Chinese State-Sponsored RedDelta Targeted Taiwan, Mongolia, and Southeast Asia with Adapted PlugX Infection Chain
Tags
cmtmf-attack-pattern: Acquire Infrastructure, Boot Or Logon Autostart Execution, Command And Scripting Interpreter, Geofencing, Masquerading
country: Australia, Bolivia, Brazil, Malaysia, Cambodia, China, Ethiopia, Hong Kong, India, Indonesia, Japan, Mongolia, Myanmar, Vietnam, Taiwan, Ukraine, United States Of America, U.S. Virgin Islands
maec-delivery-vectors: Watering Hole
attack-pattern: Acquire Infrastructure Data Acquire Infrastructure - T1583, Boot Or Logon Autostart Execution - T1547, Command And Scripting Interpreter - T1623, Dll Search Order Hijacking - T1574.001, Domains - T1583.001, Domains - T1584.001, Double File Extension - T1036.007, Encrypted Channel - T1521, Encrypted Channel - T1573, Execution Guardrails - T1480, Execution Guardrails - T1627, Geofencing - T1627.001, Geofencing - T1581, Hijack Execution Flow - T1625, Hijack Execution Flow - T1574, Ip Addresses - T1590.005, Malicious File - T1204.002, Malware - T1587.001, Malware - T1588.001, Masquerading - T1655, Match Legitimate Name Or Location - T1036.005, Match Legitimate Name Or Location - T1655.001, Mmc - T1218.014, System Information Discovery - T1426, Msiexec - T1218.007, Phishing - T1660, Phishing - T1566, Powershell - T1059.001, Registry Run Keys / Startup Folder - T1547.001, Software - T1592.002, Spearphishing Attachment - T1566.001, Spearphishing Attachment - T1598.002, Spearphishing Link - T1566.002, Spearphishing Link - T1598.003, Standard Encoding - T1132.001, Symmetric Cryptography - T1521.001, Symmetric Cryptography - T1573.001, Web Protocols - T1071.001, Web Service - T1481, Virtual Private Server - T1583.003, Virtual Private Server - T1584.003, Command-Line Interface - T1059, Connection Proxy - T1090, Data Encoding - T1132, Deobfuscate/Decode Files Or Information - T1140, Dll Search Order Hijacking - T1038, Masquerading - T1036, Powershell - T1086, Registry Run Keys / Start Folder - T1060, Signed Binary Proxy Execution - T1218, Spearphishing Attachment - T1193, Spearphishing Link - T1192, System Information Discovery - T1082, Web Service - T1102, User Execution - T1204, Masquerading, Spearphishing Attachment, User Execution
Common Information
Type Value
UUID c07143ad-fcc8-4830-a9a1-c742879dd71c
Fingerprint 259fbbd36e2787bc
Analysis status DONE
Considered CTI value 2
Text language
Published Jan. 9, 2025, midnight
Added to db Jan. 9, 2025, 4:19 p.m.
Last updated Jan. 19, 2025, 3:26 a.m.
