ThaiCERT    ETDA    MDES
Report
Search
Home > List all groups > RedFoxtrot

Threat Group Cards: A Threat Actor Encyclopedia

Permanent link APT group: RedFoxtrot

NamesRedFoxtrot (Recorded Future)
CountryChina China
SponsorState-sponsored, PLA Unit 69010
MotivationInformation theft and espionage
First seen2014
Description(Recorded Future) RedFoxtrot has been active since at least 2014 and predominantly targets government, defense, and telecommunications sectors across Central Asia, India, and Pakistan, aligning with the likely operational remit of Unit 69010. Of particular note, within the past 6 months, Insikt Group detected RedFoxtrot network intrusions targeting 3 Indian aerospace and defense contractors; major telecommunications providers in Afghanistan, India, Kazakhstan, and Pakistan; and multiple government agencies across the region. RedFoxtrot maintains large amounts of operational infrastructure and has likely employed both bespoke and publicly available malware families commonly used by Chinese cyber espionage groups, including Icefog, PlugX, Royal Road, Poison Ivy, ShadowPad, and PCShare. RedFoxtrot activity overlaps with threat groups tracked by other security vendors as Temp.Trident and Nomad Panda.
ObservedSectors: Defense, Government, Telecommunications.
Countries: Afghanistan, India, Kazakhstan, Pakistan.
Tools used8.t Dropper, Icefog, PCShare, Poison Ivy, ShadowPad Winnti.
Information<https://www.recordedfuture.com/redfoxtrot-china-pla-targets-bordering-asian-countries/>
<https://go.recordedfuture.com/redfoxtrot-insikt-report>

Last change to this card: 07 August 2021

Download this actor card in PDF or JSON format

Thailand Computer Emergency Response Team (ThaiCERT)
Electronic Transactions Development Agency

Follow us on

Facebook Twitter

Report incidents

Telephone +66 (0)2-123-1234
E-mail report@thaicert.or.th
PGP Download PGP key