RedCurl, the cyber-espionage group, is active again with new intrusion attacks after a hiatus of seven months. The group has updated its toolset to stay hidden and avoid being analyzed.

The group focuses on gathering valuable information using a combination of self-developed and publicly available programs. It does not seem to be financially motivated.

What has happened?

According to researchers, the group has made several tactical improvements to its toolset and has been observed targeting four companies this year, out of which one is the largest wholesale store located in Russia. 
  • In each attack, the group has shown extensive red teaming skills and was able to bypass antivirus detection using its own custom malware.
  • The group uses multiple hacking tools to breach its targets and steal internal corporate documents, such as staff records, court, legal files, and enterprise email history. 

Attack tactics

  • Hackers gain initial access via social engineering, perform reconnaissance with the new FSABIN tool, attain persistence, and move laterally in the network.
  • The group spends around two to six months between initial infection to the time data is stolen.

The RedCurl group

  • Active since November 2018, the RedCurl group has been associated with 30 attacks related to cyber espionage and document theft. However, its attacks stopped near the end of 2020.
  • The group attacked 14 organizations across multiple sectors such as insurance, consulting, construction, retail, legal, and finance.
  • The targeted entities were based in multiple countries, including the U.K, Germany, Russia, Canada, Ukraine, and Norway.


The RedCurl group is focused on espionage and collecting sensitive information from targeted entities. This stolen information can be used for further malicious activities or sold on the dark web. Therefore, organizations are suggested to deploy the right security measures, including encryption and multi-factor authentication to protect sensitive data.
Cyware Publisher