Headline RedDelta: Chinese State-Sponsored Group Targets Mongolia, Taiwan, and Southeast Asia with Evolving Cyber Threats
Title Chinese State-Sponsored RedDelta Targeted Taiwan, Mongolia, and Southeast Asia with Adapted PlugX Infection Chain
Detected Hints/Tags/Attributes 131/4/319
RSS Feed
Id | Enabled | Feed title | Url | Added to db
359 | | Recorded Future | https://www.recordedfuture.com/feed | 2024-08-30 22:08
Attributes
Type | #Events | Value
Domain | 6 | abecopiers.com
Domain | 6 | alicevivianny.com
Domain | 6 | aljazddra.com
Domain | 6 | alphadawgrecords.com
Domain | 6 | alvinclayman.com
Domain | 6 | antioxidantsnews.com
Domain | 6 | armzrace.com
Domain | 6 | artbykathrynmorin.com
Domain | 6 | atasensors.com
Domain | 6 | bkller.com
Domain | 6 | bonuscuk.com
Domain | 6 | bramjtop.com
Domain | 7 | buyinginfo.org
Domain | 6 | calgarycarfinancing.com
Domain | 6 | comparetextbook.com
Domain | 6 | conflictaslesson.com
Domain | 7 | councilofwizards.com
Domain | 6 | crappienews.com
Domain | 6 | createcopilot.com
Domain | 6 | cuanhuaanbinh.com
Domain | 6 | dmfarmnews.com
Domain | 7 | electrictulsa.com
Domain | 6 | elevateecom.com
Domain | 6 | epsross.com
Domain | 6 | erpdown.com
Domain | 7 | estmongolia.com
Domain | 6 | financialextremed.com
Domain | 6 | finasterideanswers.com
Domain | 6 | flaworkcomp.com
Domain | 6 | flfprlkgpppg.shop
Domain | 7 | getfiledown.com
Domain | 6 | getupdates.net
Domain | 6 | glassdoog.org
Domain | 6 | globaleyenews.com
Domain | 6 | goclamdep.net
Domain | 6 | goodrapp.com
Domain | 6 | gulfesolutions.com
Domain | 6 | hajjnewsbd.com
Domain | 6 | hisnhershealthynhappy.com
Domain | 6 | homeimageidea.com
Domain | 6 | howtotopics.com
Domain | 6 | importsmall.com
Domain | 6 | indiinfo.com
Domain | 6 | infotechtelecom.com
Domain | 6 | inhller.com
Domain | 6 | instalaymantiene.com
Domain | 6 | iplanforamerica.com
Domain | 6 | irprofiles.com
Domain | 6 | itduniversity.com
Domain | 8 | ivibers.com
Domain | 6 | jorzineonline.com
Domain | 6 | kelownahomerenovations.com
Domain | 7 | kentscaffolders.com
Domain | 6 | kerrvillehomeschoolers.com
Domain | 6 | kxmmcdmnb.online
Domain | 6 | lebohdc.com
Domain | 6 | linkonmarketing.com
Domain | 7 | loginge.com
Domain | 6 | lokjopppkuimlpo.shop
Domain | 6 | londonisthereason.com
Domain | 6 | looksnews.com
Domain | 6 | maineasce.com
Domain | 7 | meetviberapi.com
Domain | 6 | mexicoglobaluniversity.com
Domain | 6 | mobilefiledownload.com
Domain | 6 | mojhaloton.com
Domain | 6 | mongolianshipregistrar.com
Domain | 6 | mrytlebeachinfo.com
Domain | 6 | myynzl.com
Domain | 6 | newslandtoday.net
