RedHotel (also tracked as TAG-22), a Chinese state-sponsored threat group, is well known for its persistence, prominence, operational intensity, and global reach. RedHotel is reported to have targeted organizations in over 17 countries across North America and Asia between 2021 and 2023.
The group poses a threat specifically to government organizations in Southeast Asia and to private companies in selected sectors.
Its operational infrastructure has been linked to contractor groups working for China’s Ministry of State Security (MSS). RedHotel’s main focus is intelligence gathering and cyber-espionage.
RedHotel has been found to employ multi-tiered infrastructure with a narrow focus on reconnaissance and long-term network access through command-and-control (C2) servers. These malware C2 servers were found to be administered from Chengdu, China.
The group has also used the ShadowPad and Winnti malware families, which it shares with other Chinese state-sponsored actors.
RedHotel uses large numbers of virtual private servers (VPSs) as reverse proxies in front of its C2 servers, configured to listen on ports 80, 443, 8443, and 8080.
Its tooling includes Spyder, Cobalt Strike, ShadowPad, and PlugX. RedHotel has also used Brute Ratel, an advanced red-team and adversary simulation framework.
The group was also responsible for the compromise of a US state legislature in June 2022, which was discovered when the organization’s communications were observed being routed to RedHotel-attributed ShadowPad and Cobalt Strike C2 servers.
Furthermore, the group took part in the exploitation of Zimbra Collaboration Suite that targeted several government organizations. This attack was linked to several RedHotel subdomains like
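Both compromises above were recognized the same way: outbound traffic from an internal host was matched against C2 servers and subdomains attributed to the group. The script below is an added example of that defender-side check; it is not code from the article or from Recorded Future's report. Every indicator value (RFC 5737 test addresses, example.* domains) and every log line is a constructed placeholder, and the log format is a hypothetical one chosen for the example. The only values taken from the article are the reverse-proxy ports 80, 443, 8443, and 8080.

```python
"""Match outbound-connection logs against a C2 indicator set.

Added example (not from the article or the Recorded Future report).
All indicators and log lines below are constructed placeholders.
"""
from __future__ import annotations

import ipaddress
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, Optional

# Constructed indicator set: RFC 5737 test addresses and example.* domains,
# NOT real RedHotel indicators. Replace with a vetted IoC feed in practice.
C2_IPS = {"203.0.113.10", "198.51.100.25"}
C2_DOMAINS = {"update-cdn.example.net", "mail-sync.example.org"}
# Ports the article names for RedHotel's VPS reverse proxies.
C2_PORTS = {80, 443, 8443, 8080}

# Constructed log lines in a hypothetical format:
# "<timestamp> <src_ip> <dst_host_or_ip> <dst_port> <bytes_out>"
SAMPLE_LOG = """\
2022-06-01T08:00:01Z 10.0.5.21 update-cdn.example.net 443 1204
2022-06-01T08:00:31Z 10.0.5.21 update-cdn.example.net 443 1198
2022-06-01T08:01:01Z 10.0.5.21 cdn.update-cdn.example.net 8443 1210
2022-06-01T08:03:15Z 10.0.7.4 198.51.100.25 80 512
2022-06-01T08:04:02Z 10.0.7.4 www.example.com 443 20480
2022-06-01T08:05:44Z 10.0.9.9 203.0.113.10 22 300
2022-06-01T08:06:10Z 10.0.5.21 notupdate-cdn.example.net 443 900
"""


@dataclass(frozen=True)
class Hit:
    timestamp: str
    src_ip: str
    dst: str
    dst_port: int
    indicator: str   # the IoC entry that matched
    kind: str        # "ip" or "domain"
    on_c2_port: bool # True if dst_port is one of the article's proxy ports


def match_domain(host: str, domains: set[str]) -> Optional[str]:
    """Return the indicator that `host` equals or is a subdomain of, else None.

    The suffix check requires a dot boundary, so "notupdate-cdn.example.net"
    does not match the indicator "update-cdn.example.net".
    """
    host = host.lower().rstrip(".")
    for d in domains:
        if host == d or host.endswith("." + d):
            return d
    return None


def is_ip(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def scan(lines: Iterable[str], ips: set[str] = C2_IPS,
         domains: set[str] = C2_DOMAINS, ports: set[int] = C2_PORTS) -> list[Hit]:
    """Return one Hit per log line whose destination matches an indicator."""
    hits: list[Hit] = []
    for line in lines:
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines instead of aborting the scan
        ts, src, dst, port_str, _bytes_out = parts
        try:
            port = int(port_str)
        except ValueError:
            continue
        if is_ip(dst):
            if dst in ips:
                hits.append(Hit(ts, src, dst, port, dst, "ip", port in ports))
        else:
            indicator = match_domain(dst, domains)
            if indicator is not None:
                hits.append(Hit(ts, src, dst, port, indicator, "domain", port in ports))
    return hits


def summarize(hits: Iterable[Hit]) -> Counter:
    """Count hits per internal source host; repeated contact with the same
    indicator from one host is what makes a long-term implant stand out."""
    return Counter(h.src_ip for h in hits)


if __name__ == "__main__":
    found = scan(SAMPLE_LOG.splitlines())
    for h in found:
        print(f"{h.timestamp} {h.src_ip} -> {h.dst}:{h.dst_port} "
              f"matched {h.kind} indicator {h.indicator} (c2 port: {h.on_c2_port})")
    print("hits per source host:", dict(summarize(found)))
```

The subdomain check with a dot boundary matters because attributed infrastructure is usually published as a domain plus its subdomains, and a plain substring match would both miss nothing and raise false positives on look-alike names. The port flag is informational only: a match on an attributed address on any port is still a match, and the article's port list should narrow attention, not filter results.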
Recorded Future has published a complete report detailing the group’s tactics, techniques, and other findings about this threat group.
Indicators of Compromise
Cobalt Strike Loaders
Brute Ratel Loaders