A covert cyber-espionage group known as RedCurl is now using ransomware in its latest attacks, marking a dramatic evolution in its strategy, according to new findings from cybersecurity firm Bitdefender.
RedCurl, also referred to as Earth Kapre or Red Wolf, has operated quietly since 2018, mainly targeting large enterprises across the U.S., Germany, Spain, and Mexico. Until now, the group focused on corporate espionage—stealing sensitive data without causing obvious disruption. But with the emergence of a new ransomware strain called QWCrypt, that approach appears to be changing.
Espionage Meets Ransomware: RedCurl’s New Hybrid Tactic
Historically, RedCurl favored stealth over chaos. The group used basic but effective tools to gain entry, move laterally, and exfiltrate data from corporate networks—without drawing attention. However, in its latest campaign, RedCurl has begun encrypting systems using QWCrypt ransomware. This move signals a potential pivot toward monetizing attacks or masking deeper infiltration efforts.
QWCrypt is no ordinary ransomware. Instead of encrypting individual user devices, it targets hypervisors—the backbone of virtualized IT environments. By encrypting entire virtual machines, RedCurl can disable large chunks of an organization’s infrastructure with a single hit. Interestingly, gateway systems are spared, allowing the rest of the network to remain reachable—just not functional.
Sophisticated Infection Methods and Precision Targeting
The attack begins with a phishing email disguised as a job application. The attachment is a disk image file (IMG) which, when opened, mounts as a drive and exposes a Windows screensaver file (SCR). That SCR is in fact a renamed, legitimate Adobe executable that is susceptible to DLL sideloading: the program resolves one of its DLLs by name from its own directory first, so a malicious DLL placed next to it is loaded and executed under the identity of a trusted, signed application.
Once launched, the malware loads a custom DLL that stealthily contacts a remote server, fetches additional payloads, and creates a scheduled task to maintain persistence. Victims are typically shown a fake login screen as the real attack unfolds in the background.
The ransomware's selective targeting of infrastructure rather than user endpoints suggests a high degree of planning. Bitdefender notes that by sparing everyday workstations and avoiding a visible, network-wide outage, RedCurl likely aimed to keep the intrusion under the radar for as long as possible, delaying detection and slowing the eventual response.
No Extortion… Yet: What’s RedCurl Really After?
Unlike most ransomware gangs, RedCurl hasn’t made public ransom demands or published stolen data online. There’s no dark web leak site or public threats to shame victims. This behavior stands in stark contrast to financially motivated cybercriminals, who often rely on extortion and visibility to pressure payments.
Instead, RedCurl’s activities hint at an espionage-driven mission. Bitdefender suggests the group may be acting as mercenaries for hire, conducting highly targeted data theft campaigns. In this model, ransomware could serve as a smokescreen, distracting defenders while the real objective—stealing intellectual property or trade secrets—is quietly completed.
Another theory is that ransomware becomes a fallback strategy when clients don’t pay for exfiltrated data. If RedCurl operates on a contract basis and doesn’t receive its fee, encrypting the victim’s systems becomes a last-resort method of compensation.
Operating in the Shadows: Silent But Dangerous
RedCurl’s low-profile tactics point to a desire for secrecy. The absence of public communications doesn’t mean there’s no interaction with victims—it may just happen behind closed doors. Private negotiations, discreet data theft, and selective encryption all support a strategy built on subtlety rather than spectacle.
Bitdefender emphasizes that RedCurl’s long-term objectives remain murky. Despite years of activity, the group’s business model isn’t fully understood. What is clear, however, is that RedCurl continues to evolve—blending espionage, ransomware, and stealth in ways that make it a growing threat to global enterprises.