Domain | 6 | normalverkehr.com
Domain | 6 | nymsportsmen.com
Domain | 6 | oncalltechnical.com
Domain | 6 | onmnews.com
Domain | 6 | pgfabrics.com
Domain | 6 | pinaylizzie.com
Domain | 7 | profilepimpz.com
Domain | 6 | quickoffice360.com
Domain | 6 | redactnews.com
Domain | 6 | reformporta.com
Domain | 6 | richwoodgrill.com
Domain | 6 | riversidebreakingnews.com
Domain | 6 | rpcgenetics.com
Domain | 6 | sangkayrealnews.com
Domain | 6 | shreyaninfotech.com
Domain | 7 | smldatacenter.com
Domain | 6 | spencerinfo.net
Domain | 6 | starlightstar.com
Domain | 6 | tasensors.com
Domain | 6 | techoilproducts.com
Domain | 7 | thelocaltribe.com
Domain | 6 | tigermm.com
Domain | 6 | tigernewsmedia.com
Domain | 6 | tophooks.org
Domain | 6 | truckingaccidentattorneyblog.com
Domain | 6 | truff-evadee.com
Domain | 6 | tychonews.com
Domain | 6 | unixhonpo.com
Domain | 6 | usedownload.com
Domain | 6 | vanessalove.com
Domain | 6 | versaillesinfo.com
Domain | 6 | vopaklatinamerica.com
Domain | 6 | windowsfiledownload.com
Domain | 6 | xxmodkiufnsw.shop
Domain | 6 | 365officemail.com
Domain | 6 | 7gzi.com
Domain | 6 | lifeyomi.com
Domain | 6 | cdn7s65.z13.web.core.windows.net
Domain | 6 | edupro4.z13.web.core.windows.net
Domain | 7 | vabercoach.com
File | 5 | final.docx
File | 3 | adobe-setup.msi
File | 14 | hid.dll
File | 48 | msi.dll
File | 10 | formdll.dll
File | 5 | notelogger.dat
File | 3 | inkformdb.dat
File | 3 | ldevice.dat
File | 3 | officeime.dat
File | 10 | onenotem.exe
File | 3 | inkform.exe
File | 3 | excelrepairtoolboxlauncher.exe
File | 4 | ldevicedetectionhelper.exe
File | 5 | imecmnt.exe
File | 3 | c:\users\admin\appdata\roaming\virtualfile\inkform.exe
File | 3 | c:\users\admin\appdata\roaming\virtualfile\formdll.dll
File | 3 | c:\users\public\intelnet\formdll.dll
File | 3 | c:\users\public\intelnet\inkform.exe
File | 3 | c:\users\public\securityscan\formdll.dll
File | 3 | c:\users\public\securityscan\inkform.exe
File | 3 | c:\programdata\intelnet\formdll.dll
File | 3 | c:\programdata\intelnet\inkform.exe
File | 3 | c:\users\admin\samsungdriver\inkform.exe
File | 3 | c:\users\admin\samsungdriver\formdll.dll
File | 3 | c:\users\admin\appdata\local\apgfrwbjwqd\ldevicedetectionhelper.exe
sha256 | 6 | a0a3eeb6973f12fe61e6e90fe5fe8e406a8e00b31b1511a0dfe9a88109d0d129
sha256 | 5 | 2232cd249be265d092ea923452f82aae28f965b48897fe6f05a7cd4495fcd96e
sha256 | 5 | aaad74fbf1b3f499aa2be9f5a86f0d6427c2d807c27532090671295a2b5d67e0
sha256 | 5 | 6e37ad572f1e7d228c8c0c7cb1ef2d966d16d681669587cfb80e063106d77a6e
sha256 | 5 | 6ac4b0fd81e317615e0935e83874ef997b7bff3aff2f391405a2e22161f4fd45
