In February, Recorded Future published an article about a RedEcho campaign targeting the Indian power sector amid heightened border tensions:
https://www.recordedfuture.com/redecho-targeting-indian-power-sector/
Investigating its indicators with RiskIQ passive DNS, I found several interesting IOCs.
The most interesting is the domain ntpc-co.com. It has resolved to two IPs: 27.255.94.29 and 210.92.18.132.
Both IPs are linked to two SSL certificates, with SHA-1 fingerprints 2d2d79c478e92a7de25e661ff1a68de0833b9d9b and 0a71519f5549b21510410cdf4a85701489676ddb.
Pivoting on these two certificates brings back several of the IPs published in the Recorded Future article:
223.255.155.243
210.121.164.72
223.255.155.238
180.150.226.216
223.255.155.252
and one IP published yesterday: 210.92.18.132
RedEcho group parks domains after public exposure | The Record by Recorded Future
These two certificates are therefore important for getting a good view of RedEcho's infrastructure. But they are also linked to ShadowPad infrastructure used by other Chinese APT groups, so a host that matches only on these certificates is an infrastructure overlap, not by itself an attribution to RedEcho.
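The pivot described above, written out as an added example (this is not code from the original post, from RiskIQ or from Recorded Future): seed domain -> passive-DNS IPs -> certificate fingerprints seen on those IPs -> other hosts serving the same certificates, then a split of the result against the already-published IOC list. The dataset is constructed from the indicators quoted in this post; which published IP was seen behind which of the two fingerprints is an assumption made for the demo, as are the function and variable names. Because both certificates are ShadowPad-linked and shared with other groups, the result also marks hosts that are reachable only through shared-tooling certificates, so they are not mistaken for attributed RedEcho infrastructure.

```python
"""Pivot from a seed domain to related hosts via passive DNS and TLS certificate
fingerprints, then compare the result against already-published indicators.

Added example for this post; not code from the original author, RiskIQ or
Recorded Future. The dataset is constructed from the indicators quoted in the
post; which fingerprint was observed on which host is an assumption here.
"""
from dataclasses import dataclass
from typing import Dict, Set


def normalize_fp(fp: str) -> str:
    """Canonicalize a SHA-1 certificate fingerprint: drop colons/spaces, lowercase.

    Tools disagree on formatting ("2D:2D:79:..." vs "2d2d79..."), so every pivot
    should key on one canonical form or hits will silently be missed.
    """
    canon = fp.replace(":", "").replace(" ", "").lower()
    if len(canon) != 40 or any(c not in "0123456789abcdef" for c in canon):
        raise ValueError(f"not a SHA-1 fingerprint: {fp!r}")
    return canon


# --- Constructed dataset (built from the indicators in the post) ---------------

# Passive DNS: domain -> IPs it has resolved to.
PASSIVE_DNS: Dict[str, Set[str]] = {
    "ntpc-co.com": {"27.255.94.29", "210.92.18.132"},
}

# Certificate fingerprint -> hosts observed serving it. ASSUMPTION: the post only
# says both certificates are linked to both resolving IPs; how the other
# published IPs split between the two certificates is made up for this demo.
CERT_HOSTS: Dict[str, Set[str]] = {
    normalize_fp("2d2d79c478e92a7de25e661ff1a68de0833b9d9b"): {
        "27.255.94.29", "210.92.18.132",
        "223.255.155.243", "223.255.155.238", "223.255.155.252",
    },
    normalize_fp("0a71519f5549b21510410cdf4a85701489676ddb"): {
        "27.255.94.29", "210.92.18.132",
        "210.121.164.72", "180.150.226.216",
    },
}

# Certificates the post ties to ShadowPad infrastructure shared with other groups.
SHARED_TOOLING_CERTS: Set[str] = set(CERT_HOSTS)

# IPs already published: five in the original article, one in the follow-up.
PUBLISHED_IPS: Set[str] = {
    "223.255.155.243", "210.121.164.72", "223.255.155.238",
    "180.150.226.216", "223.255.155.252",
    "210.92.18.132",
}


@dataclass
class PivotResult:
    seed_ips: Set[str]         # resolutions of the seed domain (passive DNS)
    certs: Set[str]            # fingerprints seen on at least one seed IP
    expanded_ips: Set[str]     # other hosts serving those certificates
    known: Set[str]            # discovered hosts already published
    new: Set[str]              # discovered hosts not yet published
    via_shared_only: Set[str]  # expanded hosts reached only via shared-tooling certs


def pivot_domain(seed: str, pdns: Dict[str, Set[str]], cert_hosts: Dict[str, Set[str]],
                 published: Set[str], shared_certs: Set[str]) -> PivotResult:
    """Expand one seed domain into related hosts and classify the result."""
    seed_ips = set(pdns.get(seed, set()))
    # A certificate is a pivot point if any host serving it is a seed IP.
    certs = {fp for fp, hosts in cert_hosts.items() if hosts & seed_ips}
    expanded: Set[str] = set()
    for fp in certs:
        expanded |= cert_hosts[fp]
    expanded -= seed_ips
    # Hosts linked to the seed only through a certificate that other actors also
    # use: worth tracking as overlap, but not attribution on its own.
    strong: Set[str] = set()
    for fp in certs - shared_certs:
        strong |= cert_hosts[fp]
    via_shared_only = expanded - strong
    discovered = seed_ips | expanded
    return PivotResult(seed_ips, certs, expanded,
                       discovered & published, discovered - published, via_shared_only)


if __name__ == "__main__":
    r = pivot_domain("ntpc-co.com", PASSIVE_DNS, CERT_HOSTS, PUBLISHED_IPS, SHARED_TOOLING_CERTS)
    print("seed IPs      :", sorted(r.seed_ips))
    print("pivot certs   :", sorted(r.certs))
    print("already known :", sorted(r.known))
    print("not published :", sorted(r.new))
    print("shared-cert only (overlap, not attribution):", sorted(r.via_shared_only))
```

With the constructed dataset, every expanded host is reachable only through the two ShadowPad-linked certificates, so the whole expansion is reported as overlap rather than as attributed RedEcho infrastructure; a non-shared pivot (a certificate unique to this cluster, or a second independent link such as a shared registrant or hosting pattern) would be needed before treating a new host as RedEcho's.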