RedHotel is a China-aligned cyber-espionage cluster active since at least mid-2019 and publicly disclosed in consolidated form by Recorded Future Insikt Group in August 2023 ("RedHotel, A Prolific, Chinese State-Sponsored Group Operating at a Global Scale"). The cluster is widely assessed by Recorded Future, Mandiant, Microsoft, Trend Micro, and other vendor research teams to operate in alignment with Chinese state interests, likely with MSS (Ministry of State Security) tasking, and operationally adjacent to the broader Winnti / APT41 / Earth Lusca ecosystem of China-aligned actors. No formal US, UK, or EU government attribution to a specific PRC ministry or unit has been published; the "MSS-aligned" framing rests on vendor research and is suspected rather than formally confirmed. RedHotel is treated as a distinct operational cluster rather than an alias for Earth Lusca (already covered in earth_lusca.yaml). Recorded Future's seminal August 2023 disclosure was explicit that RedHotel shares tooling (Cobalt Strike, ShadowPad, FunnySwitch, BadIIS, PlugX) and ecosystem affiliation with these adjacent clusters but operates a distinct victimology, infrastructure, and operational tempo. Early pre-2023 reporting frequently conflated RedHotel activity with the broader Aquatic Panda / Earth Lusca / TAG-22 / Charcoal Typhoon activity stream; the Recorded Future August 2023 consolidation established the distinct cluster identity.

A defining feature of RedHotel, and the source of the cluster's Recorded-Future-assigned name, is sustained targeting of the hospitality industry alongside the more conventional government and religious-organization espionage portfolio. Hotels and resorts in Hong Kong, Macau, Southeast Asia, and Europe provide rich collection environments for travel-pattern collection against business and diplomatic travelers passing through these high-throughput regional hubs, and hospitality-industry IT environments are often comparatively less hardened than government environments. The hospitality-targeting signature differentiates RedHotel from the otherwise-similar Earth Lusca operational profile and from the older DarkHotel cluster (South-Korea-aligned, separately tracked, comparable hospitality-targeting tradecraft but operationally and attribution-wise distinct).

Recorded Future's August 2023 disclosure documented operations against organizations in 17 countries spanning Asia (Hong Kong, Macau, Taiwan, Vietnam, Mongolia, Tibet, India, Indonesia, Malaysia, Pakistan, Philippines, Thailand), Europe (Italy, Belgium, Germany), and North America (United States) from 2019 through 2023. Victim categories include government, religious organizations (Tibetan, Catholic, Falun Gong, Uyghur diaspora), academic, media, telecommunications, technology, manufacturing, and the hospitality industry. The substantial overlap of religious-organization and Tibetan-diaspora victim categories between RedHotel and Earth Lusca is one source of the early conflation of the two clusters and remains the strongest signal that both clusters operate within a shared MSS-adjacent ecosystem.

Operationally, RedHotel uses a comparatively standard China-aligned toolkit with extensive Winnti-ecosystem tooling overlap. Core implants include ShadowPad (the modular Winnti-shared implant), PlugX / Korplug, the FunnySwitch backdoor, and Winnti malware family components, with heavy reliance on Cobalt Strike Beacon for hands-on-keyboard operations. BadIIS web-shell deployment for long-dwell persistence in compromised IIS-hosted web environments, with SEO-fraud and traffic-redirection components, has been observed in RedHotel-adjacent activity, though the financial-motivation component is less prominent in RedHotel-specific reporting than in Earth Lusca reporting.
A handful of operational notes: First, the cluster is operationally distinct from the older DarkHotel cluster (South-Korea-aligned, Kaspersky 2014 disclosure, heavy hotel-WiFi-targeting against business travelers). The naming similarity is coincidental; the two clusters are not related operationally or by attribution. Second, the cluster is operationally adjacent to but distinct from Earth Lusca / Aquatic Panda / Charcoal Typhoon (already covered as earth_lusca.yaml in this corpus). The two clusters share tooling and ecosystem affiliation but operate distinct victimologies, infrastructure, and tempo. Pre-2023 reporting that conflates the two should be re-read with the Recorded Future August 2023 consolidation in mind. Third, attribution to MSS specifically, though dominant in vendor reporting, has not been confirmed by formal state attribution and should be presented as suspected.