{ "id": "98b351fb-4b7f-48fc-8807-9e2651bf69eb", "created_at": "2026-04-06T15:52:44.458502Z", "updated_at": "2026-04-10T03:32:22.353546Z", "deleted_at": null, "sha1_hash": "0c8467dc889d142b745f1ea215b6a713bfb6c887", "title": "Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 50159, "plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-06 15:38:37 UTC\r\n APT group: RedEcho\r\nNames RedEcho (Recorded Future)\r\nCountry China\r\nSponsor State-sponsored\r\nMotivation Information theft and espionage\r\nFirst seen 2020\r\nDescription\r\n(Recorded Future) Since early 2020, Recorded Future’s Insikt Group observed a large increase\r\nin suspected targeted intrusion activity against Indian organizations from Chinese state-sponsored groups. From mid-2020 onwards, Recorded Future’s midpoint collection revealed a\r\nsteep rise in the use of infrastructure tracked as AXIOMATICASYMPTOTE, which\r\nencompasses ShadowPad command and control (C2) servers, to target a large swathe of\r\nIndia’s power sector. 10 distinct Indian power sector organizations, including 4 of the 5\r\nRegional Load Despatch Centres (RLDC) responsible for operation of the power grid through\r\nbalancing electricity supply and demand, have been identified as targets in a concerted\r\ncampaign against India’s critical infrastructure. Other targets identified included 2 Indian\r\nseaports.\r\nUsing a combination of proactive adversary infrastructure detections, domain analysis, and\r\nRecorded Future Network Traffic Analysis, we have determined that a subset of these\r\nAXIOMATICASYMPTOTE servers share some common infrastructure tactics, techniques,\r\nand procedures (TTPs) with several previously reported Chinese state-sponsored groups,\r\nincluding APT 41 and Tonto Team, HartBeat, Karma Panda.\r\nDespite some overlaps with previous groups, Insikt Group does not currently believe there is\r\nenough evidence to firmly attribute the activity in this particular campaign to an existing\r\npublic group and therefore continue to track it as a closely related but distinct activity group,\r\nRedEcho.\r\nAlso see TAG-38.\r\nObserved\r\nSectors: Energy, Maritime and Shipbuilding.\r\nCountries: India.\r\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=660f5bfa-d726-4935-a2be-7efa6ed8a366\r\nPage 1 of 2\n\nTools used ShadowPad Winnti.\nInformation\nLast change to this card: 08 April 2022\nDownload this actor card in PDF or JSON format\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=660f5bfa-d726-4935-a2be-7efa6ed8a366\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=660f5bfa-d726-4935-a2be-7efa6ed8a366\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://apt.etda.or.th/cgi-bin/showcard.cgi?u=660f5bfa-d726-4935-a2be-7efa6ed8a366" ], "report_names": [ "showcard.cgi?u=660f5bfa-d726-4935-a2be-7efa6ed8a366" ], "threat_actors": [ { "id": "0fca7692-4a21-482f-a113-9548b49e8531", "created_at": "2022-10-25T16:07:24.117599Z", "updated_at": "2026-04-10T02:00:04.870741Z", "deleted_at": null, "main_name": "RedEcho", "aliases": [], "source_name": "ETDA:RedEcho", "tools": [ "POISONPLUG.SHADOW", "ShadowPad Winnti", "XShellGhost" ], "source_id": "ETDA", "reports": null }, { "id": "bc91d469-ec69-497b-81d7-068b84501e63", "created_at": "2023-01-06T13:46:39.192791Z", "updated_at": "2026-04-10T02:00:03.242063Z", "deleted_at": null, "main_name": "RedEcho", "aliases": [], "source_name": "MISPGALAXY:RedEcho", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "58db0213-4872-41fe-8a76-a7014d816c73", "created_at": "2023-01-06T13:46:38.61757Z", "updated_at": "2026-04-10T02:00:03.040816Z", "deleted_at": null, "main_name": "Tonto