Corporate espionage specialists RedCurl return with improved tools

RedCurl's latest victims include one of Russia's largest wholesale companies.
(Getty Images)

A corporate espionage organization known as RedCurl that made waves before disappearing last year has resurfaced with a fresh batch of attacks and sharpened tools for the task, researchers at cybersecurity firm Group-IB said Thursday.

The group’s four known attacks since the beginning of 2021 include one against one of Russia’s largest wholesalers, which provides home, leisure and office goods, Group-IB found. Overall, the company concluded that RedCurl has been behind more than 30 attacks during a three-year span.

RedCurl’s tactical improvements after a seven-month absence include upgrades to most of its tools, such as more effective data encryption for its malware.

“Corporate cyber espionage is still a relatively rare and, in many ways, unique occurrence,” Group-IB’s report reads. “However, it is possible that the group’s success could lead to a new trend in cybercrime.”


Despite the rarity of corporate cyber espionage, Group-IB’s report on the RedCurl revival is the second tranche of research to publish this month alone about such groups. Trend Micro recently revealed an espionage outfit it named Void Balaur, which advertises its services under the name “Rockethack.”

Notably, both groups are Russian-speaking and have targeted victims within Russia as well as outside it. RedCurl actually twice attacked the Russian wholesale company, which Group-IB didn’t name.

Group-IB has not attributed the group’s origins to Russia despite its chosen language, and it’s rare for Russian hacking groups to conduct attacks on their home soil lest they run afoul of authorities there who have been accused of letting foreign-targeting hackers have free rein.

RedCurl has shown an interest in obtaining things like internal documents and staff records. The group is fond of spearphishing emails, and once in a network, has proven capable of staying there for two to six months.

“Targeted email campaigns made to look like they were sent by the victim’s HR department have become the group’s trademark,” Group-IB wrote.

Latest Podcasts