1. Home
  2. Groups
  3. RedEcho

RedEcho

RedEcho is a People’s Republic of China-related threat actor associated with long-running intrusions in Indian critical infrastructure entities. RedEcho overlaps with various other PRC-linked threat groups, such as APT41, and is linked to ShadowPad malware use through shared infrastructure.[1][2]

ID: G1042
Version: 1.0
Created: 21 November 2024
Last Modified: 13 March 2025
Version Permalink
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1583 .001 Acquire Infrastructure: Domains

RedEcho has registered domains spoofing Indian critical infrastructure entities.[1]
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

RedEcho network activity is associated with SSL traffic via TCP 443 and proxied HTTP traffic over non-standard ports.[1]
Enterprise T1568 Dynamic Resolution

RedEcho used dynamic DNS domains associated with malicious infrastructure.[1]
Enterprise T1573 .002 Encrypted Channel: Asymmetric Cryptography

RedEcho uses SSL for network communication.[1]
Enterprise T1571 Non-Standard Port

RedEcho has used non-standard ports such as TCP 8080 for HTTP communication.[1]

Software

ID Name References Techniques
S0596 ShadowPad RedEcho has used ShadowPad during intrusions.[1][2] Application Layer Protocol: DNS, Application Layer Protocol: File Transfer Protocols, Application Layer Protocol: Web Protocols, Data Encoding: Non-Standard Encoding, Deobfuscate/Decode Files or Information, Dynamic Resolution: Domain Generation Algorithms, Indicator Removal, Ingress Tool Transfer, Modify Registry, Non-Application Layer Protocol, Obfuscated Files or Information: Fileless Storage, Obfuscated Files or Information, Process Discovery, Process Injection, Process Injection: Dynamic-link Library Injection, Scheduled Transfer, System Information Discovery, System Network Configuration Discovery, System Owner/User Discovery, System Time Discovery

References

  1. Recorded Future Insikt Group. (2021, February). China-Linked Group RedEcho Targets the Indian Power Sector Amid Heightened Border Tensions. Retrieved November 21, 2024.
  1. Recorded Future Insikt Group. (2022, April 6). Continued Targeting of Indian Power Grid Assets by Chinese State-Sponsored Activity Group. Retrieved November 21, 2024.