RedHotel
Attribute | Value |
---|---|
Actor Type | Commercial Provider |
Attributed to Nation | China |
Directly Linked Intrusion Sets | TAG-22, Earth Lusca |
Associated Threat Actor | i-SOON |
RedHotel is a group tracked by Recorded Future's Insikt Group, which formerly referred to it as TAG-22.
RedHotel is a highly active Chinese state-sponsored threat activity group, notable for its persistence, rapid operational tempo, and extensive global targeting. Between 2021 and 2023, RedHotel targeted organisations in at least 17 countries across Asia, Europe, and North America, focusing on sectors such as academia, aerospace, government, media, telecommunications, and research and development.
RedHotel operates a multi-tiered infrastructure network used for reconnaissance, exploitation, and malware command-and-control. Evidence suggests that this infrastructure is administered from China-based IP addresses geolocated in Chengdu, Sichuan province.
The group's tactics, techniques, and procedures closely resemble those of other private contractor groups affiliated with China's Ministry of State Security (MSS), including Chengdu-based threat actors such as RedGolf (also known as APT41 or Brass Typhoon). Chengdu's documented history of MSS-linked contractors, some with ties to local universities, suggests that the city serves as a hub for MSS-related cyber talent development and operations.
RedHotel Threat Reports
RedHotel: A Prolific, Chinese State-Sponsored Group Operating at a Global Scale
This report from Recorded Future's Insikt Group outlines activity by the RedHotel intrusion set. RedHotel is identified as a prominent Chinese ...
MITRE ATT&CK Techniques
MITRE ATT&CK techniques observed in use by this intrusion set. Sub-techniques are listed with their parent technique name so that each row can be read without looking up the ID.
ATT&CK ID | Technique | Associated Tactics |
---|---|---|
T1027 | Obfuscated Files or Information | Defense Evasion |
T1584.004 | Compromise Infrastructure: Server | Resource Development |
T1140 | Deobfuscate/Decode Files or Information | Defense Evasion |
T1553.002 | Subvert Trust Controls: Code Signing | Defense Evasion |
T1190 | Exploit Public-Facing Application | Initial Access |
T1071.001 | Application Layer Protocol: Web Protocols | Command and Control |
T1595.002 | Active Scanning: Vulnerability Scanning | Reconnaissance |
T1090.002 | Proxy: External Proxy | Command and Control |
T1041 | Exfiltration Over C2 Channel | Exfiltration |
T1566.001 | Phishing: Spearphishing Attachment | Initial Access |
T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Persistence, Privilege Escalation |
T1053.005 | Scheduled Task/Job: Scheduled Task | Execution, Persistence, Privilege Escalation |
T1505.003 | Server Software Component: Web Shell | Persistence |
T1583.003 | Acquire Infrastructure: Virtual Private Server | Resource Development |
T1583.001 | Acquire Infrastructure: Domains | Resource Development |
T1036.005 | Masquerading: Match Legitimate Name or Location | Defense Evasion |
T1574.001 | Hijack Execution Flow: DLL Search Order Hijacking | Defense Evasion, Persistence, Privilege Escalation |