ETDA (Electronic Transactions Development Agency)

Threat Group Cards: A Threat Actor Encyclopedia

APT group: RedAlpha

Names: RedAlpha (Recorded Future)
DeepCliff (?)
Red Dev 3 (PWC)
Country: China
Sponsor: State-sponsored, possibly PLA and/or Nanjing Qinglan Information Technology Co. Ltd
Motivation: Information theft and espionage
First seen: 2015
Description: The original research from Citizen Lab did not give this group a name.

(Recorded Future) Recorded Future’s Insikt Group has identified two new cyberespionage campaigns targeting the Tibetan community over the past two years. The campaigns, which we are collectively naming RedAlpha, combine light reconnaissance, selective targeting, and diverse malicious tooling. We discovered this activity as the result of pivoting off of a new malware sample observed targeting the Tibetan community based in India.

Insikt Group’s analysis of infrastructure overlap among the new campaigns reveals wider targeting of the Chinese “Five Poisons,” in addition to South and Southeast Asian governments. Based on the campaign’s targeting of “Five Poisons”-related organizations, overlapping infrastructure, and links to malware used by other Chinese APTs uncovered during our research, we assess with medium confidence that the RedAlpha campaigns were conducted by a Chinese APT.

Infrastructure overlaps have been found with APT 17, Deputy Dog, Elderwood, Sneaky Panda, Icefog, Dagger Panda and NetTraveler, APT 21, Hammer Panda.
Observed sectors: Government and the Tibetan and Uyghur communities and Falun Gong supporters.
Observed countries: Hong Kong, India, Myanmar, Pakistan, Sri Lanka, Thailand and South and Southeast Asia.
Tools used: FormerFirstRAT, Gh0st RAT, NetHelp Infostealer, njRAT, RedAlpha and a vulnerability in MS Office.
Operations performed:
2017: RedAlpha: New Campaigns Discovered Targeting the Tibetan Community
<https://www.recordedfuture.com/redalpha-cyber-campaigns/>
<https://go.recordedfuture.com/hubfs/reports/cta-2018-0626.pdf>
2021: RedAlpha Conducts Multi-Year Credential Theft Campaign Targeting Global Humanitarian, Think Tank, and Government Organizations
<https://go.recordedfuture.com/hubfs/reports/ta-2022-0816.pdf>
Information: <https://citizenlab.ca/2018/01/spying-on-a-budget-inside-a-phishing-operation-with-targets-in-the-tibetan-community/>

Last change to this card: 10 March 2024
