Irish Information Security Forum

RedHotel Group Operating at a Global Scale

Source: Insikt Group - Cyber Threats Analysis



RedHotel is one of the most prominent, active, Chinese state-sponsored threat activity groups tracked by Recorded Future’s Insikt Group based on their persistence, high operational tempo, and global targeting scope


Using Recorded Future® Network Intelligence, Insikt Group have identified RedHotel targeting at least 17 countries within Asia, Europe, and North America from 2021 to 2023, across academia, aerospace, government, media, telecommunications, and research and development (R&D) sectors. RedHotel primarily poses a threat to government organizations worldwide, particularly within the Southeast Asia region, as well as private sector companies operating within the highlighted targeted sectors.


"We identified RedHotel employing a multi-tiered infrastructure network for malware command-and-control (C2), reconnaissance, and exploitation, and observed likely administration of this infrastructure from China-based IP addresses geolocating to Chengdu, Sichuan province, China."


Earlier industry findings on RedHotel activity also further corroborate that the group likely operates out of Chengdu. In addition, RedHotel’s targeting purview, tooling, and modus operandi closely resembles the operations of other private contractor groups affiliated with China’s Ministry of State Security (MSS), including other Chengdu-based threat activity groups such as RedGolf (aka APT41, Brass Typhoon).

The well-documented activity of multiple MSS-linked contractors located in Chengdu, several of which have displayed close ties to local universities, provides evidence that the city is likely a hub of MSS-linked cyber talent development and operations (1, 2). Organizations can defend against RedHotel activity by prioritizing hardening and vulnerability patching of internet-facing appliances (particularly corporate VPN, mail server, and network devices), logging and monitoring of these devices, and implementing network segmentation to limit exposure and lateral movement potential to internal networks.

RedHotel activity overlaps with publicly reported activity under the aliases Aquatic Panda (CrowdStrike), BRONZE UNIVERSITY (SecureWorks), Charcoal Typhoon (Microsoft), Earth Lusca (Trend Micro), and Red Scylla (PWC), and was previously tracked by Recorded Future under the temporary group designator TAG-22.

Key Findings

  • Based on targeting trends, RedHotel likely operates with a mission of both intelligence gathering and economic espionage. The group has frequently targeted government organizations for traditional intelligence collection, but has also engaged in the targeting of COVID-19 research and technology R&D organizations.
  • In July 2022, RedHotel likely compromised a US state legislature, with infrastructure linked to this organization observed regularly communicating with RedHotel-attributed ShadowPad and Cobalt Strike C2 IP addresses.
  • RedHotel has operated 2 distinct infrastructure clusters, with one largely dedicated to reconnaissance and initial access operations and a second to maintaining long-term access into targeted networks via command-and-control (C2) servers.
  • The group has been active since at least 2019 and employs a mixture of offensive security tools (such as Cobalt Strike and Brute Ratel), closed-source but shared capabilities (such as ShadowPad and Winnti), and bespoke tooling (such as Spyder and FunnySwitch) across campaigns.

Download Full Report

RedHotel Chinese Cyber Group Threat Analysis




If you are interested in finding out more about the IISF, or would like to attend one of our Chapter Meetings as an invited guest, please contact the
IISF Secretary:

By email:

By post:

David Cahill

Information Security

GPO, 1-117
D01 F5P2

Enhance your Cybersecurity knowledge and learn from those at the coalface of information Security in Ireland



We would like to thank these generous sponsors for their support. 

crowdstrike logo

zscaler logo



Sponsors are featured prominently throughout the IISF.IE website, social media channels as well as enjoying other benefits Read more


secured by edgescan digital security radar logo

© iiSf. All rights reserved. CRN: 3400036GH  - Privacy Statement  - Sponsorship  - Cybersecurity News Topics  - Cybersecurity Resources  - Produced by
LinkedIn Twitter