🇷🇺

Earth Kapre

APT Group Information theft and espionage ETDA ✓

Also Known As 3 names

GOLD BLADE Red Wolf RedCurl

Target Countries 8

Countries highlighted in red

Australia Canada Germany Spain Mexico Norway Ukraine United States

Sectors Targeted

Financial Air Transportation 481 Outpatient Care Centers 6214 Retail travel agencies and law and consulting firms Construction

Details

Origin 🇷🇺 RU

Last Updated 23 Mar 2024

MITRE ATT&CK 70

T1003 - OS Credential Dumping T1003.001 T1005 T1020 T1027 T1036 - Masquerading T1036.005 T1039 T1046 T1053 T1053.005 T1056 - Input Capture T1056.002 T1059 - Command and Scripting Interpreter T1059.001 T1059.003 T1059.005 T1059.006 T1070 - Indicator Removal on Host T1070.004 T1071 T1071.001 T1080 T1082 T1083 T1087 T1087.001 T1087.002 T1087.003 T1090 - Proxy T1102 T1105 T1112 - Modify Registry T1114 T1114.001 T1119 T1140 - Deobfuscate/Decode Files or Information T1187 - Forced Authentication T1199 T1202 T1204 T1204.001 T1204.002 T1218 - Signed Binary Proxy Execution T1218.011 T1490 - Inhibit System Recovery T1496 - Resource Hijacking T1498 - Network Denial of Service T1537 T1547 - Boot or Logon Autostart Execution T1547.001 T1552 - Unsecured Credentials T1552.001 T1552.002 T1553 - Subvert Trust Controls T1555 T1555.003 T1560 - Archive Collected Data T1560.001 T1562 - Impair Defenses T1564 T1564.001 T1566 - Phishing T1566.001 T1566.002 T1573 T1573.001 T1573.002 T1587 T1587.001

Related Zero-Days

No zero-day CVE linked to this actor

Known Names 3 entries

RedCurl Group-IB

Red Wolf BI.ZONE

Earth Kapre Trend Micro

Observed Target Countries 10

Based on ETDA data — countries highlighted in red

Australia Canada Germany Mexico Norway Russia Spain UK Ukraine USA

Description

(ZDNet) Security researchers have uncovered a new Russian-speaking hacking group that they claim has been focusing on the past three years on corporate espionage, targeting companies across the world to steal documents that contain commercial secrets and employee personal data. Named RedCurl, the activities of this new group have been detailed in a 57-page report released today by cyber-security firm Group-IB. The company has been tracking the group since the summer of 2019 when it was first called to investigate a security breach at a company hacked by the group. Since then, Group-IB said it identified 26 other RedCurl attacks, carried out against 14 organizations, going as far back as 2018.

Tools Used 2

Impacket LaZagne

Operations 5

2021 RedCurl: The awakening https://www.group-ib.com/resources/threat-research/red-curl-2.html

2022-11 RedCurl hackers return to spy on 'major Russian bank,' Australian company https://therecord.media/redcurl-hackers-russian-bank-australian-company

2023 Hunting the hunter: BI.ZONE traces the footsteps of Red Wolf https://bi-zone.medium.com/hunting-the-hunter-bi-zone-traces-the-footsteps-of-red-wolf-3677783e164d

2023 Unveiling Earth Kapre aka RedCurl’s Cyberespionage Tactics With Trend Micro MDR, Threat Intelligence https://www.trendmicro.com/en_us/research/24/c/unveiling-earth-kapre-aka-redcurls-cyberespionage-tactics-with-t.html

2025-03 RedCurl's Ransomware Debut: A Technical Deep Dive https://www.bitdefender.com/en-us/blog/businessinsights/redcurl-qwcrypt-ransomware-technical-deep-dive

Reports & References 3

https://www.zdnet.com/article/redcurl-cybercrime-group-has-hacked-companies-for-three-years/ https://www.group-ib.com/resources/threat-research/red-curl.html https://www.esentire.com/blog/unraveling-the-many-stages-and-techniques-used-by-redcurl-earthkapre-apt

ETDA Profile

RedCurl

Origin

[Unknown]

First Seen 2018

Motivation

Information theft and espionage

View on ETDA APT Groups ↗