RedCurl Shifts from Espionage to Ransomware with First-Ever QWCrypt Deployment

The Russian-speaking hacking group called RedCurl has been linked to a ransomware campaign for the first time, marking a departure in the threat actor's tradecraft.
The activity, observed by Romanian cybersecurity company Bitdefender, involves the deployment of a never-before-seen ransomware strain dubbed QWCrypt.
RedCurl, also called Earth Kapre and Red Wolf, has a history of orchestrating corporate espionage attacks aimed at various entities in Canada, Germany, Norway, Russia, Slovenia, Ukraine, the United Kingdom, and the United States. It's known to be active since at least November 2018.
Attack chains documented by Group-IB in 2020 entailed the use of spear-phishing emails bearing Human Resources (HR)-themed lures to activate the malware deployment process. Earlier this January, Huntress detailed attacks mounted by the threat actor targeting several organizations in Canada to deploy a loader dubbed RedLoader with "simple backdoor capabilities."
Then last month, Canadian cybersecurity company eSentire revealed RedCurl's use of spam PDF attachments masquerading as CVs and cover letters in phishing messages to sideload the loader malware using the legitimate Adobe executable "ADNotificationManager.exe."
The attack sequence detailed by Bitdefender traces the same steps, using mountable disk image (ISO) files disguised as CVs to initiate a multi-stage infection procedure. Present within the disk image is a file that mimics a Windows screensaver (SCR) but, in reality, is the ADNotificationManager.exe binary that's used to execute the loader ("netutils.dll") using DLL side-loading.
"After execution, the netutils.dll immediately launches a ShellExecuteA call with the open verb, directing the victim's browser to https://secure.indeed.com/auth," Martin Zugec, technical solutions director at Bitdefender, said in a report shared with The Hacker News.
"This displays a legitimate Indeed login page, a calculated distraction designed to mislead the victim into thinking they are simply opening a CV. This social engineering tactic provides a window for the malware to operate undetected."
![]() |
Image Source: eSentire |
The loader, per Bitdefender, also acts as a downloader for a next-stage backdoor DLL, while also establishing persistence on the host by means of a scheduled task. The newly retrieved DLL is then executed using Program Compatibility Assistant (pcalua.exe), a technique detailed by Trend Micro in March 2024.
The access afforded by the implant paves the way for lateral movement, allowing the threat actor to navigate the network, gather intelligence, and further escalate their access. But in what appears to be a major pivot from their established modus operandi, one such attack also led to the deployment of ransomware for the first time.
"This focused targeting can be interpreted as an attempt to inflict maximum damage with minimum effort," Zugec said. "By encrypting the virtual machines hosted on the hypervisors, making them unbootable, RedCurl effectively disables the entire virtualized infrastructure, impacting all hosted services."
The ransomware executable, besides employing the bring your own vulnerable driver (BYOVD) technique to disable endpoint security software, takes steps to gather system information prior to launching the encryption routine. What's more, the ransom note dropped following encryption appears to be inspired by LockBit, HardBit, and Mimic groups.
"This practice of repurposing existing ransom note text raises questions about the origins and motivations of the RedCurl group," Zugec said. "Notably, there is no known dedicated leak site (DLS) associated with this ransomware, and it remains unclear whether the ransom note represents a genuine extortion attempt or a diversion."
EncryptHub Exploits Windows Zero-Day to Deploy Rhadamanthys and StealC Malware
Microsoft fixes printing issues caused by January Windows updates
CVE-2024-20439 Cisco Smart Licensing Utility Static Credential Vulnerability
CVE-2025-2783 Google Chromium Mojo Sandbox Escape Vulnerability
CVE-2019-9874 Sitecore CMS and Experience Platform (XP) Deserialization Vulnerability
CVE-2019-9875 Sitecore CMS and Experience Platform (XP) Deserialization Vulnerability
CVE-2025-30154 reviewdog/action-setup GitHub Action Embedded Malicious Code Vulnerability
CVE-2025-1316 Edimax IC-7100 IP Camera OS Command Injection Vulnerability
CVE-2024-48248 NAKIVO Backup and Replication Absolute Path Traversal Vulnerability
CVE-2017-12637 SAP NetWeaver Directory Traversal Vulnerability
CVE-2025-24472 Fortinet FortiOS and FortiProxy Authentication Bypass Vulnerability
InformationalCross Site Scripting (Persistent) - Prime
HighOut of Band XSS
InformationalObsolete Content Security Policy (CSP) Header Found
HighSQL Injection
MediumELMAH Information Leak
Free online web security scanner