Critical organisations worldwide have been warned about an ongoing credential-theft phishing campaign run by the China-based RedAlpha advanced persistent threat (APT) group. The campaign has been active for the past three years and targets government organisations, think tanks, and humanitarian groups around the world.
The earliest activity attributed to RedAlpha dates to 2015, when the group began registering and weaponising malicious domains that masquerade as numerous corporations and organisations worldwide for use in its phishing campaigns.
For the most recent activity of the APT group, researchers found over 350 malicious domains that RedAlpha operators registered.
The RedAlpha APT victimised numerous humanitarian groups over the years.
According to the reported incidents, the RedAlpha operators had targeted several human rights agencies from different parts of the world, including Amnesty International, International Federation for Human Rights (FIDH), American Institute in Taiwan (AIT), the Mercator Institute for China Studies (MERICS), and Radio Free Asia (RFA).
One of the group's campaigns spoofs the domains of popular email service providers such as Yahoo, Google, and Microsoft. Researchers identified 135, 91, and 70 typosquat domains impersonating those three providers respectively.
Victims who take the lure are redirected to malicious login portals imitating the spoofed provider, where they are instructed to enter their account details and credentials. The threat actors harvest those credentials and send them to their C2 servers.
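The typosquat domains described above are the kind of lookalikes a defender can hunt for in DNS or proxy logs. The script below is an added example, not code from the article or from any vendor research; it normalises common digit-for-letter substitutions and uses edit distance against the three provider names, and runs over a constructed log sample (the log format, hostnames and client addresses are all made up for illustration).

```python
"""Flag lookalike (typosquat) domains of major email providers in DNS query logs."""
from typing import Optional

# Brands the article says were spoofed; legitimate hosts are allow-listed (assumed set).
WATCHED = {
    "yahoo": {"yahoo.com", "mail.yahoo.com", "login.yahoo.com"},
    "google": {"google.com", "accounts.google.com", "mail.google.com"},
    "microsoft": {"microsoft.com", "microsoftonline.com", "login.microsoftonline.com"},
}

# Digit/letter substitutions and hyphens are normalised away before comparing labels.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "-": None})

def levenshtein(a: str, b: str) -> int:
    """Edit distance computed with a rolling single-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable_label(host: str) -> str:
    """Second-level label: 'yah00-mail' from 'login.yah00-mail.com'."""
    parts = host.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def classify(host: str) -> Optional[str]:
    """Return the impersonated brand for a suspicious host, or None if allow-listed/unrelated."""
    host = host.lower()
    for legit in WATCHED.values():
        if host in legit or any(host.endswith("." + d) for d in legit):
            return None  # genuine provider host
    label = registrable_label(host).translate(HOMOGLYPHS)
    for brand in WATCHED:
        if brand in label or levenshtein(label, brand) <= 2:
            return brand
    return None

def scan_log(text: str) -> list:
    """Parse 'key=value' query-log lines and return (host, brand) for every flagged host."""
    hits = []
    for line in text.splitlines():
        fields = dict(f.split("=", 1) for f in line.split()[1:])
        brand = classify(fields.get("query", ""))
        if brand:
            hits.append((fields["query"], brand))
    return hits

# Constructed sample log: one genuine and one lookalike query per provider, plus noise.
LOG = """\
2022-08-16T10:01:02Z client=10.0.0.5 query=mail.yahoo.com
2022-08-16T10:01:09Z client=10.0.0.5 query=login.yah00-mail.com
2022-08-16T10:02:31Z client=10.0.0.7 query=accounts.google.com
2022-08-16T10:02:40Z client=10.0.0.7 query=accounts-g00gle.com
2022-08-16T10:03:15Z client=10.0.0.9 query=login.microsoftonline.com
2022-08-16T10:03:22Z client=10.0.0.9 query=micros0ft-login.net
2022-08-16T10:04:00Z client=10.0.0.9 query=example.org
"""

if __name__ == "__main__":
    for host, brand in scan_log(LOG):
        print(f"lookalike of {brand}: {host}")
```

The allow-list must be extended with every legitimate provider host your environment uses (for example CDN or API subdomains), otherwise those will be reported as lookalikes.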
Researchers also found that the campaign directly targets individuals associated with humanitarian groups. Those victims are directed to malicious sites impersonating specific spoofed organisations, while victims outside the targeted sector are directed to fake login pages for generic email service providers.
Researchers note that RedAlpha has already created hundreds of spoofed and malicious domains disguised as legitimate companies in order to steal credentials from its victims.
The latest cyberespionage operations attributed to the group were linked to its earlier attacks because they follow a similar playbook: reusing the same domains, IP addresses, domain registration details, and malware strains seen in older campaigns.