Needleminer is a Chinese espionage threat actor also referred to as RedFoxtrot and Nomad Panda. Open sources cited in the content associate the group with the Chinese People’s Liberation Army (PLA), and Recorded Future previously linked RedFoxtrot to PLA Unit 69010. The group is associated with the Quickheal backdoor, including a 32-bit DLL variant named RasTls.dll exporting GetOfficeDatatal, used in campaigns targeting the telecom sector. Reported victimology in the provided content is concentrated on telecom operators in a single Asian country, with additional targeting of a telecom-sector services company and a university in another Asian country. Infrastructure themes also suggest targeting of India’s telecom and space sectors, with lower-confidence possible targeting of the Middle East and South Korea. The Quickheal malware associated with Needleminer was described as credential-stealing malware focused on Mozilla Firefox and likely Microsoft Internet Explorer. It dynamically loads SQLite and NSS libraries to access and decrypt Firefox-stored credentials, uses CryptUnprotectData and CredEnumerateA, and manipulates an Internet Explorer credential-related GUID. It contains hardcoded command-and-control information, a hardcoded HTTP user-agent, and proxy-aware communication logic, including NTLM and Basic proxy authentication strings and apparent retrieval of victim internet settings from the registry. The malware also uses obfuscation and defense-evasion techniques including VMProtect protection, a custom API resolver, indirect LoadLibrary/GetProcAddress-style resolution, position-independent code, and renaming cmd.exe to alg.exe. In the telecom campaign described, Quickheal communicated with the hardcoded C2 domain swiftandfast.net over TCP 443 using a custom protocol designed to resemble SSL traffic while using its own encryption. The broader campaign context in the content describes long-running espionage activity since at least 2021, possibly 2020, involving credential theft, persistence, keylogging, port scanning, registry-hive dumping, Responder-based LLMNR/NBT-NS/mDNS poisoning, and enabling RDP. The report notes tooling overlap with other China-linked clusters, but the content does not establish whether this reflects direct collaboration, tool-sharing, or multiple actors.
Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Sectors the actor has been observed targeting.
Geographies tied to known operations.
Attributed origin per open-source reporting.
11 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.
1 malware family attributed to this actor across reporting.
33 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting. View more in app.
2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
PLA-linked intrusion set associated with the QUICKHEAL malware in campaigns targeting the telecom sector, with credential theft capabilities against Firefox and Internet Explorer and infrastructure suggesting targeting of Indian telecom and space-related entities, with possible additional targeting in the Middle East and South Korea.
China-linked espionage activity leveraging the Quickheal backdoor (32-bit DLL RasTls.dll) with VMProtect obfuscation and a custom SSL-like protocol over TCP/443 to a hardcoded C2 (swiftandfast.net), used in telecom-focused intrusions.
Match sector + geo + tech-stack targeting against your real footprint.
Every observed MITRE ATT&CK technique, grouped by tactic.
Families this actor is known to deploy, with IOCs and behavior.
CVEs this actor has used in known campaigns.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Domains, IPs, and hashes tied to this actor, refreshed continuously.