{
	"id": "e0a579db-3f36-4e80-88e0-8b9f37419b97",
	"created_at": "2026-04-06T00:11:56.020788Z",
	"updated_at": "2026-04-10T03:30:34.691021Z",
	"deleted_at": null,
	"sha1_hash": "0c8b5a53aa7557fce53d91d545fb44568b599227",
	"title": "Hunting the hunter: BI.ZONE traces the footsteps of Red Wolf",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 771977,
	"plain_text": "Hunting the hunter: BI.ZONE traces the footsteps of Red Wolf\r\nBy BI.ZONE\r\nPublished: 2023-06-28 · Archived: 2026-04-05 13:24:02 UTC\r\nThe BI.ZONE Cyber Threat Intelligence team has detected a new campaign by Red Wolf, a hacker group that specializes in corporate espionage. As in its previous campaigns, the group continues to rely on phishing emails to gain access to target organizations. To deliver malware to a compromised system, Red Wolf uses IMG files containing LNK files. Opening such a shortcut makes the unsuspecting victim run an obfuscated DLL, which in turn downloads and executes RedCurl.FSABIN on the victim's device. This lets the attackers run commands in the compromised environment and transfer additional tools for post-exploitation.\r\nKey findings\r\n- Red Wolf continues to use traditional malware delivery methods, such as phishing emails that contain links to download malicious files\r\n- In the campaign detected by BI.ZONE, the attackers used IMG files with malicious shortcuts to download and run RedCurl.FSABIN\r\n- The group's arsenal includes its own framework as well as a number of conventional tools, such as LaZagne and AD Explorer. To address its post-exploitation objectives, the group actively uses PowerShell\r\n- Red Wolf focuses on corporate espionage and prefers to move slowly through the compromised IT infrastructure. By drawing little attention, it can remain undetected for up to six months\r\nCampaign\r\nThe BI.ZONE Cyber Threat Intelligence team has unearthed a new campaign by the Red Wolf group (aka RedCurl), which has been active since at least June 2018 in Russia, Canada, Germany, Norway, Ukraine, and the United Kingdom.\r\nThe detected file (fig. 1) is an optical disk image. Once opened, it is mounted on the compromised system as a drive.\r\nFig. 1. Visible content of the disk image\r\nhttps://bi-zone.medium.com/hunting-the-hunter-bi-zone-traces-the-footsteps-of-red-wolf-3677783e164d\r\nPage 1 of 4\r\nThe disk image contains an LNK file and a hidden folder, #TEMP (fig. 2). The folder contains several DLL files, only one of which is malicious.\r\nFig. 2. Files in #TEMP\r\nOpening the LNK file triggers the execution of rundll32 with the following parameters:\r\nrundll32.exe #temp\\mKdPDaed.dll,ozCutPromo\r\nThe DLL first opens a web page (fig. 3).\r\nFig. 3. Web page opened by the DLL file\r\nAfter that, RedCurl.FSABIN is downloaded from https://app-ins-001.amscloudhost[.]com:443/dn01 and stored in C:\\Users\\[user]\\AppData\\Local\\VirtualStore\\ under the name chrminst_[computer name in base64].exe. The strings in the file are encrypted with AES-128 in CBC mode. The first part of the password from which the key is derived is embedded in the malware sample, while the second part is passed on the command line, for example:\r\nC:\\Users\\[redacted]\\AppData\\Local\\VirtualStore\\chrminst_[redacted].exe DOFBBdXC5DmPC\r\nTo achieve persistence on the compromised system, a task named ChromeDefaultBrowser_Agent_[computer name in base64] is created in the Windows Task Scheduler.\r\nThe backdoor uses the Windows API to collect the number of processors, the amount of memory, the storage capacity, and the time that had elapsed since the operating system started before the sample was launched. These checks are used to recognize a virtual environment and thereby evade security and analysis tools.
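One way to turn the artefacts above into host-side detection logic, as an added example that is not part of BI.ZONE's post (it also covers items 2 to 4 of the detection checklist near the end of the post; the event field names, the host name WS-01 and the user name alice are assumptions):

```python
'''Host-side detection logic for the Red Wolf delivery chain described above.

Added example, not BI.ZONE's code: it scores constructed, Sysmon-like event
records against the artefacts the post names (rundll32 loading a DLL from the
hidden #TEMP folder, the chrminst_<base64 computer name>.exe drop under
VirtualStore, the ChromeDefaultBrowser_Agent_<base64 computer name> task, and
DNS lookups of amscloudhost[.]com subdomains). Event field names, the host
name WS-01 and the user name alice are assumptions.
'''
import base64
import re

C2_DOMAIN = 'amscloudhost.com'   # defanged in the post as amscloudhost[.]com

# rundll32 given a DLL inside a #temp folder, e.g. rundll32.exe #temp\\mKdPDaed.dll,ozCutPromo
# (relative or drive-qualified path; a quoted DLL path is not handled here).
RUNDLL32_TEMP = re.compile(
    'rundll32(?:\\.exe)?\\W+(?:[a-z]:\\\\)?#temp\\\\[^\\s,]+\\.dll,\\S+', re.IGNORECASE)
# Dropped backdoor and its persistence task both embed the computer name in base64.
CHRMINST_NAME = re.compile('^chrminst_([A-Za-z0-9+/=_-]+)\\.exe$', re.IGNORECASE)
TASK_NAME = re.compile('^ChromeDefaultBrowser_Agent_([A-Za-z0-9+/=_-]+)$')
VIRTUALSTORE_DIR = '\\appdata\\local\\virtualstore'


def decodes_to_host(token, host_name):
    '''True if token is base64 (standard or URL-safe alphabet, padding optional)
    whose decoded text equals host_name, ignoring case.

    The post says the suffix is the computer name in base64 but not whether the
    padding is kept, so both padded and unpadded forms are accepted (assumption).
    '''
    padded = token + '=' * (-len(token) % 4)
    try:
        decoded = base64.b64decode(padded, altchars=b'-_', validate=True).decode('utf-8')
    except (ValueError, UnicodeDecodeError):
        return False
    return decoded.casefold() == host_name.casefold()


def _suffix_severity(token, host_name):
    # A suffix that decodes to this very host is the strongest signal; the bare
    # chrminst_ / ChromeDefaultBrowser_Agent_ prefix is still worth a look.
    return 'high' if decodes_to_host(token, host_name) else 'medium'


def detect(events, host_name):
    '''Return one alert dict with keys rule, severity and detail per matching event.'''
    alerts = []
    for ev in events:
        kind = ev.get('type')
        if kind == 'process_create':
            cmd = ev.get('cmdline', '')
            if RUNDLL32_TEMP.search(cmd):
                alerts.append({'rule': 'rundll32_from_temp', 'severity': 'high', 'detail': cmd})
        elif kind == 'file_create':
            folder, _, name = ev.get('path', '').rpartition('\\')
            m = CHRMINST_NAME.match(name)
            if m and folder.casefold().endswith(VIRTUALSTORE_DIR):
                alerts.append({'rule': 'chrminst_drop',
                               'severity': _suffix_severity(m.group(1), host_name),
                               'detail': ev['path']})
        elif kind == 'task_create':
            name, action = ev.get('name', ''), ev.get('action', '')
            m = TASK_NAME.match(name)
            if m:
                alerts.append({'rule': 'chromedefaultbrowser_task',
                               'severity': _suffix_severity(m.group(1), host_name),
                               'detail': name + ' -> ' + action})
            elif '\\appdata\\local\\' in action.casefold():
                # Item 3 of the post's checklist on its own: useful but noisy.
                alerts.append({'rule': 'task_runs_from_appdata_local', 'severity': 'low',
                               'detail': name + ' -> ' + action})
        elif kind == 'dns_query':
            q = ev.get('query', '').rstrip('.').casefold()
            # Suffix match on a label boundary, so amscloudhost.com.example.net does not fire.
            if q == C2_DOMAIN or q.endswith('.' + C2_DOMAIN):
                alerts.append({'rule': 'amscloudhost_dns', 'severity': 'high', 'detail': q})
    return alerts


SAMPLE_HOST = 'WS-01'                                                 # assumed
SAMPLE_HOST_B64 = base64.b64encode(SAMPLE_HOST.encode()).decode()    # 'V1MtMDE='
DROP = 'C:\\Users\\alice\\AppData\\Local\\VirtualStore\\chrminst_' + SAMPLE_HOST_B64 + '.exe'

# Constructed telemetry, not real logs: the chain from the post followed by benign noise.
SAMPLE_EVENTS = [
    {'type': 'process_create', 'cmdline': 'rundll32.exe #temp\\mKdPDaed.dll,ozCutPromo'},
    {'type': 'file_create', 'path': DROP},
    {'type': 'task_create', 'name': 'ChromeDefaultBrowser_Agent_' + SAMPLE_HOST_B64,
     'action': DROP + ' DOFBBdXC5DmPC'},
    {'type': 'dns_query', 'query': 'app-ins-001.amscloudhost.com'},
    {'type': 'process_create', 'cmdline': 'rundll32.exe shell32.dll,Control_RunDLL'},
    {'type': 'file_create', 'path': 'C:\\Users\\alice\\AppData\\Local\\VirtualStore\\chrminst_'
                                    + base64.b64encode(b'OTHER-PC').decode() + '.exe'},
    {'type': 'task_create', 'name': 'OneDrive Standalone Update Task',
     'action': 'C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDriveStandaloneUpdater.exe'},
    {'type': 'dns_query', 'query': 'amscloudhost.com.example.net'},
]

if __name__ == '__main__':
    for alert in detect(SAMPLE_EVENTS, SAMPLE_HOST):
        print(alert['severity'].upper(), alert['rule'], alert['detail'])
```

Run as a script, it prints six alerts for the constructed telemetry and nothing for the benign rundll32 and DNS events. Two design points are worth noting. First, decoding the base64 suffix of chrminst_*.exe and of the ChromeDefaultBrowser_Agent_* task and comparing it with the local computer name turns a prefix match into a host-specific indicator, so a suffix that decodes to some other host name is still flagged, but at lower severity. Second, the checklist's third item (anything the Task Scheduler runs from AppData\\Local) fires on ordinary per-user updaters, which is why it is kept as a low-severity rule rather than dropped.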
Once the checks are complete, the backdoor sends information about the compromised system to the command-and-control server: the username, the computer name, the domain name, a list of files and folders in Program Files, Desktop, and AppData\\Local, and a unique identifier. It then downloads a DLL and calls its exported function (yDNvu in this case).\r\nConclusions\r\nDespite its widely known attack techniques, Red Wolf still manages to bypass traditional defenses and minimize the likelihood of detection. By drawing little attention, the group is able to remain unnoticed in the compromised infrastructure for a long time and achieve its goals.\r\nHow to detect the traces of Red Wolf\r\n1. Monitor the creation and mounting of small disk image files\r\n2. Pay attention to DLL files run by rundll32 from #TEMP\r\n3. Track suspicious files run by the Windows Task Scheduler from C:\\Users\\[user]\\AppData\\Local\r\n4. Look for traces of network communications with subdomains of amscloudhost[.]com\r\n5. Prioritize the detection of tactics, techniques, and procedures specific to Red Wolf\r\nMITRE ATT\u0026CK\r\n[The ATT\u0026CK mapping was published as an image]\r\nIndicators of compromise\r\ne7b881cd106aefa6100d0e5f361e46e557e8f2372bd36cefe863607d19471a04\r\n3bd054a5095806cd7e8392b749efa283735616ae8a0e707cdcc25654059bfe6b\r\n4188c953d784049dbd5be209e655d6d73f37435d9def71fd1edb4ed74a2f9e17\r\napp-ins-001.amscloudhost[.]com\r\nm-dn-001.amscloudhost[.]com\r\nm-dn-002.amscloudhost[.]com\r\nDetailed information about Red Wolf, its tactics, techniques, and procedures, as well as more indicators of compromise, is available with BI.ZONE ThreatVision.\r\nSource: https://bi-zone.medium.com/hunting-the-hunter-bi-zone-traces-the-footsteps-of-red-wolf-3677783e164d",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://bi-zone.medium.com/hunting-the-hunter-bi-zone-traces-the-footsteps-of-red-wolf-3677783e164d"
	],
	"report_names": [
		"hunting-the-hunter-bi-zone-traces-the-footsteps-of-red-wolf-3677783e164d"
	],
	"threat_actors": [
		{
			"id": "6ec2cd63-307d-4281-86da-5dc199e932af",
			"created_at": "2025-08-07T02:03:24.821494Z",
			"updated_at": "2026-04-10T02:00:03.843522Z",
			"deleted_at": null,
			"main_name": "GOLD BLADE",
			"aliases": [
				"Earth Kapre",
				"Red Wolf",
				"RedCurl"
			],
			"source_name": "Secureworks:GOLD BLADE",
			"tools": [
				"RedLoader"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "f72f2981-0dc4-4d96-857c-a725a143a538",
			"created_at": "2024-03-21T02:00:04.724563Z",
			"updated_at": "2026-04-10T02:00:03.602417Z",
			"deleted_at": null,
			"main_name": "Earth Kapre",
			"aliases": [
				"RedCurl",
				"Red Wolf",
				"GOLD BLADE"
			],
			"source_name": "MISPGALAXY:Earth Kapre",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "79e95381-8008-48dc-b981-fd66e1c46ca6",
			"created_at": "2022-10-25T16:07:24.110478Z",
			"updated_at": "2026-04-10T02:00:04.869039Z",
			"deleted_at": null,
			"main_name": "RedCurl",
			"aliases": [
				"Earth Kapre",
				"Red Wolf"
			],
			"source_name": "ETDA:RedCurl",
			"tools": [
				"Impacket",
				"LaZagne"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "8108d548-e30f-4b90-aa60-71323ba66678",
			"created_at": "2024-11-01T02:00:52.667098Z",
			"updated_at": "2026-04-10T02:00:05.343786Z",
			"deleted_at": null,
			"main_name": "RedCurl",
			"aliases": [
				"RedCurl"
			],
			"source_name": "MITRE:RedCurl",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434316,
	"ts_updated_at": 1775791834,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0c8b5a53aa7557fce53d91d545fb44568b599227.pdf",
		"text": "https://archive.orkl.eu/0c8b5a53aa7557fce53d91d545fb44568b599227.txt",
		"img": "https://archive.orkl.eu/0c8b5a53aa7557fce53d91d545fb44568b599227.jpg"
	}
}