RedCurl

APT / StateG1039
OriginRússia
Techniques (MITRE ATT&CK)41
SourceMITRE ATT&CK

Vexday analysis

RedCurl é um grupo APT de origem russa, ativo desde 2018 e identificado no MITRE ATT&CK como G1039, com 41 técnicas documentadas. O grupo é notório por operações de espionagem corporativa direcionadas a diferentes países — incluindo Ucrânia, Canadá e Reino Unido — e a setores variados, como agências de viagem, seguradoras e bancos. As operações geralmente se iniciam com e-mails de spearphishing para obter acesso inicial, seguidos pela execução de comandos e scripts de descoberta e coleta de dados corporativos, encerrando-se com a exfiltração de arquivos para servidores de comando e controle (C2).

Techniques (MITRE ATT&CK) 41

How the group operates, mapped to the MITRE ATT&CK matrix and organized by the phases of an attack.

Resource development
Malware
Initial access
Trusted RelationshipSpearphishing AttachmentSpearphishing Link
Execution
Scheduled TaskPowerShellWindows Command ShellVisual BasicPythonMalicious LinkMalicious File
Persistence
Registry Run Keys / Startup Folder
Credential access
LSASS MemoryCredentials In FilesCredentials in RegistryCredentials from Web Browsers
Discovery
Network Service DiscoverySystem Information DiscoveryFile and Directory DiscoveryLocal AccountDomain AccountEmail Account
Lateral movement
Taint Shared Content
Collection
Data from Local SystemData from Network Shared DriveGUI Input CaptureLocal Email CollectionAutomated CollectionArchive via Utility
Command and control
Web ProtocolsWeb ServiceSymmetric CryptographyAsymmetric Cryptography
Exfiltration
Automated ExfiltrationTransfer Data to Cloud Account
stealth
Obfuscated Files or InformationMatch Legitimate Resource Name or LocationFile DeletionIndirect Command ExecutionRundll32Hidden Files and Directories

Exploited vulnerabilities

No CVEs attributed to this group in public sources (MITRE ATT&CK). Absence of attribution does not mean absence of activity.

RedCurl uses real techniques and exploits real flaws. TrueHacking's AI Autonomous Pentest simulates these attacks against your infrastructure and brings more security to your application.

Explore the AI Autonomous Pentest →