China-Linked ‘Redfly’ Group Targeted Power Grid

Symantec warns that the Redfly APT appears to be focusing exclusively on targeting critical national infrastructure organizations.

Symantec has identified a new advanced persistent threat (APT) actor that appears to be focusing exclusively on targeting critical national infrastructure organizations.

Dubbed Redfly, the threat actor has been observed using the ShadowPad remote access trojan (RAT), a successor of Korplug/PlugX, to maintain presence on a compromised national power grid in Asia for as long as six months.

Discovered earlier this year, the attack is the latest in a series of intrusions targeting critical national infrastructure entities, employing tools and infrastructure that overlap with previous activity attributed to Chinese state-sponsored group APT41 (also tracked as Winnti, Wicked Panda, Blackfly, and Grayfly).

As part of this campaign, Symantec notes, Redfly used a distinct variant of ShadowPad, which relies on the domain websencl[.]com as its command-and-control (C&C) server.

On the infected machines, the trojan masquerades as VMware files and directories, and sets up persistence by registering a service that is launched at Windows startup.

In addition to ShadowPad, Redfly was seen deploying PackerLoader, a tool for loading and executing shellcode, and a keylogger, which was dropped under various names on different machines.

Symantec traced the attack back to February 28, when the APT executed ShadowPad on a single machine. The malware was executed again on May 17, one day after the execution of a suspicious Windows batch file and of PackerLoader.

On May 16, the attackers also modified the permissions for a driver that was later used to create dumps of the file system, and dumped credentials from the Windows registry.

Further suspicious activity was observed on May 19 and May 26, including the execution of PackerLoader and of a legitimate application that the attackers installed themselves, to side-load a malicious DLL.

Several days later, a tool was used to dump credentials from LSASS and a scheduled task was used to execute Oleview, for side-loading and lateral movement.

The attackers returned again on July 27, to install a keylogger on the compromised machine, and on August 3, when they attempted to dump credentials using ProcDump.
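As an added illustration that is not part of the Symantec report or this article, the following Python sketch turns the behaviours described above (ProcDump against LSASS, a VMware-themed service binary outside Program Files, a scheduled task launching Oleview, lookups of the named C&C domain) into simple detection checks run over a few constructed log events; the event shape, field names and the path heuristics are assumptions, not Symantec's detection logic.

```python
import ntpath
import re

# Domain named in the article as the ShadowPad C&C server.
C2_DOMAIN = "websencl.com"

# Constructed sample events (not from the Symantec investigation), in a
# simplified Sysmon-like shape: an event type plus a few string fields.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Tools\pd.exe",          # renamed ProcDump
     "cmdline": "pd.exe -accepteula -ma lsass.exe out.dmp"},
    {"type": "service_install", "name": "VMwareSvc",           # masquerade
     "path": r"C:\ProgramData\VMware\vmware-svc.exe"},
    {"type": "service_install", "name": "VMTools",             # legitimate
     "path": r"C:\Program Files\VMware\VMware Tools\vmtoolsd.exe"},
    {"type": "task_create", "name": "SysCheck",
     "action": r"C:\Windows\Temp\oleview.exe"},
    {"type": "dns", "query": "update.websencl.com"},
    {"type": "dns", "query": "www.example.com"},
]

LSASS_RE = re.compile(r"\blsass(\.exe)?\b", re.IGNORECASE)


def classify(ev):
    """Return detection labels for one event (empty list if nothing matches)."""
    hits = []
    kind = ev.get("type")
    if kind == "process":
        cmd = ev.get("cmdline", "").lower()
        img = ntpath.basename(ev.get("image", "")).lower()
        # LSASS named on the command line of ProcDump, or of a renamed binary
        # using ProcDump's full-dump switch (-ma); assumption-based heuristic.
        if LSASS_RE.search(cmd) and ("procdump" in img or " -ma " in cmd):
            hits.append("lsass_dump_procdump")
    elif kind == "service_install":
        path = ev.get("path", "").lower()
        # VMware-themed service binary installed outside Program Files.
        if "vmware" in path and not path.startswith(r"c:\program files"):
            hits.append("vmware_masquerade_service")
    elif kind == "task_create":
        if ntpath.basename(ev.get("action", "")).lower() == "oleview.exe":
            hits.append("oleview_scheduled_task")
    elif kind == "dns":
        q = ev.get("query", "").lower().rstrip(".")
        if q == C2_DOMAIN or q.endswith("." + C2_DOMAIN):
            hits.append("shadowpad_c2_domain")
    return hits


def scan(events):
    """Run classify over an event list; return [(index, label), ...]."""
    return [(i, lab) for i, ev in enumerate(events) for lab in classify(ev)]


if __name__ == "__main__":
    for i, label in scan(SAMPLE_EVENTS):
        print(f"event {i}: {label}")
```

The legitimate VMware Tools service in the sample is deliberately left unflagged to show that the path heuristic, not the vendor name alone, carries the signal.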

Responding to a SecurityWeek inquiry on the motives behind this campaign, Symantec principal intelligence analyst Dick O’Brien said that espionage is the most evident.

“There are multiple possible motives. Our best guess would be intelligence gathering related to the targets, energy usage or acquisition and retention of a disruptive capability should it be required in the future,” he said.

Redfly, Symantec says, does not appear to be engaging in disruptive activities, but the cybersecurity company does not eliminate this possibility entirely.

“Threat actors maintaining a long-term, persistent presence on a national grid presents a clear risk of attacks designed to disrupt power supplies and other vital services in other states during times of increased political tension,” the company notes.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
