Stealth Attack: EarthKapre Leverages Cloud and DLL Sideloading for Data Exfiltration
Summary:
In January 2025, the eSentire Threat Response Unit (TRU) observed a legitimate, signed Adobe executable being used to sideload the EarthKapre/RedCurl loader. RedCurl is a sophisticated APT group known for targeting private-sector organizations, with a focus on corporate data theft and long-term persistence. This attack targeted an organization in the legal services industry. Initial access came through a spam email carrying an Indeed CV/cover-letter-themed PDF. The PDF contains a link to download a ZIP archive, which in turn contains a mountable disk image (.img). When the victim opens the image, Windows mounts it under a new drive letter (e.g. D:) and opens it in File Explorer. The victim sees a single file, “CV Applicant *.scr”, which is in fact the renamed, legitimately signed Adobe executable. When it is run, the signed binary loads the RedCurl loader DLL stored alongside it on the image (DLL sideloading). Several further stages follow initial access. Once the final stage executed, TRU observed EarthKapre running reconnaissance commands and tools such as Sysinternals Active Directory Explorer, using 7-Zip to archive and password-protect the collected data, and exfiltrating the archives to the cloud storage provider “Tab Digital” via HTTP PUT requests issued from PowerShell.
Security Officer Comments:
This attack can be broken down into three stages: downloader setup, payload execution, and reconnaissance and exfiltration. eSentire researchers reverse engineered the decryption process and reproduced it in a Python script, showing how the payload is extracted and written to disk. Once inside the target’s environment, RedCurl/EarthKapre shifts its focus to data collection and exfiltration: user account details, system information, disk space and installed antivirus products, and Active Directory snapshots, all of which are bundled into password-protected 7-Zip archives before being sent out. A notable aspect of this campaign is its reliance on Cloudflare Workers to host C2 infrastructure, trading the free tier’s cap on requests per day for the anonymity the platform provides.
The group's multi-stage approach, with layered encryption and staged payload delivery, underscores how difficult it is for organizations to defend against. Its persistence mechanism, a scheduled task named "BrowserOSR-" followed by the Base64-encoded computer name, is a deliberate attempt to blend in with legitimate task names while maintaining persistence, consistent with the group's previously observed tradecraft. The campaign emphasizes the need for a multi-layered security approach that moves beyond signature-based detection to behavioral analysis, network monitoring, and proactive threat intelligence in order to defend against sophisticated, evasion-focused campaigns.
Suggested Corrections:
IOCs are available in the eSentire report linked below.
Behavioral Monitoring: Behavioral monitoring can surface anomalous use of LOLBins such as pcalua.exe (the Program Compatibility Assistant, a known proxy-execution LOLBin), unusual scheduled task creation, and suspicious communication patterns, even when the destination is a legitimate service such as Cloudflare Workers or Tab Digital.
Network Traffic Analysis: Deep packet inspection is needed to pick out subtle indicators of malicious activity inside seemingly legitimate traffic flows. Watch in particular for HTTP PUT requests originating from PowerShell and for traffic to uncommon cloud services; in this campaign a cloud storage provider carried the exfiltrated archives and Cloudflare Workers carried the C2.
Endpoint Security: Robust endpoint detection and response (EDR) is essential to detect and respond to malicious activity on endpoints, including LOLBin execution, DLL sideloading from newly mounted disk images, and bulk data collection.
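To make the detection guidance above concrete, the following is an added hunting example written for this page; it is not code from the eSentire report or from the original article. It runs four rules over telemetry already normalised into one dict per event (Sysmon event 1 and 7, Security event 4698, and web proxy records). The field names, the host WKS-LEGAL01, the upload allowlist and every sample event are constructed; the page does not state which text encoding the task name's Base64 uses, so both UTF-8 and UTF-16LE are tried, and the User-Agent check assumes PowerShell's default agent string was left in place.

```python
"""Hunting rules for the behaviours described above, run over Windows telemetry
(Sysmon, Security log, web proxy) normalised into one dict per event.
Field names, hostname and sample events are constructed for this example."""
import base64
import re
from pathlib import PureWindowsPath

# Assumption: corporate services to which PowerShell uploads are expected.
ALLOWED_UPLOAD_HOSTS = {"sharepoint.example.com"}
TASK_RE = re.compile(r"^BrowserOSR-([A-Za-z0-9+/]+=*)$")


def _is_b64_hostname(token: str, hostname: str) -> bool:
    """True if token is Base64 of hostname (UTF-8 or UTF-16LE; encoding is an assumption)."""
    try:
        raw = base64.b64decode(token, validate=True)
    except ValueError:  # binascii.Error subclasses ValueError
        return False
    for enc in ("utf-8", "utf-16-le"):
        try:
            if raw.decode(enc).upper() == hostname.upper():
                return True
        except UnicodeDecodeError:
            continue
    return False


def persistence_task(ev: dict, hostname: str):
    """Security 4698: task named BrowserOSR-<Base64(COMPUTERNAME)>."""
    if ev.get("EventID") != 4698:
        return None
    m = TASK_RE.match(PureWindowsPath(ev.get("TaskName", "")).name)
    if m and _is_b64_hostname(m.group(1), hostname):
        return f"persistence: task {ev['TaskName']} encodes hostname {hostname}"
    return None


def pcalua_proxy_exec(ev: dict, hostname: str):
    """Sysmon 1: pcalua.exe (Program Compatibility Assistant) launching a binary via -a."""
    if ev.get("EventID") != 1:
        return None
    image = PureWindowsPath(ev.get("Image", "")).name.lower()
    cmd = ev.get("CommandLine", "")
    if image == "pcalua.exe" and re.search(r"\s-a\s", cmd, re.IGNORECASE):
        return f"proxy execution: {cmd}"
    return None


def scr_sideload(ev: dict, hostname: str):
    """Sysmon 7: a .scr on a non-system drive (the mounted image) loading an unsigned DLL beside it."""
    if ev.get("EventID") != 7:
        return None
    image = PureWindowsPath(ev.get("Image", ""))
    dll = PureWindowsPath(ev.get("ImageLoaded", ""))
    if (image.suffix.lower() == ".scr" and image.drive.upper() != "C:"
            and dll.parent == image.parent
            and str(ev.get("Signed", "false")).lower() != "true"):
        return f"sideload: {image} loaded unsigned {dll.name}"
    return None


def powershell_put(ev: dict, hostname: str):
    """Proxy log: HTTP PUT with PowerShell's default User-Agent to a non-allowlisted host (UA is attacker-controllable; weak signal)."""
    if ev.get("source") != "proxy" or ev.get("method", "").upper() != "PUT":
        return None
    ua, host = ev.get("user_agent", "").lower(), ev.get("host", "")
    if "powershell" in ua and host not in ALLOWED_UPLOAD_HOSTS:
        return f"exfil: PowerShell PUT of {ev.get('bytes_out', 0)} bytes to {host}"
    return None


RULES = (persistence_task, pcalua_proxy_exec, scr_sideload, powershell_put)


def hunt(events, hostname: str):
    """Apply every rule (shared (event, hostname) signature) to every event; return (rule name, finding) pairs."""
    findings = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev, hostname)
            if hit:
                findings.append((rule.__name__, hit))
    return findings


# Constructed sample telemetry for host WKS-LEGAL01 (Base64 "V0tTLUxFR0FMMDE=").
PS_UA = "Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1"
SAMPLE_EVENTS = [
    {"source": "sysmon", "EventID": 7, "Image": r"D:\CV Applicant.scr",
     "ImageLoaded": r"D:\helper.dll", "Signed": "false"},
    {"source": "sysmon", "EventID": 1, "Image": r"C:\Windows\System32\pcalua.exe",
     "CommandLine": r"pcalua.exe -a C:\Users\Public\stage.exe"},
    {"source": "security", "EventID": 4698, "TaskName": r"\BrowserOSR-V0tTLUxFR0FMMDE="},
    {"source": "security", "EventID": 4698,
     "TaskName": r"\Microsoft\Windows\UpdateOrchestrator\Schedule Scan"},
    {"source": "proxy", "method": "PUT", "host": "cloud.example-storage.net",
     "bytes_out": 7340032, "user_agent": PS_UA},
    {"source": "proxy", "method": "PUT", "host": "sharepoint.example.com",
     "bytes_out": 4096, "user_agent": PS_UA},
]

if __name__ == "__main__":
    for name, finding in hunt(SAMPLE_EVENTS, "WKS-LEGAL01"):
        print(f"[{name}] {finding}")
```

Run as-is it reports four findings for the constructed sample (the sideload, the pcalua.exe launch, the BrowserOSR- task and the PowerShell PUT) and stays silent on the benign task and the allowlisted upload. To use it on real data, feed hunt() events parsed from your own JSON-lines export and pass the actual computer name. The User-Agent rule should be treated as corroborating evidence only, since the agent string is trivially changed; the task-name and sideload rules are the stronger signals.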
Organizations can make APT groups’ lives more difficult. Here’s how:
- Defense-in-depth strategy: A comprehensive defense-in-depth strategy is crucial to combat APTs. This includes implementing multiple layers of security controls, such as strong perimeter defenses, network segmentation, endpoint protection, intrusion detection systems, data encryption, access controls, and continuous monitoring for anomalies.
- Threat intelligence and sharing: Ideally, organizations should actively participate in threat intelligence sharing communities and collaborate with industry peers, government agencies, and security vendors. Sharing information about APTs and their techniques can help detect and mitigate attacks more effectively.
- Employee education and awareness: Regular security awareness programs, phishing simulations, and training sessions can educate employees about the latest threats, social engineering techniques, and safe computing practices.
- Incident response and recovery: Despite preventive measures, organizations should have a well-defined incident response plan. This includes incident detection, containment, eradication, and recovery procedures to minimize the impact of APT attacks and restore normal operations.
https://securityonline.info/stealth-attack-earthkapre-leverages-cloud-and-dll-sideloading-for-data-exfiltration/
https://www.esentire.com/blog/unraveling-the-many-stages-and-techniques-used-by-redcurl-earthkapre-apt