{
	"id": "eea06e09-6375-46e2-884d-2c0179195de3",
	"created_at": "2026-04-06T00:12:46.270494Z",
	"updated_at": "2026-04-10T03:30:34.68741Z",
	"deleted_at": null,
	"sha1_hash": "88944ae624979cb1d4c3e9f951eb937e9455362c",
	"title": "RedCurl hackers return to spy on 'major Russian bank,' Australian company",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 76656,
	"plain_text": "RedCurl hackers return to spy on 'major Russian bank,'\r\nAustralian company\r\nBy Daryna Antoniuk\r\nPublished: 2023-07-17 · Archived: 2026-04-05 13:52:57 UTC\r\nThe Russian-speaking hacking group RedCurl attacked a “major Russian bank” and an unidentified Australian\r\ncompany earlier this year to steal corporate secrets, according to recent research.\r\nThe incidents were the latest in a string of at least 34 attacks in the last four years, according to a report published\r\non Monday by Russia-based company F.A.C.C.T., an offshoot of cybersecurity firm Group-IB.\r\nRedCurl has been conducting commercial espionage since at least 2018, targeting a wide range of organizations\r\nincluding construction, finance, consulting firms, retailers, banks, insurance companies, and legal entities.\r\nAbout half of the attacks have been aimed at victims in Russia, while the other half targeted organizations in\r\nUkraine, Canada, and Europe, F.A.C.C.T. said.\r\nThe group does not encrypt the data of its victims and does not demand a ransom. It hunts for documents with\r\ncommercial secrets and personal data of employees, and tries to get them “as discreetly as possible,\" the\r\nresearchers said.\r\nRedCurl made two attempts to attack the undisclosed Russian bank. During the first attempt in November 2022,\r\nthey used phishing emails but failed, F.A.C.C.T. said. However, in May of this year, the group successfully\r\ntargeted one of the bank's contractors to gain access to the victim's infrastructure. In June, RedCurl used the same\r\ntactics and tools in the attack on the Australian company.\r\nTools and strategy\r\nThe group mostly makes its own tools or modifies existing malware, the researchers said.\r\nIn both recent attacks, the tool was called RedCurl.SimpleDownloader, which is currently still being developed,\r\nF.A.C.C.T. said.\r\nWhen targeting Russian organizations, the hackers employed the initial version of this tool, which lacked any\r\nprotection against analysis and detection. However, the version employed in the attack on the Australian company\r\nincludes new protective features, such as string encryption using an algorithm.\r\n“RedCurl is constantly evolving, refining both their techniques and tools,” F.A.C.C.T. said.\r\nThe group's hackers can stay undetected for long periods, between two and six months, before stealing corporate\r\ndata, the researchers said, and the attacks can include a long and complex infection chain.\r\nIt is still not clear who is behind this campaign and what their motives are, F.A.C.C.T. said.\r\nhttps://therecord.media/redcurl-hackers-russian-bank-australian-company\r\n“RedCurl remains one of the most interesting Russian-language cybercrime groups, especially the uncommon\r\ntargeting of both Russian and non-Russian entities,” Russian cyber analyst Ian Litschko wrote on Twitter.\r\nDaryna Antoniuk\r\nis a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in\r\nEastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for\r\nForbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.\r\nSource: https://therecord.media/redcurl-hackers-russian-bank-australian-company",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"ETDA"
	],
	"references": [
		"https://therecord.media/redcurl-hackers-russian-bank-australian-company"
	],
	"report_names": [
		"redcurl-hackers-russian-bank-australian-company"
	],
	"threat_actors": [
		{
			"id": "6ec2cd63-307d-4281-86da-5dc199e932af",
			"created_at": "2025-08-07T02:03:24.821494Z",
			"updated_at": "2026-04-10T02:00:03.843522Z",
			"deleted_at": null,
			"main_name": "GOLD BLADE",
			"aliases": [
				"Earth Kapre ",
				"Red Wolf ",
				"RedCurl "
			],
			"source_name": "Secureworks:GOLD BLADE",
			"tools": [
				"RedLoader"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "f72f2981-0dc4-4d96-857c-a725a143a538",
			"created_at": "2024-03-21T02:00:04.724563Z",
			"updated_at": "2026-04-10T02:00:03.602417Z",
			"deleted_at": null,
			"main_name": "Earth Kapre",
			"aliases": [
				"RedCurl",
				"Red Wolf",
				"GOLD BLADE"
			],
			"source_name": "MISPGALAXY:Earth Kapre",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "79e95381-8008-48dc-b981-fd66e1c46ca6",
			"created_at": "2022-10-25T16:07:24.110478Z",
			"updated_at": "2026-04-10T02:00:04.869039Z",
			"deleted_at": null,
			"main_name": "RedCurl",
			"aliases": [
				"Earth Kapre",
				"Red Wolf"
			],
			"source_name": "ETDA:RedCurl",
			"tools": [
				"Impacket",
				"LaZagne"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "8108d548-e30f-4b90-aa60-71323ba66678",
			"created_at": "2024-11-01T02:00:52.667098Z",
			"updated_at": "2026-04-10T02:00:05.343786Z",
			"deleted_at": null,
			"main_name": "RedCurl",
			"aliases": [
				"RedCurl"
			],
			"source_name": "MITRE:RedCurl",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434366,
	"ts_updated_at": 1775791834,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/88944ae624979cb1d4c3e9f951eb937e9455362c.pdf",
		"text": "https://archive.orkl.eu/88944ae624979cb1d4c3e9f951eb937e9455362c.txt",
		"img": "https://archive.orkl.eu/88944ae624979cb1d4c3e9f951eb937e9455362c.jpg"
	}
}