Ptechhub
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs
No Result
View All Result
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs
No Result
View All Result
PtechHub
No Result
View All Result

RedCurl Shifts from Espionage to Ransomware with First-Ever QWCrypt Deployment

The Hacker News by The Hacker News
March 26, 2025
Home Cybersecurity
Share on FacebookShare on Twitter


Mar 26, 2025The Hacker NewsRansomware / Endpoint Security

The Russian-speaking hacking group called RedCurl has been linked to a ransomware campaign for the first time, marking a departure in the threat actor’s tradecraft.

The activity, observed by Romanian cybersecurity company Bitdefender, involves the deployment of a never-before-seen ransomware strain dubbed QWCrypt.

RedCurl, also called Earth Kapre and Red Wolf, has a history of orchestrating corporate espionage attacks aimed at various entities in Canada, Germany, Norway, Russia, Slovenia, Ukraine, the United Kingdom, and the United States. It’s known to be active since at least November 2018.

Cybersecurity

Attack chains documented by Group-IB in 2020 entailed the use of spear-phishing emails bearing Human Resources (HR)-themed lures to activate the malware deployment process. Earlier this January, Huntress detailed attacks mounted by the threat actor targeting several organizations in Canada to deploy a loader dubbed RedLoader with “simple backdoor capabilities.”

Then last month, Canadian cybersecurity company eSentire revealed RedCurl’s use of spam PDF attachments masquerading as CVs and Cover letters in phishing messages to sideload the loader malware using the legitimate Adobe executable “ADNotificationManager.exe.”

The attack sequence detailed by Bitdefender traces the same steps, using mountable disk image (ISO) files disguised as CVs to initiate a multi-stage infection procedure. Present within the disk image is a file that mimics a Windows screensaver (SCR) but, in reality, is the ADNotificationManager.exe binary that’s used to execute the loader (“netutils.dll”) using DLL side-loading.

“After execution, the netutils.dll immediately launches a ShellExecuteA call with the open verb, directing the victim’s browser to https://secure.indeed.com/auth,” Martin Zugec, technical solutions director at Bitdefender, said in a report shared with The Hacker News.

“This displays a legitimate Indeed login page, a calculated distraction designed to mislead the victim into thinking they are simply opening a CV. This social engineering tactic provides a window for the malware to operate undetected.”

Image Source: eSentire

The loader, per Bitdefender, also acts as a downloader for a next-stage backdoor DLL, while also establishing persistence on the host by means of a scheduled task. The newly retrieved DLL is then executed using Program Compatibility Assistant (pcalua.exe), a technique detailed by Trend Micro in March 2024.

The access afforded by the implant paves the way for lateral movement, allowing the threat actor to navigate the network, gather intelligence, and further escalate their access. But in what appears to be a major pivot from their established modus operandi, one such attack also led to the deployment of ransomware for the first time.

Cybersecurity

“This focused targeting can be interpreted as an attempt to inflict maximum damage with minimum effort,” Zugec said. “By encrypting the virtual machines hosted on the hypervisors, making them unbootable, RedCurl effectively disables the entire virtualized infrastructure, impacting all hosted services.”

The ransomware executable, besides employing the bring your own vulnerable driver (BYOVD) technique to disable endpoint security software, takes steps to gather system information prior to launching the encryption routine. What’s more, the ransom note dropped following encryption appears to be inspired by LockBit, HardBit, and Mimic groups.

“This practice of repurposing existing ransom note text raises questions about the origins and motivations of the RedCurl group,” Zugec said. “Notably, there is no known dedicated leak site (DLS) associated with this ransomware, and it remains unclear whether the ransom note represents a genuine extortion attempt or a diversion.”

Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Twitter  and LinkedIn to read more exclusive content we post.





Source link

Tags: computer securitycyber attackscyber newscyber security newscyber security news todaycyber security updatescyber updatesdata breachhacker newshacking newshow to hackinformation securitynetwork securityransomware malwaresoftware vulnerabilitythe hacker news
The Hacker News

The Hacker News

Next Post
EncryptHub Exploits Windows Zero-Day to Deploy Rhadamanthys and StealC Malware

EncryptHub Exploits Windows Zero-Day to Deploy Rhadamanthys and StealC Malware

Recommended.

Oracle Q3 2025 Earnings: CEO Catz Calls AI A ‘Motivator’ For Cloud Adoption

Oracle Q3 2025 Earnings: CEO Catz Calls AI A ‘Motivator’ For Cloud Adoption

March 11, 2025
Mirai Variant Murdoc_Botnet Exploits AVTECH IP Cameras and Huawei Routers

Mirai Variant Murdoc_Botnet Exploits AVTECH IP Cameras and Huawei Routers

January 21, 2025

Trending.

AWS Vs. Google Cloud Vs. Microsoft Azure Q1 Earnings Face-Off

AWS Vs. Google Cloud Vs. Microsoft Azure Q1 Earnings Face-Off

May 1, 2026
Cloud Market Share Q1 2026: AWS, Microsoft, Google Battling In AI Era

Cloud Market Share Q1 2026: AWS, Microsoft, Google Battling In AI Era

May 4, 2026
Google’s 0 Million Partner Fund Targets AI Agent Era Channel Paradigm Shift

Google’s $750 Million Partner Fund Targets AI Agent Era Channel Paradigm Shift

April 24, 2026
AWS Solution Provider Caylent Unveils Dedicated Anthropic Claude Unit

AWS Solution Provider Caylent Unveils Dedicated Anthropic Claude Unit

April 30, 2026
Dell’s Infrastructure Blitz: Private Cloud, PowerStore Elite, PowerEdge In Spotlight At Dell Technologies World 2026

Dell’s Infrastructure Blitz: Private Cloud, PowerStore Elite, PowerEdge In Spotlight At Dell Technologies World 2026

May 19, 2026

PTechHub

A tech news platform delivering fresh perspectives, critical insights, and in-depth reporting — beyond the buzz. We cover innovation, policy, and digital culture with clarity, independence, and a sharp editorial edge.

Follow Us

Industries

  • AI & ML
  • Cybersecurity
  • Enterprise IT
  • Finance
  • Telco

Navigation

  • About
  • Advertise
  • Privacy & Policy
  • Contact

Subscribe to Our Newsletter

  • About
  • Advertise
  • Privacy & Policy
  • Contact

Copyright © 2025 | Powered By Porpholio

No Result
View All Result
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs

Copyright © 2025 | Powered By Porpholio