{
	"id": "3c655702-8733-4f4b-9ef9-4529fac57f7f",
	"created_at": "2026-04-06T15:52:29.706598Z",
	"updated_at": "2026-04-10T13:11:33.375618Z",
	"deleted_at": null,
	"sha1_hash": "9c674b6e787c87113cdf7119d43e9757c52a5342",
	"title": "RedCurl: The Awakening | Group-IB",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 147034,
	"plain_text": "RedCurl: The Awakening\r\nCommercial cyber espionage remains a rare and largely unique phenomenon. We cannot rule out, however, that RedCurl’s success could lead to a new trend in the cybercrime arena.\r\nIn this report:\r\nTTPs: Discover the group’s new and updated tools as well as its tactics and infrastructure characteristics mapped to the MITRE ATT\u0026CK® matrix\r\nKill Chain: Gain insights into a detailed kill chain of the latest attack based on incident response activities and unique data from Group-IB Threat Intelligence \u0026 Attribution\r\nIoCs and recommendations: Learn indicators of compromise and a set of mitigations to secure your organization against RedCurl attacks\r\nAbout the report:\r\nLast year, Group-IB specialists discovered a new Russian-speaking hacker group that they named RedCurl. Between 2018 and 2020, the group carried out 26 attacks for the purposes of corporate espionage and documentation theft. Group-IB identified 14 victim organizations across various industries. Seven months later, in 2021, the attacks resumed. 
Group-IB’s most recent report details how the adversary’s tactics and tools have changed and reveals the group’s new victims.\r\nAbout RedCurl\r\nGoal: Corporate espionage and documentation theft\r\nActive: Since 2018\r\nAttack total: 30, including 4 attacks since the start of 2021\r\nDwell time in the victim’s infrastructure: 2–6 months\r\nVictims: 15\r\nRelevant reports\r\nWe see the full picture of the evolving cyber threat landscape thanks to unique tools for monitoring the infrastructure used by cybercriminals and data from battlefields:\r\nThreat Research\r\nConti Armada: The ARMattack Campaign\r\nTake a deep dive into “ARMattack”, one of the shortest yet most successful campaigns...\r\nhttps://www.group-ib.com/resources/research-hub/red-curl-2/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.group-ib.com/resources/research-hub/red-curl-2/"
	],
	"report_names": [
		"red-curl-2"
	],
	"threat_actors": [
		{
			"id": "6ec2cd63-307d-4281-86da-5dc199e932af",
			"created_at": "2025-08-07T02:03:24.821494Z",
			"updated_at": "2026-04-10T02:00:03.843522Z",
			"deleted_at": null,
			"main_name": "GOLD BLADE",
			"aliases": [
				"Earth Kapre ",
				"Red Wolf ",
				"RedCurl "
			],
			"source_name": "Secureworks:GOLD BLADE",
			"tools": [
				"RedLoader"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f72f2981-0dc4-4d96-857c-a725a143a538",
			"created_at": "2024-03-21T02:00:04.724563Z",
			"updated_at": "2026-04-10T02:00:03.602417Z",
			"deleted_at": null,
			"main_name": "Earth Kapre",
			"aliases": [
				"RedCurl",
				"Red Wolf",
				"GOLD BLADE"
			],
			"source_name": "MISPGALAXY:Earth Kapre",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "79e95381-8008-48dc-b981-fd66e1c46ca6",
			"created_at": "2022-10-25T16:07:24.110478Z",
			"updated_at": "2026-04-10T02:00:04.869039Z",
			"deleted_at": null,
			"main_name": "RedCurl",
			"aliases": [
				"Earth Kapre",
				"Red Wolf"
			],
			"source_name": "ETDA:RedCurl",
			"tools": [
				"Impacket",
				"LaZagne"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "8108d548-e30f-4b90-aa60-71323ba66678",
			"created_at": "2024-11-01T02:00:52.667098Z",
			"updated_at": "2026-04-10T02:00:05.343786Z",
			"deleted_at": null,
			"main_name": "RedCurl",
			"aliases": [
				"RedCurl"
			],
			"source_name": "MITRE:RedCurl",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775490749,
	"ts_updated_at": 1775826693,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9c674b6e787c87113cdf7119d43e9757c52a5342.pdf",
		"text": "https://archive.orkl.eu/9c674b6e787c87113cdf7119d43e9757c52a5342.txt",
		"img": "https://archive.orkl.eu/9c674b6e787c87113cdf7119d43e9757c52a5342.jpg"
	}
}