RedNovember
RedNovember is a threat actor also tracked as Storm-2077 and TAG-100. Recorded Future assesses it is highly likely a Chinese state-sponsored threat activity group, and multiple cited sources describe it as a Chinese state or nation-state espionage actor active since at least January 2024 or mid-2024, depending on the source. The group has conducted cyberespionage against high-profile government and private-sector organizations globally, with reported targeting across the U.S., Panama, Taiwan, South Korea, Europe, Southeast Asia, Africa, Oceania, and the broader Americas and Asia. Reported victim sectors include government, diplomatic entities, defense, aerospace, space, telecommunications, aviation, financial and legal services, manufacturing, technology, oil and gas, and research organizations.

RedNovember is reported to focus heavily on initial access through internet-facing edge and perimeter systems. Observed or reported target products include Cisco ASA, F5 BIG-IP, Palo Alto Networks devices including GlobalProtect, Fortinet FortiGate, Sophos SSL VPN, SonicWall, Ivanti Connect Secure, Check Point VPN gateways, Outlook Web Access, Zimbra, and 3CX. Multiple reports state the actor rapidly exploits newly disclosed vulnerabilities and public proof-of-concept exploit code, especially against edge devices, rather than being primarily associated with zero-day use.

Its tooling and post-compromise tradecraft rely heavily on commodity and open-source capabilities. Reported tools include Pantegana, a Go-based backdoor described variously as a backdoor or C2 framework, Cobalt Strike, SparkRAT, and a Go-based loader called LESLIELOADER (also written Leslieloader) used to deploy SparkRAT. Reported malware capabilities include file transfer, system fingerprinting, and interactive command execution across Windows, Linux, and macOS.
Microsoft also reported phishing for credential theft, likely exploitation of edge-facing devices for initial access, and techniques focused on email data theft, including abuse of cloud applications such as eDiscovery and creation of malicious applications with mail-read permissions. Other reporting notes credential harvesting, persistence, reconnaissance, and long-running access to some victims. The group’s operations are repeatedly described as aligning with Chinese strategic and geopolitical interests. Reported activity includes targeting in Taiwan and Panama in proximity to geopolitical and military events of interest to China, reconnaissance against more than 30 Panamanian government organizations in April 2025, and activity observed during a December 2024 Chinese military exercise around Taiwan. Recorded Future also reported overlap or shared malware infrastructure with the China-linked cluster UNC5266. No sub-groups are directly identified in the provided content.
Targeting
Who they target
Sectors the actor has been observed targeting.
- defense
- aerospace
- legal
Tradecraft
4 distinct techniques observed across reporting, grouped by tactic.
Associated malware families
5 malware families attributed to this actor across reporting.
Associated vulnerabilities
1 CVE this actor has used in observed campaigns, exploited in the wild.
Recent activity
18 sources tracked across advisories, community write-ups, and news.
Suspected China state-sponsored espionage cluster targeting global government and private-sector organizations; reported using Pantegana and Cobalt Strike.
RedNovember is a Chinese government-sponsored espionage group known for targeting defense, electronics, and manufacturing companies, likely for the purposes of intellectual property theft and long-term espionage. While there is no public evidence of them specifically targeting robotics firms yet, their modus operandi aligns with targeting sectors prioritized in China's five-year plans, which now include AI and smart robotics.
Forecast-focused discussion of RedNovember’s likely evolution from PoC-driven N-day exploitation of edge devices (VPN/firewall gateways) toward potential zero-day use in 2026; notes attribution/rebranding risk and emphasizes edge-appliance stealth access as the operational objective.
RedNovember is a China-nexus espionage threat actor known for targeting edge devices using N-day vulnerabilities and public proof-of-concept exploits, with a focus on government, defense, and technology organizations. While their tradecraft has primarily relied on exploiting known vulnerabilities, there is a plausible risk they may pivot to using zero-day exploits, following the precedent set by other China-nexus groups.