TAG-22
| Actor Type | Commercial Provider |
|---|---|
| Attributed to Nation | China |
| Directly Linked Intrusion Sets | RedHotel , Earth Lusca |
TAG-22 is an intrusion set tracked by Recorded Future and later designated as Red Hotel. The group shows overlaps with the 'Winnti Group' and is identified as being likely linked to Chinese Ministry of State Security (MSS) contractors.
The group is reported as using Winnti and ShadowPad malware as well as Cobalt Strike and Acunetix.
Cyber Threat Graph Context
Explore how this Intrusion Set relates to the wider threat graph
TAG-22 Threat Reports
Report
RedHotel: A Prolific, Chinese State-Sponsored Group Operating at a Global Scale
This report from Recorded Future's Insikt Group outlines activity by the Red Hotel intrusion set. RedHotel is identified as a prominent Chinese ...
References
go.recordedfuture.com
https://go.recordedfuture.com/hubfs/reports/cta-2023-0808.pdfwww.recordedfuture.com
https://www.recordedfuture.com/blog/chinese-group-tag-22-targets-nepal-philippines-taiwanwww.trendmicro.com
https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/earth-lusca-employs-sophisticated-infrastructure-varied-tools-and-techniques/technical-brief-delving-deep-an-analysis-of-earth-lusca-operations.pdfMITRE ATT&CK Techniques
MITRE ATT&CK techniques observed in use by this intrusion set.
| ATT&CK ID | Title | Associated Tactics |
|---|---|---|
| T1027 | Obfuscated Files or Information | Defense Evasion |
| T1584.004 | Server | Resource Development |
| T1140 | Deobfuscate/Decode Files or Information | Defense Evasion |
| T1553.002 | Code Signing | Defense Evasion |
| T1190 | Exploit Public-Facing Application | Initial Access |
| T1071.001 | Web Protocols | Command and Control |
| T1595.002 | Vulnerability Scanning | Reconnaissance |
| T1090.002 | External Proxy | Command and Control |
| T1041 | Exfiltration Over C2 Channel | Exfiltration |
| T1566.001 | Spearphishing Attachment | Initial Access |
| T1547.001 | Registry Run Keys / Startup Folder | Persistence, Privilege Escalation |
| T1053.005 | Scheduled Task | Execution, Persistence, Privilege Escalation |
| T1505.003 | Web Shell | Persistence |
| T1583.003 | Virtual Private Server | Resource Development |
| T1583.001 | Domains | Resource Development |
| T1036.005 | Match Legitimate Name or Location | Defense Evasion |
| T1574.001 | DLL Search Order Hijacking | Defense Evasion, Persistence, Privilege Escalation |