RedNovember, a Chinese state-sponsored cyberspy group, targeted government and critical private-sector networks around the globe between June 2024 and July 2025, exploiting buggy internet-facing appliances to deploy a Go-based backdoor called Pantegana and other offensive security tools, including Cobalt Strike and SparkRAT.
This information comes via a threat report from Recorded Future’s Insikt Group researchers, who previously tracked the crew as TAG-100, and noted that the Chinese snoops overlap with a group that Microsoft tracks as Storm-2077.
The report also follows a slew of other government-spies-on-the-networks warnings issued this week from government officials and private security firms alike.
RedNovember’s victims span multiple sectors, but primarily center around aerospace and defense, government, and professional services companies. Its most recent campaign includes an April reconnaissance mission focused on two American oil and gas companies.
“Between H2 2024 and H2 2025, RedNovember compromised, targeted, and reconnoitered organizations on a global scale,” the security analysts wrote. “In particular, RedNovember heavily targeted organizations in the US, Taiwan, and South Korea, and, in April 2025, it focused its reconnaissance on over 30 Panamanian government organizations.”
Wait . . . why are they attacking Panama?!
This heavy concentration on Panamanian government agencies in April isn’t random.
“The timing of the observed reconnaissance closely followed US Defense Secretary Pete Hegseth’s visit to Panama in early April 2025, and may have been triggered at least in part by several remarks made by US President Donald Trump during January and February 2025 that suggested US interest in asserting control over the Panama Canal,” according to the report.
On April 9, 2025, Secretary Hegseth announced an “expanded partnership” with Panama to secure the canal and counter “China’s maligned influence” in the region.
Shortly after, the roughly $23 billion sale of a majority stake in Hong Kong-based CK Hutchison’s ports business, including two Panama Canal terminals, to a BlackRock-led consortium was reportedly delayed under pressure from China.
Also between June 2024 and July 2025, the Chinese government spies targeted 28 US organizations with a particular focus on “prominent aerospace and defense organizations,” scanning for open ports – although the threat hunters concluded “there was no evidence to suggest a successful compromise or exploitation took place against these entities.”
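Recorded Future does not describe how it spotted the port scanning, so the following is an added example rather than Insikt Group's or anyone else's tooling: a sliding-window hunt in Python that flags a source address probing many distinct (host, port) targets in a short period, which is what reconnaissance against a defense contractor's edge looks like in a firewall deny log. The log format, the IP addresses (RFC 5737 documentation ranges), the sample lines and the thresholds are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample firewall log (not real data). The format is an assumption:
# "<ISO 8601 timestamp>Z <src ip> <dst ip> <dst port> <action>".
SAMPLE_LOG = """\
2025-04-02T10:00:01Z 203.0.113.7 198.51.100.10 22 DENY
2025-04-02T10:00:03Z 203.0.113.7 198.51.100.10 443 DENY
2025-04-02T10:00:04Z 203.0.113.7 198.51.100.10 4443 DENY
2025-04-02T10:00:09Z 203.0.113.7 198.51.100.11 8443 DENY
2025-04-02T10:00:12Z 203.0.113.7 198.51.100.11 10443 DENY
2025-04-02T10:01:30Z 203.0.113.7 198.51.100.11 3389 DENY
2025-04-02T10:00:00Z 198.51.100.77 198.51.100.10 443 ALLOW
2025-04-02T10:15:00Z 198.51.100.77 198.51.100.10 443 ALLOW
2025-04-02T10:30:00Z 198.51.100.77 198.51.100.10 443 ALLOW
2025-04-02T09:00:00Z 192.0.2.5 198.51.100.10 22 DENY
2025-04-02T09:30:00Z 192.0.2.5 198.51.100.10 443 DENY
2025-04-02T10:00:00Z 192.0.2.5 198.51.100.10 8443 DENY
2025-04-02T10:30:00Z 192.0.2.5 198.51.100.10 10443 DENY
2025-04-02T11:00:00Z 192.0.2.5 198.51.100.10 3389 DENY
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z "
    r"(?P<src>[\d.]+) (?P<dst>[\d.]+) (?P<port>\d+) (?P<action>[A-Z]+)$"
)


def parse_log(text):
    """Turn log lines into event dicts. Malformed lines are skipped so one bad
    record does not abort the whole hunt."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
        events.append({"ts": ts, "src": m["src"], "dst": m["dst"],
                       "port": int(m["port"]), "action": m["action"]})
    return events


def find_scanners(events, window=timedelta(minutes=5), min_targets=5):
    """Return {src: summary} for every source that touches at least `min_targets`
    distinct (dst, port) pairs inside some sliding `window`. Counting pairs means a
    vertical scan (many ports, one host) and a horizontal sweep (one port, many
    hosts) are both caught. A slow scanner that spreads probes beyond the window
    is deliberately NOT flagged; widen the window to hunt for that case."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev["src"]].append(ev)

    hits = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        j = 0
        for i, first in enumerate(evs):
            # Right edge only moves forward: evs[i:j] is everything within `window` of evs[i].
            while j < len(evs) and evs[j]["ts"] - first["ts"] <= window:
                j += 1
            span = evs[i:j]
            targets = {(e["dst"], e["port"]) for e in span}
            if len(targets) >= min_targets:
                prev = hits.get(src)
                if prev is None or len(targets) > prev["distinct_targets"]:
                    hits[src] = {
                        "window_start": first["ts"].isoformat(),
                        "distinct_targets": len(targets),
                        "distinct_ports": len({p for _, p in targets}),
                        "distinct_hosts": len({h for h, _ in targets}),
                        "events": len(span),
                    }
    return hits


if __name__ == "__main__":
    for src, info in find_scanners(parse_log(SAMPLE_LOG)).items():
        print(src, info)
```

With the defaults only 203.0.113.7 is reported (six targets on two hosts inside two minutes); the host that polls port 443 every fifteen minutes stays quiet, and the source that spaces five probes thirty minutes apart only surfaces once the window is widened to a few hours, which is the trade-off between catching low-and-slow reconnaissance and drowning in false positives.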
The attempted break-ins do, however, illustrate how RedNovember has expanded its targeting to include the US defense industrial base and other global defense organizations, they note.
The report documents RedNovember targeting 11 organizations in Japan, seven in the UK, six each in Germany and Brazil, five each in Taiwan, South Korea, and Portugal, three in Italy, two each in Canada, Indonesia, Cambodia, and Argentina, one each in Vietnam and Tajikistan, and 13 in “other” regions.
However, as Recorded Future senior director of strategic intelligence Jonathan Condra told The Register, these are only targets that Insikt Group observed.
“This does not imply that all targeted entities were compromised,” Condra said. “Additionally, it is likely that RedNovember’s activity was broader than what Insikt Group was able to observe based on its visibility and collection.”
Edge devices: the gift (to snoops) that keeps on giving
In April, the crew started abusing Ivanti Connect Secure (ICS) VPN devices, targeting a “specialized US engineering and military contractor,” a “higher education institution associated with the US Navy,” and a “major American newspaper.” While the researchers said there was no evidence of compromise at the first two orgs, it’s unclear from the report if they successfully broke into the news outlet.
Insikt Group doesn't say which Ivanti CVE RedNovember used, but in early April both the US government and private-sector researchers warned that suspected Chinese spies had been exploiting a pair of critical bugs (CVE-2025-22457 and CVE-2025-0282) in these Ivanti VPN appliances.
RedNovember also targeted SonicWall VPN devices in March belonging to an American law firm, a European engine manufacturer, a UK-based defense contractor, and another UK company that provided bespoke cable harnessing, including for aerospace, military and defense, and medical applications.
The threat hunters observed that, in addition to abusing buggy Ivanti and SonicWall gear, RedNovember was poking around, “and likely compromising” other products, including Cisco Adaptive Security Appliance (ASA), F5 BIG-IP, Palo Alto Networks GlobalProtect, Sophos SSL VPN, Fortinet FortiGate instances, and Outlook Web Access (OWA) instances.
Cobalt Strike for the win
After gaining initial access, RedNovember deployed malware including the Pantegana backdoor and the SparkRAT remote access tool, both open-source projects written in Go that run across different operating systems. The crew also used Cobalt Strike, a legitimate pen-testing tool that has become the "tool of choice" for cybercriminals and nation-state attackers alike, including those from China.
“The Chinese have been colonizing wide swaths of Western cyberspace for years,” cybercrime expert and HITRUST VP Cyber Risk Tom Kellermann told The Register. “The RedNovember campaign mimics the types of campaigns leveraged by traditional penetration testers by using prolific tools like Cobalt Strike to infest various networks around the world.”
These attacks necessitate better threat hunting by government agencies “to suppress these backdoors across their networks and supply chains immediately,” he added.
Don’t forget ArcaneDoor or UNC5221
This report comes as authorities in the US and UK, along with Cisco, warn that an unnamed “advanced threat actor” has been exploiting the networking giant’s firewalls since at least November.
On Thursday, America's lead cyber-defense agency gave federal agencies just 24 hours to identify affected Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) devices, check logs for compromises, and apply patches for CVE-2025-20333 and CVE-2025-20362.
“This campaign is assessed to be connected to the ArcaneDoor activity identified in early 2024,” Chris Butera, acting deputy executive assistant director for cybersecurity at CISA, said during a call with reporters on Thursday.
The attackers abused these security flaws to modify read-only memory (ROM), thus allowing persistent access even after reboots and software upgrades, according to both Cisco and CISA.
“The ROM modification is assessed to have begun as early as November 2024 if not earlier,” Butera said.
CISA tracks the ArcaneDoor malicious activity as separate from the RedNovember attacks, as well as another series of suspected Chinese spy intrusions that Google unveiled earlier this week and attributed to a group it tracks as UNC5221.
ArcaneDoor first came to light in April 2024, when Cisco patched two zero-day flaws in ASA and FTD firewalls that had already been exploited to break into government and telecom networks. Cisco pinned the activity on a threat crew it dubbed UAT4356.
Cisco, at the time, refused to attribute this malicious activity to a specific country – such as Russia or China. And when asked about the latest round of ArcaneDoor-related intrusions, neither Cisco nor CISA would pin the blame on a particular government-backed goon squad.
“We will continue to work with federal partners and industry partners, but we are not focused on attribution at this time,” Butera said.
“We attribute these attacks to the same state-sponsored threat actor behind the ArcaneDoor campaign reported in early 2024,” a Cisco spokesperson told The Weekly on Friday. “We strongly recommend that Cisco customers upgrade their devices to the available fixed software and follow guidance in the security advisories outlined on our Event Response Page and in the Cisco Talos blog post.” ®