sha256 | 5 | dd2d8fb565b18065bde545da16f67f31036b4d45dec5b82caa74e30a617e85e8
sha256 | 5 | 945f7ca6ce890f6cd1813b0ed1912ef25ed4a5f11da0fe97c20fe443bd4489a1
sha256 | 5 | 042045687882ec8dc2d61e26e86e56620c4a1e694b46f9ce814b060cb0cf4bb5
sha256 | 5 | 5479927c78faed415853c3ba3798dfff93d4047a17c3c4d87f7dc1ce8289395c
sha256 | 5 | d8981d4cbca9b99828a9459e4abfbbe20a221bfc59fc0f2a6d6a751c363b26c4
sha256 | 5 | c6bd2c31ebaa8d51964c49a22bc796aa506e594d6f1b1043b01d0baf58836172
sha256 | 5 | df3e5c62fa7086eec23c04cb52a17d64aa0b4f252551c8a65c599291a7cee61f
sha256 | 5 | 2c791775e66a77fe72aa826823f554bfe9a41525c6c1c14798cf56a42925db31
sha256 | 6 | 74f3101e869cedb3fc6608baa21f91290bb3db41c4260efe86f9aeb7279f18a1
sha256 | 5 | 1cbf860e99dcd2594a9de3c616ee86c894d85145bc42e55f4fed3a31ef7c2292
sha256 | 5 | 54549745868b27f5e533a99b3c10f29bc5504d01bd0792568f2ad1569625b1fd
sha256 | 5 | 8c9e1f17e82369d857e5bf3c41f0609b1e75fd5a4080634bc8ae7291ebe2186c
sha256 | 5 | d0c4eb52ea0041cab5d9e1aea17e0fe8a588879a03415f609b195cfbd69caafc
sha256 | 5 | ca0dfda9a329f5729b3ca07c6578b3b6560e7cfaeff8d988d1fe8c9ca6896da5
sha256 | 5 | 6784b646378c650a86ba4fdd4baaaf608e5ecdf171c71bb7720f83965cc8c96f
sha256 | 5 | 00619a5312d6957248bac777c44c0e9dd871950c6785830695c51184217a1437
sha256 | 5 | eae187a91f97838dbb327b684d6a954beee49f522a829a1b51c1621218039040
sha256 | 5 | c1f27bed733c5bcf76d2e37e1f905d6c4e7abaeb0ea8975fca2d300c19c5e84f
sha256 | 6 | 397afb74746b2fe01abc63789412b38f44ceb234a278a04b85b2bb5b4e64cc8c
sha256 | 5 | 49abaa2ba33af3ebde62af1979ed7a4429866f4f708e0d8e9cfffcfa7a279604
sha256 | 5 | 3e6772aca8bb8e71956349f1ea9fecda5d9b9cfa00f8cdbf846c169ab468a370
sha256 | 5 | f0aa5a27ea01362dce9ced3685961d599e1c9203eef171b76c855a3db41f1ec6
sha256 | 5 | e81982e40ee5aaed85817343464d621179a311855ca7bcc514d70f47ed5a2c67
sha256 | 5 | 471e61015ff18349f4bf357447597a54579839336188d98d299b14cff458d132
sha256 | 5 | 7c741c8bcd19990140f3fa4aa95bb195929c9429fc47f95cf4ab9fad03040f7b
sha256 | 5 | 1efe366230043521c1f55cc049117a65acd1a29f4470446ad277f57c4f3a2feb
sha256 | 5 | 7a2994a6b61ee8ac668e41e622edfa7ae7e06b66d80c2a535f5822bc98058c33
sha256 | 6 | 364f38b48565814b576f482c1e0eb4c8d58effcd033fd45136ee00640a2b5321
sha256 | 5 | d4b9f7c167bc69471baf9e18afd924cf9583b12eee0f088c98abfc55efd77617
sha256 | 5 | dbe26b8c3a75f2a78e1a47e021e5ed0087dd8433a667ab8238385529239f108e
sha256 | 5 | 71e462aaca0f2d8c8a685756b070d017c796de6ac22021a79d922f2f182d4fb0
sha256 | 6 | 2d884fd8cfa585adec7407059064672d06a6f4bdc28cf4893c01262ef15ddb99
sha256 | 6 | 30fbf917d0a510b8dac3bacb0f4948f9d55bbfb0fa960b07f0af20ba4f18fc19
