{ "id": "c1ce8ea2-6949-4b8b-87a4-833db3cc0a7a", "created_at": "2026-04-06T00:09:10.236277Z", "updated_at": "2026-04-10T03:30:34.706671Z", "deleted_at": null, "sha1_hash": "66f92e947ee8459ee57fafe196dacaa4aba77f3f", "title": "RedCurl cybercrime group has hacked companies for three years", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 668811, "plain_text": "RedCurl cybercrime group has hacked companies for three years\r\nBy Written by Catalin Cimpanu, ContributorContributor Aug. 13, 2020 at 12:00 a.m. PT\r\nArchived: 2026-04-05 15:38:13 UTC\r\nImage: Group-IB\r\nSecurity\r\nSecurity researchers have uncovered a new Russian-speaking hacking group that they claim has been focusing on\r\nthe past three years on corporate espionage, targeting companies across the world to steal documents that contain\r\ncommercial secrets and employee personal data.\r\nNamed RedCurl, the activities of this new group have been detailed in a 57-page report released today by cyber-security firm Group-IB.\r\nThe company has been tracking the group since the summer of 2019 when it was first called to investigate a\r\nsecurity breach at a company hacked by the group.\r\nSince then, Group-IB said it identified 26 other RedCurl attacks, carried out against 14 organizations, going as far\r\nback as 2018.\r\nVictims varied across countries and industry sectors, and included construction companies, retailers, travel\r\nagencies, insurance companies, banks, and law and consulting firms from countries like Russia, Ukraine, Canada,\r\nGermany, Norway, and the UK.\r\nSpear-phishing and PowerShell\r\nhttps://www.zdnet.com/article/redcurl-cybercrime-group-has-hacked-companies-for-three-years/\r\nPage 1 of 2\n\nBut despite the prolonged three-year hacking spree, the group didn't use complex tools or hacking techniques for\r\ntheir attacks. Instead, the group heavily relied on spear-phishing for initial access.\r\n\"RedCurl's distinctive feature, however, is that the email content is carefully drafted,\" researchers said today. \"For\r\ninstance, the emails displayed the targeted company's address and logo, while the sender address featured the\r\ncompany's domain name.\r\n\"The attackers posed as members of the HR team at the targeted organization and sent out emails to multiple\r\nemployees at once, which made the employees less vigilant, especially considering that many of them worked in\r\nthe same department,\" they added.\r\nThe emails included links to malware-laced files that victims had to download. Once victims ran the content of the\r\nboobytrapped archives, they got infected with a collection of PowerShell-based trojans.\r\nredcurl-schema.jpg\r\nImage: Group-IB\r\nGroup-IB said the trojans were unique to the group and allowed RedCurl operators access to basic operations,\r\nsuch as searching systems, downloading other malware, or uploading stolen files to remote servers.\r\nRedCurl hid in hacked networks between two and six months\r\nWhere possible, the group also attempted to move laterally through infected networks by accessing network\r\nshared drives and replacing original files with boobytrapped LNK (shortcut) files that would infect other\r\nemployees if they executed the files.\r\nGroup-IB researchers say that this phase usually lasted between two and six months.\r\n\"The stage of spreading over the network is significantly extended in time as the group strives to remain unnoticed\r\nfor as long as possible and does not use any active Trojans that could disclose its presence,\" the company said.\r\nOne particular thing that stood out about RedCurl was the use of the WebDAV protocol as a data exfiltration\r\nchannel, similar to other hacking groups like CloudAtlas and RedOctober. However, Group-IB said it did not find\r\nany other major overlaps between the three, and believes they are separate operations based on the current\r\nevidence.\r\nredcurl-comparrison.png\r\nImage: Group-IB\r\nThe biggest Internet of Things, smart home hacks of 2019\r\nSecurity\r\nSource: https://www.zdnet.com/article/redcurl-cybercrime-group-has-hacked-companies-for-three-years/\r\nhttps://www.zdnet.com/article/redcurl-cybercrime-group-has-hacked-companies-for-three-years/\r\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://www.zdnet.com/article/redcurl-cybercrime-group-has-hacked-companies-for-three-years/" ], "report_names": [ "redcurl-cybercrime-group-has-hacked-companies-for-three-years" ], "threat_actors": [ { "id": "6ec2cd63-307d-4281-86da-5dc199e932af", "created_at": "2025-08-07T02:03:24.821494Z", "updated_at": "2026-04-10T02:00:03.843522Z", "deleted_at": null, "main_name": "GOLD BLADE", "aliases": [ "Earth Kapre ", "Red Wolf ", "RedCurl " ], "source_name": "Secureworks:GOLD BLADE", "tools": [ "RedLoader" ], "source_id": "Secureworks", "reports": null }, { "id": "f72f2981-0dc4-4d96-857c-a725a143a538", "created_at": "2024-03-21T02:00:04.724563Z", "updated_at": "2026-04-10T02:00:03.602417Z", "deleted_at": null, "main_name": "Earth Kapre", "aliases": [ "RedCurl", "Red Wolf", "GOLD BLADE" ], "source_name": "MISPGALAXY:Earth Kapre", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "79e95381-8008-48dc-b981-fd66e1c46ca6", "created_at": "2022-10-25T16:07:24.110478Z", "updated_at": "2026-04-10T02:00:04.869039Z", "deleted_at": null, "main_name": "RedCurl", "aliases": [ "Earth Kapre", "Red Wolf" ], "source_name": "ETDA:RedCurl", "tools": [ "Impacket", "LaZagne" ], "source_id": "ETDA", "reports": null }, { "id": "8108d548-e30f-4b90-aa60-71323ba66678", "created_at": "2024-11-01T02:00:52.667098Z", "updated_at": "2026-04-10T02:00:05.343786Z", "deleted_at": null, "main_name": "RedCurl", "aliases": [ "RedCurl" ], "source_name": "MITRE:RedCurl", "tools": null, "source_id": "MITRE", "reports": null } ], "ts_created_at": 1775434150, "ts_updated_at": 1775791834, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/66f92e947ee8459ee57fafe196dacaa4aba77f3f.pdf", "text": "https://archive.orkl.eu/66f92e947ee8459ee57fafe196dacaa4aba77f3f.txt", "img": "https://archive.orkl.eu/66f92e947ee8459ee57fafe196dacaa4aba77f3f.jpg" } }