{
	"id": "f1e04eb1-aa66-44c9-a96f-ef05235729a9",
	"created_at": "2026-04-06T00:22:19.511594Z",
	"updated_at": "2026-04-10T13:11:54.655291Z",
	"deleted_at": null,
	"sha1_hash": "22d73a1e8fa3460884d20c2983bfe814d108e08c",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 54838,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 23:33:47 UTC\r\n APT group: RedCurl\r\nNames\r\nRedCurl (Group-IB)\r\nRed Wolf (BI.ZONE)\r\nEarth Kapre (Trend Micro)\r\nCountry [Unknown]\r\nMotivation Information theft and espionage\r\nFirst seen 2018\r\nDescription\r\n(ZDNet) Security researchers have uncovered a new Russian-speaking hacking\r\ngroup that they claim has been focusing on the past three years on corporate\r\nespionage, targeting companies across the world to steal documents that contain\r\ncommercial secrets and employee personal data.\r\nNamed RedCurl, the activities of this new group have been detailed in a 57-page\r\nreport released today by cyber-security firm Group-IB.\r\nThe company has been tracking the group since the summer of 2019 when it was\r\nfirst called to investigate a security breach at a company hacked by the group.\r\nSince then, Group-IB said it identified 26 other RedCurl attacks, carried out against\r\n14 organizations, going as far back as 2018.\r\nObserved\r\nSectors: Construction, Financial, Retail and travel agencies and law and consulting\r\nfirms.\r\nCountries: Australia, Canada, Germany, Mexico, Norway, Russia, Spain, UK,\r\nUkraine, USA.\r\nTools used Impacket, LaZagne.\r\nOperations performed\r\n2021\r\nRedCurl: The awakening\r\n\u003chttps://www.group-ib.com/resources/threat-research/red-curl-2.html\u003e\r\nNov 2022\r\nRedCurl hackers return to spy on 'major Russian bank,' Australian\r\ncompany\r\n\u003chttps://therecord.media/redcurl-hackers-russian-bank-australian-company\u003e\r\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=318f02e3-9165-43fb-b08b-fbf646f4dcf1\r\nPage 1 of 2\n\n2023\nHunting the hunter: BI.ZONE traces the footsteps of Red Wolf\n2023\nUnveiling Earth Kapre aka RedCurl’s Cyberespionage Tactics With\nTrend Micro MDR, Threat Intelligence\nMar 2025\nRedCurl's Ransomware Debut: A Technical Deep Dive\nInformation\nLast change to this card: 21 April 2025\nDownload 
this actor card in PDF or JSON format\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=318f02e3-9165-43fb-b08b-fbf646f4dcf1",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=318f02e3-9165-43fb-b08b-fbf646f4dcf1"
	],
	"report_names": [
		"showcard.cgi?u=318f02e3-9165-43fb-b08b-fbf646f4dcf1"
	],
	"threat_actors": [
		{
			"id": "6ec2cd63-307d-4281-86da-5dc199e932af",
			"created_at": "2025-08-07T02:03:24.821494Z",
			"updated_at": "2026-04-10T02:00:03.843522Z",
			"deleted_at": null,
			"main_name": "GOLD BLADE",
			"aliases": [
				"Earth Kapre ",
				"Red Wolf ",
				"RedCurl "
			],
			"source_name": "Secureworks:GOLD BLADE",
			"tools": [
				"RedLoader"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "f72f2981-0dc4-4d96-857c-a725a143a538",
			"created_at": "2024-03-21T02:00:04.724563Z",
			"updated_at": "2026-04-10T02:00:03.602417Z",
			"deleted_at": null,
			"main_name": "Earth Kapre",
			"aliases": [
				"RedCurl",
				"Red Wolf",
				"GOLD BLADE"
			],
			"source_name": "MISPGALAXY:Earth Kapre",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "79e95381-8008-48dc-b981-fd66e1c46ca6",
			"created_at": "2022-10-25T16:07:24.110478Z",
			"updated_at": "2026-04-10T02:00:04.869039Z",
			"deleted_at": null,
			"main_name": "RedCurl",
			"aliases": [
				"Earth Kapre",
				"Red Wolf"
			],
			"source_name": "ETDA:RedCurl",
			"tools": [
				"Impacket",
				"LaZagne"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "8108d548-e30f-4b90-aa60-71323ba66678",
			"created_at": "2024-11-01T02:00:52.667098Z",
			"updated_at": "2026-04-10T02:00:05.343786Z",
			"deleted_at": null,
			"main_name": "RedCurl",
			"aliases": [
				"RedCurl"
			],
			"source_name": "MITRE:RedCurl",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434939,
	"ts_updated_at": 1775826714,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/22d73a1e8fa3460884d20c2983bfe814d108e08c.pdf",
		"text": "https://archive.orkl.eu/22d73a1e8fa3460884d20c2983bfe814d108e08c.txt",
		"img": "https://archive.orkl.eu/22d73a1e8fa3460884d20c2983bfe814d108e08c.jpg"
	}
}