{
	"id": "e783208b-d4a1-4c23-a1c2-0c3e2e048d03",
	"created_at": "2026-04-06T00:15:21.927936Z",
	"updated_at": "2026-04-10T03:31:23.927346Z",
	"deleted_at": null,
	"sha1_hash": "26a7cea68433d0650b86ea81567bcd344dc7259b",
	"title": "Rewterz Threat Alert - Power Supplier’s Network Infiltrated for 6 Months by “Redfly” Hackers – Active IOCs - Rewterz",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 175826,
	"plain_text": "Rewterz Threat Alert - Power Supplier’s Network Infiltrated for 6\r\nMonths by “Redfly” Hackers – Active IOCs - Rewterz\r\nPublished: 2023-10-13 · Archived: 2026-04-05 13:43:20 UTC\r\nSeverity\r\nHigh\r\nAnalysis Summary\r\nA stealthy APT group called “Redfly” compromised a national electricity grid organization in Asia and maintained\r\npersistent access to its network for about six months. Researchers found evidence of attacker activity between 28\r\nFebruary and 3 August 2023 after noticing suspicious malware activity within the organization’s network.\r\nThe trojan they found is ShadowPad, which is widely used by various APT groups. They also found traces of\r\nspecialized file launchers and keyloggers. Researchers note that Redfly focuses mainly on critical national\r\ninfrastructure.\r\nThe ShadowPad variant used in these attacks disguises its components as VMware files when it drops them on the\r\ncompromised system. It achieves persistence by creating services with VMware-like names, so that its malicious\r\nexecutables and DLLs are launched when the system boots.\r\nShadowPad is a versatile RAT whose features include keylogging, data exfiltration, file\r\nsearching, and remote command execution. Attribution is difficult because many different APT groups use it.\r\nRedfly also used a separate keylogging tool that writes captured keystrokes to log files, which the attackers\r\nlater retrieve manually. They also used a tool called Packerloader, which loads and executes shellcode stored in\r\nAES-encrypted files and can evade antivirus detection.\r\nThe attackers used this tool to execute code that modified a driver file’s permissions and to create credential\r\ndumps in the Windows registry for later retrieval. 
They also use PowerShell to run\r\ncommands that gather details about the compromised system.\r\nhttps://www.rewterz.com/rewterz-news/rewterz-threat-alert-power-suppliers-network-infiltrated-for-6-months-by-redfly-hackers-active-iocs/\r\nPage 1 of 3\n\nThe threat actors used DLL side-loading, stolen credentials, and legitimate binaries for lateral\r\nmovement. It is common for espionage groups to dwell in compromised networks for a long time in order to\r\nharvest as much intelligence as they can.\r\n“Attacks against CNI targets are not unprecedented. Almost a decade ago, Symantec uncovered the Russian-sponsored Dragonfly group’s attacks against the energy sector in the U.S. and Europe,” the researchers concluded\r\nin the report.\r\nWhether the attackers intended to disrupt the power supply is not known, but the access they held still posed a\r\nsignificant threat. Disruption at this level could have caused serious damage to the energy provider’s reputation and\r\neconomic loss for the whole nation.\r\nImpact\r\nCyber Espionage\r\nInformation Theft\r\nIndicators of Compromise\r\nDomain Name\r\nwebsencl.com\r\nMD5\r\ne1024b0a0c84c798790dba7a68debb88\r\ndb1922cccbf560c6c503dfbac8630033\r\n27f636a36207581e75c700c0e36a8031\r\na0e9d1463086fed950b51508b826bd5b\r\nSHA-256\r\n656582bf82205ac3e10b46cbbcf8abb56dd67092459093f35ce8daa64f379a2c\r\nac6938e03f2a076152ee4ce23a39a0bfcd676e4f0b031574d442b6e2df532646\r\n231d21ceefd5c70aa952e8a21523dfe6b5aae9ae6e2b71a0cdbe4e5430b4f5b3\r\nd9438cd2cdc83e8efad7b0c9a825466efea709335b63d6181dfdc57fb1f4a4e3\r\nSHA-1\r\n1059ea2d1a62c2e39affd6481578e575755acb09\r\n4bba897ee81240b10f9cca41ec010a26586e8c09\r\ne5091779e52536657eb321a1ccb7cfd0e67bd897\r\nb9871ce86c29aac05b119c4514cd87ce90956f7b\r\nRemediation\r\nBlock all 
