In February, Recorded Future published an article about a campaign by RedEcho against the Indian power sector amid heightened border tensions.
After my investigation with RiskIQ passive DNS, I found many interesting IOCs.
The domain ntpc-co.com is the most interesting. This domain has resolved to two IPs: 220.127.116.11 and 18.104.22.168.
These two IPs are in turn linked to two SSL certificates (SHA-1 fingerprints): 2d2d79c478e92a7de25e661ff1a68de0833b9d9b and 0a71519f5549b21510410cdf4a85701489676ddb.
Pivoting on these certificates, we can find many of the IPs published in the Recorded Future article,
and a new IP published yesterday: 22.214.171.124
RedEcho group parks domains after public exposure | The Record by Recorded Future
So these two certificates are important for getting a good view of RedEcho's infrastructure. But these certificates are also linked to ShadowPad infrastructure used by other Chinese APT groups, so an IP found only through them cannot be attributed to RedEcho on that basis alone and needs corroboration from another pivot (a domain, a registrant pattern, a sample).
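The pivot described above (domain to IPs, IPs to certificates, certificates back to further IPs) can be reproduced offline as a small graph walk. The script below is an added example, not the author's tooling and not RiskIQ's API; it uses the domain and the two certificate fingerprints quoted above as seeds, while every other value (the TEST-NET IPs, the second domain, the third certificate) is constructed sample data standing in for passive DNS and certificate observations.

```python
"""Offline passive-DNS / TLS-certificate pivot (added illustration).

Seeds (ntpc-co.com and the two SHA-1 fingerprints) come from the post above.
All IPs and the extra domain/certificate below are CONSTRUCTED sample data
(RFC 5737 documentation ranges), not real observations.
"""
from collections import defaultdict, deque

SEED_DOMAIN = "ntpc-co.com"
CERTS_OF_INTEREST = {
    "2d2d79c478e92a7de25e661ff1a68de0833b9d9b",
    "0a71519f5549b21510410cdf4a85701489676ddb",
}

# Constructed passive-DNS resolutions: domain -> IPs it has resolved to.
PDNS = {
    "ntpc-co.com": {"192.0.2.10", "192.0.2.11"},
    "example-lure.test": {"192.0.2.11", "198.51.100.7"},   # constructed
}

# Constructed certificate observations: IP -> SHA-1 of certs served on it.
# "0000...01" stands for an unrelated certificate shared with another host.
CERT_ON_IP = {
    "192.0.2.10": {"2d2d79c478e92a7de25e661ff1a68de0833b9d9b"},
    "192.0.2.11": {"0a71519f5549b21510410cdf4a85701489676ddb"},
    "198.51.100.7": {"2d2d79c478e92a7de25e661ff1a68de0833b9d9b"},
    "198.51.100.20": {"0a71519f5549b21510410cdf4a85701489676ddb",
                      "0000000000000000000000000000000000000001"},
    "203.0.113.5": {"0000000000000000000000000000000000000001"},
}


def build_indexes(pdns, cert_on_ip):
    """Reverse indexes so the walk can go IP -> domain and cert -> IP."""
    ip_to_domains = defaultdict(set)
    for dom, ips in pdns.items():
        for ip in ips:
            ip_to_domains[ip].add(dom)
    cert_to_ips = defaultdict(set)
    for ip, certs in cert_on_ip.items():
        for c in certs:
            cert_to_ips[c].add(ip)
    return ip_to_domains, cert_to_ips


def pivot(seed_domain, pdns, cert_on_ip, max_depth=4):
    """Breadth-first walk domain -> IP -> cert -> IP -> domain ...

    Returns {node: (kind, depth, parent)} so every hit keeps the chain of
    pivots that produced it. max_depth bounds how far a shared certificate
    can drag in unrelated hosts.
    """
    ip_to_domains, cert_to_ips = build_indexes(pdns, cert_on_ip)
    seen = {seed_domain: ("domain", 0, None)}
    queue = deque([seed_domain])
    while queue:
        node = queue.popleft()
        kind, depth, _ = seen[node]
        if depth >= max_depth:
            continue
        if kind == "domain":
            nbrs = [("ip", ip) for ip in sorted(pdns.get(node, ()))]
        elif kind == "ip":
            nbrs = [("cert", c) for c in sorted(cert_on_ip.get(node, ()))]
            nbrs += [("domain", d) for d in sorted(ip_to_domains.get(node, ()))]
        else:  # cert
            nbrs = [("ip", ip) for ip in sorted(cert_to_ips.get(node, ()))]
        for nkind, nbr in nbrs:
            if nbr not in seen:
                seen[nbr] = (nkind, depth + 1, node)
                queue.append(nbr)
    return seen


def ips_via_cert(graph, certs):
    """IPs whose only discovered link to the seed is one of the given certs.

    These are the hits that need corroboration: a certificate also seen on
    other groups' infrastructure does not by itself attribute a host.
    """
    return {n for n, (kind, _, parent) in graph.items()
            if kind == "ip" and parent in certs}


def path_to(graph, node):
    """Chain of pivots from the seed to `node`, oldest first."""
    path = []
    while node is not None:
        path.append(node)
        node = graph[node][2]
    return list(reversed(path))


if __name__ == "__main__":
    g = pivot(SEED_DOMAIN, PDNS, CERT_ON_IP)
    for ip in sorted(ips_via_cert(g, CERTS_OF_INTEREST)):
        print(ip, "<-", " -> ".join(path_to(g, ip)))
```

Run as-is, it reports the two constructed hosts reached only through the certificates, each with the pivot chain that produced it; 203.0.113.5 is never reached because it sits beyond the depth limit and is linked only by the unrelated certificate. Against real RiskIQ data, PDNS and CERT_ON_IP would be filled from the passive DNS and SSL certificate history queries, and the IPs returned by ips_via_cert are exactly the ones to treat as "possibly shared ShadowPad infrastructure" until a second pivot confirms them.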
Overview of the infrastructure