A China-linked APT group named RedAlpha has been carrying out a mass credential theft phishing campaign, for the last three years, against organizations worldwide.

According to Recorded Future researchers, the hackers are targeting global humanitarian agencies, think tanks, and government organizations.

Domain spoofing

Since 2015, RedAlpha has consistently registered and weaponized hundreds of domains spoofing international organizations.
  • In 2021, it registered 350 domains representing a big spike in its activity.
  • The hackers in this campaign targeted the International Federation for Human Rights (FIDH), Amnesty International, the Mercator Institute for China Studies (MERICS), Radio Free Asia (RFA), and the American Institute in Taiwan (AIT), among others.
  • They spoofed domains off well-known email service providers Yahoo (135 typosquat domains), Google (91 typosquat domains), and Microsoft (70 typosquat domains).

Targeting of victims

  • Potential victims were directed to dummy email login portals of specific organizations to steal credentials, usernames and passwords.
  • The attackers appear to have targeted individuals directly affiliated with Human rights groups rather than third parties by using legitimate email login portals for specific organizations.
  • For targets other than the humanitarian and government organizations, the phishing pages used generic login pages for popular mail providers.

Other observations

  • Researchers have observed that RedAlpha has repeatedly registered domains spoofing webmail login portals for Taiwanese government and Brazilian and Vietnamese ministries of foreign affairs.
  • Reports indicate that the group’s targets have expanded in recent years to spoof foreign ministry credentials.


The RedAlpha group has created dozens of malicious, fake domains disguised as target domains to steal usernames and passwords. The APT group continues to follow the same playbook and as a result, the latest cyberespionage reports were linked to previous attacks. The latest attacks reused many of the same domains, IP addresses, tactics, malware, and even domain registration information from previous campaigns.
Cyware Publisher