RedCurl: Espionage Evolving, Ransomware Emerging
- Suspected Origin
- Russia
- Motivation
- Espionage, Financial Gain
- Aliases
- None documented
- Target Sectors
- Construction, Finance, Consulting, Retail, Banking, Insurance, Law Firms, Travel Agencies, Legal Services, Wholesale Retailers
- Associated Malware
- QWCrypt, RedCurl.SimpleDownloader, RedCurl.Downloader, RedCurl.Extractor, RedCurl.FSABIN, LaZagne, RPivot, Chisel
Overview
RedCurl, also tracked as Earth Kapre or Red Wolf, is a sophisticated threat actor (MITRE ATT&CK ID G1039) that has been active since at least 2018. This group is widely believed to be Russian-speaking and has historically focused on corporate espionage, targeting a broad spectrum of industries and geographies to steal confidential documents, trade secrets, and employee personal data. Over the years, RedCurl has targeted organizations in Ukraine, Canada, the United Kingdom, Germany, Norway, Russia, the United States, Spain, Mexico, Slovenia, and Australia. Their typical targets include travel agencies, insurance companies, banks, construction firms, financial services, consulting agencies, retail businesses, and law firms.
Initially, RedCurl’s primary motivation appeared to be pure corporate espionage, with no historical evidence of data monetization through public leaks or extortion. However, recent activity in 2025 indicates a significant evolution in their tactics, with the deployment of a new ransomware strain named QWCrypt. This shift introduces a potential financial motivation, though some researchers still question the ultimate goals behind these ransomware attacks, suggesting they might be a diversion or a means to monetize access if espionage contracts don’t pay out. RedCurl typically maintains a low profile, relying heavily on “Living-off-the-Land” (LOTL) techniques to remain undetected for extended periods within compromised networks.
Tactics & Techniques
RedCurl’s operations typically begin with highly crafted spear-phishing campaigns. These emails often contain malicious attachments, such as IMG files disguised as CV documents, ISOs, or RAR archives containing SVG files. When opened, these files exploit various techniques, including DLL sideloading with legitimate executables like ADNotificationManager.exe or abusing the Program Compatibility Assistant (pcalua.exe) to execute malicious code. This initial access vector establishes a foothold, often by creating a scheduled task for persistence.
Once inside, RedCurl prioritizes defense evasion by extensively leveraging LOTL techniques. They use legitimate Windows tools like PowerShell, Windows Management Instrumentation (WMI), wmic.exe, certutil.exe, tasklist.exe, and rundll32.exe to execute commands, move laterally, and gather intelligence, minimizing their reliance on custom or external tools. Obfuscation is also a key tactic, involving string encryption, Base64 encoding for PowerShell commands, using PyArmor to obfuscate Python scripts, renaming malicious files to mimic legitimate tools, and dynamically executing commands via echo into temporary batch files that are later deleted to cover their tracks.
For credential access, RedCurl has been observed using tools like LaZagne to extract passwords from web browsers, files, memory, and the Windows Registry. Discovery efforts involve commands such as net localgroup, systeminfo, wmic logicaldisk, and netstat, as well as deploying SysInternals Active Directory Explorer (AD Explorer) to map network environments. Lateral movement is facilitated through WMI, built-in Windows tools, modified wmiexec to bypass SMB connections, LNK files placed on network drives, and tools like Chisel for TCP/UDP tunneling.
Data collection involves searching for and collecting files on local and network drives, which are then often archived with 7-Zip, sometimes password-protected, before exfiltration. Exfiltration frequently utilizes cloud storage services like Mega, Tab Digital, or other legitimate cloud platforms (e.g., Cloudme, koofr.net), often employing utilities like megatools or PowerShell PUT requests. The recent shift to ransomware deployment involves QWCrypt, a new and distinct ransomware strain. Notably, these ransomware attacks are highly targeted, often focusing solely on hypervisors to encrypt virtual machines and disable virtualized infrastructure, while carefully avoiding encryption of network gateways to maintain discreet communication channels with victims.
Notable Campaigns
RedCurl has maintained a consistent operational tempo since its emergence in 2018. Group-IB’s initial reporting in 2020 detailed 26 targeted attacks against 14 private companies globally, highlighting their focus on stealing commercial secrets and sensitive employee data. These early campaigns established their signature use of spear-phishing and extensive LOTL tactics.