sha256 | 5 | 2cd4fb94268ba063b1a5eea7fe87e794fecf46c0f56c2aaa81e8c9052bb4f5f2
sha256 | 5 | 38b2852a8dfadac620351c7bea674c29cc5aa89d051fb7acfb8d550df00d4403
sha256 | 5 | 34e915d93b541471a9f7e747303f456732cd48c52e91ef268e32119ea8c433c0
sha256 | 5 | 507aa944d77806b3f24a3337729b52168808e8d469e5253cbf889cdaabb5254e
sha256 | 5 | 976ffe00ca06a4e3d2482815c2770086e7283025eeecad0a750001dedaa2d16a
sha256 | 6 | c7ec098093eb08d2b36d1c37b928d716d8da021f93319a093808a7ceb3b35dc1
sha256 | 5 | c2d259056163788dce3a98562bb3bcba3a57a23854104e58a8d0fe18200d690b
sha256 | 5 | 62adbe84f0f19e897df4e0573fc048272e0b537d5b34f811162b8526b9afaf32
sha256 | 5 | 67c23db357588489031700ea8c7dc502a6081d7d1a620c03b82a8f281aa6bde6
sha256 | 5 | b6f375d8e75c438d63c8be429ab3b6608f1adcd233c0cc939082a6d7371c09bb
sha256 | 5 | a7735182b7f9f2c10af3f8d2d10634c344d984f6e53e7a3787e4d3d756a7a0a0
sha256 | 5 | 53bafcf064d421341c582d93108e84df2f0e284c2b0a4dc2deb9099aa953bf5a
sha256 | 5 | 7a16ba2f0d2c4f7779b67e41f8196ddc6652ca7b61607696ed154df83c8d7b9c
sha256 | 5 | 749d8980d80966480c85c112a10e1be3d391c1f4673977e880fa461edc2cbf18
sha256 | 5 | 2220a9297876d7ffb5ad8da4d35ed7b2c8746129f66056e81c4f74a6bb224fd7
sha256 | 5 | 3ced0837225b635f2ed63e4f72f95933d804e089a21eb8022407a74d772bb94f
sha256 | 5 | f1f58fda25e2a6dde9cab4faf02f7246d2a8ab2c96b4b055deea4093eee9d0e6
sha256 | 5 | 77f813a461b4f1f1c765d951f0bf04668d96efea72cb8ecfb594ea2e36153cf8
sha256 | 5 | dc155cb86f5240c2c39c851e006e39cb33ed9b52e0633cbcdcc2164a47a93e22
sha256 | 5 | 5400fda058d7a13c27e9c95453634e4fee9a421023e0d4482f3eacc198caa928
sha256 | 5 | 367a98647dea14345e258bc01dfb77b46d1a895e91b5d088cf949de34db13f59
sha256 | 5 | f1812ca5170af2401d501561d2a3036379752d22111b10f9ac570587364c82aa
sha256 | 5 | e1c85c49982339770189f7947b5bfeb926bc3e4e1d1c63655cb0f8cfdc82a647
sha256 | 5 | f2b04c3c764c85c0bedb434b55304d26d067662cd47e620e219657a0007c9fe0
sha256 | 5 | c25b3a3d7779cb89772454a756ce48ed3744cf233564d309b6f8d19bd8e26fa4
sha256 | 5 | 1bde2b050117d7f27e55a71b4795476decace1850587a17d6cf6fd3fc030ff1a
sha256 | 5 | 73451742de056d3d06f7c42904651439198df449115f7adb08601b8104bec6fb
sha256 | 6 | 651c096cf7043a01d939dff9ba58e4d69f15b2244c71b43bedb4ada8c37e8859
sha256 | 6 | f8c1a4c3060bc139d8ac9ad88d2632d40a96a87d58aba7862f35a396a18f42e5
sha256 | 5 | 288e79407daae7ae9483ef789d035d464cf878a611db453675ba1a2f6beb1a03
sha256 | 5 | ee9c935adae0d830cdc0fccd12b19c32be4f15dffcf454a9d807016ce59ff9a9
sha256 | 6 | c5aa22163eb302ef72c553015ae78f1efe79e0167acad10047b0b25844087205
sha256 | 5 | 1a37289c70c78697b85937ae4e1e8a4cebb7972c731aceaef2813e241217f009
