{ "id": "f431cd59-222c-49ac-9854-a3fc4b6cb0a1", "created_at": "2026-04-06T00:07:34.505528Z", "updated_at": "2026-04-10T03:32:22.348205Z", "deleted_at": null, "sha1_hash": "7ea0a849f8aa3ab3acfb270e0f9971f12843b3ef", "title": "38 - Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 48694, "plain_text": "38 - Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 19:00:30 UTC\r\n APT group: TAG-38\r\nNames TAG-38 (Recorded Future)\r\nCountry China\r\nSponsor State-sponsored\r\nMotivation Information theft and espionage\r\nFirst seen 2021\r\nDescription\r\n(Recorded Future) In recent months, we observed likely network intrusions targeting at least 7\r\nIndian State Load Despatch Centres (SLDCs) responsible for carrying out real-time operations\r\nfor grid control and electricity dispatch within these respective states. Notably, this targeting\r\nhas been geographically concentrated, with the identified SLDCs located in North India, in\r\nproximity to the disputed India-China border in Ladakh. One of these SLDCs was also\r\ntargeted in previous RedEcho activity. This latest set of intrusions, however, is composed of an\r\nalmost entirely different set of victim organizations. In addition to the targeting of power grid\r\nassets, we also identified the compromise of a national emergency response system and the\r\nIndian subsidiary of a multinational logistics company by the same threat activity group. To\r\nachieve this, the group likely compromised and co-opted internet-facing DVR/IP camera\r\ndevices for command and control (C2) of Shadowpad malware infections, as well as use of the\r\nopen source tool FastReverseProxy (FRP).\r\nDespite a partial troop disengagement between India and China from February 2021, the\r\nprolonged targeting of Indian critical infrastructure continues to raise concerns over pre-positioning activity being conducted by Chinese adversaries. While this latest activity displays\r\ntargeting and capability consistencies with previously identified RedEcho activity, there are\r\nalso some notable distinctions. At this time, we have not identified technical evidence allowing\r\nus to attribute it to RedEcho, and we are currently clustering this latest activity under the\r\ntemporary group name Threat Activity Group 38 (TAG-38).\r\nObserved\r\nSectors: Energy.\r\nCountries: India.\r\nTools used FRP, ShadowPad Winnti.\r\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=578b878a-3b29-48ce-8ed0-d6bb0b28a2b0\r\nPage 1 of 2\n\nInformation\nLast change to this card: 08 April 2022\nDownload this actor card in PDF or JSON format\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=578b878a-3b29-48ce-8ed0-d6bb0b28a2b0\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=578b878a-3b29-48ce-8ed0-d6bb0b28a2b0\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://apt.etda.or.th/cgi-bin/showcard.cgi?u=578b878a-3b29-48ce-8ed0-d6bb0b28a2b0" ], "report_names": [ "showcard.cgi?u=578b878a-3b29-48ce-8ed0-d6bb0b28a2b0" ], "threat_actors": [ { "id": "0fca7692-4a21-482f-a113-9548b49e8531", "created_at": "2022-10-25T16:07:24.117599Z", "updated_at": "2026-04-10T02:00:04.870741Z", "deleted_at": null, "main_name": "RedEcho", "aliases": [], "source_name": "ETDA:RedEcho", "tools": [ "POISONPLUG.SHADOW", "ShadowPad Winnti", "XShellGhost" ], "source_id": "ETDA", "reports": null }, { "id": "bc91d469-ec69-497b-81d7-068b84501e63", "created_at": "2023-01-06T13:46:39.192791Z", "updated_at": "2026-04-10T02:00:03.242063Z", "deleted_at": null, "main_name": "RedEcho", "aliases": [], "source_name": "MISPGALAXY:RedEcho", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "1081082f-c780-4f3f-8090-0952b4455230", "created_at": "2022-10-25T16:07:24.297942Z", "updated_at": "2026-04-10T02:00:04.92646Z", "deleted_at": null, "main_name": "TAG-38", "aliases": [], "source_name": "ETDA:TAG-38", "tools": [ "FRP", "Fast Reverse Proxy", "POISONPLUG.SHADOW", "ShadowPad Winnti", "XShellGhost" ], "source_id": "ETDA", "reports": null }, { "id": "4d5f939b-aea9-4a0e-8bff-003079a261ea", "created_at": "2023-01-06T13:46:39.04841Z", "updated_at": "2026-04-10T02:00:03.196806Z", "deleted_at": null, "main_name": "APT41", "aliases": [ "WICKED PANDA", "BRONZE EXPORT", "Brass Typhoon", "TG-2633", "Leopard Typhoon", "G0096", "Grayfly", "BARIUM", "BRONZE ATLAS", "Red Kelpie", "G0044", "Earth Baku", "TA415", "WICKED SPIDER", "HOODOO", "Winnti", "Double Dragon" ], "source_name": "MISPGALAXY:APT41", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "2a24d664-6a72-4b4c-9f54-1553b64c453c", "created_at": "2025-08-07T02:03:24.553048Z", "updated_at": "2026-04-10T02:00:03.787296Z", "deleted_at": null, "main_name": "BRONZE ATLAS", "aliases": [ "APT41 ", "BARIUM ", "Blackfly ", "Brass Typhoon", "CTG-2633", "Earth Baku ", "GREF", "Group 72 ", "Red Kelpie ", "TA415 ", "TG-2633 ", "Wicked Panda ", "Winnti" ], "source_name": "Secureworks:BRONZE ATLAS", "tools": [ "Acehash", "CCleaner v5.33 backdoor", "ChinaChopper", "Cobalt Strike", "DUSTPAN", "Dicey MSDN", "Dodgebox", "ForkPlayground", "HUC Proxy Malware (Htran)" ], "source_id": "Secureworks", "reports": null }, { "id": "64af9eaa-e528-42d2-95c6-f55aa0a13df5", "created_at": "2025-04-23T02:00:55.201298Z", "updated_at": "2026-04-10T02:00:05.33852Z", "deleted_at": null, "main_name": "RedEcho", "aliases": [ "RedEcho" ], "source_name": "MITRE:RedEcho", "tools": [ "ShadowPad" ], "source_id": "MITRE", "reports": null } ], "ts_created_at": 1775434054, "ts_updated_at": 1775791942, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/7ea0a849f8aa3ab3acfb270e0f9971f12843b3ef.pdf", "text": "https://archive.orkl.eu/7ea0a849f8aa3ab3acfb270e0f9971f12843b3ef.txt", "img": "https://archive.orkl.eu/7ea0a849f8aa3ab3acfb270e0f9971f12843b3ef.jpg" } }