People’s Liberation Army (PLA) Unit 69010 is believed to have been behind a series of cyber-espionage campaigns dating back to 2014 that have focused on gathering military intelligence from neighboring countries.

RedFoxtrot has primarily targeted aerospace and defense, government, telecommunications, mining, and research organizations in Afghanistan, India, Kazakhstan, Kyrgyzstan, Pakistan, Tajikistan, and Uzbekistan.

RedFoxtrot activity overlaps with groups tracked by other security firms as Temp.Trident and Nomad Panda. The threat actors behind the RedFoxtrot operations employed both custom malware and publicly available malicious code. The arsenal of the group included malware employed in campaigns linked to Chinese cyber espionage groups, including Icefog, PlugX, RoyalRoad, Poison Ivy, ShadowPad, and PCShare.

Due to lax operational security measures employed by this individual, we uncovered a connection to the likely physical address of the headquarters of PLA Unit 69010, No. 553, Wenquan East Road, Shuimogou District, Ürümqi, Xinjiang (新疆乌鲁木齐市水磨沟区温泉东路553号).

Earlier in 2020, RedFoxtrot, alongside multiple other PLA and MSS-affiliated nation-state groups, likely gained access to the ShadowPad backdoor.

With continued activity from suspected PLA groups such as Tonto Team, Tick, Naikon, and RedFoxtrot, and the emergence of new Chinese threat activity groups with suspected PLA links, PLA-affiliated groups remain prominent within the Chinese cyber espionage sphere despite increased attention on their MSS counterparts.