← All Threat Actors
Threat Actor Profile

RedCurl

Earth Kapre G1039
▲ High Threat
[RedCurl](https://attack.mitre.org/groups/G1039) is a threat actor active since 2018 notable for corporate espionage targeting a variety of locations, including Ukraine, Canada and the United Kingdom, and a variety of industries, including but not limited to travel agencies, insurance companies, and banks.(Citation: group-ib_redcurl1) [RedCurl](https://attack.mitre.org/groups/G1039) is allegedly a Russian-speaking threat actor.(Citation: group-ib_redcurl1)(Citation: group-ib_redcurl2) The group’s operations typically start with spearphishing emails to gain initial access, then the group executes discovery and collection commands and scripts to find corporate data. The group concludes operations by exfiltrating files to the C2 servers.
Origin

Known TTPs

Obfuscated Files or Information
Hidden Files and Directories
Web Service
Local Email Collection
Data from Network Shared Drive
Taint Shared Content
Malicious File
Data from Local System
Automated Collection
File and Directory Discovery
Windows Command Shell
PowerShell
Match Legitimate Resource Name or Location
Spearphishing Attachment
Visual Basic
Archive via Utility
Symmetric Cryptography
Web Protocols
Email Account
Malware
Local Account
GUI Input Capture
System Information Discovery
Malicious Link
Asymmetric Cryptography
Scheduled Task
Automated Exfiltration
Trusted Relationship
Transfer Data to Cloud Account
Indirect Command Execution
Credentials In Files
Rundll32
Domain Account
Spearphishing Link
Credentials in Registry
File Deletion
Registry Run Keys / Startup Folder
Credentials from Web Browsers
Python
LSASS Memory
Network Service Discovery

External Resources

CISA Advisories ↗

Related Intelligence

Hacking the mainframe…

LINK COPIED TO CLIPBOARD