🇨🇳

TAG-100

APT Group Information theft and espionage 4 zero-day CVEs ETDA ✓

Also Known As 2 names

Storm-2077 RedNovember

Target Countries 6

Countries highlighted in red

Afghanistan United Kingdom Republic of Korea Panama Province of China Taiwan United States

Sectors Targeted

Other Services (except Public Administration) 81 Information 51 Telecommunications 517 Utilities 22 NAICS:31 31 Space Research and Technology 927 Computer and Electronic Product Manufacturing 334 Air Transportation 481 Religious Organizations 8131 Offices of Lawyers 541110 National Security and International Affairs 928 Public Administration 92 Educational Services 61 Finance and Insurance 52

Details

Origin 🇨🇳 CN

Last Updated 25 Jul 2024

MITRE ATT&CK 21

T1027.009-Obfuscated Files or Information T1027.013 - Obfuscated Files or Information T1036 - Masquerading T1046 - Network Service Scanning T1055 - Process Injection T1055-Process Injection T1068 - Exploitation for Privilege Escalation T1071 - Application Layer Protocol T1102.002 - Bidirectional Communication T1190 - Exploit Public-Facing Application T1190-Exploit Public Facing Application T1204 - User Execution T1530 - Data from Cloud Storage Object T1566 - Phishing T1571 - Non-Standard Port T1583 - Acquire Infrastructure T1583.003 - Virtual Private Server T1583.003-Acquire Infrastructure T1590 - Gather Victim Network Information T1595.002 - Vulnerability Scanning T1595.002-Active Scanning

Related Zero-Days 4

CVE-2019-0708 CVE-2022-30190 CVE-2024-24919 CVE-2025-0411

Known Names 2 entries

TAG-100 Recorded Future

Storm-2077 Microsoft

Observed Target Countries 16

Based on ETDA data — countries highlighted in red

Bolivia Cambodia Cuba Djibouti Dominican Republic Fiji France Indonesia Italy Japan Malaysia Netherlands Taiwan UK USA Vietnam

Description

(Recorded Future) Recorded Future’s Insikt Group identified new suspected cyber-espionage activity targeting high-profile government, intergovernmental, and private sector organizations globally. This activity, which we are tracking under the temporary group designator TAG100, has employed open-source remote access capabilities and exploited a wide range of internet-facing appliances for initial access. Using Recorded Future® Network Intelligence data, Insikt Group identified the likely compromise of the secretariats of two major Asia-Pacific intergovernmental organizations by TAG100 using the open-source, multi-platform Go backdoor Pantegana. Other targeted organizations include multiple diplomatic entities and ministries of foreign affairs, as well as industry trade associations and semiconductor supply-chain, non-profit, and religious organizations globally. At this time, Insikt Group is continuing to explore potential attribution for this activity; however, the specific targeting and victimology identified align with a suspected espionage motive.

Tools Used 5

Cobalt Strike CrossC2 LESLIELOADER Pantegana SparkRAT

Reports & References 2

https://go.recordedfuture.com/hubfs/reports/cta-2024-0716.pdf https://www.microsoft.com/en-us/security/blog/2024/11/22/microsoft-shares-latest-intelligence-on-north-korean-and-chinese-threat-actors-at-cyberwarcon/

ETDA Profile

TAG-100

Origin

China

First Seen 2024

Sponsor State-sponsored

Motivation

Information theft and espionage

View on ETDA APT Groups ↗