RedFoxtrot
Actor Type | Nation State |
---|---|
Attributed to Nation | China |
Associated Threat Actor | People’s Liberation Army (PLA) Unit 69010 |
RedFoxtrot is a suspected Chinese state-sponsored intrusion set tracked by Recorded Future's Insikt Group and linked to the People's Liberation Army (PLA) Unit 69010, located in Ürümqi, Xinjiang. The group has been active since at least 2014 and primarily targets government, defense, and telecommunications sectors across Central Asia, India, and Pakistan.
RedFoxtrot's operations were linked by Insikt Group researchers to Unit 69010's headquarters through lax operational security measures and publicly available procurement and court documents. The group has been observed using both bespoke and publicly available malware families commonly associated with Chinese cyber espionage groups, including Icefog, PlugX, Royal Road, Poison Ivy, ShadowPad, and PCShare.
Specifically, the researchers observed RedFoxtrot targeting three Indian aerospace and defense contractors, major telecommunications providers in Afghanistan, India, Kazakhstan, and Pakistan, and multiple government agencies across the region. The group's activities align with the operational remit of Unit 69010.
Insikt Group also notes overlaps with other threat groups tracked by security vendors as Temp.Trident and Nomad Panda.