Pantegana
Pantegana is a Go-based backdoor and command-and-control (C2) framework/RAT used in RedNovember operations, a cluster that Recorded Future assesses as highly likely Chinese state-sponsored and that Microsoft tracks as Storm-2077. Reporting describes RedNovember using Pantegana alongside Cobalt Strike, SparkRAT, and LESLIELOADER after compromising internet-facing edge devices and other perimeter systems. Pantegana is described as an open-source post-exploitation framework with obfuscation capabilities and as RedNovember’s C&C framework.

Observed initial access and targeting associated with the broader activity include vulnerable VPNs, firewalls, Outlook Web Access, Ivanti Connect Secure, Palo Alto Networks GlobalProtect, SonicWall, Cisco ASA, F5 BIG-IP, Sophos SSL VPN, and Fortinet FortiGate, as well as 3CX and Zimbra in some cases. The activity targeted high-profile government and private-sector organizations globally, including government and diplomatic entities, defense and aerospace organizations, space-related entities, law firms, manufacturing, technology, oil and gas, and research organizations across the U.S., Panama, Asia, Europe, Africa, and Oceania.

One reported infrastructure indicator is RedNovember server 198.98.50.218, which was observed also hosting a Pantegana C2. A 2026 memory-forensics paper evaluating Go malware included Pantegana RAT and reported recovery of runtime artifacts such as C2 endpoints from memory.
Hunt this family in your stack
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
Groups observed using it
1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
...the compromise of vulnerable VPNs, firewalls, and other security solutions with Pantegana and Spark RAT...
Techniques & procedures
2 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
1 technique
Key initial access vectors include vulnerabilities in internet-facing perimeter devices: SonicWall, Cisco ASA, Fortinet, F5 BIG-IP, and Palo Alto Networks appliances ... Exposed Outlook Web Access (OWA) and VPN infrastructure
Command and Control
1 technique
C2 Tracker is a free-to-use, community-driven IOC feed that uses Shodan and Censys searches to collect IP addresses of known malware/botnet/C2 infrastructure.
Recent activity
10 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A remote access trojan referenced as an evaluation sample in the paper; the framework recovered runtime artifacts and execution state from memory.
Malware/tool referenced as used in a China-linked espionage campaign; no further details in excerpt.
Go-based backdoor used by the RedNovember intrusion set as part of its commodity tooling stack to maintain access and support follow-on activity.
Used in intrusions following compromise of edge security devices (VPNs/firewalls) to provide malicious capability within victim environments; also referenced as a communications endpoint/tooling used by the operation.