sha256 | 6 | 49c32f39d420b836a2850401c134fece4946f440c535d4813362948c2de3996f
sha256 | 5 | 83946986b28fd8d04d59bab994cd2dc48e83b9711a8f453d8364c2ad27ea0254
sha256 | 5 | ade0b5cfedfa73252ec72deee7eb79e26380e2e50b47efcfe12350c9a255bb66
sha256 | 5 | b63f51537957572c43c26fc8e9088361978ee901df4b8e67d48843c4fb7c027b
sha256 | 5 | 557f04c6ab6f06e11032b25bd3989209de90de898d145b2d3a56e3c9f354d884
sha256 | 5 | 095855cf6c82ae662cce34294f0969ca8c9df266736105c0297d2913a9237dd1
sha256 | 5 | abd5a09ec75ff36df87ece894cab441ef7f021f5bdd8ba55d00b8ed8aac03ab4
sha256 | 5 | 7b8dbfe66d16ad627d3864bd5d396b98a86c75aa4a3d87067a03221d73a560c1
sha256 | 5 | 52ba1bd4d40202c24cb896a355f094dbe0dc6e211f5ddd5b59f0c39b99203172
sha256 | 5 | b02b2c0a9209f20dab4efbc458160f5a9efdb81b6474ec10bb727295a86d825a
sha256 | 5 | 7f382a8b19613d078e4b78b677cb7592cab7c17577638e7ecad0a4952c6f4055
sha256 | 5 | aafff72a8c4ad7be37b25e3686a28a11f1d29a0acc771cac1974e17c176c5ed1
sha256 | 5 | 16dd782942b25aa2eb61bc7de36820444b9f55846c815e249a942b52c61be6b5
sha256 | 5 | d674025113d350438a11439d56db111881de887fea41b2d168c6c2b8d8c22014
sha256 | 5 | ca963057e69914d7e6c40aa7c43b393a1516f6dfdd2abfed12ddaa21fc2cfcce
sha256 | 5 | 96085a217f0841bae3fe77ecf60785a5cf4051748e90c818cf6160f7fd00b12e
sha256 | 5 | bde73773529ec32161fb8a675b50678771bf317a83f3dd8d0c47f54bdc665722
sha256 | 5 | 94ad60e87518ac2f655be1b0297e0109da3ef0ae733357206e3e87712c5dfba7
sha256 | 6 | 908ff3a80ef065ab4be1942e0d41583903f6aac02d97df6b4a92a07a633397a8
sha256 | 6 | a5cd617434e8d0e8ae25b961830113cba7308c2f1ff274f09247de8ed74cac4f
sha256 | 5 | 4ac2a633904b0da3ac471776ecbaded91e1f3a5107630fafde76868cace46051
sha256 | 5 | 75e849cc96c573fdfe0233b4d9a79c17fb4c40f15c0b6c0d847c461a30f1cbe8
sha256 | 5 | d188e877066f0932440d4cd8e8e2e856d7b92d40b475b7c0f0c996b34a2847a4
sha256 | 5 | 37c7bdac64e279dc421de8f8a364db1e9fd1dcca3a6c1d33df890c1da7573e9f
sha256 | 5 | 6e07e37618f57ac1930865e175d49ef1bf85aa882ffbd30538f55f64d024085b
sha256 | 5 | 58a73d445f6122c921092001b132460bb6c1601dc93ecfaabe5df2bf0fef84de
sha256 | 5 | 9afddc7ff0a75975748e5dc7d81eee8cd32be79ca32edfebd151a376563e7d4b
sha256 | 5 | 9333cc552193cfe9122515e3d7b210de317c297f1c09da5180b3a7f006d94fe4
sha256 | 5 | 3552708726f50ee949656e66a4a10da304bae088fa1b875bfab9e182b6ec97f7
sha256 | 5 | 5dae5254493df246c15e52fd246855a5d0a248f36925cecee141348112776275
sha256 | 6 | b9836265c6bfa17cd5e0265f32cedb1ced3b98e85990d000dc8e1298d5d25f93
sha256 | 4 | 87d0abc1c305f7ce8e98dc86712f841dd491dfda1c1fba42a70d97a84c5a9c70
sha256 | 5 | d27c5d38c2f3e589105c797b6590116d3ec58ad0d2b998d2ea92af67b07c76b1
