RedEcho Infrastructure

Mar 30, 2021


In February, Recorded Future published an article about a campaign by RedEcho against the Indian power sector amid heightened border tensions.

After investigating with RiskIQ passive DNS, I found many interesting IOCs.

The domain is the most interesting. This domain has resolved to two IPs: and

And these IPs have two SSL certificates linked to them: 2d2d79c478e92a7de25e661ff1a68de0833b9d9b and 0a71519f5549b21510410cdf4a85701489676ddb.

With these certificates, we can find many of the IPs published in the Recorded Future article.

And a new IP, published yesterday:

RedEcho group parks domains after public exposure | The Record by Recorded Future

So these two certificates are important for getting a good view of RedEcho's infrastructure. But these certificates are also linked to ShadowPad infrastructure, which is used by other Chinese APT groups.
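The pivot described above (domain to IPs, IPs to certificate fingerprints, fingerprints back out to more IPs) is a breadth-first walk over an indicator graph, and the ShadowPad caveat is exactly why the hop count matters. The following is an added example, not the author's code or a RiskIQ API: the two SHA-1 fingerprints are the ones from the post, while the domains (.test) and IPs (RFC 5737 ranges) are constructed sample observations.

```python
from collections import defaultdict, deque

# Certificate SHA-1 fingerprints named in the post (seed indicators).
SEED_CERTS = {
    "2d2d79c478e92a7de25e661ff1a68de0833b9d9b",
    "0a71519f5549b21510410cdf4a85701489676ddb",
}

# Constructed observations, not real data: ("dns", domain, ip) and ("tls", ip, cert_sha1).
OBSERVATIONS = [
    ("dns", "c2-a.example.test", "192.0.2.10"),
    ("dns", "c2-a.example.test", "192.0.2.11"),
    ("tls", "192.0.2.10", "2d2d79c478e92a7de25e661ff1a68de0833b9d9b"),
    ("tls", "192.0.2.11", "0a71519f5549b21510410cdf4a85701489676ddb"),
    ("tls", "198.51.100.5", "2d2d79c478e92a7de25e661ff1a68de0833b9d9b"),
    ("dns", "c2-b.example.test", "198.51.100.5"),
    # A second certificate on a shared host, and a host seen only with that
    # certificate: the kind of overlap that drags in unrelated infrastructure.
    ("tls", "198.51.100.5", "1111111111111111111111111111111111111111"),
    ("tls", "203.0.113.9", "1111111111111111111111111111111111111111"),
]


def build_graph(observations):
    """Undirected indicator graph: domain <-> IP <-> certificate fingerprint."""
    graph = defaultdict(set)
    for _kind, left, right in observations:
        graph[left].add(right)
        graph[right].add(left)
    return graph


def pivot(seeds, observations, max_hops):
    """BFS from the seeds; returns {indicator: (hops_from_seed, reached_via)}.

    The hop count is the confidence signal: each extra hop through a shared
    host or shared certificate widens the set and needs analyst review.
    """
    graph = build_graph(observations)
    found = {seed: (0, None) for seed in seeds}
    queue = deque(seeds)
    while queue:
        node = queue.popleft()
        hops = found[node][0]
        if hops == max_hops:
            continue  # do not expand past the allowed pivot depth
        for neighbour in sorted(graph[node]):
            if neighbour not in found:
                found[neighbour] = (hops + 1, node)
                queue.append(neighbour)
    return found


if __name__ == "__main__":
    for ind, (hops, via) in sorted(pivot(SEED_CERTS, OBSERVATIONS, 2).items(), key=lambda kv: kv[1][0]):
        print(f"hop {hops}: {ind}  via {via}")
```

With max_hops=2 the walk stops at the domains and the second certificate; only at three hops does 203.0.113.9 appear, which is the point where a shared ShadowPad certificate rather than RedEcho itself may be doing the linking.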

Overview of the infrastructure




Malwarist,Threat Huntist and pythonist / core dev of #yeti/ member of @ProjectHoneynet / co-organizer #BotConf / researcher