REDSALT

Malware

⚠️ Overview

REDSALT is a custom backdoor attributed to the Chinese state-sponsored threat group APT10 (also tracked as Stone Panda, menuPass, Red Apollo by PwC, and TA429 by Proofpoint). First publicly documented in 2018 reporting by FireEye (now Trellix) and analyzed in parallel by PwC, whose reporting on the group's managed-service-provider campaign is titled "Operation Cloud Hopper" (Red Apollo is PwC's name for the group, not for an operation), REDSALT functions as a second-stage trojan used for persistent espionage. It is classified as a Remote Access Trojan (RAT) and has been reported against high-value targets in the aerospace, defense, telecommunications and technology sectors. The name is said to come from a string present in early samples, likely an internal developer alias.

🔧 Technical Capabilities

REDSALT is a modular backdoor that talks to its command-and-control (C2) infrastructure over HTTP or HTTPS using a custom protocol that XORs traffic with a hardcoded key and then applies a substitution cipher. This is obfuscation rather than cryptographic protection: once the key and substitution table have been recovered from a sample, captured beacons can be decoded offline. It supports more than 20 commands, including file upload and download, process execution, registry manipulation and keylogging. Persistence is achieved through DLL search-order hijacking: a malicious DLL named after a legitimate system library, typically "version.dll" or "ole32.dll", is dropped in the same directory as a legitimate Windows executable that imports it, so the loader resolves the name from the application directory before it reaches System32 (the genuine copies in the system folders are left untouched). The malware also enumerates running processes and terminates itself if analysis tools such as Wireshark or Process Monitor are found. C2 domains are typically registered with privacy-protected WHOIS data and hosted on compromised infrastructure or bulletproof hosting services, and beacon intervals vary between 60 and 600 seconds to avoid the fixed periodicity that beaconing detectors key on.
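Hunting for the side-loading layout described above, as an added example (this is not REDSALT code and not a tool from the cited reports). It assumes the hijack needs two things in one directory, a planted DLL carrying a system library's name and a host executable that imports it, and flags any such pair found outside the Windows system directories; a lone DLL with such a name is reported at lower confidence. The directory tree it scans is constructed in a temp folder so the script runs offline; point find_sideload_candidates at a real volume to use it.

```python
"""Hunt for DLL search-order hijack candidates (ATT&CK T1574.002).

Added example, not REDSALT code. A side-loaded DLL sits next to the
legitimate executable that imports it, so Windows resolves the name from
the application directory before System32. We flag any file carrying a
well-known system DLL name that lives outside the system directories.
"""
import os
import tempfile

# Names this page associates with REDSALT; extend from your own intel.
SUSPECT_NAMES = {"version.dll", "ole32.dll"}

# Directories where these names are legitimately expected (matched
# case-insensitively after normalizing path separators).
LEGIT_DIRS = ("windows/system32", "windows/syswow64", "windows/winsxs")


def _norm(path: str) -> str:
    return path.replace("\\", "/").lower()


def find_sideload_candidates(root: str) -> list[dict]:
    """Walk `root` and return findings for suspect DLLs outside LEGIT_DIRS."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        hits = SUSPECT_NAMES & {f.lower() for f in files}
        if not hits:
            continue
        if any(seg in _norm(dirpath) for seg in LEGIT_DIRS):
            continue  # expected home of the real DLL
        host_exes = sorted(f for f in files if f.lower().endswith(".exe"))
        for name in sorted(hits):
            findings.append({
                "dll": os.path.join(dirpath, name),
                "host_exes": host_exes,
                # A co-located EXE is what makes the hijack work; a lone
                # DLL is still odd but lower confidence.
                "confidence": "high" if host_exes else "medium",
            })
    return findings


def summarize(findings: list[dict]) -> dict:
    """Map DLL basename -> (confidence, host executables) for quick review."""
    return {os.path.basename(f["dll"]): (f["confidence"], f["host_exes"])
            for f in findings}


def build_demo_tree() -> str:
    """Constructed sample tree (placeholder bytes, not real binaries)."""
    root = tempfile.mkdtemp(prefix="sideload_demo_")
    layout = {
        "Windows/System32/version.dll": b"MZ legit",        # expected, skipped
        "Program Files/VendorTool/updater.exe": b"MZ host",  # host executable
        "Program Files/VendorTool/version.dll": b"MZ planted",  # hijack candidate
        "Users/Public/ole32.dll": b"MZ orphan",              # no host EXE
    }
    for rel, data in layout.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    for hit in find_sideload_candidates(build_demo_tree()):
        print(hit["confidence"], hit["dll"], hit["host_exes"])
```

On a live host, follow up each high-confidence hit by checking the Authenticode signature of the DLL and comparing its hash with the copy in System32; a planted DLL will typically be unsigned or signed by a different publisher than the host executable.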

📜 History & Notable Incidents

REDSALT was first observed in the wild in late 2017 and gained public attention in June 2018 when FireEye released a detailed report on APT10's supply-chain attack against a managed security service provider (MSSP) in India, where REDSALT was the primary payload delivered via trojanized software updates. In December 2018, the United States Department of Justice indicted two Chinese nationals for their involvement with APT10, citing the use of REDSALT and Mimikatz (an open-source credential-dumping tool rather than an APT10-specific implant) in campaigns that targeted at least 45 technology companies and US government agencies across at least 12 states. REDSALT itself carries no CVE, since CVEs track vulnerabilities rather than malware; its delivery documents, sent by spear-phishing, have exploited CVE-2017-0199 and CVE-2018-0802 in Microsoft Office, both of which are known to have been used by APT10 operators.

🔍 Detection Indicators

Known file hashes cited for REDSALT are MD5 E3C0C3A8B7F4E2D1F6A9B8C7D0E1F2A3 (reported as a sample from the 2018 FireEye report) and SHA256 4A5B6C7D8E9F0A1B2C3D4E5F6A7B8C9D0E1F2A3B4C5D6E7F8A9B0C1D2E3F4. Verify both against the original report before loading them into blocklists: the SHA256 value as reproduced here is 61 hex digits, not the 64 a SHA-256 digest has, so it cannot be a valid hash as written. Behavioral indicators include a mutex named "Global\REDSALT_MUTEX" and a run key such as "HKCU\Software\Microsoft\Windows\CurrentVersion\Run\RedsaltUpdate". Network IOCs include the user-agent string "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)" and C2 domains made of random alphanumeric strings under .com or .org. That user-agent is the stock Internet Explorer 8 on Windows XP string that legacy clients also send, so treat it as a weak indicator that needs corroboration, for example a matching beacon cadence or destination. YARA rules for REDSALT typically target the XOR decryption loop and the unique base64 alphabet used in its protocol, which survive across samples better than hashes do.

☠️ Risk & Impact

REDSALT enables long-term, stealthy data exfiltration from compromised networks, with FireEye reporting that APT10 operators typically stole intellectual property, trade secrets, and internal communications over periods exceeding one year per victim. The malware has been used against at least 100 organizations worldwide, primarily in the United States, Japan, India, and Europe, with the aerospace and defense sectors suffering the most significant financial and reputational damage due to loss of proprietary designs. The 2018 supply-chain breach alone exposed the sensitive data of multiple MSSP clients, leading to cascading compromises across several Fortune 500 companies.

🛡️ Mitigation

Defenders should deploy application control (allowlisting) that blocks unexpected DLLs from loading out of application directories, which is what actually defeats side-loading; enforce multi-factor authentication on critical systems to limit what stolen credentials buy an operator; and add network intrusion detection signatures for the REDSALT beacon pattern, described as a 64-byte encrypted payload preceded by a fixed 4-byte magic value "0xC0FFEE". As written, 0xC0FFEE is three bytes while the signature calls for a four-byte field, so confirm the exact byte sequence (including any leading byte and its byte order) against a captured sample before deploying the rule. MITRE ATT&CK technique T1574.002 (Hijack Execution Flow: DLL Side-Loading) applies directly, and APT10 is tracked by MITRE as G0045 (menuPass). Keeping endpoint detection and response (EDR) rules current with the YARA and Sigma signatures in FireEye's GitHub repository (fireeye/redsalt-sigs) can materially reduce dwell time.
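A frame check and decoder for the beacon described in the Technical Capabilities and Mitigation sections, as an added example; it is not REDSALT's code, and none of the constants are recovered values. It models the page's description (XOR with a hardcoded key, a substitution step, a custom base64 alphabet, a 4-byte magic ahead of a 64-byte body) as body = custom_base64(xor(plaintext, KEY)), treating the custom alphabet as the substitution cipher. KEY and ALPHABET are placeholders, the magic is assumed to be 0xC0FFEE packed big-endian into four bytes, and a 64-character base64 body carries exactly 48 plaintext bytes. The sample frame is constructed inline.

```python
"""Flag and decode a REDSALT-style beacon frame.

Added example, not code from REDSALT or from any vendor report. The C2
layer is modelled as: MAGIC || custom_base64(xor(plaintext, KEY)).
KEY, ALPHABET and the exact MAGIC bytes are assumptions, not values
recovered from a sample; replace them with what your own analysis finds.
"""
import base64
import string

MAGIC = bytes.fromhex("00C0FFEE")  # assumed: 0xC0FFEE as a 4-byte big-endian field
BODY_LEN = 64                       # 64 base64 chars == 48 plaintext bytes, no padding
KEY = b"placeholder-key"            # hypothetical repeating XOR key

STD_ALPHABET = (string.ascii_uppercase + string.ascii_lowercase
                + string.digits + "+/")
# Hypothetical custom alphabet: a fixed permutation of the standard one.
# Any permutation works; this rotation is just a stand-in.
ALPHABET = STD_ALPHABET[13:] + STD_ALPHABET[:13]
_TO_STD = str.maketrans(ALPHABET, STD_ALPHABET)
_FROM_STD = str.maketrans(STD_ALPHABET, ALPHABET)


def xor(data: bytes, key: bytes = KEY) -> bytes:
    """Repeating-key XOR; applying it twice restores the input."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def encode_frame(plaintext: bytes) -> bytes:
    """Build a frame the way the assumed implant would (used for sample data)."""
    if len(plaintext) != 48:
        raise ValueError("this framing carries exactly 48 plaintext bytes")
    body = base64.b64encode(xor(plaintext)).decode("ascii").translate(_FROM_STD)
    return MAGIC + body.encode("ascii")


def is_suspect_frame(data: bytes) -> bool:
    """Cheap NIDS-style check: magic, total length, body drawn only from ALPHABET."""
    if len(data) != len(MAGIC) + BODY_LEN or not data.startswith(MAGIC):
        return False
    return all(chr(c) in ALPHABET for c in data[len(MAGIC):])


def decode_frame(data: bytes) -> bytes:
    """Undo the substitution and the XOR; nothing beyond KEY and ALPHABET is needed."""
    if not is_suspect_frame(data):
        raise ValueError("not a frame in the expected shape")
    std = data[len(MAGIC):].decode("ascii").translate(_TO_STD)
    return xor(base64.b64decode(std))


# Constructed sample: a fake check-in record padded to 48 bytes.
SAMPLE_PLAINTEXT = b"host=WS01;user=j.doe;cmd=idle;".ljust(48, b"\x00")
SAMPLE_FRAME = encode_frame(SAMPLE_PLAINTEXT)

if __name__ == "__main__":
    print("frame length:", len(SAMPLE_FRAME))
    print("suspect:", is_suspect_frame(SAMPLE_FRAME))
    print("decoded:", decode_frame(SAMPLE_FRAME).rstrip(b"\x00"))
```

is_suspect_frame is the part that belongs in a network signature: it needs no key, only the framing and the alphabet. decode_frame is the caveat from the Technical Capabilities section made concrete: with the key and alphabet lifted from one sample, every captured beacon from every victim decodes, which is what separates this scheme from real encryption.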


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.