G1042 RedEcho
RedEcho is a People's Republic of China-related threat actor associated with long-running intrusions in Indian critical infrastructure entities. RedEcho overlaps with various other PRC-linked threat groups, such as APT41, and is linked to ShadowPad malware use through shared infrastructure.[1][2]
| Item | Value |
|---|---|
| ID | G1042 |
| Associated Names | |
| Version | 1.0 |
| Created | 21 November 2024 |
| Last Modified | 13 March 2025 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1583 | Acquire Infrastructure | - |
| enterprise | T1583.001 | Domains | RedEcho has registered domains spoofing Indian critical infrastructure entities.[1] |
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | RedEcho network activity is associated with SSL traffic via TCP 443 and proxied HTTP traffic over non-standard ports.[1] |
| enterprise | T1568 | Dynamic Resolution | RedEcho used dynamic DNS domains associated with malicious infrastructure.[1] |
| enterprise | T1573 | Encrypted Channel | - |
| enterprise | T1573.002 | Asymmetric Cryptography | RedEcho uses SSL for network communication.[1] |
| enterprise | T1571 | Non-Standard Port | RedEcho has used non-standard ports such as TCP 8080 for HTTP communication.[1] |
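Three of the techniques in the table above (dynamic DNS domains, HTTP on non-standard ports, and domains spoofing targeted organizations) are observable in ordinary flow and DNS telemetry. The following detection logic is an added example, not code from the ATT&CK page or from the Recorded Future reports it cites: it runs over a few constructed Zeek-style records and tags each one with the technique ID it matches. The dynamic DNS suffix list is a short illustrative subset of public providers, the protected-domain watchlist and every hostname and address in the sample data are made up, and the registrable-domain and look-alike heuristics are assumptions a real deployment would replace with a public-suffix list and a tuned similarity threshold.

```python
"""Added example: flag T1568 (dynamic DNS), T1571 (service on a non-standard
port) and T1583.001 (look-alike domain) in constructed flow/DNS records.
Not from the ATT&CK page or the cited reports; all names and IPs are made up."""
import csv
import difflib
import io

# Illustrative subset of public dynamic DNS suffixes (assumption: not exhaustive).
DYNAMIC_DNS_SUFFIXES = ("ddns.net", "no-ip.org", "hopto.org", "zapto.org",
                        "duckdns.org", "dyndns.org", "myftp.biz")

# Constructed watchlist of registrable domains the defended organization owns.
PROTECTED_DOMAINS = ("examplegrid.in", "example-powerco.in")

# Port each application protocol is expected on; anything else is non-standard.
EXPECTED_PORTS = {"http": {80}, "ssl": {443}}

# Constructed records in a Zeek-like shape: ts, src, dst, dport, service, name.
SAMPLE_RECORDS = """\
ts,src,dst,dport,service,name
1700000000,10.0.0.5,203.0.113.10,443,ssl,portal.examplegrid.in
1700000001,10.0.0.5,198.51.100.7,8080,http,update.hopto.org
1700000002,10.0.0.9,198.51.100.8,80,http,examp1egrid.in
1700000003,10.0.0.9,192.0.2.4,443,ssl,mail.example-powerco.in
1700000004,10.0.0.9,192.0.2.9,80,http,news.example.org
"""


def registrable_domain(name: str) -> str:
    """Naive eTLD+1 (last two labels). Fine for the sample data; real code
    should consult the public suffix list (assumption, not the page's method)."""
    labels = name.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_dynamic_dns(name: str) -> bool:
    """T1568: the name is a public dynamic DNS host or a label under one."""
    n = name.lower().rstrip(".")
    return any(n == s or n.endswith("." + s) for s in DYNAMIC_DNS_SUFFIXES)


def is_nonstandard_port(service: str, dport: int) -> bool:
    """T1571: the detected protocol is not on the port it is expected on
    (e.g. HTTP on TCP 8080, as the table above notes for RedEcho)."""
    expected = EXPECTED_PORTS.get(service.lower())
    return expected is not None and dport not in expected


def lookalike_target(name: str, threshold: float = 0.8):
    """T1583.001: return the protected domain this name imitates, or None.
    Exact matches on owned domains are never flagged; otherwise the
    second-level label (hyphens stripped) is compared with difflib."""
    reg = registrable_domain(name)
    if reg in PROTECTED_DOMAINS:
        return None
    sld = reg.split(".")[0].replace("-", "")
    best, best_score = None, 0.0
    for protected in PROTECTED_DOMAINS:
        psld = protected.split(".")[0].replace("-", "")
        score = difflib.SequenceMatcher(None, sld, psld).ratio()
        if score > best_score:
            best, best_score = protected, score
    return best if best_score >= threshold else None


def analyze(csv_text: str) -> list:
    """Return one finding per record that matches at least one technique."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        dport = int(row["dport"])
        tags = []
        if is_dynamic_dns(row["name"]):
            tags.append("T1568")
        if is_nonstandard_port(row["service"], dport):
            tags.append("T1571")
        target = lookalike_target(row["name"])
        if target:
            tags.append(f"T1583.001:{target}")
        if tags:
            findings.append({"ts": row["ts"], "name": row["name"],
                             "dport": dport, "tags": tags})
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_RECORDS):
        print(finding["ts"], finding["name"], finding["dport"], ",".join(finding["tags"]))
```

Only two of the five constructed records produce findings: the dynamic DNS host contacted over HTTP on 8080 gets both T1568 and T1571, and the digit-for-letter imitation of an owned domain is tied back to the watchlist entry it resembles, while legitimate subdomains of owned domains and an unrelated third-party site stay quiet. The similarity threshold is the knob to tune: lowering it catches more typo-squats at the cost of flagging short names that merely share a prefix.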
Software
References
1. Recorded Future Insikt Group. (2021, February). China-Linked Group RedEcho Targets the Indian Power Sector Amid Heightened Border Tensions. Retrieved November 21, 2024.
2. Recorded Future Insikt Group. (2022, April 6). Continued Targeting of Indian Power Grid Assets by Chinese State-Sponsored Activity Group. Retrieved November 21, 2024.