article featured image


The Group-IB researchers have revealed in a recent report the returning of a reportedly corporate cyber-espionage hacker group dubbed RedCurl.

RedCurl APT Group: Background

The Group-IB experts discovered this APT group, publishing a report about them in 2020. It seems that the hacking group started its operations back in 2018, targeting organizations from various industries like finance, consulting, retail, construction, banking, insurance law, and travel in a wave of 26 cyberattacks between 2018 and 2020. The researchers stated that the companies were from Germany, Canada, Norway, Ukraine, the UK, and Russia.

The experts were also mentioning at that time:

In all campaigns, RedCurl’s main goal was to steal confidential corporate documents such as contracts, financial documents, employee personal records, and records of legal actions and facility construction. This could indicate that RedCurl’s attacks might have been commissioned for the purpose of corporate espionage.


RedCurl Makes a Comeback

It seems that after a pause of seven months, RedCurl has returned employing new tactics, as the researchers detailed in a new report published on the 18th of November.

Ivan Pisarev, Head of the Dynamic Malware Analysis Team at Group-IB, made a declaration on the returning of this hacking group saying that:

Group-IB Threat Intelligence & Attribution system detected RedCurl’s updated arsenal as it appeared: after a long break, the group returned to the corporate cyber-espionage arena. In every attack, the threat actor demonstrates extensive red teaming skills and the ability to bypass traditional anti-virus detection using their own custom malware. This means that more and more companies are likely to fall victim to the group, which conducts well-prepared targeted attacks aimed at stealing internal corporate documentation. Commercial Corporate cyber espionage remains a rare and largely unique phenomenon. We cannot rule out, however, that RedCurl’s success could set a new trend in the cybercrime space.


RedCurl: Attack Method and What’s New?

As the new report states, since 2021 has started, the number of attacks spotted by the Group-IB Threat Intelligence researchers raises up to 4. According to them, it seems that a Russian wholesale company has been among the victims.

The recent RedCurl cyberattacks showed a change of their arsenal tactics with the following novelties:

  • It was noticed an increase in the stages unfolded between the phishing email receiving and the execution module launching, the so-called kill chain stages for “patient zero” raised from 3 to 5;
  • The threat actor group has a new reconnaissance tool similar in terms of features to the FirstStageAgent module. This comes also with a PowerShell downloader;
  • In the preceding steps before an attack happens, the threat actors gather data using public sources about the victim;
  • Their methods rely on spear-phishing e-mails that seem to be sent by the HR organization’s department;
  • Among the social engineering methods they use the experts have noticed the particularity of email headers which include details about staff incentive programs changes or other types of news related to the targeted enterprise;
  • So the links that will direct to some bonuses receiving will work as bait for users, determining to click on them.

After infecting a computer in the victim’s network, RedCurl collects information about its infrastructure. The hackers are mainly interested in the name and version of the infected system, the list of network and logical drives, and the list of passwords. Group-IB Threat Intelligence team discovered that information from the infected device, the IP address, and the time that the request was received were saved in a separate file on the server-side.


How Can Heimdal™ Help?

Phishing becomes more and more advanced day by day, that is why your organization needs an efficient E-Mail Security tool like ours to face the current threats successfully. Avoid e-mail impersonation and data leaks risks with our advanced spam filter.

Did you enjoy this article? Follow us on LinkedInTwitterFacebookYoutube, or Instagram to keep up to date with everything we post!

Author Profile

Andra Andrioaie

Security Enthusiast

linkedin icon

Hi! My name is Andra and I am a passionate writer interested in a variety of topics. I am curious about the cybersecurity world and what I want to achieve through what I write is to keep you curious too!

Leave a Reply

Your email address will not be published. Required fields are marked *