Team", "aliases": [ "G0131", "PLA Unit 65017", "Earth Akhlut", "TAG-74", "CactusPete", "KARMA PANDA", "BRONZE HUNTLEY", "Red Beifang" ], "source_name": "MISPGALAXY:Tonto Team", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "da483338-e479-4d74-a6dd-1fb09343fd07", "created_at": "2022-10-25T15:50:23.698197Z", "updated_at": "2026-04-10T02:00:05.355597Z", "deleted_at": null, "main_name": "Tonto Team", "aliases": [ "Tonto Team", "Earth Akhlut", "BRONZE HUNTLEY", "CactusPete", "Karma Panda" ], "source_name": "MITRE:Tonto Team", "tools": [ "Mimikatz", "Bisonal", "ShadowPad", "LaZagne", "NBTscan", "gsecdump" ], "source_id": "MITRE", "reports": null }, { "id": "1081082f-c780-4f3f-8090-0952b4455230", "created_at": "2022-10-25T16:07:24.297942Z", "updated_at": "2026-04-10T02:00:04.92646Z", "deleted_at": null, "main_name": "TAG-38", "aliases": [], "source_name": "ETDA:TAG-38", "tools": [ "FRP", "Fast Reverse Proxy", "POISONPLUG.SHADOW", "ShadowPad Winnti", "XShellGhost" ], "source_id": "ETDA", "reports": null }, { "id": "17d16126-35d7-4c59-88a5-0b48e755e80f", "created_at": "2025-08-07T02:03:24.622109Z", "updated_at": "2026-04-10T02:00:03.726126Z", "deleted_at": null, "main_name": "BRONZE HUNTLEY", "aliases": [ "CactusPete ", "Earth Akhlut ", "Karma Panda ", "Red Beifang", "Tonto Team" ], "source_name": "Secureworks:BRONZE HUNTLEY", "tools": [ "Bisonal", "RatN", "Royal Road", "ShadowPad" ], "source_id": "Secureworks", "reports": null }, { "id": "c7d9878a-e691-4c6f-81ae-84fb115a1345", "created_at": "2022-10-25T16:07:23.359506Z", "updated_at": "2026-04-10T02:00:04.556639Z", "deleted_at": null, "main_name": "APT 41", "aliases": [ "BrazenBamboo", "Bronze Atlas", "Double Dragon", "Earth Baku", "G0096", "Grayfly", "Operation ColunmTK", "Operation CuckooBees", "Operation ShadowHammer", "Red Kelpie", "SparklingGoblin", "TA415", "TG-2633" ], "source_name": "ETDA:APT 41", "tools": [ "9002 RAT", "ADORE.XSEC", "ASPXSpy", "ASPXTool", "AceHash", "Agent.dhwf", "Agentemis", "AndroidControl", "AngryRebel", "AntSword", "BLUEBEAM", "Barlaiy", "BlackCoffee", "Bladabindi", "BleDoor", "CCleaner Backdoor", "CHINACHOPPER", "COLDJAVA", "China Chopper", "ChyNode", "Cobalt Strike", "CobaltStrike", "Crackshot", "CrossWalk", "CurveLast", "CurveLoad", "DAYJOB", "DBoxAgent", "DEADEYE", "DEADEYE.APPEND", "DEADEYE.EMBED", "DEPLOYLOG", "DIRTCLEANER", "DUSTTRAP", "Derusbi", "Destroy RAT", "DestroyRAT", "DodgeBox", "DragonEgg", "ELFSHELF", "EasyNight", "Farfli", "FunnySwitch", "Gh0st RAT", "Ghost RAT", "HDD Rootkit", "HDRoot", "HKDOOR", "HOMEUNIX", "HUI Loader", "HidraQ", "HighNoon", "HighNote", "Homux", "Hydraq", "Jorik", "Jumpall", "KEYPLUG", "Kaba", "Korplug", "LATELUNCH", "LOLBAS", "LOLBins", "LightSpy", "Living off the Land", "Lowkey", "McRAT", "MdmBot", "MessageTap", "Meterpreter", "Mimikatz", "MoonBounce", "MoonWalk", "Motnug", "Moudour", "Mydoor", "NTDSDump", "PACMAN", "PCRat", "PINEGROVE", "PNGRAT", "POISONPLUG", "POISONPLUG.SHADOW", "POTROAST", "PRIVATELOG", "PipeMon", "PlugX", "PortReuse", "ProxIP", "ROCKBOOT", "RbDoor", "RedDelta", "RedXOR", "RibDoor", "Roarur", "RouterGod", "SAGEHIRE", "SPARKLOG", "SQLULDR2", "STASHLOG", "SWEETCANDLE", "ScrambleCross", "Sensocode", "SerialVlogger", "ShadowHammer", "ShadowPad