In January 2025, the RedCurl APT group, also known as EarthKapre, launched a sophisticated cyber espionage campaign targeting law firms and corporate organizations. This advanced group focused on corporate espionage, carefully executing a multi-stage attack chain to steal sensitive corporate data. By utilizing legitimate tools for data exfiltration, the attackers were able to bypass conventional security measures, making their activities difficult to detect.
The attackers initiated the campaign using an Indeed-themed phishing PDF that contained a zip archive with a mountable ISO file.
When the victim opened the ISO file, they saw only a single SCR file disguised as a CV application. Once executed, the malicious SCR file triggered the EarthKapre loader, a hidden malware component called netutils.dll, which sideloaded and began the attack chain. This method enabled the attackers to bypass security controls, allowing them to execute their malware undetected.
The attack chain utilized sophisticated techniques, including string encryption via bcrypt.dll APIs to generate SHA256 hashes for AES key derivation.
As the malware progressed through various stages, it communicated with command and control servers hosted on Cloudflare Workers infrastructure. This communication allowed the attackers to retrieve additional payloads and exfiltrate sensitive data from the compromised systems. The attackers maintained a low profile by executing commands to collect data without triggering immediate suspicion.
During the reconnaissance phase, RedCurl deployed batch files to gather crucial system information from the victim’s machine. These files collected details on user accounts, installed software, system configurations, and network resources. The attackers also used Sysinternals Active Directory Explorer for domain enumeration, which helped them navigate the victim’s environment. To exfiltrate the stolen data, RedCurl used PowerShell commands to encrypt and archive it with 7-Zip, ultimately sending the data to cloud storage via PowerShell PUT requests. This meticulous process completed the attack chain, resulting in the theft of potentially valuable corporate data.
