Clankerusecase
Threat-actor profile

RedEcho

RedEcho is a tracked threat actor in the Clankerusecase corpus. ??-aligned. Primary motivation: Unknown. We map 14 detection use cases to this actor across 5 MITRE ATT&CK techniques, with 0 threat-intel articles citing them.

- 14 use cases
- 0 articles
- 5 techniques
- 0 IOCs

About this actor (MITRE)

[RedEcho](https://attack.mitre.org/groups/G1042) is a People’s Republic of China-related threat actor associated with long-running intrusions in Indian critical infrastructure entities. [RedEcho](https://attack.mitre.org/groups/G1042) overlaps with various other PRC-linked threat groups, such as [APT41](https://attack.mitre.org/groups/G0096), and is linked to [ShadowPad](https://attack.mitre.org/software/S0596) malware use through shared infrastructure.(Citation: RecordedFuture RedEcho 2021)(Citation: RecordedFuture RedEcho 2022)

Known aliases

RedEcho

Top techniques

All other tracked techniques

Detection use cases (14)

- RedEcho/ShadowPad C2 beaconing to dynamic-DNS infrastructure on non-standard ports (AI · profile S)
- RedEcho/ShadowPad signed-binary DLL side-loading from non-standard paths (AI · profile SΣ)
- Brand-Impersonation Domain Fetch Followed by User-Context Loader Within 10 Minutes (MITRE match)
- Internet-facing service process spawns shell/LOLBin within minutes of public inbound connection — post-RCE command execution (MITRE match)
- Non-Browser Process Reads Browser Credential / Cookie SQLite Then Egresses to Public Destination Within 10 Minutes (MITRE match)
- Package Manager / Dev-Tool Auto-Execution Triggers Non-Registry Egress or Credential-Store Access (MITRE match)
- Server / AI-agent process spawns shell or LOLBIN with public egress — post-RCE behavioural chain (MITRE match)
- Beaconing — periodic outbound to small set of destinations (MITRE match)
- Click on URL whose host doesn't match the sender domain (MITRE match)
- Cisco NVM - Outbound Connection to Suspicious Port (MITRE match)
- Cisco Secure Firewall - Blacklisted SSL Certificate Fingerprint (MITRE match)
- Cisco Secure Firewall - Communication Over Suspicious Ports (MITRE match)
- Cisco Secure Firewall - File Download Over Uncommon Port (MITRE match)
- Cisco Secure Firewall - High EVE Threat Confidence (MITRE match)