Research (Insikt)

RedHotel: A Prolific, Chinese State-Sponsored Group Operating at a Global Scale

Posted: 8th August 2023
By: Insikt Group
RedHotel: A Prolific, Chinese State-Sponsored Group Operating at a Global Scale


New Insikt Group research examines RedHotel, a Chinese state-sponsored threat activity group that stands out due to its persistence, operational intensity, and global reach. RedHotel's operations span 17 countries in Asia, Europe, and North America from 2021 to 2023. Its targets encompass academia, aerospace, government, media, telecommunications, and research sectors. Particularly focused on Southeast Asia's governments and private companies in specified sectors, RedHotel's infrastructure for malware command-and-control, reconnaissance, and exploitation points to administration in Chengdu, China. Its methods align with other contractor groups linked to China's Ministry of State Security (MSS), indicating a nexus of cyber talent and operations in Chengdu.

2023-redhotel-body.png Schematic of RedHotel’s multi-tiered C2 infrastructure network

RedHotel has a dual mission of intelligence gathering and economic espionage. It targets both government entities for traditional intelligence and organizations involved in COVID-19 research and technology R&D. Notably, it compromised a US state legislature in 2022, highlighting its expanded reach. RedHotel employs a multi-tiered infrastructure with a distinct focus on reconnaissance and long-term network access via command-and-control servers.

Since at least 2019, RedHotel has exemplified a relentless scope and scale of wider PRC state-sponsored cyber-espionage activity by maintaining a high operational tempo and targeting public and private sector organizations globally. The group often utilizes a mix of offensive security tools, shared capabilities, and bespoke tooling.

Recorded Future's Insikt Group observes various Chinese state-sponsored cyber threats, with RedHotel standing out for its broad scope and intensity of activity. RedHotel's campaigns include innovations such as exploiting a stolen code signing certificate and commandeering Vietnamese government infrastructure. Despite public exposure, RedHotel's bold approach suggests it will persist in its activities.

To read the entire analysis with endnotes, click here to download the report as a PDF.