Cybersecurity firm Recorded Future has reported that a Chinese cyberespionage group, known as RedNovember, has compromised at least two U.S. defense contractors along with multiple organizations across the Americas, Europe, Asia, and Africa.
Between July 2024 and July 2025, RedNovember focused on high-profile targets in government, defense, aerospace, and legal sectors worldwide. To gain initial access, the group exploited vulnerabilities in edge devices from vendors including Cisco, F5, Fortinet, Ivanti, Palo Alto Networks, SonicWall, and Sophos, as well as Outlook Web Access (OWA) instances.
Once inside, RedNovember deployed a Go-based backdoor called Pantegana, alongside offensive security tools like Cobalt Strike, SparkRAT, and various open-source tools to support reconnaissance and follow-up operations. The group consistently uses Pantegana as its command-and-control (C2) framework and relies on VPN services, including ExpressVPN and likely Warp VPN, for remote management of its infrastructure.
Over the past year, the group has specifically targeted government and diplomatic organizations, including ministries of foreign affairs in Southeast Asia and South America, a South American OWA portal ahead of a state visit to China, and a Southeast Asian intergovernmental organization to which it maintained long-term access.
RedNovember also aimed attacks at U.S. aerospace and defense contractors, other global defense organizations, and a European space research center. In April 2025, the group conducted reconnaissance against a U.S. engineering and military contractor, during which communication with two internet-accessible ICS VPN endpoints was observed, though there was insufficient evidence to confirm a full compromise. Additionally, RedNovember targeted IP spaces linked to a U.S. Navy-affiliated higher education institution.
The group’s targets extend beyond government and defense to include European manufacturers, global law firms, Taiwanese IT companies, American oil and gas firms, Fijian financial institutions, media outlets, and transportation authorities, as well as South Korean scientific and nuclear research institutions.
RedNovember’s campaigns primarily focus on reconnaissance and the exploitation of newly disclosed vulnerabilities in edge devices, including GlobalProtect firewalls, Ivanti Connect Secure instances, Check Point VPNs, Sophos UTM portals, SonicWall SSL-VPNs, and F5 BIG-IP devices.
Recorded Future warns that RedNovember, alongside other Chinese state-sponsored groups, is expected to continue targeting edge devices and exploiting new vulnerabilities shortly after disclosure, highlighting the ongoing global cyber threat to critical infrastructure and defense organizations.
Source: https://www.securityweek.com/chinese-cyberspies-hacked-us-defense-contractors