{
	"id": "be4dfe77-2b37-49b3-a57e-78cfca588065",
	"created_at": "2026-04-06T15:52:32.683473Z",
	"updated_at": "2026-04-10T03:36:27.556969Z",
	"deleted_at": null,
	"sha1_hash": "747f7adab1f6ac6dad6f1d9de899d59500d6e073",
	"title": "RedCurl: The Pentest You Didn’t Know About | Group-IB Threat Research",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2034134,
	"plain_text": "RedCurl: The Pentest You Didn’t Know About\r\nThe APT group continues to successfully attack enterprise companies in North America, Europe, and CIS countries after remaining undetected for years. Their goal is carefully planned, targeted cyber espionage.\r\nIn this report:\r\nTTPs: First description of TTPs and infrastructure of the new threat actor\r\nKill Chain: Detailed kill chain based on unique incident response data\r\nAttribution: Possible connections with Red October and Cloud Atlas campaigns\r\nView report\r\nhttps://www.group-ib.com/resources/research-hub/red-curl/\r\nPage 1 of 4\n\nRustam Mirkasymov\r\nHead of Cyber Threat Research\r\nAdvanced protection against cyber threats\r\nGroup-IB’s security ecosystem provides comprehensive protection for your IT infrastructure based on our unique cyber intelligence and deep analysis of attacks and incident response.\r\nFor RedCurl it makes no difference whether it attacks a consulting company in Canada or a Russian bank, because the contents of the victim’s documents and records can be much more valuable than the contents of their own wallets: the consequences of espionage can amount to tens of millions of dollars, despite the lack of direct financial losses.\r\nRedCurl implements various techniques to stay undetected for months. The lack of indicators and technical data about the group makes it easier for the threat actor to remain active. We continue to track new attacks worldwide and have therefore included IoCs in the report, which organizations can use to check their networks for signs of RedCurl infections.",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.group-ib.com/resources/research-hub/red-curl/"
	],
	"report_names": [
		"red-curl"
	],
	"threat_actors": [
		{
			"id": "6ec2cd63-307d-4281-86da-5dc199e932af",
			"created_at": "2025-08-07T02:03:24.821494Z",
			"updated_at": "2026-04-10T02:00:03.843522Z",
			"deleted_at": null,
			"main_name": "GOLD BLADE",
			"aliases": [
				"Earth Kapre ",
				"Red Wolf ",
				"RedCurl "
			],
			"source_name": "Secureworks:GOLD BLADE",
			"tools": [
				"RedLoader"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "77b28afd-8187-4917-a453-1d5a279cb5e4",
			"created_at": "2022-10-25T15:50:23.768278Z",
			"updated_at": "2026-04-10T02:00:05.266635Z",
			"deleted_at": null,
			"main_name": "Inception",
			"aliases": [
				"Inception Framework",
				"Cloud Atlas"
			],
			"source_name": "MITRE:Inception",
			"tools": [
				"PowerShower",
				"VBShower",
				"LaZagne"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f72f2981-0dc4-4d96-857c-a725a143a538",
			"created_at": "2024-03-21T02:00:04.724563Z",
			"updated_at": "2026-04-10T02:00:03.602417Z",
			"deleted_at": null,
			"main_name": "Earth Kapre",
			"aliases": [
				"RedCurl",
				"Red Wolf",
				"GOLD BLADE"
			],
			"source_name": "MISPGALAXY:Earth Kapre",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "04a7ebaa-ebb1-4971-b513-a0c86886d932",
			"created_at": "2023-01-06T13:46:38.784965Z",
			"updated_at": "2026-04-10T02:00:03.099088Z",
			"deleted_at": null,
			"main_name": "Inception Framework",
			"aliases": [
				"Clean Ursa",
				"Cloud Atlas",
				"G0100",
				"ATK116",
				"Blue Odin"
			],
			"source_name": "MISPGALAXY:Inception Framework",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "79e95381-8008-48dc-b981-fd66e1c46ca6",
			"created_at": "2022-10-25T16:07:24.110478Z",
			"updated_at": "2026-04-10T02:00:04.869039Z",
			"deleted_at": null,
			"main_name": "RedCurl",
			"aliases": [
				"Earth Kapre",
				"Red Wolf"
			],
			"source_name": "ETDA:RedCurl",
			"tools": [
				"Impacket",
				"LaZagne"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "8108d548-e30f-4b90-aa60-71323ba66678",
			"created_at": "2024-11-01T02:00:52.667098Z",
			"updated_at": "2026-04-10T02:00:05.343786Z",
			"deleted_at": null,
			"main_name": "RedCurl",
			"aliases": [
				"RedCurl"
			],
			"source_name": "MITRE:RedCurl",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "02c9f3f6-5d10-456b-9e63-750286048149",
			"created_at": "2022-10-25T16:07:23.722884Z",
			"updated_at": "2026-04-10T02:00:04.72726Z",
			"deleted_at": null,
			"main_name": "Inception Framework",
			"aliases": [
				"ATK 116",
				"Blue Odin",
				"Clean Ursa",
				"Cloud Atlas",
				"G0100",
				"Inception Framework",
				"Operation Cloud Atlas",
				"Operation RedOctober",
				"The Rocra"
			],
			"source_name": "ETDA:Inception Framework",
			"tools": [
				"Lastacloud",
				"PowerShower",
				"VBShower"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775490752,
	"ts_updated_at": 1775792187,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/747f7adab1f6ac6dad6f1d9de899d59500d6e073.pdf",
		"text": "https://archive.orkl.eu/747f7adab1f6ac6dad6f1d9de899d59500d6e073.txt",
		"img": "https://archive.orkl.eu/747f7adab1f6ac6dad6f1d9de899d59500d6e073.jpg"
	}
}