threat indicators at your respective controls.\r\nSearch for indicators of compromise (IOCs) in your environment using your respective security controls.\r\nDo not download documents attached to emails from unknown sources and strictly refrain from enabling\r\nmacros when the source isn’t reliable.\r\nEnable antivirus and anti-malware software and update signature definitions in a timely manner. Using\r\nmulti-layered protection is necessary to secure vulnerable assets.\r\nAlong with network and system hardening, code hardening should be implemented within the organization\r\nso that its websites and software are secure. Use testing tools to detect vulnerabilities in deployed\r\ncode.\r\nMaintain daily backups of all computer networks and servers.\r\nKeep all software, operating systems, and applications up to date with the latest security patches.\r\nContinuously monitor network and system logs for unusual or suspicious activities.\r\nDeploy security information and event management (SIEM) solutions to centralize log analysis.\r\nSource: https://www.rewterz.com/rewterz-news/rewterz-threat-alert-power-suppliers-network-infiltrated-for-6-months-by-redfly-hackers-active-iocs/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.rewterz.com/rewterz-news/rewterz-threat-alert-power-suppliers-network-infiltrated-for-6-months-by-redfly-hackers-active-iocs/"
	],
	"report_names": [
		"rewterz-threat-alert-power-suppliers-network-infiltrated-for-6-months-by-redfly-hackers-active-iocs"
	],
	"threat_actors": [
		{
			"id": "846522d7-29cb-4a0c-8ebe-ffba7429e2d7",
			"created_at": "2023-06-23T02:04:34.793629Z",
			"updated_at": "2026-04-10T02:00:04.971054Z",
			"deleted_at": null,
			"main_name": "Volt Typhoon",
			"aliases": [
				"Bronze Silhouette",
				"Dev-0391",
				"Insidious Taurus",
				"Redfly",
				"Storm-0391",
				"UAT-5918",
				"UAT-7237",
				"UNC3236",
				"VOLTZITE",
				"Vanguard Panda"
			],
			"source_name": "ETDA:Volt Typhoon",
			"tools": [
				"FRP",
				"Fast Reverse Proxy",
				"Impacket",
				"LOLBAS",
				"LOLBins",
				"Living off the Land"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "3ec9542a-2245-466b-86e3-cd345819b09b",
			"created_at": "2023-11-04T02:00:07.67045Z",
			"updated_at": "2026-04-10T02:00:03.388063Z",
			"deleted_at": null,
			"main_name": "Redfly",
			"aliases": [],
			"source_name": "MISPGALAXY:Redfly",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "649b5b3e-b16e-44db-91bc-ae80b825050e",
			"created_at": "2022-10-25T15:50:23.290412Z",
			"updated_at": "2026-04-10T02:00:05.257022Z",
			"deleted_at": null,
			"main_name": "Dragonfly",
			"aliases": [
				"TEMP.Isotope",
				"DYMALLOY",
				"Berserk Bear",
				"TG-4192",
				"Crouching Yeti",
				"IRON LIBERTY",
				"Energetic Bear",
				"Ghost Blizzard"
			],
			"source_name": "MITRE:Dragonfly",
			"tools": [
				"MCMD",
				"Impacket",
				"CrackMapExec",
				"Backdoor.Oldrea",
				"Mimikatz",
				"PsExec",
				"Trojan.Karagany",
				"netsh"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "1a76ed30-4daf-4817-98ae-87c667364464",
			"created_at": "2022-10-25T16:47:55.891029Z",
			"updated_at": "2026-04-10T02:00:03.646466Z",
			"deleted_at": null,
			"main_name": "IRON LIBERTY",
			"aliases": [
				"ALLANITE ",
				"ATK6 ",
				"BROMINE ",
				"CASTLE ",
				"Crouching Yeti ",
				"DYMALLOY ",
				"Dragonfly ",
				"Energetic Bear / Berserk Bear ",
				"Ghost Blizzard ",
				"TEMP.Isotope ",
				"TG-4192 "
			],
			"source_name": "Secureworks:IRON LIBERTY",
			"tools": [
				"ClientX",
				"Ddex Loader",
				"Havex",
				"Karagany",
				"Loek",
				"MCMD",
				"Sysmain",
				"xfrost"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "3a0be4ff-9074-4efd-98e4-47c6a62b14ad",
			"created_at": "2022-10-25T16:07:23.590051Z",
			"updated_at": "2026-04-10T02:00:04.679488Z",
			"deleted_at": null,
			"main_name": "Energetic Bear",
			"aliases": [
				"ATK 6",
				"Blue Kraken",
				"Crouching Yeti",
				"Dragonfly",
				"Electrum",
				"Energetic Bear",
				"G0035",
				"Ghost Blizzard",
				"Group 24",
				"ITG15",
				"Iron Liberty",
				"Koala Team",
				"TG-4192"
			],
			"source_name": "ETDA:Energetic Bear",
			"tools": [
				"Backdoor.Oldrea",
				"CRASHOVERRIDE",
				"Commix",
				"CrackMapExec",
				"CrashOverride",
				"Dirsearch",
				"Dorshel",
				"Fertger",
				"Fuerboos",
				"Goodor",
				"Havex",
				"Havex RAT",
				"Hello EK",
				"Heriplor",
				"Impacket",
				"Industroyer",
				"Karagany",
				"Karagny",
				"LightsOut 2.0",
				"LightsOut EK",
				"Listrix",
				"Oldrea",
				"PEACEPIPE",
				"PHPMailer",
				"PsExec",
				"SMBTrap",
				"Subbrute",
				"Sublist3r",
				"Sysmain",
				"Trojan.Karagany",
				"WSO",
				"Webshell by Orb",
				"Win32/Industroyer",
				"Wpscan",
				"nmap",
				"sqlmap",
				"xFrost"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434521,
	"ts_updated_at": 1775791883,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/26a7cea68433d0650b86ea81567bcd344dc7259b.pdf",
		"text": "https://archive.orkl.eu/26a7cea68433d0650b86ea81567bcd344dc7259b.txt",
		"img": "https://archive.orkl.eu/26a7cea68433d0650b86ea81567bcd344dc7259b.jpg"
	}
}