ETDA สำนักงานพัฒนาธุรกรรมทางอิเล็กทรอนิกส์
Electronic Transactions Development Agency
Home > List all groups > RedDelta

Threat Group Cards: A Threat Actor Encyclopedia

Permanent link APT group: RedDelta

NamesRedDelta (Recorded Future)
TA416 (Proofpoint)
CountryChina China
MotivationInformation theft and espionage
First seen2020
Description(Recorded Future) From early May 2020, The Vatican and the Catholic Diocese of Hong Kong were among several Catholic Church-related organizations that were targeted by RedDelta, a Chinese-state sponsored threat activity group tracked by Insikt Group. This series of suspected network intrusions also targeted the Hong Kong Study Mission to China and the Pontifical Institute for Foreign Missions (PIME), Italy. These organizations have not been publicly reported as targets of Chinese threat activity groups prior to this campaign.

These network intrusions occured ahead of the anticipated September 2020 renewal of the landmark 2018 China-Vatican provisional agreement, a deal which reportedly resulted in the Chinese Communist Party (CCP) gaining more control and oversight over the country’s historically persecuted “underground” Catholic community. In addition to the Holy See itself, another likely target of the campaign includes the current head of the Hong Kong Study Mission to China, whose predecessor was considered to have played a vital role in the 2018 agreement.

The suspected intrusion into the Vatican would offer RedDelta insight into the negotiating position of the Holy See ahead of the deal’s September 2020 renewal. The targeting of the Hong Kong Study Mission and its Catholic Diocese could also provide a valuable intelligence source for both monitoring the diocese’s relations with the Vatican and its position on Hong Kong’s pro-democracy movement amidst widespread protests and the recent sweeping Hong Kong national security law.

While there is considerable overlap between the observed TTPs of RedDelta and the threat activity group publicly referred to as Mustang Panda, Bronze President (also known as BRONZE PRESIDENT and HoneyMyte), there are a few notable distinctions which lead us to designate this activity as RedDelta:
• The version of PlugX used by RedDelta in this campaign uses a different C2 traffic encryption method and has a different configuration encryption mechanism than traditional PlugX.
• The malware infection chain employed in this campaign has not been publicly reported as used by Mustang Panda.

In addition to the targeting of entities related to the Catholic Church, Insikt Group also identified RedDelta targeting law enforcement and government entities in India and a government organization in Indonesia.
ObservedSectors: Government, Law enforcement, Telecommunications and The Vatican and Catholic Church-related organizations.
Countries: Australia, China, Czech, Ethiopia, Germany, Hong Kong, India, Indonesia, Italy, Myanmar, Slovakia, Spain, Ukraine, USA, Vietnam.
Tools usedCobalt Strike, PlugX, Poison Ivy.
Operations performedAug 2020RedDelta Resumes Its Targeting of the Vatican and Hong Kong Catholic Diocese
Sep 2020Following the Chinese National Day holiday in September, Proofpoint researchers observed a resumption of activity by the APT actor TA416.
Mar 2021Operation “Dianxun”
Operation Diànxùn: Cyberespionage Campaign Targeting Telecommunication Companies
Feb 2022Most recently on February 28, 2022, TA416 began using a compromised email address of a diplomat from a European NATO country to target a different country’s diplomatic offices. The targeted individual worked in refugee and migrant services.

Last change to this card: 03 April 2022

Download this actor card in PDF or JSON format

Previous: RedCurl
Next: RedEcho

Digital Service Security Center
Electronic Transactions Development Agency

Follow us on

Facebook Twitter

Report incidents

Telephone +66 (0)2-123-1227
E-mail [email protected]