RedCurl
[RedCurl](https://attack.mitre.org/groups/G1039) is a threat actor active since 2018 notable for corporate espionage targeting a variety of locations, including Ukraine, Canada and the United Kingdom, and a variety of industries, including but not limited to travel agencies, insurance companies, and banks.(Citation: group-ib_redcurl1) [RedCurl](https://attack.mitre.org/groups/G1039) is allegedly a Russian-speaking threat actor.(Citation: group-ib_redcurl1)(Citation: group-ib_redcurl2) The group’s operations typically start with spearphishing emails to gain initial access, then the group executes discovery and collection commands and scripts to find corporate data. The group concludes operations by exfiltrating files to the C2 servers.
Techniques Used (41)
| ID | ATT&CK | Tactics |
|---|---|---|
| T1003.001 | LSASS Memory | Credential Access |
| T1005 | Data from Local System | Collection |
| T1020 | Automated Exfiltration | Exfiltration |
| T1027 | Obfuscated Files or Information | Defense Evasion |
| T1036.005 | Match Legitimate Resource Name or Location | Defense Evasion |
| T1039 | Data from Network Shared Drive | Collection |
| T1046 | Network Service Discovery | Discovery |
| T1053.005 | Scheduled Task | Execution, Persistence, Privilege Escalation |
| T1056.002 | GUI Input Capture | Collection, Credential Access |
| T1059.001 | PowerShell | Execution |
| T1059.003 | Windows Command Shell | Execution |
| T1059.005 | Visual Basic | Execution |
| T1059.006 | Python | Execution |
| T1070.004 | File Deletion | Defense Evasion |
| T1071.001 | Web Protocols | Command and Control |
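An added example, not part of the MITRE entry or of this platform's page, showing how a detection engineer would turn the technique list above into a coverage check against host telemetry. The event records and field names are simplified stand-ins for Windows Security (4688, 4698) and Sysmon (1, 3, 10) events, the sample events are constructed, and the rules are generic indicators of each technique rather than RedCurl-specific signatures; only the techniques in the table that host logs can observe directly are covered.

```python
"""Map constructed Windows telemetry onto the ATT&CK techniques listed for G1039.

Added example, not code from MITRE or from the page's platform. Events are
constructed stand-ins for Windows Security / Sysmon records; the rules are
generic technique indicators, not RedCurl-specific signatures.
"""
import re
from dataclasses import dataclass

# Subset of the technique table on this page (ID -> name) that host logs can see.
REDCURL_TECHNIQUES = {
    "T1003.001": "LSASS Memory",
    "T1046": "Network Service Discovery",
    "T1053.005": "Scheduled Task",
    "T1059.001": "PowerShell",
    "T1059.003": "Windows Command Shell",
    "T1059.005": "Visual Basic",
    "T1059.006": "Python",
    "T1070.004": "File Deletion",
    "T1071.001": "Web Protocols",
}

PROCESS_VM_READ = 0x0010  # access right needed to read LSASS memory
BROWSERS = ("chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe")


@dataclass
class Event:
    source: str     # "security" (Windows event log) or "sysmon"
    event_id: int   # 4688 / 4698, or Sysmon 1 / 3 / 10
    fields: dict


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def techniques_for(ev: Event) -> set:
    """Return the ATT&CK technique IDs a single event is an indicator of."""
    hits = set()
    f = ev.fields
    if (ev.source, ev.event_id) in (("security", 4688), ("sysmon", 1)):
        image = _basename(f.get("Image", f.get("NewProcessName", "")))
        cmd = f.get("CommandLine", "").lower()
        if image in ("powershell.exe", "pwsh.exe"):
            hits.add("T1059.001")
        if image == "cmd.exe":
            hits.add("T1059.003")
            # cmd.exe built-in used to remove a file
            if re.search(r"(^|[\s&|])(del|erase)\s", cmd):
                hits.add("T1070.004")
        if image in ("wscript.exe", "cscript.exe") and re.search(r"\.vbs\b", cmd):
            hits.add("T1059.005")
        if image in ("python.exe", "pythonw.exe"):
            hits.add("T1059.006")
        if image == "schtasks.exe" and "/create" in cmd:
            hits.add("T1053.005")
        if image == "nmap.exe" or "test-netconnection" in cmd:
            hits.add("T1046")  # port/service probing launched from the host
    elif (ev.source, ev.event_id) == ("security", 4698):
        hits.add("T1053.005")  # scheduled task created
    elif (ev.source, ev.event_id) == ("sysmon", 10):
        if _basename(f.get("TargetImage", "")) == "lsass.exe":
            granted = int(f.get("GrantedAccess", "0x0"), 16)
            if granted & PROCESS_VM_READ:
                hits.add("T1003.001")
    elif (ev.source, ev.event_id) == ("sysmon", 3):
        image = _basename(f.get("Image", ""))
        if int(f.get("DestinationPort", 0)) in (80, 443) and image not in BROWSERS:
            hits.add("T1071.001")  # non-browser process speaking HTTP(S)
    return hits


def match_profile(events: list) -> dict:
    """Technique ID -> indices of matching events, restricted to the profile."""
    matched = {}
    for i, ev in enumerate(events):
        for tid in techniques_for(ev) & set(REDCURL_TECHNIQUES):
            matched.setdefault(tid, []).append(i)
    return matched


def profile_overlap(matched: dict) -> float:
    """Fraction of the listed techniques seen at least once."""
    return len(matched) / len(REDCURL_TECHNIQUES)


# Constructed sample telemetry (hypothetical paths, not real RedCurl artifacts).
SAMPLE_EVENTS = [
    Event("security", 4688, {
        "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgA"}),
    Event("sysmon", 1, {
        "Image": r"C:\Windows\System32\schtasks.exe",
        "CommandLine": r'schtasks.exe /create /sc minute /mo 30 /tn "Updater" /tr C:\Users\Public\upd.exe'}),
    Event("sysmon", 10, {
        "SourceImage": r"C:\Users\Public\upd.exe",
        "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"}),
    Event("sysmon", 1, {
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"cmd.exe /c del /f /q C:\Users\Public\stage.dat"}),
    Event("sysmon", 3, {
        "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
        "DestinationPort": "443"}),
    Event("sysmon", 3, {"Image": r"C:\Users\Public\upd.exe", "DestinationPort": "443"}),
]

if __name__ == "__main__":
    found = match_profile(SAMPLE_EVENTS)
    for tid, idx in sorted(found.items()):
        print(f"{tid} {REDCURL_TECHNIQUES[tid]:<26} events {idx}")
    print(f"overlap with G1039 profile: {profile_overlap(found):.0%}")
```

The overlap score is a coverage hint, not attribution: many of these techniques are shared across groups, and the rules are deliberately broad, so a match means the telemetry can observe that technique, not that RedCurl is present. The techniques the table lists that host logs do not see directly (for example T1056.002 GUI Input Capture or T1020 Automated Exfiltration) need other sources and are left out here.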
Metadata
| Field | Value |
|---|---|
| ID | 909 |
| Created | 13/01/2026 17:48 |
| Updated | 06/03/2026 16:00 |