RedCurl Shifts Tactics: Russian Hacking Group Deploys Ransomware for the First Time
The Russian-speaking cyber espionage group RedCurl has been observed conducting a ransomware attack for the first time, marking a significant change in its operational methods.

Romanian cybersecurity firm Bitdefender discovered that the group deployed a new ransomware strain, QWCrypt, in its latest campaign.
From Corporate Espionage to Ransomware Attacks
RedCurl, also known as Earth Kapre and Red Wolf, has been active since at least November 2018, primarily engaging in corporate espionage across Canada, Germany, Norway, Russia, Slovenia, Ukraine, the UK, and the US.
Previously documented attacks, such as those outlined by Group-IB in 2020, relied on HR-themed spear-phishing emails to deploy malware. More recently, in January 2024, Huntress detailed RedCurl's use of RedLoader, a simple backdoor, in attacks against Canadian organizations. In February 2024, eSentire reported that RedCurl was distributing malicious PDF attachments disguised as résumés, abusing the legitimate Adobe executable "ADNotificationManager.exe" to execute its malware.
Latest Attack Tactics: Social Engineering and Malware Execution
Bitdefender's findings show RedCurl using ISO disk images posing as résumés to initiate a multi-stage attack. Each image contains a Windows screensaver file (SCR), which is an ordinary PE executable under a different extension; when the victim opens it, it launches the legitimate, signed "ADNotificationManager.exe" shipped alongside a malicious "netutils.dll". Because Windows searches the executable's own directory before the system directory, the Adobe binary loads the attacker's DLL instead of the genuine one, a classic DLL sideloading technique that lets the payload run under a trusted, signed parent process.
"Upon execution, netutils.dll launches a shell command directing the victim’s browser to a legitimate Indeed login page," explained Martin Zugec, Bitdefender’s Technical Solutions Director.
"This is a carefully crafted social engineering trick, distracting the user while the malware executes in the background."
The loader then downloads and executes a backdoor DLL and establishes persistence via a scheduled task. This stealthy foothold allows RedCurl to move laterally within the network, collect intelligence, and escalate access.
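A hunting check for the sideload chain described above, written as an added example for this article rather than code from Bitdefender or the RedCurl toolset. It runs over constructed, Sysmon-style key/value records (Event ID 7 for image loads, Event ID 1 for process creation; real Sysmon output is EVTX/XML, so the parser is a stand-in) and relies on one fact about Windows: the genuine netutils.dll lives in %SystemRoot%\System32, so a copy of that name loaded by ADNotificationManager.exe from anywhere else is the sideload. The ".scr parent" check catches the first stage independently.

```python
"""Flag ADNotificationManager.exe sideloading netutils.dll, and .scr-spawned instances."""
import ntpath
import re

SIDELOAD_HOST = "adnotificationmanager.exe"
SIDELOAD_DLL = "netutils.dll"
# Directories where the real netutils.dll legitimately resides (lower-cased).
LEGIT_DLL_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# Constructed sample telemetry (not real logs): a benign load from an installed
# Reader, then the Adobe binary launched off a mounted ISO (drive E:) by a
# screensaver file, then the same binary loading netutils.dll from that drive.
SAMPLE_EVENTS = [
    "EventID=7 Image=C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\ADNotificationManager.exe "
    "ImageLoaded=C:\\Windows\\System32\\netutils.dll Signed=true",
    "EventID=1 Image=E:\\ADNotificationManager.exe ParentImage=E:\\resume.scr "
    "CommandLine=\"E:\\ADNotificationManager.exe\"",
    "EventID=7 Image=E:\\ADNotificationManager.exe "
    "ImageLoaded=E:\\netutils.dll Signed=false",
]


def parse_event(line):
    """Split 'Key=value Key2=value with spaces' into a dict.

    Splits only at a space that is followed by another Key=, so values such as
    'C:\\Program Files (x86)\\...' survive intact. Surrounding quotes are dropped.
    """
    fields = {}
    for token in re.split(r" (?=\w+=)", line.strip()):
        key, _, value = token.partition("=")
        fields[key] = value.strip('"')
    return fields


def is_sideload(ev):
    """Event 7: the Adobe binary loaded netutils.dll from outside the system dirs."""
    if ev.get("EventID") != "7":
        return False
    host = ntpath.basename(ev.get("Image", "")).lower()
    loaded = ev.get("ImageLoaded", "")
    if host != SIDELOAD_HOST or ntpath.basename(loaded).lower() != SIDELOAD_DLL:
        return False
    return ntpath.dirname(loaded).lower() not in LEGIT_DLL_DIRS


def is_scr_launch(ev):
    """Event 1: the Adobe binary was spawned by a screensaver (.scr) file."""
    if ev.get("EventID") != "1":
        return False
    host = ntpath.basename(ev.get("Image", "")).lower()
    parent = ev.get("ParentImage", "").lower()
    return host == SIDELOAD_HOST and parent.endswith(".scr")


def hunt(lines):
    """Return (reason, image, related_path) tuples for every suspicious event."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if is_sideload(ev):
            hits.append(("sideload", ev["Image"], ev["ImageLoaded"]))
        elif is_scr_launch(ev):
            hits.append(("scr-launch", ev["Image"], ev["ParentImage"]))
    return hits


if __name__ == "__main__":
    for reason, image, related in hunt(SAMPLE_EVENTS):
        print(f"{reason}: {image} <- {related}")
```

The benign record is ignored because the DLL path resolves to System32; the two records from the ISO mount are flagged, once for the screensaver parent and once for the out-of-place netutils.dll. In a real deployment the same two predicates translate directly into a SIEM or Sigma rule on Sysmon Event IDs 1 and 7.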
RedCurl’s First Documented Ransomware Deployment
In a major shift from espionage-focused operations, RedCurl has now begun deploying ransomware. By encrypting virtual machines (VMs) directly on the hypervisors that host them, the attackers take down every guest at once, including any security tooling running inside those guests, crippling entire virtualized infrastructures with minimal effort.
The ransomware executable also employs the Bring Your Own Vulnerable Driver (BYOVD) technique: it loads a legitimately signed but exploitable driver to gain kernel-level access and uses it to disable endpoint security defenses before launching encryption.
Interestingly, the ransom note bears similarities to messages used by LockBit, HardBit, and Mimic ransomware groups. However, the lack of a dedicated leak site (DLS) raises questions about RedCurl's true motivations—whether this is a genuine extortion attempt or a deliberate misdirection.
"The repurposing of existing ransom note text adds to the mystery surrounding RedCurl’s shift in tactics," Zugec noted.
This evolution in RedCurl's playbook suggests that the group is either diversifying its monetization strategies or testing new ransomware capabilities alongside its traditional espionage activities.