CyberSecurity updates
2025-02-22 21:15:47 Pacific

RedCurl APT Abuses PowerShell for Data Exfiltration - 4d

The RedCurl APT is actively abusing PowerShell for data collection and exfiltration. The attackers are using 7-Zip to archive collected data and exfiltrating it via PowerShell using MSXML2.ServerXMLHTTP and ADODB.Stream. These techniques allow them to gather and steal sensitive information from compromised systems.
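A defender-side illustration, added here and not part of the original write-up: a small detector that scans PowerShell script-block log records (Event ID 4104, which only exist when script block logging is enabled) for the three indicators named above and aggregates them per host, so that the archive step and the COM-object exfiltration step are caught together even when they land in separate script blocks. The log records, host names and weights are constructed sample data.

```python
import re
from collections import defaultdict

# Constructed sample records in the shape of PowerShell script-block logs
# (Event ID 4104: one ScriptBlockText per record). Not real telemetry.
SAMPLE_EVENTS = [
    {"host": "WS01", "text": "Get-ChildItem $env:USERPROFILE\\Documents -Recurse | Measure-Object"},
    {"host": "WS01", "text": "& 'C:\\Program Files\\7-Zip\\7z.exe' a -mx9 $env:TEMP\\docs.7z $env:USERPROFILE\\Documents"},
    {"host": "WS01", "text": "$h = New-Object -ComObject MSXML2.ServerXMLHTTP; $s = New-Object -ComObject ADODB.Stream"},
    {"host": "WS02", "text": "$h = New-Object -ComObject MSXML2.ServerXMLHTTP; $h.Open('GET', $u, $false); $h.Send()"},
    {"host": "WS03", "text": "Compress-Archive -Path .\\logs -DestinationPath .\\logs.zip"},
]

# Indicators taken from the RedCurl description: a regex plus an assumed weight.
# The COM objects are rare in legitimate scripts and weigh more than a 7-Zip call,
# which on its own is common administrative activity.
INDICATORS = {
    "serverxmlhttp": (re.compile(r"MSXML2\.ServerXMLHTTP", re.I), 2),
    "adodb_stream":  (re.compile(r"ADODB\.Stream", re.I), 2),
    "sevenzip_add":  (re.compile(r"7za?\.exe\W+a\s", re.I), 1),  # 7z.exe "a" = add to archive
}

def match_indicators(text):
    """Return the set of indicator names present in one script block."""
    return {name for name, (rx, _) in INDICATORS.items() if rx.search(text)}

def score_host(events):
    """Sum the weights of the distinct indicators seen on each host."""
    per_host = defaultdict(set)
    for ev in events:
        per_host[ev["host"]] |= match_indicators(ev["text"])
    return {h: sum(INDICATORS[n][1] for n in names) for h, names in per_host.items()}

def suspicious_hosts(events, threshold=4):
    """Hosts whose combined indicator weight reaches the threshold.

    With the weights above, a single ServerXMLHTTP download (WS02) stays below
    the line; the archive-plus-upload chain on WS01 crosses it.
    """
    return sorted(h for h, s in score_host(events).items() if s >= threshold)

if __name__ == "__main__":
    print(score_host(SAMPLE_EVENTS))
    print(suspicious_hosts(SAMPLE_EVENTS))
```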

RedCurl APT Targets Legal Sector using Adobe Executable - 4d

The RedCurl/EarthKapre APT group has been actively targeting organizations, particularly those in the legal sector, for corporate espionage. The group uses sophisticated techniques, including Indeed-themed phishing emails, to gain initial access. A legitimate Adobe executable is then used to sideload the EarthKapre/RedCurl loader, which exfiltrates data through Cloudflare Workers for command and control. The attackers leverage reconnaissance tools to gather information about the target environment before deploying their loader and exfiltrating sensitive data.

NetSupport RAT Use Surges via ClickFix Distribution - 11d

The eSentire Threat Intelligence team has observed a notable spike in the use of NetSupport RAT (Remote Access Trojan) in multiple recent incidents since January 2025. This increase is observed in attacks that involved the emerging “ClickFix” initial access vector. Cybercriminals weaponize the RAT to gain full control over victim systems, monitor screens, control input, and steal data.