China-Linked ‘Redfly’ Group Targeted Power Grid

Dubbed Redfly, the threat actor has been observed using the ShadowPad remote access trojan (RAT), a successor of Korplug/PlugX, to maintain presence on a compromised national power grid in Asia for as long as six months.

Redfly is an known threat actor and in the latest intrusion series which is targeting critical national infrastructure entities, employing tools and infrastructure that overlap with previous activity attributed to Chinese state-sponsored group APT41 (also tracked as Winnti, Wicked Panda, Blackfly, and Grayfly).

On the infected machines, the trojan masquerades as VMware files and directories, and sets up persistence by registering a service that is launched at Windows startup.

In addition to ShadowPad, Redfly was seen deploying PackerLoader, a tool for loading and executing shellcode, and a keylogger, which was dropped under various names on different machines.

Redfly, Symantec says, does not appear to be engaging in disruptive activities, but the cybersecurity company does not eliminate this possibility entirely.

“Threat actors maintaining a long-term, persistent presence on a national grid presents a clear risk of attacks designed disrupt power supplies and other vital services in other states during times of increased political tension,” the company notes.