
Chinese hackers RedNovember target global governments using Pantegana and Cobalt Strike

September 24, 2025

A suspected cyberespionage cluster, previously found targeting global government and private sector organizations across Africa, Asia, North America, South America and Oceania, has been assessed to be a state-sponsored threat actor.

Recorded Future, which had been tracking the activity under the moniker TAG-100, has now graduated it to a hacking group named RedNovember. It is also tracked by Microsoft as Storm-2077.

“Between June 2024 and June 2025, RedNovember (which overlaps with Storm-2077) targeted appliances of high-profile organizations around the world, using the Go-based backdoor Pantegana and Cobalt Strike as part of its intrusions.”

“The group has expanded its targeting remit across government and private sector organizations, including defense and aerospace organizations, space organizations, and law firms.”

Some of the threat actor's new victims include a ministry of foreign affairs in Central Asia, a national security agency in Africa, a European government directorate, and a Southeast Asian government. The group is also believed to have breached at least two US defense contractors, European engine manufacturers, and intergovernmental cooperation agencies focused on trade in Southeast Asia.

RedNovember was first documented by Recorded Future more than a year ago, in a report detailing its use of the Pantegana post-exploitation framework and Spark RAT following the weaponization of known security flaws in several internet-facing perimeter appliances from Check Point (CVE-2024-24919), Cisco, Citrix, F5, Ivanti, Palo Alto Networks (CVE-2024-3400), and SonicWall for initial access.

The focus on targeting security solutions such as VPNs, firewalls, load balancers, virtualization infrastructure, and email servers mirrors a trend increasingly adopted by other China-sponsored hacking groups to break into networks of interest and maintain long-term persistence.

A notable aspect of the threat actor's tradecraft is the use of Pantegana and Spark RAT, both of which are open-source tools. Their adoption is an attempt to repurpose existing programs for the group's own ends and to confuse attribution efforts, a hallmark of espionage actors.


The attacks use a publicly available variant of the Go-based loader LESLIELOADER to launch a Spark RAT or Cobalt Strike Beacon on the compromised device.

RedNovember is said to use VPN services such as ExpressVPN and Warp VPN to manage and connect to two servers, which are used to exploit internet-facing devices and to communicate with Pantegana, Spark RAT and Cobalt Strike.

Between June 2024 and May 2025, many of the hacking group's targeting efforts focused on Panama, the US, Taiwan and South Korea. As recently as April 2025, it was found targeting security appliances associated with US-based newspapers and engineering and military contractors.

Recorded Future also said it had identified the adversary likely targeting the Microsoft Outlook Web Access (OWA) portal belonging to a South American country ahead of that country's visit to China.

“RedNovember has historically targeted a diverse range of countries and sectors, suggesting a wide range of intelligence requirements,” the company said. “RedNovember’s activities so far have focused primarily on several key regions, including the US, Southeast Asia, the Pacific region and South America.”
