Operation Red Signature  (Back to overview)

The threat actors compromised the update server of a remote support solutions provider to deliver a remote access tool called 9002 RAT to their targets of interest through the update process. They carried this out by first stealing the company’s certificate then using it to sign the malware. They also configured the update server to only deliver malicious files if the client is located in the range of IP addresses of their target organisations.

Associated Families

There are currently no families associated with this actor.

2021-12-16Avast DecodedThreat Intelligence Team
Avast Finds Backdoor on US Government Commission Network
Operation Red Signature
2018-08-21Trend MicroJaromír Hořejší, Joseph C Chen, Kawabata Kohei, Kenney Lu
Operation Red Signature Targets South Korean Companies
9002 RAT PlugX Operation Red Signature

Credits: MISP Project