Group focused on commercial organizations likely to be paid-for hackers

Security researchers have uncovered the existence of a previously unknown APT group dubbed RedCurl, which focuses on corporate espionage.

Since the earliest detected attack in May 2018, RedCurl has targeted victims all over the world, including in Russia, Ukraine, the UK, Germany, Canada, and Norway.

The group has carried out at least 26 targeted attacks on commercial organizations alone, including firms in the fields of construction, finance, consulting, retail, banking, insurance, law, and travel.

During its varied campaigns, RedCurl’s main goal was to steal confidential corporate documents such as contracts, financial documents, employee personal records, and records of legal actions and facility construction, according to threat intelligence firm Group-IB.


Tactics involve spear phishing campaigns followed up by the deployment of customized malware.

The group – whose methodology mimics that of legitimate red team pen testers – often uses a trojan downloader called RedCurl.Dropper, a password extractor called LaZagne, and Windows PowerShell scripts.

The attackers then upload the stolen data to legitimate cloud-based storage services.

In total, Group-IB has identified 14 organizations that fell victim to RedCurl's espionage, some on several occasions. Each of the victims has been contacted by the threat intelligence firm.


Group-IB suggests that RedCurl is likely operating as a hacking-for-hire model.

“Our hypothesis is that their attacks might have been commissioned for the purpose of corporate espionage,” Oleg Skulkin, senior digital forensics analyst at Group-IB, told The Daily Swig.

“First, they don’t have a clear geographical focus – they attack companies in Russia, Ukraine, the United Kingdom, Germany, Canada, and Norway. Unlike state-sponsored attackers, they don’t attack government organizations or critical infrastructure facilities.”

Skulkin continued: “We haven’t seen other corporate espionage-focused threat actors with a similar set of tactics, techniques, and procedures, but we found their techniques quite similar to campaigns called Cloud Atlas – but those targeted government entities rather than a corporate segment.”


Group-IB has yet to uncover evidence from dark web forums or elsewhere to confirm this hypothesis.

“Our Dark Web monitoring hasn’t uncovered any ads or posts that may lead to this group,” Skulkin admitted.

Hack-for-hire groups are uncommon, but not unprecedented. Another such group, Dark Basin, instead focusses on credential harvesting, and relies on phishing kits, “leaving corporate network infrastructures untouched”, according to Skulkin.

Group-IB has published a technical report containing indicators of compromise, which organizations can use to check their networks for signs of RedCurl infections.
