Monday, December 1

RedNovember Hackers Attacking Government and Technology Organizations to Deploy Backdoor


Cybersecurity: RedNovember Threat Group Analysis

In mid-2024, cybersecurity analysts identified a rise in targeted attacks on government, defense, and technology sectors globally.

These attacks were attributed to a newly identified threat group named RedNovember, which uses open-source and commercial tools to deploy a covert Go-based backdoor.

Exploitation and Post-Exploitation Activities

Initial breaches were often facilitated by exploiting Internet-facing devices, such as VPN appliances, load balancers, and webmail portals, using publicly available proof-of-concept exploits.

Following initial access, attackers deployed the Pantegana command-and-control (C2) framework alongside variants of Cobalt Strike and SparkRAT, enabling long-term access and undetected espionage activities.

Reconnaissance and Targeting

Recorded Future analysts identified RedNovember's operations after a July 2025 reconnaissance phase that targeted Ivanti Connect Secure VPN appliances across multiple regions.

This campaign involved scanning several government ministries and private sector entities, subsequently delivering a malicious Go loader disguised as a legitimate software update.

Targets included foreign affairs directorates in Southeast Asia and defense contractors in the United States, indicating a focus on high-value targets.

Exploitation Techniques

RedNovember favored readily available exploits such as CVE-2024-3400 for Palo Alto GlobalProtect and CVE-2024-24919 for Check Point VPN gateways, emphasizing quick and high-volume initial access over custom malware development.

The group’s activities often coincided with geopolitical events, suggesting a possible state-sponsored intelligence motive.

Infection Mechanism

A crucial tool used by RedNovember is LESLIELOADER, a Go-based loader that authenticates and decrypts its payload before execution in memory.

The loader is distributed through spear-phishing emails with a PDF lure. Upon execution, LESLIELOADER performs an AES decryption routine to unpack SparkRAT or Cobalt Strike Beacon modules.

A YARA rule published by Recorded Future keys on the function names of this decryption routine:

rule MALLESLIELOADER {
    meta:
        author = "Insikt Group, Recorded Future"
        description = "Detects LESLIELOADER Malware used by RedNovember"
    strings:
        // Function names the Go binary carries for its AES decryption and unpadding routines
        $s1 = ".DecrptogAES"
        $s2 = ".UnPaddingText1"
    condition:
        // PE file check: YARA reads uint16 little-endian, so the "MZ" magic is 0x5A4D
        uint16(0) == 0x5A4D and all of ($s*)
}

Once deployed, the loader contacts a hardcoded domain to retrieve the encrypted payload, decrypting it directly into memory to avoid disk writes and evade antivirus detection.

The backdoor establishes persistence by creating a Windows registry Run key and disabling event log features to complicate forensic analysis.

Mitigation Strategies

Defensive measures include monitoring known C2 domains, enforcing strict patch management for perimeter devices, and employing behavior-based detection to identify in-memory loaders.

Continuous network segmentation and enhanced monitoring of external-facing devices are essential to mitigate this persistent threat.
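The behavior-based detection recommended above can be applied to the persistence steps described earlier (Run-key creation and event-log tampering). The following is an added example, not Recorded Future's or RedNovember's code; the event records are constructed Sysmon-style JSON lines, and the "suspicious directory" allowlist is a hypothetical policy, not one from the report.

```python
"""Triage Windows endpoint telemetry for Run-key persistence and event-log
tampering. Added example with constructed Sysmon-style events, not real
RedNovember telemetry."""
import json
import re

# Constructed sample events (Sysmon IDs: 13 = registry value set, 1 = process create).
SAMPLE_EVENTS = "\n".join([
    json.dumps({"EventID": 13, "Image": "C:\\Users\\bob\\AppData\\Local\\Temp\\update.exe",
                "TargetObject": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svchelper",
                "Details": "C:\\Users\\bob\\AppData\\Local\\Temp\\update.exe"}),
    json.dumps({"EventID": 1, "Image": "C:\\Windows\\System32\\wevtutil.exe",
                "CommandLine": "wevtutil.exe cl Security",
                "ParentImage": "C:\\Users\\bob\\AppData\\Local\\Temp\\update.exe"}),
    json.dumps({"EventID": 13, "Image": "C:\\Windows\\System32\\msiexec.exe",
                "TargetObject": "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\VendorAgent",
                "Details": "C:\\Program Files\\Vendor\\agent.exe"}),
    json.dumps({"EventID": 1, "Image": "C:\\Windows\\System32\\notepad.exe",
                "CommandLine": "notepad.exe", "ParentImage": "C:\\Windows\\explorer.exe"}),
])

RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
# Hypothetical policy: installers rarely register autoruns from user-writable scratch paths.
SUSPICIOUS_DIRS = re.compile(r"\\(Temp|Downloads|Public)\\", re.IGNORECASE)
# wevtutil "cl" clears a log, "sl" changes log settings (e.g. disabling it).
LOG_TAMPER = re.compile(r"wevtutil(\.exe)?\s+(cl|sl)\b", re.IGNORECASE)

def triage(jsonl: str) -> list[dict]:
    """Return one finding per suspicious event: Run-key values written by, or
    pointing at, binaries in scratch directories, and event-log tampering."""
    findings = []
    for line in jsonl.splitlines():
        ev = json.loads(line)
        if ev["EventID"] == 13 and RUN_KEY.search(ev["TargetObject"]):
            if SUSPICIOUS_DIRS.search(ev["Image"]) or SUSPICIOUS_DIRS.search(ev.get("Details", "")):
                findings.append({"rule": "runkey_persistence", "image": ev["Image"],
                                 "key": ev["TargetObject"]})
        elif ev["EventID"] == 1 and LOG_TAMPER.search(ev.get("CommandLine", "")):
            findings.append({"rule": "eventlog_tamper", "image": ev["Image"],
                             "parent": ev.get("ParentImage", "")})
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

The benign msiexec autorun in the sample is deliberately left unflagged so the logic shows a path-based triage rather than a blanket alert on every Run-key write.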
