Recorded Future
RedDelta Targeting Analysis of Southeast Asia
Pages: 34
Time to read: 29 mins
Publication
Language: English
This technical report by Insikt Group details the activities of the Chinese state-sponsored threat group RedDelta from July 2023 to December 2024. The report outlines how RedDelta has primarily targeted Mongolia, Taiwan, Myanmar, Vietnam, and Cambodia using an adapted infection chain to distribute their customized PlugX backdoor. The group has evolved its tactics by utilizing Windows shortcut (LNK) files and Microsoft Management Console Snap-In Control (MSC) files as initial components to execute a PowerShell command that downloads a Windows Installer (MSI) file. This MSI file subsequently drops a malicious dynamic-link library (DLL) and an encrypted payload that ultimately loads PlugX. The report highlights the use of Cloudflare's content delivery network (CDN) to proxy command-and-control (C2) traffic, complicating victim identification. Additionally, it identifies specific incidents of compromise affecting governmental and diplomatic organizations in the targeted regions, illustrating RedDelta's alignment with Chinese strategic priorities.