Chinese state-sponsored hacking group RedGolf has been linked to the use of a custom Windows and Linux backdoor called KEYPLUG.
The group, which is believed to have been active for many years, has a history of developing and using custom malware families and has shown the ability to weaponize newly reported vulnerabilities.
Attacks targeting government entities in Sri Lanka in early August 2022, which used a novel implant called DBoxAgent to deploy KEYPLUG, have also been attributed to the group. RedGolf has been observed using a mix of traditionally registered domains and Dynamic DNS domains as command-and-control points for Cobalt Strike and PlugX.
Recorded Future has detected a cluster of KEYPLUG samples and operational infrastructure used by the hacking group from at least 2021 to 2023. The infrastructure, referred to as GhostWolf, consists of 42 IP addresses that function as KEYPLUG command-and-control servers.
RedGolf is believed to be conducting this activity for intelligence gathering rather than financial gain, given the overlaps with previously reported cyberespionage campaigns.
Organizations are advised to apply patches promptly, monitor access to external-facing network devices, track and block the identified command-and-control infrastructure, and configure intrusion detection or prevention systems to alert on malware detections.
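The "track and block identified command-and-control infrastructure" recommendation is only useful once indicators are matched against what the network actually saw. The script below is an added example, not Recorded Future's tooling or the GhostWolf indicator set: it takes a constructed list of C2 IP addresses, CIDR ranges and domains (RFC 5737 documentation addresses and example.* names, standing in for the KEYPLUG, Cobalt Strike and PlugX infrastructure described above) and scans constructed DNS and proxy log lines for hosts that resolved or connected to them. The log formats and all indicator values are assumptions for illustration.

```python
"""Match DNS and proxy log lines against a C2 indicator list.

Added illustration for this article, not Recorded Future's data or code.
Every indicator and log line below is constructed: RFC 5737 addresses and
example.* domains stand in for real KEYPLUG / Cobalt Strike / PlugX C2.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed indicators (assumed values, not the 42 GhostWolf addresses).
C2_IPS = {"192.0.2.10", "198.51.100.7"}
C2_NETS = [ipaddress.ip_network("203.0.113.0/28")]
# Registered and Dynamic-DNS-style domains; subdomains must match too,
# because dynamic DNS providers hand out labels under a shared parent.
C2_DOMAINS = {"update.example.net", "cdn-sync.example.org"}

# Constructed sample logs: a Zeek-like DNS line and a squid-like proxy line.
# Field layout assumed here: <source> <epoch> <client-ip> <details...>
SAMPLE_LOGS = [
    "dns 1679000000 10.0.0.5 query=update.example.net answer=192.0.2.10",
    "dns 1679000010 10.0.0.6 query=www.example.com answer=93.184.216.34",
    "proxy 1679000020 10.0.0.7 CONNECT 198.51.100.7:443 -",
    "proxy 1679000030 10.0.0.8 GET http://cdn-sync.example.org/update.bin",
    "proxy 1679000040 10.0.0.9 CONNECT 203.0.113.9:8443 -",
    "dns 1679000050 10.0.0.5 query=mail.example.com answer=192.0.2.99",
]


@dataclass(frozen=True)
class Hit:
    src: str        # internal client that resolved or reached the indicator
    indicator: str  # the matched IP or domain
    kind: str       # "ip" or "domain"
    line: str       # the raw log line, kept for the analyst


IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Requires an alphabetic final label, so dotted IPs never match as domains.
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)


def ip_is_c2(ip: str) -> bool:
    """Exact IP match or membership in a listed C2 range."""
    if ip in C2_IPS:
        return True
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in C2_NETS)


def domain_is_c2(name: str) -> bool:
    """Match the listed domain or any subdomain of it (never a label suffix)."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in C2_DOMAINS)


def scan_line(line: str) -> list[Hit]:
    fields = line.split()
    if len(fields) < 3:
        return []           # malformed line: skip rather than crash the sweep
    src = fields[2]
    hits = []
    for ip in set(IP_RE.findall(line)):
        if ip != src and ip_is_c2(ip):
            hits.append(Hit(src, ip, "ip", line))
    for dom in set(DOMAIN_RE.findall(line)):
        if domain_is_c2(dom):
            hits.append(Hit(src, dom, "domain", line))
    return hits


def scan(lines) -> list[Hit]:
    return [hit for line in lines for hit in scan_line(line)]


def affected_hosts(lines) -> list[str]:
    """Sorted internal hosts that touched any indicator; feed to IR triage."""
    return sorted({hit.src for hit in scan(lines)})


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS):
        print(f"{hit.src} -> {hit.kind}:{hit.indicator}  [{hit.line}]")
    print("hosts to triage:", affected_hosts(SAMPLE_LOGS))
```

Matching on the resolved answer as well as the queried name matters: a host that looked up a benign-looking dynamic DNS name but received a listed C2 address still gets flagged, which is the case the first sample line exercises. Blocking at the firewall or DNS resolver should use the same two views of the indicator list.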
The findings come as Trend Micro revealed that it discovered more than 200 victims of Mustang Panda attacks, part of a far-reaching cyber espionage effort orchestrated by various sub-groups since 2022. The attacks have been detected chiefly in Asia, followed by Africa, Europe, the Middle East, Oceania, North America, and South America.