
Today’s global cybersecurity landscape is facing persistent threats from a wide range of hacking groups. Rather than isolated vulnerabilities or one-off attacks, Advanced Persistent Threat (APT) campaigns that maintain long-term footholds in infrastructure and continuously collect intelligence are becoming increasingly prevalent. These campaigns have shown a particular focus on infrastructure across the Pacific region, where their operations are growing more structured and coordinated over time. Such threats directly impact regional security and the strategic balance of information.
In this article, we analyze the long-term and recurring activity patterns of RedNovember and APT40 observed in the Pacific region, based on Criminal IP’s Attack Surface Management (ASM) data and threat intelligence analysis. By doing so, we aim to provide perspectives and insights that go beyond isolated indicators of compromise, helping security teams identify and understand campaign-level threat activity rather than fragmented attack signals.
Executive Summary

Key takeaways:
- RedNovember produced a concentrated, high-intensity campaign that targeted edge devices (OWA, VPNs, firewalls/load balancers, remote management panels) in Fiji and other locations between June 2024 and July 2025.
- APT40 conducted a more persistent, wide-area campaign across the “Blue Pacific” (Samoa, PNG, Solomon Islands, Cook Islands), favoring spearphishing plus long-term VPN/remote-access footholds.
- Criminal IP observed reuse of long-standing “malicious” IP infrastructure (Tor exits, old spam/bruteforce hosts) repurposed as C2/management nodes, and heavy use of low-cost/anonymous VPS and dynamic DNS.
- From an external (internet-exposed assets) vantage point, Criminal IP can map scanning, port/service exposure, hosting relationships, certificate issuance, and reconnaissance patterns, but cannot confirm internal compromise or data exfiltration without host/forensic logs.
Scope & methodology:
- Data sources: Criminal IP’s global ASM collection (internet-exposed services, banners, certificates, DNS, ASN/hosting metadata), shared IoCs, and public CERT advisories.
- What we observe: Internet-facing assets and their interaction with known IoC infrastructure (scans, C2 connections, certificate timelines, service banners). We do not access internal networks, mailboxes, or private logs.
- Time window analyzed: Primarily June 2024 to July 2025, with historical context back to ~2019 for infrastructure reuse observations.
Observations of RedNovember Activities (Fiji and Related Activity)
Analysis of RedNovember campaigns reveals a strategic focus on government, financial, transport, and media organizations within the Fiji region. Their primary tactic for gaining initial access involves targeting edge and remote-access devices, such as OWA portals, SSL-VPN/UTM appliances, and load balancers. These activities are characterized by repeated scanning and persistent exploitation attempts, specifically aimed at compromising the external attack surface of critical regional infrastructure.
Based on Criminal IP’s threat infrastructure observations, multiple IoCs associated with RedNovember are hosted within a single US-based VPS ASN cluster. These hosts often present a diverse mix of services, including RDP, SSH, and various web management panels, on the same ASN or subnet. A notable hallmark of this group is their rapid weaponization of vulnerabilities; they frequently initiate exploitation attempts shortly after public PoCs for edge products are released, highlighting the speed at which they can turn exposed assets into entry points.
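The hosting pattern described above (several IoCs in one VPS ASN, each exposing a mix of RDP, SSH and web management panels) is the kind of pivot an analyst runs against ASM data. The following is an added example, not Criminal IP's code or API: it collapses constructed (ip, port) scan records into per-host profiles, groups hosts by ASN and /24, and flags hosts that expose two or more management-service kinds. All IPs, ASNs and page titles are constructed for illustration (RFC 5737 ranges), and the "title" field and keyword list are assumptions standing in for whatever banner fields your ASM source returns.

```python
# Added example (not Criminal IP code): pivot a list of IoC hosts by ASN and /24
# and flag hosts that expose the mixed management-service profile described above.
# All hosts, ASNs, ports and titles below are constructed for illustration.
import ipaddress
from collections import defaultdict

# One record per (ip, port) as an ASM scan would return it: constructed sample data.
SCAN_RECORDS = [
    {"ip": "203.0.113.10", "asn": "AS64500", "port": 3389, "service": "rdp"},
    {"ip": "203.0.113.10", "asn": "AS64500", "port": 22,   "service": "ssh"},
    {"ip": "203.0.113.10", "asn": "AS64500", "port": 8443, "service": "http", "title": "Admin Panel"},
    {"ip": "203.0.113.57", "asn": "AS64500", "port": 22,   "service": "ssh"},
    {"ip": "203.0.113.57", "asn": "AS64500", "port": 443,  "service": "http", "title": "RainLoop Webmail"},
    {"ip": "198.51.100.8", "asn": "AS64501", "port": 443,  "service": "http", "title": "Company Site"},
    {"ip": "198.51.100.9", "asn": "AS64501", "port": 3389, "service": "rdp"},
]

MANAGEMENT_SERVICES = {"rdp", "ssh"}
# Page-title keywords (an assumption) that mark a management/webmail panel rather than a public site.
PANEL_KEYWORDS = ("admin", "panel", "webmail", "rainloop", "manage", "login")


def is_management_panel(record):
    """True for an HTTP service whose page title looks like a management/webmail panel."""
    if record["service"] != "http":
        return False
    title = record.get("title", "").lower()
    return any(k in title for k in PANEL_KEYWORDS)


def host_profiles(records):
    """Collapse (ip, port) records into one profile per host with the set of exposed service kinds."""
    profiles = defaultdict(lambda: {"asn": None, "services": set()})
    for r in records:
        p = profiles[r["ip"]]
        p["asn"] = r["asn"]
        if r["service"] in MANAGEMENT_SERVICES:
            p["services"].add(r["service"])
        elif is_management_panel(r):
            p["services"].add("web-panel")
    return dict(profiles)


def cluster_by_asn_and_subnet(profiles):
    """Group hosts by (ASN, /24) so infrastructure rented in one block surfaces as one cluster."""
    clusters = defaultdict(list)
    for ip, p in profiles.items():
        net = ipaddress.ip_network(f"{ip}/24", strict=False)
        clusters[(p["asn"], str(net))].append(ip)
    return dict(clusters)


def mixed_service_hosts(profiles, min_kinds=2):
    """Hosts exposing at least `min_kinds` of {rdp, ssh, web-panel}: the profile the text describes."""
    return sorted(ip for ip, p in profiles.items() if len(p["services"]) >= min_kinds)


if __name__ == "__main__":
    profiles = host_profiles(SCAN_RECORDS)
    for key, ips in cluster_by_asn_and_subnet(profiles).items():
        print(key, ips)
    print("mixed-service hosts:", mixed_service_hosts(profiles))
```

The /24 grouping is deliberately coarse: VPS providers hand out addresses from contiguous pools, so two hosts in the same ASN and /24 that both expose RDP plus a management panel are worth reviewing together even when no IoC list links them yet.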

Criminal IP Asset Search query (SSH services in Fiji): https://www.criminalip.io/asset/search?query=service%3ASSH+AND+country%3AFJ
The potential impact of these campaigns ranges from credential theft and VPN token compromise to lateral movement into critical infrastructure and exfiltration of sensitive internal documents and operational data. Because Criminal IP's vantage point is external, these downstream effects are inferred from the services being targeted rather than confirmed from host or forensic logs. Continuous asset monitoring and rapid patching of exposed edge devices remain the most direct mitigations.
Observations of APT40 Activities (Samoa, Solomon Islands, PNG, Cook Islands)
While RedNovember focuses on rapid edge exploitation, APT40 continues to execute long-running, persistent espionage campaigns across various Pacific island states, including Samoa, the Solomon Islands, Papua New Guinea (PNG), and the Cook Islands. Their methodology relies on a combination of spearphishing and the exploitation of remote-access portals to maintain long-term persistence and exfiltrate sensitive data. The group’s targets are highly strategic, spanning government bodies, law enforcement, maritime/defense sectors, and critical infrastructure such as power and telecommunications.
Criminal IP’s threat infrastructure observations have identified extensive reconnaissance and vulnerability probing targeting Pacific public IP blocks. Exposed assets frequently targeted include VPN gateways (Fortinet, Palo Alto, Cisco), OWA/Exchange portals, and exposed NAS or database services. APT40 often utilizes low-cost VPS providers and SoftEther VPN endpoints as staging or C2 (Command and Control) hubs, frequently leveraging commodity web servers and Synology NAS devices to host their malicious operations.

Criminal IP Asset Search query (OpenSSH in Samoa): https://www.criminalip.io/asset/search?query=product%3AOpenSSH+AND+country%3AWS
Regional data from Samoa, PNG, and the Solomon Islands confirms consistent patterns of reconnaissance and exploitation. Even in the Cook Islands, Criminal IP detected scanning from APT40-tagged infrastructure targeting government and telecom ranges. This systematic activity marks APT40 as a persistent threat, demanding continuous vigilance over all external remote-access services.
Cross-Campaign Characteristics & Contrasts
Commonalities
- Both groups favor edge-first playbooks: exploit exposed VPNs, firewalls, mail portals, and management panels as entry vectors.
- Heavy reuse of long-lived “malicious” IPs (Tor exits, spam or brute-force origins) that are repurposed for C2 and management.
- Use of low-cost/anonymous VPS providers and dynamic DNS to bootstrap and rotate infrastructure.
Differences
- RedNovember: Appeared as sharper, higher-intensity waves (notably in Fiji), concentrating exploitation on edge devices within a more limited set of target countries during the observed window.
- APT40: Demonstrates broader, more persistent operations across the Pacific region, combining spearphishing with long-term footholds and extensive use of regional routing/hosting.
Campaign Timeline and Activity Progression
- 2019 ~ 2020: Several IPs acquired malicious reputations (Tor exit nodes, spam, brute-force history). These IPs appear later reused as C2/management hosts.
- Early 2024: Dynamic DNS records (e.g., DuckDNS bindings) observed on several management IPs prior to campaign ramp-up.
- 2024.06 → 2025.07: Main campaign window; significant scanning/exploitation activity targeting edge devices in Fiji and Pacific island states.
- 2025 H1: Burst of newly exposed RDP and mail infrastructure (new self-signed certificates and webmail deployments observed in 2025 Q1 and Q2).
Notable Anomalies and Operational Details
- Tor exit → RDP repurposing: Hosts with long-standing Tor/abuse history were later observed running RDP. Reusing IPs that already carry a "malicious" reputation blends new activity into old reputation noise and complicates attribution.
- Dynamic DNS + legacy domains: Attackers mix short-lived dynamic DNS names with older registered domains as redundancy/backups.
- RainLoop mail UI as infrastructure: RainLoop webmail panels were observed in one of three roles: phishing/mail-sending infrastructure, a webmail proxy for compromised accounts, or a simple C2 panel.
- Cloud-hosted management panel(s): Separate cloud-hosted node(s) with long-lived self-signed CA certificates and SSH suggest central control hubs for the dispersed VPS clusters.
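The timeline and anomalies above describe one detectable pattern: an IP with a reputation tag from years earlier (Tor exit, spam, brute force) later starts exposing RDP or a webmail panel, often with a self-signed certificate and a dynamic DNS name bound to it. The following is an added example, not Criminal IP's code: it walks a constructed per-IP observation history and returns the IPs that match this "reputation repurposing" pattern, together with any dynamic DNS and older registered domains seen on them. All IPs, dates, hostnames and tags are constructed for illustration; the observation schema, tag names and dynamic DNS suffix list are assumptions.

```python
# Added example (not Criminal IP code): walk a per-IP history of reputation tags and
# service/certificate observations and flag the "repurposing" pattern described above:
# an IP with old Tor/spam/brute-force history that later starts exposing RDP, a webmail
# panel or a self-signed certificate, optionally paired with a dynamic-DNS name.
# All IPs, dates, domains and tags are constructed for illustration.
from datetime import date, timedelta

ABUSE_TAGS = {"tor_exit", "spam", "bruteforce"}
REPURPOSE_SERVICES = {"rdp", "webmail"}
DYNAMIC_DNS_SUFFIXES = (".duckdns.org", ".ddns.net", ".no-ip.org")  # assumed list

# Constructed observation history: (ip, date, kind, detail).
#   kind "tag"      -> detail is a reputation tag
#   kind "service"  -> detail is a service seen exposed
#   kind "cert"     -> detail is the certificate issuer ("self-signed" or a CA name)
#   kind "dns"      -> detail is a hostname resolving to the IP
OBSERVATIONS = [
    ("203.0.113.10", date(2019, 8, 2),  "tag",     "tor_exit"),
    ("203.0.113.10", date(2020, 3, 15), "tag",     "bruteforce"),
    ("203.0.113.10", date(2024, 2, 1),  "dns",     "fj-sync.duckdns.org"),
    ("203.0.113.10", date(2025, 1, 20), "cert",    "self-signed"),
    ("203.0.113.10", date(2025, 1, 21), "service", "rdp"),
    ("203.0.113.57", date(2020, 1, 9),  "tag",     "spam"),
    ("203.0.113.57", date(2025, 3, 3),  "service", "webmail"),
    ("203.0.113.57", date(2025, 3, 3),  "dns",     "mail.example-legacy.com"),
    ("198.51.100.8", date(2025, 2, 10), "service", "rdp"),       # no abuse history: not flagged
    ("198.51.100.9", date(2025, 2, 10), "tag",     "tor_exit"),  # tag only, nothing repurposed
]


def history_by_ip(observations):
    """Group observations per IP, each list sorted by date."""
    out = {}
    for ip, d, kind, detail in sorted(observations, key=lambda o: o[1]):
        out.setdefault(ip, []).append((d, kind, detail))
    return out


def find_repurposed(observations, min_gap_days=365):
    """Return {ip: finding} for IPs whose first abuse tag predates a later RDP/webmail/
    self-signed observation by at least `min_gap_days` (old reputation reused as new infrastructure)."""
    findings = {}
    for ip, events in history_by_ip(observations).items():
        first_abuse = next((d for d, k, v in events if k == "tag" and v in ABUSE_TAGS), None)
        if first_abuse is None:
            continue
        later = [(d, k, v) for d, k, v in events
                 if d - first_abuse >= timedelta(days=min_gap_days)
                 and ((k == "service" and v in REPURPOSE_SERVICES)
                      or (k == "cert" and v == "self-signed"))]
        if not later:
            continue
        names = [v for _, k, v in events if k == "dns"]
        findings[ip] = {
            "first_abuse": first_abuse,
            "repurposed_on": later[0][0],
            "new_services": sorted({v for _, _, v in later}),
            "dynamic_dns": sorted(n for n in names if n.endswith(DYNAMIC_DNS_SUFFIXES)),
            "legacy_domains": sorted(n for n in names if not n.endswith(DYNAMIC_DNS_SUFFIXES)),
        }
    return findings


if __name__ == "__main__":
    for ip, f in find_repurposed(OBSERVATIONS).items():
        print(ip, f)
```

The gap threshold matters: a host that was a Tor exit last month and runs RDP today is probably just a noisy VPS, whereas a multi-year gap between the last abuse tag and a fresh RDP/self-signed deployment is the reuse pattern the timeline describes.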
Recommendations
Such activity by these threat groups demonstrates how exposed edge and remote-access services continue to serve as reliable entry points for advanced campaigns. Organizations should therefore treat internet-facing OWA and mail portals, SSL-VPN and UTM appliances, and remote management interfaces as critical-risk assets, prioritizing timely patching, configuration hardening, and exposure reduction across their external attack surface.
These campaigns also highlight the importance of credential- and infrastructure-aware defense. Credentials associated with exposed services should be audited and rotated, VPN session logs reviewed for signs of unauthorized access, and connections from long-standing malicious IPs or high-risk ASNs restricted using reputation-based controls. Continuous visibility into externally reachable assets is essential to reducing the effectiveness of edge-focused APT activity.
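The recommendation to review VPN session logs and restrict sources by reputation is concrete enough to show end to end. The following is an added example, not Criminal IP's code or any vendor's tooling: it parses constructed VPN authentication log lines, flags successful logins from a known-malicious IP or a high-risk ASN (and logins that succeed right after repeated failures from the same source), and turns the flagged sources into firewall deny rules. The log format, the IP-to-ASN mapping, the reputation lists and the nftables table/chain names are all assumptions standing in for your own appliance's log fields, a real ASN lookup, your threat-intel feed and your firewall.

```python
# Added example (not Criminal IP code): review VPN session logs against an IP-reputation
# list and a high-risk ASN list, then emit deny rules for the offending sources.
# The log format, ASN mapping, reputation data and rule syntax are constructed for
# illustration; map them to your own VPN appliance's log fields and firewall.
import re
from collections import defaultdict

# Constructed VPN authentication log lines (not a specific vendor's format).
VPN_LOG = """\
2025-03-03T08:12:41Z vpn01 auth user=jsmith src=203.0.113.10 result=success country=US
2025-03-03T08:14:02Z vpn01 auth user=jsmith src=198.51.100.8 result=success country=FJ
2025-03-03T09:01:17Z vpn01 auth user=aprasad src=203.0.113.57 result=failure country=US
2025-03-03T09:01:29Z vpn01 auth user=aprasad src=203.0.113.57 result=failure country=US
2025-03-03T09:02:05Z vpn01 auth user=aprasad src=203.0.113.57 result=success country=US
2025-03-03T10:30:00Z vpn01 auth user=mtui src=192.0.2.44 result=success country=FJ
"""

# Constructed reputation data: long-standing malicious IPs and high-risk ASNs.
MALICIOUS_IPS = {"203.0.113.10": "tor_exit/rdp-repurposed"}
HIGH_RISK_ASNS = {"AS64500": "anonymous VPS provider"}
# Constructed IP -> ASN mapping standing in for a real ASN lookup.
IP_TO_ASN = {"203.0.113.10": "AS64500", "203.0.113.57": "AS64500",
             "198.51.100.8": "AS64501", "192.0.2.44": "AS64502"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth user=(?P<user>\S+) src=(?P<src>\S+) "
    r"result=(?P<result>\S+) country=(?P<country>\S+)$")


def parse_log(text):
    """Parse the constructed log format into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def review_sessions(events, ip_to_asn=IP_TO_ASN):
    """Flag successful logins from known-malicious IPs or high-risk ASNs, and any account
    that succeeded after repeated failures from the same source (spray/brute force, then success)."""
    findings = []
    failures = defaultdict(int)  # (user, src) -> consecutive failures seen before a success
    for e in events:
        key = (e["user"], e["src"])
        if e["result"] != "success":
            failures[key] += 1
            continue
        asn = ip_to_asn.get(e["src"], "unknown")
        reasons = []
        if e["src"] in MALICIOUS_IPS:
            reasons.append(f"malicious IP ({MALICIOUS_IPS[e['src']]})")
        if asn in HIGH_RISK_ASNS:
            reasons.append(f"high-risk ASN {asn} ({HIGH_RISK_ASNS[asn]})")
        if failures[key] >= 2:
            reasons.append(f"success after {failures[key]} failures")
        failures[key] = 0
        if reasons:
            findings.append({"ts": e["ts"], "user": e["user"], "src": e["src"], "reasons": reasons})
    return findings


def deny_rules(findings):
    """Turn flagged sources into firewall deny rules (nftables syntax; table/chain names assumed)."""
    srcs = sorted({f["src"] for f in findings})
    return [f"nft add rule inet filter input ip saddr {src} drop" for src in srcs]


if __name__ == "__main__":
    found = review_sessions(parse_log(VPN_LOG))
    for f in found:
        print(f["ts"], f["user"], f["src"], "; ".join(f["reasons"]))
    print("\n".join(deny_rules(found)))
```

Each finding is paired with the account involved, not just the source IP, so the credential audit and rotation recommended above can start from the same output as the network block.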
Conclusion
Based on Criminal IP’s ASM and IoC correlation, RedNovember and APT40 demonstrate two complementary models of modern APT activity in the Pacific region. RedNovember relied on concentrated waves of exploitation against internet-exposed edge devices in Fiji, while APT40 pursued broader, long-term access across the Blue Pacific through spearphishing and persistent remote-access footholds.
What unifies these campaigns is their dependence on externally reachable infrastructure. Criminal IP’s externally visible telemetry highlights how scanning activity, service exposure, hosting relationships, and certificate issuance timelines form the foundation of these operations. This reinforces the importance of managing the external attack surface as a prerequisite for detecting, prioritizing, and disrupting campaign-level threat activity.
Related reading: North Korean Hacker Group Bluenoroff Attempts Hacking Attack via Zoom.

This report is based on data from Criminal IP, a Cyber Threat Intelligence search engine.
Source: Criminal IP (https://www.criminalip.io)
Related Article: https://www.criminalip.io/knowledge-hub/blog/28728
