Chinese state-sponsored threat operation RedGolf which has overlaps with Winnti, also known as APT41, Wicked Panda, Bronze Atlas, and Barium has been targeting Windows and Linux systems with the new custom KEYPLUG backdoor, which was first reported by Mandiant to be used in attacks against various U.S. state government networks from May 2021 to February 2022, according to The Hacker News. While victims targeted in the latest RedGolf campaign are yet to be determined, the new attacks are more likely to have been launched to facilitate intelligence gathering efforts, a report from Recorded Future showed. Such RedGolf attacks involved the use of the GhostWolf infrastructure that has 42 IP addresses for KEYPLUG command-and-control, as well as the utilization of PlugX and Cobalt Strike. "RedGolf will continue to demonstrate a high operational tempo and rapidly weaponize vulnerabilities in external-facing corporate appliances (VPNs, firewalls, mail servers, etc.) to gain initial access to target networks," said Recorded Future.