Winnti", "SinoChopper", "Skip-2.0", "SneakCross", "Sogu", "Speculoos", "Spyder", "StealthReacher", "StealthVector", "TERA", "TIDYELF", "TIGERPLUG", "TOMMYGUN", "TVT", "Thoper", "Voldemort", "WIDETONE", "WINNKIT", "WINTERLOVE", "Winnti", "WyrmSpy", "X-Door", "XDOOR", "XMRig", "XShellGhost", "Xamtrav", "ZXShell", "ZoxPNG", "certutil", "certutil.exe", "cobeacon", "gresim", "njRAT", "pwdump", "xDll" ], "source_id": "ETDA", "reports": null }, { "id": "4d5f939b-aea9-4a0e-8bff-003079a261ea", "created_at": "2023-01-06T13:46:39.04841Z", "updated_at": "2026-04-10T02:00:03.196806Z", "deleted_at": null, "main_name": "APT41", "aliases": [ "WICKED PANDA", "BRONZE EXPORT", "Brass Typhoon", "TG-2633", "Leopard Typhoon", "G0096", "Grayfly", "BARIUM", "BRONZE ATLAS", "Red Kelpie", "G0044", "Earth Baku", "TA415", "WICKED SPIDER", "HOODOO", "Winnti", "Double Dragon" ], "source_name": "MISPGALAXY:APT41", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "20c759c2-cd02-45bb-85c6-41bde9e6a7cf", "created_at": "2024-01-18T02:02:34.189827Z", "updated_at": "2026-04-10T02:00:04.721082Z", "deleted_at": null, "main_name": "HomeLand Justice", "aliases": [ "Banished Kitten", "Karma", "Red Sandstorm", "Storm-0842", "Void Manticore" ], "source_name": "ETDA:HomeLand Justice", "tools": [ "BABYWIPER", "BiBi Wiper", "BiBi-Linux Wiper", "BiBi-Windows Wiper", "Cl Wiper", "LowEraser", "No-Justice Wiper", "Plink", "PuTTY Link", "RevSocks", "W2K Res Kit" ], "source_id": "ETDA", "reports": null }, { "id": "c39b0fe6-5642-4717-9a05-9e94265e3e3a", "created_at": "2022-10-25T16:07:24.332084Z", "updated_at": "2026-04-10T02:00:04.940672Z", "deleted_at": null, "main_name": "Tonto Team", "aliases": [ "Bronze Huntley", "CactusPete", "Earth Akhlut", "G0131", "HartBeat", "Karma Panda", "LoneRanger", "Operation Bitter Biscuit", "TAG-74", "Tonto Team" ], "source_name": "ETDA:Tonto Team", "tools": [ "8.t Dropper", "8.t RTF exploit builder", "8t_dropper", "Bioazih", "Bisonal", "CONIME", "Dexbia", "Korlia", "LOLBAS", "LOLBins", "Living off the Land", "Mimikatz", "POISONPLUG.SHADOW", "RoyalRoad", "ShadowPad Winnti", "XShellGhost" ], "source_id": "ETDA", "reports": null }, { "id": "2a24d664-6a72-4b4c-9f54-1553b64c453c", "created_at": "2025-08-07T02:03:24.553048Z", "updated_at": "2026-04-10T02:00:03.787296Z", "deleted_at": null, "main_name": "BRONZE ATLAS", "aliases": [ "APT41 ", "BARIUM ", "Blackfly ", "Brass Typhoon", "CTG-2633", "Earth Baku ", "GREF", "Group 72 ", "Red Kelpie ", "TA415 ", "TG-2633 ", "Wicked Panda ", "Winnti" ], "source_name": "Secureworks:BRONZE ATLAS", "tools": [ "Acehash", "CCleaner v5.33 backdoor", "ChinaChopper", "Cobalt Strike", "DUSTPAN", "Dicey MSDN", "Dodgebox", "ForkPlayground", "HUC Proxy Malware (Htran)" ], "source_id": "Secureworks", "reports": null }, { "id": "64af9eaa-e528-42d2-95c6-f55aa0a13df5", "created_at": "2025-04-23T02:00:55.201298Z", "updated_at": "2026-04-10T02:00:05.33852Z", "deleted_at": null, "main_name": "RedEcho", "aliases": [ "RedEcho" ], "source_name": "MITRE:RedEcho", "tools": [ "ShadowPad" ], "source_id": "MITRE", "reports": null } ], "ts_created_at": 1775490764, "ts_updated_at": 1775791942, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/0c8467dc889d142b745f1ea215b6a713bfb6c887.pdf", "text": "https://archive.orkl.eu/0c8467dc889d142b745f1ea215b6a713bfb6c887.txt", "img": "https://archive.orkl.eu/0c8467dc889d142b745f1ea215b6a713bfb6c887.jpg" } }