
Overview:

On September 24, 2025, researchers from Recorded Future’s Insikt Group published a report exposing new activity from a Chinese state-sponsored advanced persistent threat (APT) group tracked as RedNovember. Previously identified as TAG-100, the group has continued to evolve its tradecraft and broaden its targeting scope, conducting sophisticated cyber-espionage operations against both government and private sector entities. Recent analysis indicates that RedNovember’s interests now prominently include the defense, aerospace, and space industries, marking a significant escalation in their global operations.

Expanding Scope and Tactical Evolution:

Initially observed in mid-2024 targeting Asia-Pacific intergovernmental bodies, RedNovember leveraged open-source tools and public exploits to gain access to vulnerable networks. Since then, their campaigns have expanded geographically and strategically, targeting entities across the U.S. Defense Industrial Base (DIB) and European space organizations. The group’s methods closely align with other China-nexus APTs, including Salt Typhoon, Volt Typhoon and Silk Typhoon, which are known to exploit perimeter devices and edge infrastructure to maintain persistence and evade detection.

RedNovember has demonstrated consistent interest in exploiting popular edge devices from major vendors such as Cisco, Palo Alto Networks, SonicWall, Fortinet, F5 and Sophos. These technologies have all been impacted by widely publicized vulnerabilities in recent years, many of which were later weaponized by both state and non-state actors. By exploiting these known weaknesses, RedNovember minimizes development costs while maximizing operational impact.

The group’s exploitation of these perimeter technologies also underscores a persistent challenge in enterprise cybersecurity: the lag between public disclosure of vulnerabilities and widespread patch adoption. Their ability to capitalize on these gaps exemplifies how threat actors are effectively combining weaponized proof-of-concept (PoC) exploits with open-source post-exploitation frameworks such as Pantegana (a Go-based backdoor) and Cobalt Strike. This approach reduces technical barriers for operators and lets more advanced actors conceal their involvement by avoiding bespoke malware that could be tied back to them.

Attack Pattern and Sophistication:

RedNovember’s preference for open-source and commercially available command-and-control (C2) frameworks provides a layer of deniability and complicates attribution. Their operations often blend into the background noise of legitimate red team or penetration testing activity, making detection and source attribution significantly more difficult.

This tradecraft reflects a broader shift among state-sponsored actors toward leveraging publicly available tooling. Such strategies not only obscure attribution but also reduce operational costs, allowing for sustained campaigns against multiple targets. The use of frameworks like Pantegana and Cobalt Strike further suggests an emphasis on operational agility and flexibility across global infrastructures.

Impact to the Space Sector:

RedNovember’s expanding focus on the space domain adds a critical dimension to their evolving threat profile. In April 2025, Insikt Group identified communications between a RedNovember reconnaissance and exploitation server and infrastructure tied to a European space-focused research center. The group also conducted port scanning and reconnaissance activity targeting prominent U.S. aerospace and defense organizations in July 2024, signaling a deliberate effort to map and probe critical assets within this sector.

While no confirmed exploitation resulted from those early probes, subsequent campaigns in early 2025 suggest that RedNovember transitioned from reconnaissance to active compromise attempts, particularly against organizations associated with aerospace engineering, satellite communications, and defense manufacturing.

In March 2025, for instance, Insikt Group observed a RedNovember-controlled IP address interacting with a SonicWall SSL-VPN instance belonging to a U.K.-based manufacturer specializing in bespoke cable harnessing for aerospace and defense applications. This targeting activity reflects a growing emphasis on compromising vendors integral to the aerospace and space supply chain, a recurring theme among APT operations in recent years.
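The activity described above, port scanning of aerospace and defense organizations followed by a known RedNovember address interacting with a SonicWall SSL-VPN portal, is the kind of reconnaissance a defender can surface from perimeter logs before any exploitation occurs. The script below is an added example, not from the Insikt Group report or any vendor: it runs two simple detections over constructed firewall-style log lines in a generic key=value format (not a real SonicWall syslog schema), flagging sources that touch many distinct destination ports and SSL-VPN login attempts from a placeholder watchlist standing in for IOC ranges a threat-intelligence feed would supply. All addresses come from documentation ranges.

```python
"""Surface perimeter reconnaissance from firewall/VPN logs.

Added illustration, not code from the Insikt Group report. The log lines,
addresses and watchlist below are constructed for the example.
"""
from collections import defaultdict
import ipaddress
import re

# Constructed log lines in a generic key=value firewall format. Port 4433 is
# used here as the SSL-VPN portal port; tcp/22, 3389, 1723 etc. are the kind of
# remote-access ports a scanner sweeps before picking a target.
SAMPLE_LOGS = """\
2025-03-11T02:14:07Z fw1 src=203.0.113.45 dst=198.51.100.10 dport=22 proto=tcp action=drop
2025-03-11T02:14:07Z fw1 src=203.0.113.45 dst=198.51.100.10 dport=443 proto=tcp action=allow
2025-03-11T02:14:08Z fw1 src=203.0.113.45 dst=198.51.100.10 dport=8443 proto=tcp action=drop
2025-03-11T02:14:08Z fw1 src=203.0.113.45 dst=198.51.100.10 dport=4433 proto=tcp action=allow
2025-03-11T02:14:09Z fw1 src=203.0.113.45 dst=198.51.100.10 dport=3389 proto=tcp action=drop
2025-03-11T02:14:09Z fw1 src=203.0.113.45 dst=198.51.100.10 dport=1723 proto=tcp action=drop
2025-03-11T02:15:30Z fw1 src=203.0.113.45 dst=198.51.100.10 dport=4433 proto=tcp action=allow msg=sslvpn-login-attempt user=admin
2025-03-11T03:02:11Z fw1 src=192.0.2.200 dst=198.51.100.10 dport=4433 proto=tcp action=allow msg=sslvpn-login-attempt user=jsmith
2025-03-11T03:05:44Z fw1 src=192.0.2.201 dst=198.51.100.10 dport=443 proto=tcp action=allow
"""

# Placeholder watchlist: in practice this is populated from a CTI feed of
# attacker infrastructure, not hard-coded.
WATCHLIST = ["203.0.113.0/24"]

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Parse one key=value log line; return None if it lacks src/dport."""
    fields = dict(KV_RE.findall(line))
    if "src" not in fields or "dport" not in fields:
        return None
    fields["dport"] = int(fields["dport"])
    fields["ts"] = line.split(" ", 1)[0]  # timestamp is the first token
    return fields


def parse_logs(text):
    """Parse all lines, dropping any that are not connection events."""
    return [ev for ev in (parse_line(l) for l in text.splitlines()) if ev]


def find_port_scanners(events, threshold=5):
    """Map source -> sorted ports for sources touching >= threshold distinct ports."""
    ports = defaultdict(set)
    for ev in events:
        ports[ev["src"]].add(ev["dport"])
    return {src: sorted(p) for src, p in ports.items() if len(p) >= threshold}


def find_watchlist_vpn_hits(events, watchlist):
    """SSL-VPN login attempts whose source falls inside a watchlisted range."""
    nets = [ipaddress.ip_network(n) for n in watchlist]
    hits = []
    for ev in events:
        if ev.get("msg") != "sslvpn-login-attempt":
            continue
        addr = ipaddress.ip_address(ev["src"])
        if any(addr in net for net in nets):
            hits.append((ev["ts"], ev["src"], ev.get("user")))
    return hits


if __name__ == "__main__":
    evs = parse_logs(SAMPLE_LOGS)
    for src, ports in find_port_scanners(evs).items():
        print(f"port sweep from {src}: {ports}")
    for ts, src, user in find_watchlist_vpn_hits(evs, WATCHLIST):
        print(f"{ts} SSL-VPN login attempt from watchlisted {src} as {user!r}")
```

The port-sweep threshold and the absence of a time window are deliberate simplifications; on real traffic both need tuning per site, and a watchlist match on a VPN portal is a lead to investigate (which accounts were tried, whether any succeeded, whether the appliance is fully patched), not evidence of compromise by itself.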

Operational Overlaps and Strategic Continuity:

RedNovember’s campaigns exhibit operational overlaps with several unattributed activity clusters previously documented by Proofpoint, including UNK_DropPitch, UNK_FistBump, UNK_SparkyCarp and UNK_ColtCentury. These clusters share common targeting patterns, particularly against Taiwan’s semiconductor industry, and point to a unified strategic objective of gathering intelligence across sectors critical to national and technological development.

Recorded Future’s earlier reporting from May 2024 linked TAG-100 (now RedNovember) to cyber-espionage operations against two prominent Asia-Pacific government bodies, providing continuity between the group’s regional focus and its newer campaigns across Europe and North America. These overlaps reinforce the assessment that RedNovember operates as part of a larger ecosystem of cyber-espionage actors, sharing infrastructure, tooling, and objectives across multiple operational clusters.

Conclusion:

RedNovember’s continued evolution underscores a key strategic trend in sophisticated cyber operations: the use of low-cost, high-efficacy methods to pursue broad intelligence-gathering objectives across sectors that underpin national security and technological dominance. By exploiting readily available exploits and tools, RedNovember achieves both scalability and plausible deniability, which are key attributes of a sophisticated threat.

For the space and defense sectors, this campaign serves as another reminder that edge devices and remote access solutions remain prime attack surfaces, particularly as organizations expand hybrid and distributed operations. The group’s consistent focus on these technologies demonstrates not only their tactical value but also their potential as gateways into highly sensitive networks.