RedNovember APT expands attacks to aerospace and space industries, raising global cybersecurity concerns
Between 2024 and 2025, RedNovember, a Chinese state-sponsored advanced persistent threat (APT) group, has increasingly targeted the aerospace and space sectors, marking a significant evolution in its cyber operations. The group, formerly known as TAG-100, has broadened its focus to include both government and private sector organizations worldwide.
Research Highlights RedNovember’s Sophistication
Analysis by Recorded Future’s Insikt Group, published on 24 September 2025, indicates that RedNovember’s operations now heavily focus on the defense, aerospace, and space industries. The group’s tactics bear similarities to other China-linked APTs, particularly in exploiting edge devices and perimeter infrastructure to conduct attacks while remaining largely undetected.
High-profile international firms have been identified as potential targets, including Cisco, Palo Alto Networks, SonicWall, Fortinet, F5, and Sophos. RedNovember specifically exploits known vulnerabilities in edge devices, highlighting the importance of timely software patching to prevent unauthorized access.
RedNovember combines proof-of-concept exploit weaponization with open-source post-exploitation frameworks, avoiding easily detectable malware. This stealthy approach allows the group to maintain persistence while minimizing the risk of detection.
Implications for the Aerospace and Space Industries
Recent attacks suggest a concerted effort to infiltrate critical aerospace and space infrastructure. Insikt Group reported that RedNovember attempted to compromise a European space-focused research center, illustrating the expanding scope of its operations.
In March 2025, the group targeted a SonicWall SSL-VPN instance tied to a U.K.-based manufacturer specializing in custom cable harnesses for aerospace and defense applications. Last year, RedNovember also probed prominent U.S. aerospace and defense organizations, likely aiming to map critical assets and vulnerabilities in the sector.
These developments underscore the growing cyber risk to the aerospace and space supply chains, emphasizing the need for robust cybersecurity measures, rapid patching, and continuous monitoring to safeguard sensitive infrastructure against state-sponsored cyber threats.