RedCurl corporate data theft group is back: Report

Corporate infosec leaders are being warned of the resurgence of a threat actor that apparently specializes in stealing business data.

Dubbed RedCurl by the Singapore-based threat intelligence firm Group-IB and described as a Russian-speaking hacker group, many of its 30 targets and 15 victims over the past four years have been firms based in Russia. However, they also include victims in Canada, the U.S., the U.K., Germany, Norway and Ukraine.

Group-IB’s warning comes after attacks by RedCurl had been undetected for seven months. So far this year it has hit four organizations.

Victims included companies in construction, finance, consulting, retail, insurance and law sectors, the report says.

Attacks start with an employee falling for a spear-phishing email. After it gains a foothold in the corporate network, RedCurl’s tactics are marked by extensive red teaming skills and the ability to bypass traditional anti-virus detection using custom malware.

Graphic from Group-IB of the attack pattern of the RedCurl threat gang
Group-IB graphic

What it doesn’t do is encrypt infrastructure, withdraw money from accounts, or demand ransoms for stolen data. “This most likely indicates that the group monetizes on its attacks in a different way,” the report says.

“Commercial corporate cyber espionage remains a rare and largely unique phenomenon,” said Ivan Pisarev, head of Group-IB’s dynamic malware analysis team. “We cannot rule out, however, that RedCurl’s success could set a new trend in the cybercrime space.”

RedCurl specializes in sending spear-phishing emails purporting to come from the victim organization’s HR department. Email subject lines allege the contents are about changes to staff incentive programs or other company news. Employees are often lured into clicking on a link with the promise of bonuses.

During the lull in its activities, the group significantly improved its arsenal, the report says. For example, there are now five stages between a victim firm receiving a phishing email and the launch of a module responsible for executing commands. The threat group has also added a new reconnaissance tool whose code shares many similarities with the FirstStageAgent module.

“RedCurl is known for its patience,” says the report. The time from the first infection to data being stolen can be anywhere from two to six months. The group doesn’t use popular post-exploitation tools such as CobaltStrike and Meterpreter. Nor has it been seen using typical ways of controlling compromised devices remotely. Instead, the hackers use self-developed tools and some publicly available programs to gain initial access, achieve persistence, move laterally, and exfiltrate sensitive documentation.

Read the full report here.

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@]

Featured Articles

ADaPT connects employers with highly skilled young workers

Help wanted. That’s what many tech companies across Canada are saying, and research shows...

Unlocking Transformation: IoT and Generative AI Powered by Cloud

Amidst economic fluctuations and disruptive forces, Canadian businesses are steering through uncharted waters. To...

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now