Chinese Cyberspies Hacked US Defense Contractors
Between July 2024 and July 2025, the Chinese threat actor tracked as RedNovember was seen targeting high-profile organizations globally across government, defense, aerospace, and other industries. For initial access, the cyberspies compromised edge devices from Cisco, F5, Fortinet, Ivanti, Palo Alto Networks, SonicWall, and Sophos, as well as Outlook Web Access (OWA) instances.

As part of the attacks, RedNovember deployed a Go-based backdoor dubbed Pantegana, offensive security tools such as Cobalt Strike and SparkRAT, and open-source tools for initial access, reconnaissance, and follow-up activities. According to Recorded Future, RedNovember's attack campaigns focus mainly on reconnaissance and on the exploitation of newly disclosed vulnerabilities in edge devices, including Palo Alto Networks GlobalProtect firewalls, Ivanti Connect Secure instances, Check Point VPN gateways, Sophos UTM login portals, SonicWall SonicOS and SonicWall SSL-VPN instances, and F5 BIG-IP devices.
To read the complete article, see: Security Week.