Preemptive Detection of RedDelta’s PlugX Campaign Across Asia

Chinese State-Sponsored RedDelta Targeted Taiwan, Mongolia, and Southeast Asia with Adapted PlugX Infection Chain

Introduction

Between July 2023 and December 2024, the Chinese state-sponsored group RedDelta targeted government and industry across Mongolia, Taiwan, Myanmar, Vietnam and Cambodia with a customized PlugX backdoor. By leveraging localized lure documents—from tax-inspection themes to flood-protection briefs—RedDelta tailored its spearphishing chains to each region. Cypex AIM’s early risk scoring enabled detection of core C2 infrastructure months before it appeared on public blocklists, giving defenders a vital head start.


Campaign Overview

  • Infection Chain

    RedDelta distributed PlugX via malicious Office documents.

  • Notable Compromises

    Aug 2024: Likely compromise of the Mongolian Ministry of Defense.

    Nov 2024: Likely compromise of the Communist Party of Vietnam.

  • Failed Attempts

    Spearphishing against Vietnam’s Ministry of Public Security showed no confirmed compromises.

  • Broader Targeting (Sep–Dec 2024)

    Malaysia, Japan, the United States, Ethiopia, Brazil, Australia and India saw similar phishing attempts, indicating campaign expansion.

Cypex AIM Findings

Primary C2 IP: 154.90.47[.]123

  • High-Risk Tag:
    Cypex marked this IP as high risk on August 2, 2024—more than four months before it appeared in any public blocklist.
  • Dedicated Server:
    Behavioral and hosting fingerprinting revealed it ran exclusively as an attacker-controlled node.
  • Blocklist Publication:
    Public feeds only listed 154.90.47[.]123 on December 10, 2024, underscoring a four-month detection lead by Cypex AIM.

The Value of Preemptive Risk Scoring

  • Extended Lead Time

    Early high-risk tagging shrinks the window of exposure, letting defenders block or monitor C2 infrastructure well before mainstream lists react.

  • False-Positive Reduction

    By combining passive human-behavior telemetry with active scanning, Cypex minimizes noise—only genuinely hostile servers trigger alerts.

  • Proactive Hunt Guidance

    Analysts receive targeted IOC updates and related asset lists, enabling threat hunts that outpace attackers’ next move.

  • Automated Playbook Triggers

    Pre-written containment and remediation steps deploy immediately upon detection, reducing manual triage.

  • Strategic Prioritization

    Organizations can focus on the riskiest assets first, rather than chasing every new domain or IP in the wild.

Additional IOC Discovery

Previously Unreported IOC

  • IOC Identified: Cypex AIM correlated telemetry and found a previously unreported IOC: 3.0.217[.]162.
  • RedDelta Campaign Link: Although it wasn’t mentioned in Recorded Future’s report, Cypex observed the IP address as being connected to the RedDelta campaign.

Conclusion

RedDelta’s PlugX operation illustrates how nation-state attackers craft region-specific lures and rotate infrastructure to evade detection. Cypex AIM’s early, high-confidence risk scoring of 154.90.47[.]123 – and uncovering of 3.0.217[.]162 – provided defenders a clear advantage, highlighting the critical role of preemptive infrastructure monitoring in modern SOC operations.
