Red Echo

Threat Actor Profile Updated 2 months ago
Red Echo, also known as Redfly, is a subgroup within the larger threat actor group Winnti. It has been identified as responsible for a series of cyber-attacks against entities around the world. In a recent campaign, Red Echo infiltrated and occupied the network of an Asian national electricity provider for six months. During this period the group deployed a Trojan called "ShadowPad" to harvest credentials and gain access to privileged information, demonstrating its ability to maintain persistent access inside a critical infrastructure network.

Researchers from Symantec track multiple subgroups within Winnti, including Blackfly, Greyfly and, in this case, Redfly (Red Echo). These groups are known for their relentless pursuit of intellectual property and sensitive data and often concentrate on specific sectors. Distinguishing the subgroups helps defenders understand the threat landscape and build more effective defences against these advanced persistent threats.

In another significant incident, Red Echo inserted malicious code into a download link on the webpage for Myanmar's president. This action further underscores the group's capabilities and its willingness to target high-profile individuals and institutions. Planting malicious code on legitimate websites is a common tactic used by such groups to compromise systems and steal valuable information. Together these incidents highlight the ongoing threat posed by Red Echo and similar groups, and the need for robust cybersecurity measures across all sectors.
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so here are some possibly overlapping names and profiles you may also want to look at.
Winnti (1 vote)
Winnti, a threat actor or group also known as Starchy Taurus and APT41, has been active since at least 2007, first identified by Kaspersky in 2013. This Chinese state-sponsored entity is renowned for its ability to target supply chains of legitimate software to disseminate malware. The group is link

Redfly (1 vote)
RedFly, a threat actor group known for its malicious activities, has emerged as a significant cybersecurity concern. The group's operations are characterized by their strategic execution and targeted focus, often resulting in substantial security breaches. Threat actors like RedFly pose a significan
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Trojan
Associated Malware
ShadowPad (type: unspecified, 1 vote)
ShadowPad is a modular backdoor malware that has been utilized by several Chinese threat groups since at least 2017. Notably, it was used as the payload in supply chain attacks targeting South Asian governments, as reported in the VB2023 paper. ShadowPad provides near-administrative capabilities in
Associated Threat Actors
Blackfly (type: unspecified, 1 vote)
Blackfly is a threat actor, tracked by Symantec, that has been involved in cyber-attacks primarily targeting South Korean companies, especially those in the video game and software development industry. The group initiated its activities with a campaign to steal certificates, which were later utiliz

Greyfly (type: unspecified, 1 vote)
No profile description available.
Associated Vulnerabilities
No associations to display.
Source Document References
Information about the Red Echo threat actor was read from the document corpus listed below.
CERT-EU, 8 months ago: Connect the Dots on State-Sponsored Cyber Incidents - Targeting of Myanmar's presidential website
CERT-EU, 9 months ago: Connect the Dots on State-Sponsored Cyber Incidents - Targeting of Myanmar's presidential website
DARKReading, 10 months ago: China's Winnti APT Compromises National Grid in Asia for 6 Months