sha256 | 5 | 282fc12e4f36b6e2558f5dd33320385f41e72d3a90d0d3777a31ef1ba40722d6
sha256 | 5 | 80a7ff01de553cb099452cb9fac5762caf96c0c3cd9c5ad229739da7f2a2ca72
sha256 | 5 | 0b152012c1deab39c6ed7fe75a27168eaaec43ae025ee74d35c2fee2651b8902
sha256 | 5 | 0c7ee8667f48c50ea68c9ad02880f0ff141a3279bd000502038a3a187c7d1ede
IPv4 | 6 | 115.61.168.143
IPv4 | 6 | 115.61.168.170
IPv4 | 6 | 115.61.168.229
IPv4 | 6 | 115.61.169.139
IPv4 | 6 | 115.61.170.105
IPv4 | 6 | 115.61.170.70
IPv4 | 6 | 182.114.108.91
IPv4 | 6 | 182.114.108.93
IPv4 | 6 | 182.114.110.11
IPv4 | 6 | 182.114.110.170
IPv4 | 6 | 103.79.120.92
IPv4 | 7 | 45.83.236.105
IPv4 | 6 | 116.206.178.67
IPv4 | 6 | 45.133.239.183
IPv4 | 6 | 116.206.178.68
IPv4 | 6 | 103.238.225.248
IPv4 | 6 | 45.133.239.21
IPv4 | 6 | 103.238.227.183
IPv4 | 6 | 103.107.104.37
IPv4 | 6 | 107.148.32.206
IPv4 | 6 | 167.179.100.144
IPv4 | 6 | 116.206.178.34
IPv4 | 7 | 149.104.2.160
IPv4 | 6 | 207.246.106.38
IPv4 | 6 | 45.76.132.25
IPv4 | 6 | 155.138.203.78
IPv4 | 6 | 144.76.60.136
IPv4 | 6 | 38.180.75.197
IPv4 | 6 | 107.155.56.15
IPv4 | 6 | 107.155.56.87
IPv4 | 7 | 202.91.36.213
IPv4 | 6 | 107.155.56.4
IPv4 | 7 | 149.104.12.64
IPv4 | 6 | 154.205.136.105
IPv4 | 7 | 223.26.52.208
IPv4 | 6 | 45.128.153.73
IPv4 | 6 | 96.43.101.245
IPv4 | 6 | 45.135.119.132
IPv4 | 6 | 161.97.107.93
IPv4 | 7 | 103.107.105.81
IPv4 | 6 | 103.107.104.4
IPv4 | 6 | 103.107.104.57
IPv4 | 6 | 154.90.47.123
IPv4 | 6 | 147.78.12.202
MITRE ATT&CK Techniques | 69 | T1583.003
MITRE ATT&CK Techniques | 94 | T1583.001
MITRE ATT&CK Techniques | 356 | T1566.001
MITRE ATT&CK Techniques | 214 | T1566.002
MITRE ATT&CK Techniques | 418 | T1204.002
MITRE ATT&CK Techniques | 532 | T1059.001
MITRE ATT&CK Techniques | 447 | T1547.001
MITRE ATT&CK Techniques | 80 | T1574.001
MITRE ATT&CK Techniques | 3 | T1627.001
MITRE ATT&CK Techniques | 541 | T1140
MITRE ATT&CK Techniques | 491 | T1071.001
MITRE ATT&CK Techniques | 48 | T1218.007
MITRE ATT&CK Techniques | 204 | T1036.005
MITRE ATT&CK Techniques | 24 | T1036.007
MITRE ATT&CK Techniques | 1075 | T1082
MITRE ATT&CK Techniques | 145 | T1573.001
MITRE ATT&CK Techniques | 114 | T1132.001
MITRE ATT&CK Techniques | 163 | T1102
Url | 7 | https://getfiledown.com/utdkt
Url | 6 | https://versaillesinfo.com/brjwcabz
Url | 6 | https://lifeyomi.com/trkziu
Url | 6 | https://lebohdc.com/uleuodmm
Url | 6 | https://cdn7s65.z13.web.core.windows.net
Url | 6 | https://edupro4.z13.web.core.windows.net
Url | 6 | https://elevateecom.com/deqcehfg
Url | 6 | https://vabercoach.com/uenic
Url | 6 | https://artbykathrynmorin.com/lczjnmum
