Clankerusecase
Threat-actor profile
 ← Back to main site
Home/ Threat Actors/ RedCurl

🌐RedCurl

🌐 RedCurl is a tracked threat actor in the Clankerusecase corpus. ??-aligned. Primary motivation: Unknown. We map 14 detection use cases to this actor across 41 MITRE ATT&CK techniques, with 0 threat-intel articles citing them.

View full actor card → All threat actors MITRE ATT&CK group spec (G1039) ↗
14Use cases
0Articles
41Techniques
0IOCs

About this actor (MITRE)

[RedCurl](https://attack.mitre.org/groups/G1039) is a threat actor active since 2018 notable for corporate espionage targeting a variety of locations, including Ukraine, Canada and the United Kingdom, and a variety of industries, including but not limited to travel agencies, insurance companies, and banks.(Citation: group-ib_redcurl1) [RedCurl](https://attack.mitre.org/groups/G1039) is allegedly a Russian-speaking threat actor.(Citation: group-ib_redcurl1)(Citation: group-ib_redcurl2) The group’s operations typically start with spearphishing emails to gain initial access, then the group execut

Known aliases

RedCurl

Top techniques

T1003.001 · LSASS MemoryT1005 · Data from Local SystemT1020 · Automated Exfiltration

All other tracked techniques

T1027 · Obfuscated Files or InformationT1036.005 · Match Legitimate Resource Name or LocationT1039 · Data from Network Shared DriveT1046 · Network Service DiscoveryT1053.005 · Scheduled TaskT1056.002 · GUI Input CaptureT1059.001 · PowerShellT1059.003 · Windows Command ShellT1059.005 · Visual BasicT1059.006 · PythonT1070.004 · File DeletionT1071.001 · Web ProtocolsT1080 · Taint Shared ContentT1082 · System Information DiscoveryT1083 · File and Directory DiscoveryT1087.001 · Local AccountT1087.002 · Domain AccountT1087.003 · Email AccountT1102 · Web ServiceT1114.001 · Local Email CollectionT1119 · Automated CollectionT1199 · Trusted RelationshipT1202 · Indirect Command ExecutionT1204.001 · Malicious LinkT1204.002 · Malicious FileT1218.011 · Rundll32T1537 · Transfer Data to Cloud AccountT1547.001 · Registry Run Keys / Startup FolderT1552.001 · Credentials In FilesT1552.002 · Credentials in RegistryT1555.003 · Credentials from Web BrowsersT1560.001 · Archive via UtilityT1564.001 · Hidden Files and DirectoriesT1566.001 · Spearphishing AttachmentT1566.002 · Spearphishing LinkT1573.001 · Symmetric CryptographyT1573.002 · Asymmetric CryptographyT1587.001 · Malware

Detection use cases (14)

RedCurl curl.exe upload to legitimate WebDAV/cloud-storage providers (signature exfiltration) AI · profile SΣ RedCurl ISO/IMG spearphish container → LNK → cmd/PowerShell stager AI · profile S 1Password vault export attempted MITRE match Brand-Impersonation Domain Fetch Followed by User-Context Loader Within 10 Minutes MITRE match Cross-category credential-store enumeration with rapid egress to anonymizing tunnel/CDN MITRE match Cross-Platform ClickFix Paste-to-Pipe Loader (UI-Parent Shell with Decode-and-Execute Payload) MITRE match Developer package install spawning script-host with non-registry C2 within 5 minutes MITRE match Developer/Data-tooling Daemon Spawns Shell Child Seconds After POST to Runner/Exec Endpoint MITRE match Internet-facing service process spawns shell/LOLBin within minutes of public inbound connection — post-RCE command execution MITRE match Linux LPE chain — anomalous algif_aead/esp4/esp6/rxrpc kernel-module load followed by same-user root transition MITRE match Low-Code / AI Workflow Runtime Sandbox-Escape — Server Process Spawns Shell + Public Egress MITRE match Non-Browser Process Reads Browser Credential / Cookie SQLite Then Egresses to Public Destination Within 10 Minutes MITRE match npm/yarn/pnpm Install-Hook Spawn → Credential-Store Read or Worm-Payload Drop in node_modules MITRE match OAuth Device-Code Consent Phish to Cross-IP Cloud Token Replay MITRE match