RedCurl
RedCurl, also tracked as GOLD BLADE, Earth Kapre, and Red Wolf, is a financially motivated cybercriminal group that has conducted commercial espionage intrusions on behalf of clients since 2018, fitting a hack-for-hire model. Sophos reported that by mid-2025 the group had also deployed custom ransomware named QWCrypt in some compromises, suggesting possible independent monetization in addition to espionage.

The group has conducted highly focused geographic campaigns and was reported targeting organizations in Russia, Germany, Ukraine, the United Kingdom, Slovenia, Canada, Australia, and the United States.

RedCurl has used phishing emails with malicious files for initial access, historically targeting human resources personnel with resume- or CV-themed lures, and by mid-2025 was observed abusing recruitment platforms to deliver weaponized resumes. Reported tradecraft includes use of HTTP, HTTPS, and WebDAV for command-and-control communications; PowerShell and the Windows Command Prompt for execution; scheduled tasks for persistence; and Registry Run key persistence via HKCU\Software\Microsoft\Windows\CurrentVersion\Run. The group has mimicked legitimate file names and scheduled task names such as MicrosoftCurrentupdatesCheck and MdMMaintenenceTask to mask malicious activity, and has also deleted files after execution.

RedCurl has conducted host and environment reconnaissance, including collecting system information and network connection data, and has collected data from local disks of compromised hosts. For credential access, RedCurl used LaZagne to obtain passwords from files and web browsers. The group has used string encryption, encrypted data, Base64-encoded PowerShell commands, and PyArmor to obfuscate LaZagne execution; it also obfuscated downloaded files by renaming them as commonly used tools. Sophos also described GOLD BLADE using legitimately signed Adobe executables to side-load its custom RedLoader malware.

RedLoader transmits host information to command-and-control infrastructure and executes PowerShell scripts to gather information about compromised Active Directory environments. In July 2025, Sophos reported a RedLoader infection chain in which a job-themed lure led to a ZIP archive containing a malicious LNK disguised as a PDF; the LNK launched conhost.exe, used WebDAV to retrieve a renamed signed Adobe ADNotificationManager.exe, and remotely side-loaded a malicious DLL named netutils.dll as RedLoader stage 1. That stage created a scheduled task named BrowserQE with a Base64-encoded computer name, downloaded a standalone stage 2 executable from Cloudflare Workers infrastructure, and executed it via PCALua.exe and conhost.exe. Sophos further reported that GOLD BLADE used a BYOVD chain with renamed Zemana drivers and modified Terminator EDR-killer tooling to evade detection.

Known aliases: GOLD BLADE, Earth Kapre, Red Wolf.
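As an added illustration (not code from this page or from any vendor cited on it), the following Python sketch turns the persistence and side-loading artifacts described above into detection rules and runs them over constructed Sysmon-like events. The field names are a simplified schema of my own, and the WebDAV host, file names, Run value name and BrowserQE task suffix are placeholders.

```python
"""Added detection sketch for the RedCurl / RedLoader chain described above.
Field names are a simplified Sysmon-like schema of my own; events are constructed."""
import re

RUN_KEY = r"hkcu\software\microsoft\windows\currentversion\run"
TASK_NAMES = ("microsoftcurrentupdatescheck", "mdmmaintenencetask", "browserqe")
SYSTEM_DIRS = ("\\windows\\system32\\", "\\windows\\syswow64\\")

def classify(ev):
    """Return (rule, detail) hits for one event; [] means nothing matched."""
    hits, t = [], ev.get("type")
    if t == "registry_set" and ev["key"].lower().startswith(RUN_KEY):
        hits.append(("run_key_persistence", ev["key"]))
    elif t == "task_create":
        # Prefix match: the reported BrowserQE task carries an encoded suffix.
        if ev["task"].lower().startswith(TASK_NAMES):
            hits.append(("known_task_name", ev["task"]))
    elif t == "process_create":
        img, parent = ev["image"].lower(), ev.get("parent", "").lower()
        # Match the PE OriginalFileName, not the on-disk name: the signed Adobe
        # binary was renamed, and a WebDAV-hosted file shows up as a UNC path.
        adobe = ev.get("original", "").lower() == "adnotificationmanager.exe"
        if adobe and (img.startswith("\\\\") or parent.endswith("conhost.exe")):
            hits.append(("webdav_sideload_host", ev["image"]))
        if parent.endswith("\\pcalua.exe"):
            hits.append(("pcalua_proxy_exec", ev["image"]))
    elif t == "image_load":
        dll = ev["image"].lower()
        # netutils.dll belongs in a system directory; any other copy is suspect.
        if dll.endswith("\\netutils.dll") and not any(d in dll for d in SYSTEM_DIRS):
            hits.append(("netutils_sideload", ev["image"]))
    return hits

def scan(events):
    """Run classify over an event list; return (index, rule, detail) triples."""
    return [(i, rule, detail) for i, ev in enumerate(events)
            for rule, detail in classify(ev)]

# Constructed events modelled on the July 2025 chain; 203.0.113.10 is a
# documentation address, the file names and task suffix are placeholders.
SAMPLE = [
    {"type": "process_create", "image": r"\\203.0.113.10@80\DavWWWRoot\s\update.exe",
     "original": "ADNotificationManager.exe", "parent": r"C:\Windows\System32\conhost.exe"},
    {"type": "image_load", "image": r"\\203.0.113.10@80\DavWWWRoot\s\netutils.dll"},
    {"type": "task_create", "task": "BrowserQE-V09SS1NUQVRJT04x"},
    {"type": "process_create", "image": r"C:\Users\u\AppData\Local\stage2.exe",
     "parent": r"C:\Windows\System32\PCALua.exe"},
    {"type": "registry_set", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Upd"},
    {"type": "image_load", "image": r"C:\Windows\System32\netutils.dll"},  # benign copy
]
```

The Run key and PCALua rules will fire on legitimate software too, so in practice they are best scored together with the side-loading and task-name hits from the same host rather than alerted on alone.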
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Where they target
Geographies tied to known operations.
- 🇷🇺 Russia
- 🇩🇪 Germany
- 🇺🇦 Ukraine
- 🇬🇧 United Kingdom
- 🇸🇮 Slovenia
- 🇨🇦 Canada
- 🇦🇺 Australia
- 🇺🇸 United States
Tradecraft
50 distinct techniques observed across reporting, grouped by tactic.
Associated malware families
9 malware families attributed to this actor across reporting.
4 additional families tracked in Mallory.
Associated vulnerabilities
1 CVE this actor has used in observed campaigns; it has been exploited in the wild.
Observables
26 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.
Recent activity
20 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Referenced as a threat actor that used DLL sideloading.
Listed as a threat actor associated with the PowerShell P/Invoke process injection API chain detection and related ATT&CK techniques.
Listed as a threat actor associated with PowerShell execution behavior relevant to this detection analytic.
Referenced as a threat actor associated with the Hidden Files and Directories defense evasion technique (T1564.001).