In a cyber espionage campaign discovered in January 2025, the RedCurl APT group (also known as EarthKapre) has been observed targeting law firms and corporate organizations for corporate espionage. The threat actors employ a multi-stage attack chain that leverages [legitimate tools](https://cybersecuritynews.com/pure-malware-tools/) for reconnaissance and data exfiltration, which makes their activity difficult to distinguish from administrative work using conventional security controls.

The campaign was identified when the attackers used a legitimately signed Adobe executable (ADNotificationManager.exe) to sideload their malicious loader. Because the signed Adobe binary is the process that launches, this technique lets their [malware](https://cybersecuritynews.com/flexibleferret-malware-attacking-macos-users/) execute on target systems under the cover of a trusted executable.

The initial access vector was an Indeed-themed phishing PDF containing links to a zip archive that holds a mountable ISO file.

[Figure: Indeed-themed phishing PDF (Source: eSentire)]

Analysts at eSentire's Threat Response Unit (TRU) [identified](https://www.esentire.com/blog/unraveling-the-many-stages-and-techniques-used-by-redcurl-earthkapre-apt) that upon opening the mounted ISO, victims see only a single SCR file disguised as a CV, which, when executed, initiates the attack chain. "The victim sees a single file, 'CV Applicant *.scr' which is the legitimate signed Adobe executable 'ADNotificationManager.exe'. After the victim opens the file, the EarthKapre loader (netutils.dll) is side loaded," the report states.

The multi-stage attack also uses string encryption in which bcrypt.dll APIs compute SHA256 hashes that are then used to derive the AES keys for decrypting the loader's strings.
[Figure: Attack chain (Source: eSentire)]

Each stage communicates with command-and-control servers hosted on [Cloudflare](https://cybersecuritynews.com/cloudflare-under-attack-mode-basic-guide/) Workers infrastructure to retrieve the next payload and to exfiltrate stolen data, so the C2 traffic blends in with ordinary HTTPS to a widely used CDN.

**Reconnaissance and Exfiltration Techniques**
----------------------------------------------

For reconnaissance and data collection, RedCurl drops a batch file under `%APPDATA%\Acquisition\` that runs a series of system commands to gather information about user accounts, installed software, system configuration, and network resources.

Particularly notable is the use of the Sysinternals Active Directory Explorer, renamed to ad.exe, to snapshot the domain, as seen in the command:

```
temp7237\ad.exe -accepteula -snapshot "" temp7237\dmn.dat
```

The empty connection string tells AD Explorer to snapshot the domain the host is joined to, and `-accepteula` suppresses the licence prompt that would otherwise block an unattended run.

The attackers also rely on 7-Zip, which they locate on disk by checking each executable's version-info InternalName for `7za` rather than trusting the file name. The captured command runs it with the `x` (extract) command, a password supplied through `$env:ppass2` and an output directory from `$env:tdir`; the same tool is used to archive and password-protect the collected data before upload:

```
powershell -c "gci …exe | foreach {if(($_.VersionInfo).InternalName -eq '7za') {$syspack = $_.Fullname}};$a1='x';$a2='-aoa';$a3='-p'+$env:ppass2;$a4=$env:util;$a5='-o'+$env:tdir;&$syspack $a1 $a2 $a3 $a4 $a5;"
```

Final exfiltration occurs via PowerShell PUT requests to the cloud storage provider Tab Digital, completing a chain that begins with phishing and ends with the theft of potentially sensitive corporate data.

The post [RedCurl APT leveraging Active Directory Explorer & 7-Zip To Archive Exfiltrated Data](https://cybersecuritynews.com/redcurl-apt-leveraging-active-directory-explorer/) appeared first on [Cyber Security News](https://cybersecuritynews.com).
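The chain above gives a SOC several host-side signals that do not depend on file hashes: a renamed signed binary presented as a screensaver, a system DLL name (netutils.dll) loaded from the application's own directory, AD Explorer's command-line switches regardless of what the binary is called, and PowerShell locating 7-Zip by its version-info InternalName. The following is an added example, not code from eSentire's report or from the original article. It runs those heuristics over constructed, in-memory event records whose fields (image path, command line, OriginalFileName, loaded DLL path) are loosely modelled on Sysmon process-creation and image-load events; the drive letters, paths and sample command lines are invented, and treating C: as the only system drive is a simplification.

```python
"""Detection heuristics for the RedCurl/EarthKapre chain described above.

Added example, not code from the eSentire report or from Cyber Security News.
Event fields are loosely modelled on Sysmon process-creation (event 1) and
image-load (event 7) records; all sample data is constructed for illustration.
"""
import ntpath
import re
from dataclasses import dataclass

# Directories from which the genuine Windows netutils.dll is loaded (lower-case).
SYSTEM_DLL_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")


@dataclass
class Event:
    kind: str                    # "process" (creation) or "imageload" (DLL load)
    image: str                   # full path of the process image
    cmdline: str = ""            # process command line
    original_filename: str = ""  # OriginalFileName from the PE version resource
    loaded: str = ""             # path of the DLL being loaded (imageload only)


def detect(ev: Event) -> list[str]:
    """Return the names of every heuristic the event trips (empty if none)."""
    hits: list[str] = []
    img = ev.image.lower()
    cmd = ev.cmdline.lower()
    orig = ev.original_filename.lower()

    if ev.kind == "process":
        # 1. A .scr whose PE version resource says it is really an .exe: the
        #    "CV Applicant" lure is the signed ADNotificationManager.exe renamed.
        if img.endswith(".scr") and orig.endswith(".exe"):
            hits.append("renamed-exe-as-scr")
        # 2. A .scr started from a volume other than the system drive; a mounted
        #    ISO gets its own drive letter. (Assumption: the system drive is C:.)
        if img.endswith(".scr") and not img.startswith("c:\\"):
            hits.append("scr-from-non-system-volume")
        # 3. AD Explorer's switches on the command line, independent of the
        #    binary name (the report shows it renamed to ad.exe).
        if re.search(r"-accepteula\b.*-snapshot\b", cmd):
            hits.append("adexplorer-snapshot")
        # 4. PowerShell hunting for 7-Zip by version-info InternalName rather
        #    than by file name, as in the captured command.
        if "versioninfo" in cmd and "internalname" in cmd and "7za" in cmd:
            hits.append("7za-located-by-internalname")
    elif ev.kind == "imageload":
        # 5. netutils.dll is a Windows system DLL. A copy loaded from outside the
        #    system DLL directories is a sideload; loading it from the process's
        #    own directory is exactly the pattern the report describes.
        dll = ev.loaded.lower()
        if ntpath.basename(dll) == "netutils.dll" and not dll.startswith(SYSTEM_DLL_DIRS):
            tag = "netutils-sideload"
            if ntpath.dirname(dll) == ntpath.dirname(img):
                tag += "-from-app-dir"
            hits.append(tag)
    return hits


def scan(events: list[Event]) -> dict[int, list[str]]:
    """Map the index of each flagged event to the heuristics it tripped."""
    return {i: h for i, ev in enumerate(events) if (h := detect(ev))}


# Constructed sample telemetry (illustrative, not captured data).
SAMPLE_EVENTS = [
    Event("process", r"C:\Windows\explorer.exe", cmdline="explorer.exe",
          original_filename="EXPLORER.EXE"),
    Event("process", r"E:\CV Applicant - J. Doe.scr",
          cmdline=r'"E:\CV Applicant - J. Doe.scr"',
          original_filename="ADNotificationManager.exe"),
    Event("imageload", r"E:\CV Applicant - J. Doe.scr", loaded=r"E:\netutils.dll"),
    Event("imageload", r"C:\Program Files\Adobe\ADNotificationManager.exe",
          loaded=r"C:\Windows\System32\netutils.dll"),   # benign: genuine system DLL
    Event("process", r"C:\Users\jdoe\AppData\Roaming\Acquisition\temp7237\ad.exe",
          cmdline=r'temp7237\ad.exe -accepteula -snapshot "" temp7237\dmn.dat',
          original_filename="ADExplorer.exe"),
    Event("process", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          cmdline="powershell -c \"gci *.exe | foreach {if(($_.VersionInfo).InternalName -eq '7za') {$syspack = $_.Fullname}}\"",
          original_filename="PowerShell.EXE"),
]

if __name__ == "__main__":
    for i, hits in scan(SAMPLE_EVENTS).items():
        print(i, SAMPLE_EVENTS[i].image, hits)
```

Heuristics 3 and 4 key on command-line content precisely because the report shows the tooling renamed (ad.exe) or located at runtime by metadata rather than by path, so file-name and hash matching would miss them; heuristic 5 is the generic form of the sideload and will also catch the same DLL name abused beside any other signed host binary.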
Related tags: NAICS 54 (Professional, Scientific, and Technical Services); NAICS 334 (Computer and Electronic Product Manufacturing); NAICS 541 (Professional, Scientific, and Technical Services); NAICS 52 (Finance and Insurance); NAICS 518 (Computing Infrastructure Providers, Data Processing, Web Hosting, and Related Services); NAICS 33 (Manufacturing: Metal, Electronics and Other); NAICS 523 (Securities, Commodity Contracts, and Other Financial Investments and Related Activities); NAICS 51 (Information); MITRE ATT&CK TA0010 (Exfiltration).