FlagThis

The RedCurl/EarthKapre APT group is actively engaged in corporate espionage, particularly targeting the legal sector. The group uses sophisticated techniques to infiltrate organizations, beginning with phishing emails disguised as Indeed-themed job applications. These emails contain malicious attachments designed to trick victims into downloading ZIP archives containing ISO image files that mimic CVs. Once the ISO image is mounted, the victim unknowingly executes a signed Adobe executable, which then sideloads the EarthKapre loader.

This loader, delivered via a legitimate Adobe executable, is the core of the attack. It establishes command and control through Cloudflare Workers. The malware uses encryption to protect its payloads and sets up a scheduled task to maintain persistence on the compromised system. The eSentire Threat Response Unit (TRU) identified this attack targeting law firms and legal services.

ImgSrc: socprime.com

References:

• Information Security Buzz - eSentire’s Threat Response Unit (TRU) has uncovered a new cyber espionage campaign leveraging a legitimate Adobe executable to sideload the EarthKapre/RedCurl loader. - 5d
• SOC Prime Blog - The nefarious cyber-espionage hacking collective tracked as EarthKapre or RedCurl APT has resurfaced to target legal sector organizations using Indeed-themed phishing. - 5d
• @VirusBulletin - Infosec Exchange post summarizing eSentire's investigation into RedCurl/EarthKapre APT targeting legal services. - 5d
• Talkback Resources - Unraveling the Many Stages and Techniques Used by RedCurl/EarthKapre... - 5d
• Know Your Adversary - 046. RedCurl Abuses PowerShell for Collection and Exfiltration: Detection Opportunities - 5d
• socprime.com - RedCurl/EarthKapre APT Attack Detection: A Sophisticated Cyber-Espionage Group Uses a Legitimate Adobe Executable to Deploy a Loader - 4d
• www.esentire.com - eSentire researchers summarise a recent investigation into an attack by the RedCurl/EarthKapre APT against an organization within the legal services industry. The group primarily targets private-secto - 4d
• securityonline.info - Stealth Attack: EarthKapre Leverages Cloud and DLL Sideloading for Data Exfiltration - 4d
• Talkback Resources - eSentire's TRU team identified and responded to an attack targeting the Law Firms & Legal Services industry involving the EarthKapre/RedCurl loader being sideloaded through a legitimate Adobe executab - 4d
• Malware Archives ? Cybersecurity News - Stealth Attack: EarthKapre Leverages Cloud and DLL Sideloading for Data Exfiltration - 4d
• Talkback Resources - Unraveling the Many Stages and Techniques Used by RedCurl/EarthKapre… [net] [mal] - 4d
• Security Archives - Security Affairs - eSentire report on the RedCurl/EarthKapre APT's campaign targeting law firms, using a legitimate Adobe executable for the loader. - 4d
• @kimzetter - eSentire's TRU team identified and responded to an attack targeting the Law Firms & Legal Services industry involving the EarthKapre/RedCurl loader being sideloaded through a legitimate Adobe executab - 4d

Classification:

• HashTags: APT RedCurl CyberEspionage
• Company: eSentire
• Target: Law Firms
• Attacker: RedCurl
• Product: Adobe Executable
• Feature: DLL sideloading
• Type: Espionage
• Severity: Major