Threat Actor Profile
High APT
Description

RedEcho is a People’s Republic of China-related threat actor associated with long-running intrusions in Indian critical infrastructure entities. RedEcho overlaps with various other PRC-linked threat groups, such as APT41, and is linked to ShadowPad malware use through shared infrastructure.(Citation: RecordedFuture RedEcho 2021)(Citation: RecordedFuture RedEcho 2022)

Confidence Score
90%
Known Aliases
RedEcho
Tags
mitre-attack stix-2.1 intrusion-set
First Seen

Unknown

Last Updated

Unknown

Active Status
Active
Created

April 29, 2026

MITRE ATT&CK Techniques (5)
T1071.001 - Web Protocols
Command and Control
T1568 - Dynamic Resolution
Command and Control
T1571 - Non-Standard Port
Command and Control
T1573.002 - Asymmetric Cryptography
Command and Control
T1583.001 - Domains
Resource Development
Indicators of Compromise

Loading IOCs…

IOC KQL for Sentinel
STIX Data 
{'aliases': ['RedEcho'],
 'created': '2024-11-21T22:34:30.327Z',
 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'description': '[RedEcho](https://attack.mitre.org/groups/G1042) is a '
                'People’s Republic of China-related threat actor associated '
                'with long-running intrusions in Indian critical '
                'infrastructure entities. '
                '[RedEcho](https://attack.mitre.org/groups/G1042) overlaps '
                'with various other PRC-linked threat groups, such as '
                '[APT41](https://attack.mitre.org/groups/G0096), and is linked '
                'to [ShadowPad](https://attack.mitre.org/software/S0596) '
                'malware use through shared infrastructure.(Citation: '
                'RecordedFuture RedEcho 2021)(Citation: RecordedFuture RedEcho '
                '2022)',
 'external_references': [{'external_id': 'G1042',
                          'source_name': 'mitre-attack',
                          'url': 'https://attack.mitre.org/groups/G1042'},
                         {'description': 'Recorded Future Insikt Group. (2021, '
                                         'February). China-Linked Group '
                                         'RedEcho Targets the Indian Power '
                                         'Sector Amid Heightened Border '
                                         'Tensions. Retrieved November 21, '
                                         '2024.',
                          'source_name': 'RecordedFuture RedEcho 2021',
                          'url': 'https://go.recordedfuture.com/hubfs/reports/cta-2021-0228.pdf'},
                         {'description': 'Recorded Future Insikt Group. (2022, '
                                         'April 6). Continued Targeting of '
                                         'Indian Power Grid Assets by Chinese '
                                         'State-Sponsored Activity Group. '
                                         'Retrieved November 21, 2024.',
                          'source_name': 'RecordedFuture RedEcho 2022',
                          'url': 'https://go.recordedfuture.com/hubfs/reports/ta-2022-0406.pdf'}],
 'id': 'intrusion-set--2c40f629-6cf9-4f75-af32-9a98caec24ae',
 'modified': '2025-03-13T20:54:46.475Z',
 'name': 'RedEcho',
 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
 'revoked': False,
 'spec_version': '2.1',
 'type': 'intrusion-set',
 'x_mitre_attack_spec_version': '3.2.0',
 'x_mitre_deprecated': False,
 'x_mitre_domains': ['enterprise-attack'],
 'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'x_mitre_version': '1.0'}
Quick Actions
Related TTPs (5)
Web Protocols
Command and Control
Dynamic Resolution
Command and Control
Non-Standard Port
Command and Control
Asymmetric Cryptography
Command and Control
Domains
Resource Development
Back to Threat Actors
Dashboard Home