Security researchers from Recorded Future have linked a series of cyberespionage campaigns to China-linked Unit 69010. These campaigns date back to 2014 and were aimed at military intelligence gatherings. The attackers behind these campaigns are tracked as RedFoxtrot.

What has happened? 

According to a report released by Recorded Future’s Insikt Group, RedFoxtrot is working for PLA China-linked Unit 69010. Moreover, the unit is running its operation from Ürümqi, a city in the Xinjiang province.
  • The group has mainly targeted aerospace, government, defense, mining, research, and telecommunications organizations based in Afghanistan, Kazakhstan, India, Pakistan, Tajikistan, Uzbekistan, and Kyrgyzstan.
  • As the report stated, activity since 2014 showed a specific focus on Indian targets, which happened at a time of heightened border tensions between the People’s Republic of China (PRC) and India.
  • RedFoxtrot activity overlaps with Temp.Trident and Nomad Panda threat groups. The attackers behind the RedFoxtrot operations used custom malware and publicly available malicious code.
  • The arsenal of the group included malware employed in campaigns linked to Chinese cyberespionage groups, such as Icefog, RoyalRoad, PlugX, ShadowPad, PCShare, and Poison Ivy.

The connection to PLA Unit 69010

Researchers associated Chinese nation-state activity with RedFoxtrot and PLA Unit 69010 due to the lax Operational Security (OpSec) of one of the members of the group behind the long-running campaign.
  • Lax OpSec measures uncovered a connection to the physical address of the headquarters of PLA Unit 69010, No. 553, Wenquan East Road, Shuimogou District, Urumqi, Xinjiang.
  • Insikt Group did not disclose the identity of this individual; however, a huge online presence showed enough evidence indicating that this individual is operating from Urumqi.
  • According to the researcher’s reports in 2020, RedFoxtrot, with multiple other PLA and MSS-affiliated nation-state groups, is believed to have gained access to the ShadowPad backdoor.


PLA-affiliated groups are still prominent within the Chinese cyberespionage threat landscape. Moreover, this intelligence report into PLA activity and Chinese military tactics and motivations provide an extremely useful insight into their working habits. Such information can be used to prepare defensive strategies against such threat groups.

Cyware Publisher