The Russian-speaking hacking group RedCurl has taken a sharp turn in its attack strategy, launching a ransomware campaign for the first time since its emergence in 2018. Known primarily for corporate espionage, the group has now been linked to a previously unseen ransomware strain called QWCrypt, signaling a major shift in its operational playbook.
This development was uncovered by Romanian cybersecurity firm Bitdefender, which documented the full attack chain in a new report. Unlike previous RedCurl campaigns, which focused on data theft and surveillance, this latest activity is designed to encrypt systems and cause direct disruption, in particular by targeting virtualized infrastructure.
Historically, RedCurl—also known by aliases Earth Kapre and Red Wolf—has targeted businesses across Canada, Germany, the U.S., the U.K., and several other countries. Their operations were mainly centered on spear-phishing campaigns crafted around HR-related lures. These emails trick victims into opening fake resumes or cover letters that initiate a malware payload.
Earlier this year, cybersecurity firm Huntress highlighted RedCurl’s use of a simple backdoor called RedLoader in attacks on Canadian firms. This was followed in February by reports from eSentire, which revealed that RedCurl used PDF spam attachments disguised as CVs to deploy malware via a legitimate Adobe component: ADNotificationManager.exe.
The same deceptive technique appears in Bitdefender's latest findings. Victims receive a mountable ISO file masquerading as a CV. Inside is a file with a screensaver (.SCR) extension that is in fact the legitimate Adobe binary, renamed; when launched, it side-loads netutils.dll, the malware loader, from the same directory. The loader then opens a browser window to the real Indeed login page, a decoy to occupy the user while the malware runs silently.
The loader's role does not stop at deception. It also downloads a second-stage backdoor DLL and establishes persistence by creating a scheduled task. That DLL is then executed through pcalua.exe, the legitimate Windows Program Compatibility Assistant, so that the malicious code runs under the cover of a signed Microsoft binary, a living-off-the-land tactic that Trend Micro also observed in 2024.
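The chain above leaves three observable traces on the endpoint: a renamed executable run with a .scr extension, netutils.dll loaded from a directory other than the Windows system folders, and pcalua.exe (directly or via schtasks) being asked to run a DLL. The script below is an added detection example, not code from Bitdefender or from the report; it runs three rules over constructed Sysmon-style events (EventID 1 process creation, EventID 7 image load) supplied as JSON lines. The sample events, drive letters, file names and task name are invented for illustration.

```python
"""
Detection sketch for the RedCurl loader chain (constructed example).
Input: Sysmon-style events as JSON lines. EventID 1 = process create
(Image, OriginalFileName, CommandLine), EventID 7 = image load (ImageLoaded).
"""
import json
import ntpath
import re

# Directories from which netutils.dll is legitimately loaded.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# pcalua.exe -a <something>.dll, optionally with the binary quoted.
PCALUA_DLL = re.compile(r'pcalua\.exe"?\s+-a\s+\S+\.dll')


def _lower(value):
    return (value or "").lower()


def check_scr_masquerade(ev):
    """Rule 1: a .scr on disk whose PE OriginalFileName is an .exe is a renamed binary."""
    image = _lower(ev.get("Image"))
    original = _lower(ev.get("OriginalFileName"))
    if image.endswith(".scr") and original.endswith(".exe"):
        return f"renamed executable run as screensaver: {image} (OriginalFileName={original})"
    return None


def check_sideload(ev):
    """Rule 2: netutils.dll loaded from outside the Windows system directories."""
    loaded = _lower(ev.get("ImageLoaded"))
    if ntpath.basename(loaded) == "netutils.dll" and ntpath.dirname(loaded) not in SYSTEM_DIRS:
        return f"netutils.dll side-loaded from {ntpath.dirname(loaded)} by {_lower(ev.get('Image'))}"
    return None


def check_pcalua_proxy(ev):
    """Rule 3: pcalua.exe used to proxy-execute a DLL, directly or inside a schtasks /tr."""
    cmd = _lower(ev.get("CommandLine"))
    if PCALUA_DLL.search(cmd):
        return f"pcalua.exe proxy execution of a DLL: {cmd}"
    return None


RULES = {1: [check_scr_masquerade, check_pcalua_proxy], 7: [check_sideload]}


def scan(lines):
    """Return (ProcessId, rule name, message) for every event that trips a rule."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        for rule in RULES.get(ev.get("EventID"), []):
            msg = rule(ev)
            if msg:
                hits.append((ev.get("ProcessId"), rule.__name__, msg))
    return hits


# Constructed sample telemetry: an ISO mounted as E:, the renamed Adobe binary,
# the side-loaded loader, a benign system DLL, a persistence task and a benign process.
SAMPLE_EVENTS = r"""
{"EventID": 1, "ProcessId": 4100, "Image": "E:\\Resume_John_Doe.scr", "OriginalFileName": "ADNotificationManager.exe", "CommandLine": "E:\\Resume_John_Doe.scr"}
{"EventID": 7, "ProcessId": 4100, "Image": "E:\\Resume_John_Doe.scr", "ImageLoaded": "E:\\netutils.dll"}
{"EventID": 7, "ProcessId": 4100, "Image": "E:\\Resume_John_Doe.scr", "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll"}
{"EventID": 1, "ProcessId": 4120, "Image": "C:\\Windows\\System32\\schtasks.exe", "OriginalFileName": "schtasks.exe", "CommandLine": "schtasks.exe /create /tn Updater /tr \"pcalua.exe -a C:\\Users\\Public\\stage2.dll\" /sc onlogon"}
{"EventID": 1, "ProcessId": 4188, "Image": "C:\\Windows\\System32\\notepad.exe", "OriginalFileName": "NOTEPAD.EXE", "CommandLine": "notepad.exe"}
"""

if __name__ == "__main__":
    for pid, rule, msg in scan(SAMPLE_EVENTS.splitlines()):
        print(f"[pid {pid}] {rule}: {msg}")
```

Rule 1 relies on the OriginalFileName field that Sysmon pulls from the PE version resource, which survives a rename; rule 2 keys on the load path rather than the DLL's hash, since the loader can be recompiled freely; rule 3 fires on the scheduled-task command line as well as on pcalua.exe itself, so the persistence mechanism is caught at creation time.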
Once embedded in the network, RedCurl uses the malware to move laterally, map the environment, and escalate privileges. But in a stark departure from its earlier data-centric attacks, the group in one case deployed ransomware, most likely to cripple the victim's core systems as quickly as possible.
According to Bitdefender's Martin Zugec, RedCurl targeted virtual machines hosted on hypervisors, encrypting them and rendering them unbootable. This strategy, he says, aims to deliver maximum disruption with minimal effort, effectively taking down entire virtualized environments and the services that depend on them.
The ransomware strain, dubbed QWCrypt, uses a Bring Your Own Vulnerable Driver (BYOVD) technique to disable endpoint defenses before beginning encryption. It also collects system data and drops a ransom note reminiscent of those used by LockBit, HardBit, and Mimic ransomware groups.
However, the authenticity of the ransom demand remains unclear. Bitdefender noted that there is no known dedicated leak site (DLS) associated with RedCurl’s ransomware operation. This raises questions: Is this a real extortion campaign, or is RedCurl experimenting with ransomware as a diversion or hybrid tactic?
Zugec suggests the reuse of ransom note text points to a possible copycat move or an opportunistic strategy rather than a full-scale shift in motive.
While RedCurl has long been on the radar of cybersecurity researchers for its corporate surveillance operations, its entrance into the ransomware space could mark a troubling evolution. The deployment of QWCrypt suggests that even sophisticated espionage actors may adopt destructive tactics, whether to expand their reach or to mask other goals.
With no dedicated leak site and no confirmation of ransom negotiations, it remains to be seen whether RedCurl’s ransomware campaign signals a lasting pivot or just a test run. What’s clear is that defenders need to remain vigilant: the lines between espionage and extortion are blurring, and threat actors like RedCurl are becoming more unpredictable.