ETDA สำนักงานพัฒนาธุรกรรมทางอิเล็กทรอนิกส์
Electronic Transactions Development Agency
Home > List all groups > RedFoxtrot

Threat Group Cards: A Threat Actor Encyclopedia

Permanent link APT group: RedFoxtrot

NamesRedFoxtrot (Recorded Future)
Nomad Panda (CrowdStrike)
TEMP.Trident (FireEye)
Moshen Dragon (SentinelLabs)
CountryChina China
SponsorState-sponsored, PLA Unit 69010
MotivationInformation theft and espionage
First seen2014
Description(Recorded Future) RedFoxtrot has been active since at least 2014 and predominantly targets government, defense, and telecommunications sectors across Central Asia, India, and Pakistan, aligning with the likely operational remit of Unit 69010. Of particular note, within the past 6 months, Insikt Group detected RedFoxtrot network intrusions targeting 3 Indian aerospace and defense contractors; major telecommunications providers in Afghanistan, India, Kazakhstan, and Pakistan; and multiple government agencies across the region. RedFoxtrot maintains large amounts of operational infrastructure and has likely employed both bespoke and publicly available malware families commonly used by Chinese cyber espionage groups, including Icefog, PlugX, Royal Road, Poison Ivy, ShadowPad, and PCShare. RedFoxtrot activity overlaps with threat groups tracked by other security vendors as Temp.Trident and Nomad Panda.
ObservedSectors: Defense, Government, Telecommunications.
Countries: Afghanistan, India, Kazakhstan, Pakistan.
Tools used8.t Dropper, GUNTERS, Icefog, Impacket, PCShare, PlugX, Poison Ivy, ShadowPad Winnti.
Operations performedAug 20214 Chinese APT Groups Identified Targeting Mail Server of Afghan Telecommunications Firm Roshan

Last change to this card: 04 May 2022

Download this actor card in PDF or JSON format

Previous: RedEcho
Next: RedGolf

Digital Service Security Center
Electronic Transactions Development Agency

Follow us on

Facebook Twitter

Report incidents

Telephone +66 (0)2-123-1227
E-mail [email protected]