Bitdefender researchers have released the first documented analysis of a ransomware campaign tied to the RedCurl group, a threat actor previously known for cyberespionage activities. The ransomware, dubbed “QWCrypt” due to the presence of ‘qwc’ in its executable file, is a previously unseen strain that differs from known ransomware families in its design and deployment tactics.
RedCurl, also known as Earth Kapre or Red Wolf, has typically operated under the radar since 2018, focusing on data theft through highly targeted operations. Their pivot to ransomware represents a significant development in the group’s modus operandi. Bitdefender’s investigation raises more questions than answers about the group’s underlying motivations, suggesting that RedCurl may be shifting from espionage to financial extortion or blending both approaches.
While earlier assessments labelled RedCurl as a cyberespionage group, Bitdefender’s findings suggest the evidence supporting this classification is inconclusive. The group’s operations have involved a wide geographical range of victims, including the US, Germany, Spain, and Mexico, as well as reports of targets in Russia. This diversity is unusual for state-sponsored actors, and there has been no prior indication of the group attempting to sell or ransom exfiltrated data, making their latest move even more curious.
Speculation over RedCurl’s operational model
Two hypotheses have emerged regarding RedCurl’s current strategy. One possibility is that the group functions as a cyber mercenary-for-hire, executing operations on behalf of clients. In this model, ransomware may be used as a smokescreen to obscure more focused data theft missions. If clients fail to pay for the stolen data, ransomware becomes a fallback option to monetise access.
An alternative theory is that RedCurl aims to keep a low profile by negotiating directly with victims, avoiding public ransom notes or leak sites. Bitdefender points to the group’s use of hypervisor encryption—rather than targeting endpoints—as evidence of this discreet strategy. The choice to leave network gateways untouched while crippling virtual machines suggests a desire to limit disruption to IT teams only, reducing the chance of alerting law enforcement or attracting attention.
This theory aligns with findings from Bitdefender’s recent Cybersecurity Assessment Reports. In 2023, 42% of respondents admitted facing pressure to hide security breaches—a figure that has increased in 2024, underscoring the appeal of quiet extortion tactics for ransomware actors.
Technical overview of QWCrypt ransomware campaign
RedCurl’s attack method begins with phishing emails containing IMG files disguised as CV documents. When opened, Windows mounts these files as virtual drives, revealing a screensaver file titled “CV APPLICANT 7802-91542.SCR.” This file is actually a renamed Adobe executable vulnerable to DLL sideloading, allowing a malicious library to be loaded when executed.
The malicious DLL launches a browser window showing a real Indeed login page—an attempt to distract the user—while also acting as a downloader to fetch additional payloads. The final payload is saved to the user’s application data folder and is executed using scheduled tasks and a series of native Windows tools in a technique known as Living-off-the-Land (LOTL). This approach leverages legitimate utilities like pcalua.exe, rundll32.exe, and shell32.dll to conceal the attack.
After establishing access, RedCurl employs tools such as PowerShell, WMI, and a modified version of wmiexec to move laterally across the network. These tools are commonly used in penetration testing, but RedCurl modifies them to evade detection by bypassing traditional monitoring systems. In some cases, the group also uses “Chisel”, a tunnelling tool suspected to facilitate remote desktop access.
Unlike traditional ransomware groups that target all endpoints, RedCurl focused exclusively on hypervisors. Their scripts included detailed information about the environment and avoided encrypting virtual machines responsible for maintaining network connectivity. This method allowed RedCurl to cause maximum disruption with minimal visibility.
Detailed script execution and file encryption
The ransomware was delivered via an encrypted 7-Zip archive, unpacked using a password-protected extraction command. Scripts first disabled endpoint protection tools, including Windows Defender and other well-known antivirus programs. The batch files also referenced Term.exe, a known method to exploit vulnerable drivers to disable security defences.
Once defences were down, a second script executed the main encryption routine. The ransomware executable, rbcw.exe, was run twice on the host and twice on Hyper-V virtual machines, ensuring coverage and reliability. A unique key passed during execution enabled encryption and unlocked the ransomware’s configuration file, which contained the ransom note.
Interestingly, the ransom note itself appeared to be a composite of messages from other ransomware groups, including LockBit and HardBit, raising questions about whether RedCurl is adopting copycat tactics or using these elements to confuse attribution. There is currently no known leak site linked to the group.
Files are encrypted with the ChaCha20 or AES algorithm, and the ransomware is capable of selective encryption, allowing the attackers to balance speed and impact. Certain files and directories—such as those linked to security software and operating system files—were deliberately excluded to maintain system stability and delay detection.
Ongoing risks and recommendations
Bitdefender stresses that RedCurl’s move into ransomware is a calculated and refined progression in their approach. Their operations are technically advanced, highly targeted, and potentially aligned with discreet extortion tactics rather than mass disruption.
To protect against similar threats, Bitdefender recommends organisations adopt a multilayered security strategy, monitor for LOTL abuse, and implement strict control over scripting environments and admin privileges. Backups should be immutable and isolated, with recovery processes regularly tested.
The full technical breakdown, including Indicators of Compromise (IoCs), is available on Bitdefender’s website. Researchers are encouraged to further examine this evolving threat actor.
