Threat Actor Profile
High APT
Description

RedCurl is a threat actor active since 2018 notable for corporate espionage targeting a variety of locations, including Ukraine, Canada and the United Kingdom, and a variety of industries, including but not limited to travel agencies, insurance companies, and banks.(Citation: group-ib_redcurl1) RedCurl is allegedly a Russian-speaking threat actor.(Citation: group-ib_redcurl1)(Citation: group-ib_redcurl2) The group’s operations typically start with spearphishing emails to gain initial access, then the group executes discovery and collection commands and scripts to find corporate data. The group concludes operations by exfiltrating files to the C2 servers.

Confidence Score
90%
Known Aliases
RedCurl
Tags
mitre-attack stix-2.1 intrusion-set
First Seen

Unknown

Last Updated

Unknown

Active Status
Active
Created

April 29, 2026

MITRE ATT&CK Techniques (41)
T1005 - Data from Local System (Collection)
T1039 - Data from Network Shared Drive (Collection)
T1056.002 - GUI Input Capture (Collection)
T1114.001 - Local Email Collection (Collection)
T1119 - Automated Collection (Collection)
T1560.001 - Archive via Utility (Collection)
T1071.001 - Web Protocols (Command and Control)
T1102 - Web Service (Command and Control)
T1573.001 - Symmetric Cryptography (Command and Control)
T1573.002 - Asymmetric Cryptography (Command and Control)
T1003.001 - LSASS Memory (Credential Access)
T1552.001 - Credentials In Files (Credential Access)
T1552.002 - Credentials in Registry (Credential Access)
T1555.003 - Credentials from Web Browsers (Credential Access)
T1027 - Obfuscated Files or Information (Defense Evasion)
T1036.005 - Match Legitimate Resource Name or Locat… (Defense Evasion)
T1070.004 - File Deletion (Defense Evasion)
T1202 - Indirect Command Execution (Defense Evasion)
T1218.011 - Rundll32 (Defense Evasion)
T1564.001 - Hidden Files and Directories (Defense Evasion)
T1046 - Network Service Discovery (Discovery)
T1082 - System Information Discovery (Discovery)
T1083 - File and Directory Discovery (Discovery)
T1087.001 - Local Account (Discovery)
T1087.002 - Domain Account (Discovery)
T1087.003 - Email Account (Discovery)
T1053.005 - Scheduled Task (Execution)
T1059.001 - PowerShell (Execution)
T1059.003 - Windows Command Shell (Execution)
T1059.005 - Visual Basic (Execution)
T1059.006 - Python (Execution)
T1204.001 - Malicious Link (Execution)
T1204.002 - Malicious File (Execution)
T1020 - Automated Exfiltration (Exfiltration)
T1537 - Transfer Data to Cloud Account (Exfiltration)
T1199 - Trusted Relationship (Initial Access)
T1566.001 - Spearphishing Attachment (Initial Access)
T1566.002 - Spearphishing Link (Initial Access)
T1080 - Taint Shared Content (Lateral Movement)
T1547.001 - Registry Run Keys / Startup Folder (Persistence)
T1587.001 - Malware (Resource Development)
Indicators of Compromise
STIX Data
{'aliases': ['RedCurl'],
 'created': '2024-09-23T21:32:19.337Z',
 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'description': '[RedCurl](https://attack.mitre.org/groups/G1039) is a threat '
                'actor active since 2018 notable for corporate espionage '
                'targeting a variety of locations, including Ukraine, Canada '
                'and the United Kingdom, and a variety of industries, '
                'including but not limited to travel agencies, insurance '
                'companies, and banks.(Citation: group-ib_redcurl1) '
                '[RedCurl](https://attack.mitre.org/groups/G1039) is allegedly '
                'a Russian-speaking threat actor.(Citation: '
                'group-ib_redcurl1)(Citation: group-ib_redcurl2) The group’s '
                'operations typically start with spearphishing emails to gain '
                'initial access, then the group executes discovery and '
                'collection commands and scripts to find corporate data. The '
                'group concludes operations by exfiltrating files to the C2 '
                'servers. ',
 'external_references': [{'external_id': 'G1039',
                          'source_name': 'mitre-attack',
                          'url': 'https://attack.mitre.org/groups/G1039'},
                         {'description': 'Group-IB. (2020, August). RedCurl: '
                                         'The Pentest You Didn’t Know About. '
                                         'Retrieved August 9, 2024.',
                          'source_name': 'group-ib_redcurl1',
                          'url': 'https://www.group-ib.com/resources/research-hub/red-curl/'},
                         {'description': 'Group-IB. (2021, November). RedCurl: '
                                         'The Awakening. Retrieved August 14, '
                                         '2024.',
                          'source_name': 'group-ib_redcurl2',
                          'url': 'https://www.group-ib.com/resources/research-hub/red-curl-2/'}],
 'id': 'intrusion-set--82323c70-4186-4b61-94f5-b227c3b28e89',
 'modified': '2024-09-23T23:11:00.562Z',
 'name': 'RedCurl',
 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
 'revoked': False,
 'spec_version': '2.1',
 'type': 'intrusion-set',
 'x_mitre_attack_spec_version': '3.2.0',
 'x_mitre_contributors': ['Joe Gumke, U.S. Bank'],
 'x_mitre_deprecated': False,
 'x_mitre_domains': ['enterprise-attack'],
 'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'x_mitre_version': '1.0'}