Cyber Threat Actor: RedDelta
| Actor Type | Location | Known Incidents |
Nation State
|
China
|
4 incidents |
|---|
Profile
RedDelta is a threat actor tracked under that alias and also associated with the Mustang Panda designation. Public reporting links the group to China, describing it as a Chinese state‑sponsored cyber‑espionage actor. Its known activity focuses on religious institutions, specifically Catholic organizations in Hong Kong and the Vatican, as well as affiliated bodies such as the Pontifical Institute for Foreign Missions and the Hong Kong Study Mission to China. The stated purpose of these intrusions is to collect intelligence on diplomatic negotiations between China and the Holy See and to monitor the stance of Catholic entities regarding Hong Kong’s pro‑democracy movement. This aligns with a broader strategic objective of espionage rather than financial gain or disruptive effects.
Initial access is typically achieved through spear‑phishing emails that contain weaponized documents or malicious archives masquerading as legitimate files, a technique observed in the May 2020 campaigns. Once opened, the attackers employ DLL‑sideloading to execute rigged executables that deploy customized PlugX remote access trojans, sometimes accompanied by Poison Ivy and Cobalt Strike components. The malware families observed are PlugX, Poison Ivy, and the use of Cobalt Strike for post‑exploitation activities. The group’s tooling style shows a preference for customizing remote access tools and leveraging legitimate‑looking lures to bypass defenses. These tactics were demonstrated in the coordinated intrusions against the Vatican’s networks and its Hong Kong‑based Study Mission, which were publicly reported as operations targeting Catholic entities ahead of sensitive religious‑diplomatic talks. The intrusions aimed to gather intelligence on the Holy See’s negotiating position and monitor relations with Hong Kong’s Catholic Diocese amid pro‑democracy protests. No public reports attribute financial gain or disruptive intent to RedDelta’s activities. The activity has been attributed to Chinese nation‑state actors based on malware characteristics and historical targeting patterns against religious groups. Researchers note the use of compromised accounts and weaponized documents mimicking official communications to facilitate unauthorized network access. Collectively, these details define RedDelta as an actor that relies on spear‑phishing, DLL‑sideloading, and custom remote access tools to spy on religious and diplomatic targets.
