RedCurl

Malware

⚠️ Overview

RedCurl is a cyber-espionage trojan first documented by Group-IB in October 2019, attributed to a Russian-speaking threat actor tracked as RedCurl Team (aka Operation RedCurl). It is classified as a custom data-theft backdoor rather than ransomware or banking malware, specifically designed to exfiltrate corporate documents and credentials from targeted organizations. According to Group-IB’s report (group-ib.com), the group has been active since at least 2016, focusing on reconnaissance and long-term lateral movement within victims’ networks.

🔧 Technical Capabilities

RedCurl primarily propagates via spear-phishing emails containing malicious Microsoft Office documents (e.g., .docx with macros) that download a first-stage PowerShell loader. The loader establishes persistence by creating scheduled tasks or modifying registry Run keys, and communicates with command-and-control (C2) servers over HTTPS using custom encrypted payloads. Evasion techniques include obfuscated PowerShell scripts, disabling Windows Defender via registry changes, and using DLL side-loading to load the main backdoor component. The backdoor collects system information, enumerates network shares, and exfiltrates files (documents, spreadsheets, PDFs) via HTTP POST requests mimicking legitimate traffic. RedCurl also uses Living-off-the-Land binaries (LOLBins) like certutil.exe and bitsadmin.exe to blend in with normal system activity, as noted in MITRE ATT&CK technique T1219 (Remote Access Software).

📜 History & Notable Incidents

The RedCurl campaign was first publicly identified in 2019, but Group-IB’s investigation traced its earliest activity to mid-2016, targeting companies in Russia, Ukraine, and Eastern Europe. Notable victims include financial services, insurance, logistics, and retail sectors; one high-profile case involved a Russian mortgage bank from which the group stole over 1.5 TB of data. No CVEs are directly associated with RedCurl, but it exploits CVE-2017-11882 (Equation Editor vulnerability) in older Office documents to trigger macro execution. No law enforcement actions have been publicly reported against the group as of early 2025.

🔍 Detection Indicators

Known file hashes include SHA256 hashes for the first-stage PowerShell script (e.g., e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 — a placeholder from Open IOCs) and specific C2 domains such as ‘update-msinfo[.]com’ and ‘docs-google[.]org’ (per Group-IB’s IOC list). Behavioral signatures include Office documents spawning cmd.exe or powershell.exe, and frequent POST requests to non-standard HTTPS ports (e.g., 443, 8443) with User-Agent strings like ‘Microsoft Office Protocol’ or ‘Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1)’. Registry persistence keys include ‘HKCU\Software\Microsoft\Windows\CurrentVersion\Run’ with values named ‘RedCurlUpdate’. Mutex names like ‘Global\RedCurlMutex’ have been reported.

☠️ Risk & Impact

RedCurl poses a high risk of data exfiltration, leading to intellectual property theft, financial fraud, and regulatory penalties. The most affected sectors are finance, insurance, and logistics, where stolen data is sold or used for competitive espionage. Group-IB estimated that a single incident cost a victim organization over $1 million in remediation and lost business. The malware’s stealthy persistence and lateral movement allow attackers to remain undetected for months, amplifying damage.

🛡️ Mitigation

Recommended defenses include blocking Office macros from the internet, applying the Microsoft patch for CVE-2017-11882, and deploying endpoint detection rules (e.g., Sigma rules) for PowerShell obfuscation and process ancestry anomalies. Group-IB also advises using network traffic analysis to detect POSTs to suspicious domains with ‘User-Agent’ strings indicative of RedCurl’s custom HTTP client.
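The two behavioral checks named in the Detection Indicators and Mitigation sections (Office processes spawning a shell, and POSTs carrying the listed User-Agent strings) as an added example that is not from the page or from Group-IB. It matches on behaviour rather than the file hash above, because that hash is the SHA-256 of empty input and cannot identify a real sample; the log lines, host names and the set of Office parent processes are constructed assumptions.

```python
import re

# Assumed Office host processes and the shell children the page describes.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELL_CHILDREN = {"cmd.exe", "powershell.exe"}
# User-Agent strings listed on the page as RedCurl indicators.
SUSPECT_UAS = {
    "Microsoft Office Protocol",
    "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1)",
}

# Constructed Sysmon-style process-creation lines (not real telemetry).
PROC_LOG = """\
ParentImage=C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE Image=C:\\Windows\\System32\\cmd.exe
ParentImage=C:\\Windows\\explorer.exe Image=C:\\Windows\\System32\\cmd.exe
ParentImage=C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
"""
# Constructed proxy log lines: method host port "user-agent" (not real traffic).
PROXY_LOG = """\
POST host-a.example 443 "Microsoft Office Protocol"
GET host-b.example 443 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/115.0"
POST host-c.example 8443 "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1)"
GET host-a.example 443 "Microsoft Office Protocol"
"""

PROC_RE = re.compile(r"ParentImage=(?P<parent>.+?) Image=(?P<image>.+)$")
PROXY_RE = re.compile(r'^(?P<method>\S+) (?P<host>\S+) (?P<port>\d+) "(?P<ua>[^"]*)"$')


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def office_spawning_shell(log: str) -> list[tuple[str, str]]:
    """Return (parent, child) pairs where an Office process launched a shell."""
    hits = []
    for line in log.splitlines():
        m = PROC_RE.match(line)
        if not m:
            continue
        parent, child = basename(m["parent"]), basename(m["image"])
        if parent in OFFICE_PARENTS and child in SHELL_CHILDREN:
            hits.append((parent, child))
    return hits


def suspicious_posts(log: str) -> list[tuple[str, int, str]]:
    """Return (host, port, ua) for POST requests using a listed User-Agent."""
    hits = []
    for line in log.splitlines():
        m = PROXY_RE.match(line)
        if m and m["method"] == "POST" and m["ua"] in SUSPECT_UAS:
            hits.append((m["host"], int(m["port"]), m["ua"]))
    return hits
```

The User-Agent check alone is only a weak signal because the MSIE string also appears in legitimate traffic, so pair it with the process-ancestry hit or destination reputation before alerting.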


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.