Throughout 2023 and 2024, RedCurl continued its espionage activities with phishing campaigns targeting diverse industries across North America, Europe, and CIS countries. Trend Micro and Huntress reports in early 2024 and 2025, respectively, documented ongoing activity, including the use of malicious IMG files and the abuse of pcalua.exe in scheduled tasks for persistence and execution. Huntress specifically identified RedCurl activity in Canada dating back to November 2023, observing the use of RPivot for tunneling and 7zip for archiving.
A significant evolution was observed in early 2025, with Bitdefender Labs reporting the first documented ransomware campaign attributed to RedCurl. This campaign involved the deployment of QWCrypt ransomware, which specifically targeted hypervisors rather than widespread endpoint encryption, indicating a calculated approach to inflict maximum damage while potentially seeking discreet negotiations. Around the same time, eSentire also reported on RedCurl (EarthKapre) leveraging legitimate Adobe executables for DLL sideloading in attacks targeting the legal sector, further demonstrating their adaptability.
Associated Malware & Tools
RedCurl is known for a mix of custom-developed malware and the adept abuse of legitimate system utilities and third-party tools. Their custom arsenal includes:
- RedCurl.SimpleDownloader: An initial stage downloader used to fetch subsequent malware components and display decoy sites.
- RedCurl.Downloader: Responsible for conducting system checks, gathering system information, and transmitting it to C2 servers.
- RedCurl.Extractor and RedCurl.FSABIN: Modules identified in earlier reports, with FSABIN providing remote control capabilities, command execution, and C2 communication. Recent activity suggests FSABIN may now operate without an explicit extraction stage.
- QWCrypt: Their newly identified ransomware strain, specifically designed to encrypt virtual machines on hypervisors.
Beyond their custom creations, RedCurl heavily relies on legitimate tools for their operations, including:
- Windows Command Prompt, PowerShell, WMI: Used for command execution, task automation, and system interaction.
wmic.exe,certutil.exe,tasklist.exe,rundll32.exe: Standard Windows utilities leveraged for various malicious purposes, including remote command execution and DLL loading.pcalua.exe(Program Compatibility Assistant): Abused to obfuscate binary execution and remote connections.- 7-Zip: Utilized for archiving and compressing collected data, often with password protection, before exfiltration.
curl.exe: Used to download subsequent stage downloaders.- SysInternals Active Directory Explorer (AD Explorer): Employed for reconnaissance and data collection.
netstat,net localgroup,systeminfo: Standard commands for network and system information discovery.
Third-party tools frequently observed in RedCurl campaigns include:
- LaZagne: A known open-source tool for password recovery, used by RedCurl to harvest credentials from various sources.
- RPivot (client.py): A Python script used to create tunnels and establish proxy connections for C2.
- Chisel: A TCP/UDP tunneling tool that aids in sophisticated network navigation.
megatools: Utilities used to interact with Mega, a cloud storage service, for data exfiltration.
Current Status
RedCurl remains a highly active and evolving threat actor. Reports from 2024, 2025, and into 2026 consistently highlight their ongoing campaigns and adaptive tactics. The introduction of QWCrypt ransomware in early 2025 marks a significant pivot, expanding their operational capabilities beyond traditional corporate espionage. While their primary motivation for this ransomware deployment is still subject to debate among researchers, it undeniably adds a new, potentially financially lucrative, dimension to their activities.
Despite this shift, RedCurl continues to employ its established techniques, including sophisticated spear-phishing, extensive reliance on LOTL for stealth, and the abuse of legitimate tools to avoid detection. Their targeting remains broad geographically and across sectors, indicating a persistent interest in sensitive corporate data. Security professionals should consider RedCurl a persistent and adaptable adversary, requiring continuous monitoring and robust detection strategies to counter their evolving TTPs.
Related content
Threat Profile: Leafminer (G0077) – Iranian Espionage Group
Adversary ProfileInception (G0100): A Persistent and Stealthy Cyber Espionage Threat
Adversary ProfileEvilnum (G0120): Persistent Financial Threat and Evolving Espionage Actor
Adversary ProfileAkira Ransomware: A Persistent and Evolving Global Threat
Worried this actor targets your sector?
Let's map your exposure before they find it themselves.
Book an advisory call