A Chinese state-sponsored hacker group called RedNovember conducted a global espionage campaign targeting critical infrastructure between June 2024 and July 2025, compromising defense contractors, government agencies and major corporations, according to a report by cybersecurity firm Recorded Future.
Recorded Future researchers said the group systematically targeted internet-facing enterprise appliances, successfully compromising SonicWall VPN devices, Ivanti Connect Secure appliances, Cisco Adaptive Security Appliances, F5 BIG-IP systems, Sophos SSL VPN products and Fortinet FortiGate firewalls. The report said RedNovember breached at least two U.S. defense contractors and more than 30 Panamanian government agencies, and exploited the Ivanti flaws identified as CVE-2023-46805 and CVE-2024-21887, for which patches had been available since January 2024.
Researchers found RedNovember could weaponize newly disclosed vulnerabilities faster than many organizations could deploy patches, often within 72 hours. The report said when proof-of-concept code for Check Point VPN vulnerability CVE-2024-24919 was published on May 30, 2024, the group was attacking vulnerable systems by June 3, and similar rapid exploitation was observed against Palo Alto Networks GlobalProtect devices.
Rather than relying exclusively on custom malware, Recorded Future said RedNovember used publicly available tools including the Go-based Pantegana backdoor, the Cobalt Strike framework and SparkRAT, deployed SparkRAT via variants of LESLIELOADER, and leveraged legitimate services and scanners such as PortSwigger’s Burp Suite, ExpressVPN and Cloudflare Warp. The researchers wrote that this approach lowers operational costs and complicates attribution.
The report described broad targeting across the United States, Taiwan, South Korea, Europe, Africa, Central and Southeast Asia, and South America, with persistent access in some intrusions lasting months. Researchers said they tracked compromises from July 2024 through March 2025, including a Taiwanese IT company that remained compromised, and documented intrusions into law firms handling sensitive negotiations and an attempted breach of a major U.S. newspaper.
Recorded Future noted that several campaigns coincided with geopolitical developments, pointing to the surveillance of more than 30 Panamanian agencies weeks after the U.S. announced a partnership to expand cooperation on securing the canal zone, and citing the U.S. government notice that announced that partnership. The researchers recommended enhanced monitoring of edge devices and rapid patch deployment for network infrastructure, and said RedNovember is likely to continue targeting such devices soon after vulnerabilities are disclosed.