
Chinese State-Sponsored RedDelta Targeted Taiwan, Mongolia, and Southeast Asia with Adapted PlugX Infection Chain www.recordedfuture.com

Between July 2023 and December 2024, Insikt Group observed the Chinese state-sponsored group RedDelta targeting Mongolia, Taiwan, Myanmar, Vietnam, and Cambodia with an adapted infection chain to distribute its customized PlugX backdoor. The group used lure documents themed around the 2024 Taiwanese presidential candidate Terry Gou, the Vietnamese National Holiday, flood protection in Mongolia, and meeting invitations, including an Association of Southeast Asian Nations (ASEAN) meeting. RedDelta likely compromised the Mongolian Ministry of Defense in August 2024 and the Communist Party of Vietnam in November 2024. The group conducted spearphishing targeting the Vietnamese Ministry of Public Security, but Insikt Group observed no evidence of successful compromise. From September to December 2024, RedDelta likely targeted victims in Malaysia, Japan, the United States, Ethiopia, Brazil, Australia, and India.
In late 2023, RedDelta evolved the first stage of its infection chain to leverage a Windows Shortcut (LNK) file likely delivered via spearphishing. In 2024, the group transitioned to using Microsoft Management Console Snap-In Control (MSC) files. Most recently, RedDelta used spearphishing links to prompt a victim to load an HTML file remotely hosted on Microsoft Azure. Since July 2023, RedDelta has consistently used the Cloudflare content distribution network (CDN) to proxy command-and-control (C2) traffic, which enables the group to blend in with legitimate CDN traffic and complicates victim identification. Other state-sponsored groups, including Russia’s BlueAlpha, have similarly leveraged Cloudflare to evade detection.
RedDelta’s activities align with Chinese strategic priorities, focusing on governments and diplomatic organizations in Southeast Asia, Mongolia, and Europe. The group’s Asia-focused targeting in 2023 and 2024 represents a return to the group’s historical focus after targeting European organizations in 2022. RedDelta’s targeting of Mongolia and Taiwan is consistent with the group’s past targeting of groups seen as threats to the Chinese Communist Party’s power.
About RedDelta:
RedDelta has been active since at least 2012 and has focused on targeting Southeast Asia and Mongolia. The group has routinely adapted its targeting in response to global geopolitical events. RedDelta targeted the Vatican and other Catholic organizations with PlugX before 2021 talks between China and the Vatican. The group has compromised law enforcement and government entities in India, a government organization in Indonesia, and other targets across Myanmar, Hong Kong, and Australia.
In 2022, RedDelta shifted toward increased targeting of European government and diplomatic entities following Russia's invasion of Ukraine. This activity used an infection chain that began by delivering an archive file (ZIP, RAR, or ISO), which was likely delivered via spearphishing. The file contained a Windows Shortcut (LNK) file disguised with a double extension (such as .doc.lnk) and a Microsoft Word icon. Hidden folders within the archive contained three files used to complete dynamic-link library (DLL) search order hijacking: a legitimate binary, a malicious DLL loader, and an encrypted PlugX payload that was ultimately loaded into memory. User execution of the Shortcut file led to DLL search order hijacking. In November 2022, RedDelta evolved its tactics to stage the ISO file on a threat actor-controlled domain.
In March 2023, Insikt Group identified RedDelta targeting Mongolia using a similar infection chain that started with a container file (RAR, ZIP, ISO) consisting of an LNK file that triggered a DLL search order hijacking triad located within a hidden nested subdirectory. Decoy documents included an invitation from the World Association of Mongolia and a document claiming to be a BBC news interview about Tibetan Buddhism and Mongolia. RedDelta targeted:
Members of multiple Mongolian non-governmental organizations (NGOs), including a human rights and pro-democracy NGO focused on the Inner Mongolia Autonomous Region
Mongolian Buddhist activists in Mongolia and Japan
Academic professionals in Mongolia and Japan
Developers of two Mongolian mobile applications
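The two chains described above share one shape a defender can triage for before any payload runs: a container archive holding a shortcut disguised with a document double extension, and a hidden nested folder holding the DLL search order hijacking triad (a legitimate EXE, a loader DLL, and a non-PE encrypted payload). The script below is an added example, not Insikt Group or Recorded Future code; its heuristics (dot-prefixed or DOS-hidden directories, the "document.lnk" pattern, the MZ header check) and the constructed sample archives are assumptions made for illustration, and it deliberately never executes or parses the shortcut itself.

```python
"""Archive triage heuristic for the RedDelta-style chain described above:
a container file holding a double-extension .lnk and a hidden folder with
a legitimate EXE, a loader DLL and a non-PE encrypted payload.
Added example (not Insikt Group / Recorded Future code); the heuristics,
file names and the sample archives are constructed assumptions."""
import io
import zipfile
from dataclasses import dataclass

DOS_HIDDEN = 0x02  # MS-DOS hidden attribute, low byte of ZipInfo.external_attr
DOCUMENT_EXTS = (".doc", ".docx", ".pdf", ".xls", ".xlsx", ".ppt", ".pptx")
MZ_MAGIC = b"MZ"  # PE files (EXE/DLL) start with this header


@dataclass
class Finding:
    kind: str    # "double_extension_lnk" or "hidden_sideload_triad"
    path: str    # file or directory inside the archive
    detail: str  # human-readable explanation for the analyst


def _directory_of(name: str) -> str:
    return name.rsplit("/", 1)[0] if "/" in name else ""


def _is_hidden(info: zipfile.ZipInfo) -> bool:
    """Hidden via the DOS attribute or a dot-prefixed parent directory."""
    if info.external_attr & DOS_HIDDEN:
        return True
    return any(part.startswith(".") for part in info.filename.split("/")[:-1])


def _double_extension_lnk(name: str) -> bool:
    """True for names like Invitation.doc.lnk that masquerade as documents."""
    base = name.rsplit("/", 1)[-1].lower()
    if not base.endswith(".lnk"):
        return False
    return base[:-4].endswith(DOCUMENT_EXTS)


def triage_archive(data: bytes) -> list[Finding]:
    """Return findings for a ZIP archive given as bytes (never runs anything)."""
    findings: list[Finding] = []
    # per hidden directory: PE executables, PE DLLs and non-PE blobs found there
    hidden_dirs: dict[str, dict[str, list[str]]] = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            if _double_extension_lnk(name):
                findings.append(Finding("double_extension_lnk", name,
                                        "shortcut disguised with a document extension"))
            if not _is_hidden(info):
                continue
            with zf.open(info) as fh:
                is_pe = fh.read(2) == MZ_MAGIC
            bucket = hidden_dirs.setdefault(_directory_of(name),
                                            {"exe": [], "dll": [], "blob": []})
            lower = name.lower()
            if is_pe and lower.endswith(".exe"):
                bucket["exe"].append(name)
            elif is_pe and lower.endswith(".dll"):
                bucket["dll"].append(name)
            elif not is_pe:
                bucket["blob"].append(name)
    for directory, bucket in hidden_dirs.items():
        if bucket["exe"] and bucket["dll"] and bucket["blob"]:
            findings.append(Finding(
                "hidden_sideload_triad", directory,
                f"EXE {bucket['exe']} + DLL {bucket['dll']} + blob {bucket['blob']}"))
    return findings


def is_suspicious(data: bytes) -> bool:
    """Both halves of the chain present: disguised LNK and a hidden sideload triad."""
    kinds = {f.kind for f in triage_archive(data)}
    return {"double_extension_lnk", "hidden_sideload_triad"} <= kinds


def build_sample_archive(malicious: bool = True) -> bytes:
    """Constructed sample input (not a real sample): a lure-style archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if malicious:
            # placeholder bytes only; the LNK header magic is 0x4C, nothing executable
            zf.writestr("Invitation.doc.lnk", b"L\x00\x00\x00" + b"\x00" * 60)
            for fname, content in (("update.exe", b"MZ" + b"\x00" * 62),
                                   ("version.dll", b"MZ" + b"\x00" * 62),
                                   ("config.dat", bytes(range(64)))):
                info = zipfile.ZipInfo(f".hidden/{fname}")
                info.external_attr = DOS_HIDDEN  # mark hidden like the real triad
                zf.writestr(info, content)
        else:
            zf.writestr("Invitation.docx", b"PK\x03\x04benign placeholder")
            zf.writestr("readme.txt", b"plain text")
    return buf.getvalue()


if __name__ == "__main__":
    for f in triage_archive(build_sample_archive()):
        print(f.kind, f.path, f.detail)
    print("suspicious:", is_suspicious(build_sample_archive()))
```

The two heuristics are intentionally kept separate so an analyst can see which half of the chain fired; a mail gateway or sandbox pre-filter would typically quarantine on either finding alone, while `is_suspicious` demands both to keep false positives low on archives that merely contain a hidden build folder. RAR and ISO containers, which the report also names, need a different reader but the same per-directory bucketing.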
Mitigations:
To detect and mitigate RedDelta activity, organizations should:
Use YARA and Sigma rules provided by Insikt Group to detect RedDelta Windows Installer (MSI), DLL, and LNK files (see below).
Configure intrusion detection systems (IDS), intrusion prevention systems (IPS), and other network defense mechanisms to alert on or block connection attempts from external IP addresses and domains associated with RedDelta (see below).
Keep software and applications — particularly operating systems, antivirus software, and core system utilities — up to date.
Filter email correspondence and scrutinize attachments for malware.
Conduct regular system backups and store them offline and offsite to ensure they are inaccessible via the network.
Adhere to strict compartmentalization of company-sensitive data, institute role-based access, and limit company-wide data access.
Deploy client-based host logging and intrusion detection capabilities to identify and thwart attacks early.
Prevent threat actors from bypassing security by disabling outdated authentication methods.
Implement tools like network IDS, NetFlow collection, host logging, and web proxy, alongside manual monitoring of detection sources.
Practice network segmentation and ensure special protections exist for sensitive information, such as multifactor authentication, and restricted access.
Leverage the Recorded Future® Third-Party Intelligence module and Threat Intelligence Browser Extension for real-time monitoring and prioritized vulnerability patching.
Review public guidance (1, 2, 3, 4) and Insikt Group’s “Charting China’s Climb as a Leading Global Cyber Power” report for comprehensive recommendations for mitigating Chinese advanced persistent threat activity more broadly.
Outlook:
Insikt Group anticipates that RedDelta will continue targeting organizations worldwide with its customized PlugX backdoor, focusing on Southeast Asia and China’s periphery, including Mongolia and Taiwan. Likely targets include governments, NGOs, activists, and religious organizations. RedDelta has continually evolved its infection chain and is anticipated to continue doing so in the future in response to major geopolitical developments.
To read the entire analysis, click here to download the report as a PDF.


Published Date:2025-01-10