The hackers used variants of the LESLIELOADER tool to deploy SparkRAT on compromised systems, with samples first detected in March 2024, according to the analysis. RedNovember also leveraged legitimate tools and services to manage its infrastructure, including vulnerability scanning tools such as PortSwigger's Burp Suite and VPN services such as ExpressVPN and Cloudflare's Warp.
“RedNovember’s strategic use of open-source capabilities allows the threat group to lower operational costs and obfuscate attribution,” researchers explained in the report.
Global targeting across multiple sectors
The group heavily targeted organizations in the US, Taiwan, and South Korea; it also conducted surveillance of government agencies in Panama and targeted entities in Europe, Africa, Central Asia, and Southeast Asia, the report said.