RedDelta Threat Group
The RedDelta threat group targeted the religion, government, and law enforcement sectors across multiple countries, including the Vatican and the Catholic Diocese of Hong Kong. During these attacks the actor used several malware families, including PlugX, Cobalt Strike, and PoisonIvy, to control infected devices and exfiltrate sensitive information. RedDelta registered its domains through GoDaddy and relied mainly on three hosting providers located in Canada and Hong Kong. Some of the actor's techniques overlap with those of the Mustang Panda espionage group, including DLL side-loading, the use of stack strings for obfuscation, and RtlCompress/LZNT1 for compression.