{
	"id": "d196a54e-e90b-4282-a8f9-d0b4082128fd",
	"created_at": "2026-04-06T00:21:25.616115Z",
	"updated_at": "2026-04-10T13:11:51.907577Z",
	"deleted_at": null,
	"sha1_hash": "e64887a1f356882c048e65c4cc1fa999b1ed0b62",
	"title": "RedEcho group parks domains after public exposure",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 89000,
	"plain_text": "RedEcho group parks domains after public exposure\r\nBy Catalin Cimpanu\r\nPublished: 2023-01-26 · Archived: 2026-04-05 12:47:51 UTC\r\nA Chinese hacking group linked to a campaign that targeted India's power grid and critical infrastructure entities\r\nhas taken down its attack infrastructure after having its operations exposed at the end of February 2021.\r\nKnown as RedEcho, the group is one of many Chinese government-sponsored cyber-espionage entities active\r\ntoday.\r\nThe earliest signs of RedEcho attacks date back to early 2020, but operations gained significant momentum after\r\na May 2020 border dispute between Indian and Chinese troops that devolved into violence and heightened\r\npolitical tensions between the two neighboring countries.\r\nSubsequent RedEcho attacks shifted to target India's power sector primarily, and the group is believed to have\r\nbreached at least a dozen Indian power sector organizations, including four of India's five Regional Load\r\nDespatch Centres (RLDCs) and two State Load Despatch Centres (SLDCs), where it deployed backdoor malware\r\nsuch as PlugX and ShadowPad, allowing the group easy access at any later date.\r\nThese attacks came to light in February 2021, when Recorded Future's Insikt Group published a report detailing\r\nRedEcho's Indian operations after analysts managed to find unique characteristics in the communications between\r\nthe malware and its backend infrastructure, allowing them to track attacks by using a combination of proactive\r\ninfrastructure detections, domain, and network traffic analysis.\r\nLast activity spotted on March 11, 2021\r\nBut less than two weeks after Recorded Future published its findings, the Insikt Group told The Record that\r\nRedEcho has now taken down part of its domain infrastructure.\r\nMore specifically, RedEcho has now parked web domains it previously used to control ShadowPad malware\r\ninside the hacked Indian power grid, and which Recorded Future outed in its report.\r\n\"The most recently identified victim communications with RedEcho infrastructure were from an Indian IP address\r\non March 11, 2021 to the RedEcho IP 210.92.18[.]132,\" the Insikt Group said.\r\nBut this was to be expected. Advanced persistent threat (APT) groups like RedEcho often react to public\r\ndisclosure by moving infrastructure to new servers.\r\n\"This is likely due to a combination of defensive measures taken by targeted organizations to block published\r\nnetwork indicators and the aforementioned steps taken by the group to move away from publicized infrastructure,\"\r\nan Insikt Group analyst said.\r\nFurthermore, cyber-espionage operations are most efficient when undetected. Once operations get exposed,\r\nsecurity firms will often work in the shadows to notify victims and intelligence services in the targeted countries,\r\nand even poison the attacker's collected data.\r\nCatalin Cimpanu is a cybersecurity reporter who previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement\r\nactions against hackers.\r\nSource: https://therecord.media/redecho-group-parks-domains-after-public-exposure/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://therecord.media/redecho-group-parks-domains-after-public-exposure/"
	],
	"report_names": [
		"redecho-group-parks-domains-after-public-exposure"
	],
	"threat_actors": [
		{
			"id": "0fca7692-4a21-482f-a113-9548b49e8531",
			"created_at": "2022-10-25T16:07:24.117599Z",
			"updated_at": "2026-04-10T02:00:04.870741Z",
			"deleted_at": null,
			"main_name": "RedEcho",
			"aliases": [],
			"source_name": "ETDA:RedEcho",
			"tools": [
				"POISONPLUG.SHADOW",
				"ShadowPad Winnti",
				"XShellGhost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "bc91d469-ec69-497b-81d7-068b84501e63",
			"created_at": "2023-01-06T13:46:39.192791Z",
			"updated_at": "2026-04-10T02:00:03.242063Z",
			"deleted_at": null,
			"main_name": "RedEcho",
			"aliases": [],
			"source_name": "MISPGALAXY:RedEcho",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "64af9eaa-e528-42d2-95c6-f55aa0a13df5",
			"created_at": "2025-04-23T02:00:55.201298Z",
			"updated_at": "2026-04-10T02:00:05.33852Z",
			"deleted_at": null,
			"main_name": "RedEcho",
			"aliases": [
				"RedEcho"
			],
			"source_name": "MITRE:RedEcho",
			"tools": [
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434885,
	"ts_updated_at": 1775826711,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e64887a1f356882c048e65c4cc1fa999b1ed0b62.pdf",
		"text": "https://archive.orkl.eu/e64887a1f356882c048e65c4cc1fa999b1ed0b62.txt",
		"img": "https://archive.orkl.eu/e64887a1f356882c048e65c4cc1fa999b1ed0b62.jpg"
	}
}