RedHotel Attack Infrastructure: A DNS Deep Dive

RedHotel has successfully breached at least 17 organizations the world over since their discovery in 2019.[1] Throughout their four or so years of operation, the group has gained renown and a couple of other nicknames, including Aquatic Panda, Bronze University, Charcoal Typhoon, Earth Lusca, and Red Scylla.

"Efficient" probably describes the advanced persistent threat (APT) group best: instead of building their own tools, they used readily available ones. Bespoke malware like FunnySwitch, ShadowPad, Spyder, and Winnti, in tandem with the offensive security solutions Cobalt Strike and Brute Ratel C4 (BRc4), often plays a role in their cyber espionage campaigns.

Jumping off an indicator of compromise (IoC) list AlienVault OTX compiled over the course of three years,[2] TIP performed a RedHotel DNS deep dive that led to the discovery of:

  • Four additional IP addresses to which five of the domains identified as IoCs resolved, two of which turned out to be malicious based on malware checks
  • 38 additional domains that shared the dedicated IP addresses that played host to some domains identified as IoCs
  • 2,157 additional domains that started with the strings sibersystems, nhqdc, ngndc, itcom888, itcom666, cyberoams, caamanitoba, asia-cdn, 0nenote, officesuport, livehost, and liveonlin, similar to some of the domains identified as IoCs, one of which was classified as malicious by a bulk malware check
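
The string-based pivot in the last finding can be turned into a hunting check over an organization's own DNS query logs. The following is an added example, not part of the original report or TIP's tooling: the log format, sample lines and function names are assumptions, and it matches the strings against every label of a queried name, which goes slightly beyond the report's "started with" wording so that subdomain queries are also caught.

```python
from collections import defaultdict

# Strings listed in the report; matching is case-insensitive.
PREFIXES = (
    "sibersystems", "nhqdc", "ngndc", "itcom888", "itcom666", "cyberoams",
    "caamanitoba", "asia-cdn", "0nenote", "officesuport", "livehost", "liveonlin",
)

# Constructed sample log. Assumed format: "<timestamp> <client-ip> <qname> <qtype>"
SAMPLE_LOG = """\
2024-01-10T08:00:01Z 10.0.0.5 www.example.com. A
2024-01-10T08:00:02Z 10.0.0.7 0nenote-sync.example.net A
2024-01-10T08:00:03Z 10.0.0.7 cdn.LiveHost01.example.org. AAAA
2024-01-10T08:00:04Z 10.0.0.9 onenote.example.com A
2024-01-10T08:00:05Z 10.0.0.5 mail.asia-cdn7.example.net A
malformed line
"""

def matching_prefix(qname):
    """Return the report string that any label of qname starts with, else None."""
    name = qname.strip().rstrip(".").lower()  # drop root dot, normalize case
    for label in name.split("."):
        for prefix in PREFIXES:
            if label.startswith(prefix):
                return prefix
    return None

def hunt(log_text):
    """Map each matched string to the sorted (client, qname) pairs that hit it."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip lines that do not fit the assumed format
        _, client, qname, _ = fields
        prefix = matching_prefix(qname)
        if prefix:
            hits[prefix].add((client, qname.rstrip(".").lower()))
    return {p: sorted(pairs) for p, pairs in hits.items()}

if __name__ == "__main__":
    for prefix, pairs in hunt(SAMPLE_LOG).items():
        for client, qname in pairs:
            print(f"{prefix}\t{client}\t{qname}")
```

Because only one of the 2,157 string-matched domains was classified as malicious, a hit from this check is a lead for further review rather than a verdict.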

Download a sample of the threat research materials now or contact us to access the complete set of research materials.

  • [1]
  • [2]