19 research, Hong Kong pro-democracy activists, religious minority groups, and online gambling companies.
RedHotel's identification as a distinct entity has gone largely unnoticed due to its use of the previously identified ShadowPad and Winnti backdoor malware families. Since multiple Chinese threat groups, including Blackfly, use these tools, RedHotel has blended in, creating challenges in clustering and attribution, the researchers noted.
However, due to RedHotel's high operational tempo, distinct infrastructure tactics, techniques, and procedures (TTPs), and wider use of both custom and offensive security tooling, the group has now developed a distinct identity as a dominant China-backed threat in its own right, operating out of Chengdu to support China's Ministry of State Security, according to Insikt.
RedHotel is characterized by two key aspects: an expansive two-tiered support infrastructure, and the myriad and diverse ways it attacks victims using both commodity and custom malware.
Insikt documented several observed attacks in its report. In one attack late last year, RedHotel targeted the Vietnamese Institute on State using a stolen code-signing certificate belonging to a Taiwanese gaming company. The cert was used to sign a dynamic-link library (DLL) that loaded the offensive security tool known as Brute Ratel C4.
In the same campaign, the group used a stolen TLS certificate originally belonging to another Vietnamese government department, the Ministry of Education and Training, which the actors continued to use as late as June 2023.
In other threat activity observed in July 2022, RedHotel was linked to exploitation of the Zimbra collaboration suite at government organizations in multiple countries through communication with ShadowPad and Cobalt Strike C2 IP addresses controlled by the group.
In addition to the Winnti and ShadowPad backdoors, RedHotel also uses FunnySwitch and Spyder backdoors in its campaigns, as well as a customized Cobalt Strike command-and-control (C2) profile that masquerades as the Microsoft Windows Compatibility Troubleshooter service.
On the infrastructure side, RedHotel provisions large quantities of virtual private servers that act as reverse proxies for C2 traffic associated with multiple malware families that the threat group uses. These servers are typically configured to listen on standard HTTP(S) ports and to redirect traffic to upstream actor-controlled servers, which are administered using the open-source VPN software SoftEther.
This infrastructure handles long-term intrusion activity, while a separate, noisier infrastructure cluster is used for initial access operations and reconnaissance, according to Insikt.
The report offered a number of strategies for enterprises to defend themselves against RedHotel attacks, as well as a comprehensive list of indicators of compromise (IoCs) that they recommended organizations use to analyze their networks and traffic.
Other recommendations from Insikt include the configuration of intrusion detection systems, intrusion prevention systems, or any network defense mechanisms to provide alerts for the external IP addresses and domains identified in the report as likely controlled by RedHotel, followed by a review and any necessary blocking if applicable.
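As an added illustration of that recommendation (not code from the report or from Insikt), the script below scans constructed flow records for destinations that match an indicator list, and notes when the matched traffic rides on the standard HTTP(S) ports the report says RedHotel's reverse proxies listen on. The indicator values are placeholders; substitute the report's own IoC list.

```python
"""Flag network flows to indicator hosts, as Insikt recommends for RedHotel.
All indicators and flow records here are constructed placeholders."""
from dataclasses import dataclass

# Placeholder indicators (constructed, RFC 5737 / .example values), not real IoCs.
IOC_IPS = {"198.51.100.7", "203.0.113.40"}
IOC_DOMAINS = {"c2-placeholder.example", "update-placeholder.example"}
# The report describes reverse proxies listening on standard HTTP(S) ports.
STANDARD_WEB_PORTS = {80, 443}


@dataclass
class Alert:
    ts: str
    src: str
    dst: str
    dport: int
    reason: str


def domain_matches(host: str) -> bool:
    """True if host equals an indicator domain or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)


def parse_flow(line: str) -> dict:
    """Parse one tab-separated flow line: ts, src, dst, dport, host/SNI ('-' if none)."""
    ts, src, dst, dport, host = line.rstrip("\n").split("\t")
    return {"ts": ts, "src": src, "dst": dst, "dport": int(dport), "host": host}


def scan(lines):
    """Return one Alert per flow whose destination IP or host matches an indicator."""
    alerts = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        f = parse_flow(line)
        reasons = []
        if f["dst"] in IOC_IPS:
            reasons.append("dst IP in indicator list")
        if f["host"] != "-" and domain_matches(f["host"]):
            reasons.append(f"host {f['host']} matches indicator domain")
        if reasons:
            tag = "standard web port" if f["dport"] in STANDARD_WEB_PORTS else f"port {f['dport']}"
            alerts.append(Alert(f["ts"], f["src"], f["dst"], f["dport"], "; ".join(reasons) + f" ({tag})"))
    return alerts


# Constructed sample flows: one benign, one IP hit, one subdomain hit, one hit on a non-web port.
SAMPLE_FLOWS = """\
# ts\tsrc\tdst\tdport\thost (constructed)
2024-11-23T10:00:01Z\t10.0.0.5\t93.184.216.34\t443\twww.example.com
2024-11-23T10:00:07Z\t10.0.0.5\t198.51.100.7\t443\t-
2024-11-23T10:00:09Z\t10.0.0.8\t203.0.113.9\t443\tcdn.c2-placeholder.example
2024-11-23T10:01:30Z\t10.0.0.8\t203.0.113.40\t22\t-
""".splitlines(keepends=True)

if __name__ == "__main__":
    for a in scan(SAMPLE_FLOWS):
        print(a)
```

Matches on a standard web port are consistent with the proxy pattern described above, so the same hit on an unusual port is worth a closer look rather than dismissal.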
Organizations should also take a risk-based approach to vulnerability patching, prioritizing high-risk vulnerabilities and those being exploited in the wild. Moreover, they should ensure security monitoring and detection capabilities are in place for all external-facing services and devices, with follow-up monitoring if webshells, backdoors, reverse shells, or lateral movement are detected.
Insikt also advised an overall practice of network segmentation with extra controls set to handle sensitive information, including restricting access and storage to systems only accessible via an internal network.
