Chinese APT Leans on Researcher PoCs to Spy on Other Countries - Dark Reading
"RedNovember" is both lazy and punctual: always quick to do its homework on new vulnerabilities, but always getting the answers from cyber defenders.

Nate Nelson, Contributing Writer
September 24, 2025

An emerging Chinese threat actor has been spying on Asian and Western governments, and on high-value companies, using publicly available vulnerability exploits.

When cybersecurity researchers publish proof-of-concept (PoC) exploits for software vulnerabilities, their aim is to inform and empower organizations to protect themselves. The catch, of course, is that the same information then becomes available to attackers capable of weaponizing it. In recent years, in fact, attackers have been investing time and effort into spotting and acting on these security disclosures before organizations get the chance.

RedNovember (aka Storm-2077) does this better than anyone, according to a new report from threat intelligence vendor Recorded Future. It's an advanced persistent threat (APT) tied to one of the most sophisticated and well-resourced states on the planet, but it possesses no unique malware or techniques. Instead, it manages to infiltrate major corporations and government agencies, in alignment with Chinese state interests, simply by beating them to the punch when new PoCs hit the Web.

"It is important for both the public and private sectors to continue having conversations on this topic," says Sveva Vittoria Scenarelli, principal threat intelligence analyst at Recorded Future, in an email. "The disclosure of vulnerabilities can be approached in thoughtful ways that make everyone, both vendors (or providers) and their customers, more secure, but there is significant nuance in how this process is conducted, why and how disclosure is approached, and in different organizations' ability to respond to such disclosure."

RedNovember: Lazy, Yet Punctual

In April and May of last year, threat actors exploited a high-severity arbitrary file read vulnerability in Check Point security gateways (CVE-2024-24919) as a zero-day. The vendor acknowledged the issue later in May and released a fix for it on May 28. Two days thereafter, security researchers published a PoC.

Exploiting zero-day vulnerabilities is not RedNovember's game — perhaps it doesn't have the resources, capabilities, or, more likely, the desire to do so. Instead, it keeps a close eye on vulnerability disclosures, and when a public PoC becomes available, it pounces on it. Barely four days after the CVE-2024-24919 disclosure, evidence suggests that RedNovember was actively probing Check Point gateways, Recorded Future said.

The same went for CVE-2024-3400, a 10-out-of-10 CVSS-rated arbitrary file creation issue from that same period that affected Palo Alto's GlobalProtect remote access platform. RedNovember has targeted other edge devices as well, including SonicWall products, Cisco Adaptive Security Appliance, F5 Networks' BIG-IP, Sophos SSL VPN, Fortinet FortiGate instances, and Ivanti Connect Secure virtual private network (VPN) appliances.

After cheating off of other people's work to exploit vulnerabilities, RedNovember also deploys other people's malware. It uses the Go-based LeslieLoader to deploy programs like SparkRAT, a cross-operating system (OS) infostealer linked to various Chinese cyber campaigns; Pantegana, a Go-based command-and-control (C2) framework; and Cobalt Strike, a widely used penetration testing suite.

RedNovember uses commercial tools for all of its other related activities, too. Commercial VPNs like ExpressVPN help it connect to its own infrastructure. In April 2025, Recorded Future's researchers even found it using the Internet Archive's Wayback Machine — a tool more common among cybersecurity reporters than the threat actors they write about — and they don't know exactly why. Scenarelli imagines, "RedNovember might have been using it as part of its reconnaissance: to try and pinpoint any changes in organizations' Web pages over time, or to scan organizations' live Web pages to see what they look like at the moment of the search, for example. It could even be RedNovember trying to remove paywalls from publications in order to read articles that might be relevant to its reconnaissance activity."

Espionage Timed With Geopolitical Shifts

Unbelievably, these rather conventional and low-effort cyberattacks consistently bear fruit against government agencies and companies in sensitive sectors. RedNovember's victims span technology companies in Taiwan, manufacturers in Europe, and government entities throughout Southeast Asia (sans China), Recorded Future wrote. Its campaigns closely mirror Chinese state interests, arguably more closely than those of most other Chinese APTs.

Consider Fiji, as an example. The tiny Pacific Island nation doesn't tend to feature high on most people's lists of countries of geopolitical import, but it's an important cog in China's Belt and Road Initiative. In July 2024, RedNovember targeted Outlook Web Access (OWA) and Sophos UTM logins to spy on more than 50 Fijian organizations in government, finance, and media, as well as multiple land, sea, and air transportation authorities of particular relevance to Belt and Road.

There have been more worrying cases, too. On Dec. 9, 2024, China's military initiated a genital-measuring contest off the coast of Taiwan, deploying nearly 100 warships and vessels to simulate wartime battle and blockade scenarios. The researchers found that on that very same day, and continuing for a week thereafter, RedNovember performed cyber reconnaissance on a location in Taiwan that is home to semiconductor research and development and a Taiwanese military airbase.

Scenarelli warns that "RedNovember is highly likely gathering, or attempting to gather, intelligence on matters of clear strategic interest, at specific points in time."

About the Author
Nate Nelson, Contributing Writer
Nate Nelson is a journalist and scriptwriter. He writes for "Darknet Diaries" — the most popular podcast in cybersecurity — and co-created the former Top 20 tech podcast "Malicious Life." Before joining Dark Reading, he was a reporter at Threatpost.