Url | 3 | https://tria.ge/240803-bmgessseme/behavioral1/analog?q=ldevice&image=c:\users\admin\appdata\local\apgfrwbjwqd\ldevicedetectionhelper.exe
Yara rule | 4 | (rule text follows)
import "pe"

rule APT_CN_RedDelta_Nim_Loader_DEC23 {
	meta:
		author = "JGrosfelt, Insikt Group, Recorded Future"
		date = "2023-12-21"
		description = "Detects RedDelta RC4 Implementation in Nim Loaders"
		version = "1.0"
		RF_THREATACTOR = "RedDelta"
		RF_THREATACTOR_ID = "en_T6N"
	strings:
		$s1 = { 8B 8D E0 FB FF FF 89 F2 32 54 3B 08 0F BE D2 E8 ?? ?? ?? ?? 89 85 E0 FB FF FF 89 F8 83 C0 01 89 C7 0F }
	condition:
		(uint16(0) == 0x5a4d) and $s1
}
Yara rule | 4 | (rule text follows)
import "pe"

rule APT_CN_RedDelta_Nim_Loader_Aug24 {
	meta:
		author = "MGUT, Insikt Group, Recorded Future"
		date = "2024-09-06"
		description = "Detects RedDelta MSI files used to load PlugX via DLL hijacking"
		version = "1.0"
		hash = "49c32f39d420b836a2850401c134fece4946f440c535d4813362948c2de3996f"
		hash = "c5aa22163eb302ef72c553015ae78f1efe79e0167acad10047b0b25844087205"
		RF_THREATACTOR = "RedDelta"
		RF_THREATACTOR_ID = "en_T6N"
	strings:
		$func = "winimConverterVarObjectToPtrObject"
	condition:
		uint16be(0) == 0x4d5a and filesize < 500KB and pe.number_of_exports == 2 and pe.exports("HidD_GetHidGuid") and pe.exports("NimMain") and $func
}
Yara rule | 3 | (rule text follows)
rule APT_CN_RedDelta_MSI_Aug24 {
	meta:
		author = "MGUT, Insikt Group, Recorded Future"
		date = "2024-09-06"
		description = "Detects RedDelta MSI files used to load PlugX via DLL hijacking"
		version = "1.0"
		hash = "30fbf917d0a510b8dac3bacb0f4948f9d55bbfb0fa960b07f0af20ba4f18fc19"
		hash = "2d884fd8cfa585adec7407059064672d06a6f4bdc28cf4893c01262ef15ddb99"
		RF_THREATACTOR = "RedDelta"
		RF_THREATACTOR_ID = "en_T6N"
	strings:
		$s1 = "TARGETDIR[%LOCALAPPDATA]"
		$s2 = "\\LDeviceDetectionHelper.exe"
		$s3 = "hid.dll"
	condition:
		uint32be(0) == 0xd0cf11e0 and all of them
}
Yara rule | 2 | (rule text follows)
rule APT_CN_RedDelta_LNK_Oct23 {
	meta:
		author = "Mkelly, Insikt Group, Recorded Future"
		date = "2023-10-13"
		description = "Detects RedDelta LNK files used to retrieve and install .msi files via Powershell"
		version = "1.0"
		hash = "a0a3eeb6973f12fe61e6e90fe5fe8e406a8e00b31b1511a0dfe9a88109d0d129"
		hash = "74f3101e869cedb3fc6608baa21f91290bb3db41c4260efe86f9aeb7279f18a1"
		RF_THREATACTOR = "RedDelta"
		RF_THREATACTOR_ID = "en_T6N"
	strings:
		$s1 = "install.InstallProduct" wide
		$s2 = "install=New-Object" wide
		$s3 = "install.uilevel = 2" wide
		$s4 = "REMOVE=ALL" wide
	condition:
		uint16(0) == 0x004c and filesize < 5MB and 3 of them
}