RedHotel has successfully breached at least 17 organizations the world over since its discovery in 2019.[1] Over its four or so years of operation, the group has gained renown along with several other names, including Aquatic Panda, Bronze University, Charcoal Typhoon, Earth Lusca, and Red Scylla.
"Efficient" probably describes the advanced persistent threat (APT) group best: instead of building its own tools, it relies on readily available ones. Malware families such as FunnySwitch, ShadowPad, Spyder, and Winnti, together with the offensive security frameworks Cobalt Strike and Brute Ratel C4 (BRc4), often play a role in its cyber espionage campaigns.
Starting from an indicator of compromise (IoC) list that AlienVault OTX compiled over the course of three years,[2] TIP performed a RedHotel DNS deep dive that led to the discovery of:
- Four additional IP addresses to which five of the IoC domains resolved, two of which malware checks flagged as malicious
- 38 additional domains that shared the dedicated IP addresses hosting some of the IoC domains
- 2,157 additional domains that, like some of the IoC domains, started with the strings sibersystems, nhqdc, ngndc, itcom888, itcom666, cyberoams, caamanitoba, asia-cdn, 0nenote, officesuport, livehost, and liveonlin, one of which a bulk malware check classified as malicious
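The three pivots above (resolve IoC domains to new IPs, reverse-IP to co-hosted domains on dedicated addresses, then expand by leading string), as an added Python example that is not part of the original post or of TIP's tooling. The IoC domains, IP addresses and the passive-DNS table are constructed sample data standing in for a real DNS lookup service; the `max_tenants` cutoff is an assumption that approximates "dedicated IP address".

```python
from collections import defaultdict

# Constructed sample data, not from the report: two IoC domains, one IP already
# on the IoC list, and a small passive-DNS table (domain -> IPs it resolved to).
# RFC 5737 documentation addresses and .example names are used throughout.
IOC_DOMAINS = {"nhqdc.example", "itcom888.example"}
KNOWN_IOC_IPS = {"192.0.2.10"}
PASSIVE_DNS = {
    "nhqdc.example": ["192.0.2.10", "192.0.2.11"],
    "itcom888.example": ["198.51.100.5", "203.0.113.200"],
    "nhqdc-login.example": ["192.0.2.10"],
    "cdn-shared.example": ["198.51.100.5"],
    "itcom666-updates.example": ["203.0.113.77"],
    "sibersystems-cdn.example": ["203.0.113.9"],
    "unrelated.example": ["203.0.113.1"],
    # 203.0.113.200 is shared hosting with many tenants, so not a useful pivot
    "shop-a.example": ["203.0.113.200"],
    "shop-b.example": ["203.0.113.200"],
    "shop-c.example": ["203.0.113.200"],
}
# Leading strings of the IoC domains named in the post
PREFIXES = ("sibersystems", "nhqdc", "ngndc", "itcom888", "itcom666")


def pivot(ioc_domains, passive_dns, known_ips, prefixes, max_tenants=3):
    """Expand an IoC list with the three DNS pivots described above.
    Returns (new_ips, cohosted_domains, prefix_domains), each sorted."""
    # 1. Resolve the IoC domains; keep IPs that are not already listed as IoCs.
    resolved = {ip for d in ioc_domains for ip in passive_dns.get(d, [])}
    new_ips = resolved - known_ips

    # 2. Reverse-IP pivot: other domains on the same IPs, but only where the IP
    #    is effectively dedicated (few tenants), so shared hosting and CDN
    #    addresses do not flood the result with unrelated domains.
    ip_to_domains = defaultdict(set)
    for domain, ips in passive_dns.items():
        for ip in ips:
            ip_to_domains[ip].add(domain)
    cohosted = set()
    for ip in resolved | known_ips:
        tenants = ip_to_domains[ip]
        if len(tenants) <= max_tenants:
            cohosted |= tenants
    cohosted -= ioc_domains

    # 3. String pivot: domains whose name starts with one of the IoC prefixes.
    prefixed = {d for d in passive_dns if d.startswith(tuple(prefixes))} - ioc_domains

    return sorted(new_ips), sorted(cohosted), sorted(prefixed)
```

Every candidate this returns is a lead, not a verdict: the post's own workflow submits the new IPs and domains to a malware check before treating any of them as an indicator.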
Download a sample of the threat research materials now, or contact us to access the complete set of research materials.
- [1] https://thehackernews.com/2023/08/china-linked-hackers-strike-worldwide.html
- [2] https://otx.alienvault.com/pulse/64d4226eb632ff3babb5b5cc