A new ransomware strain has been discovered targeting virtualized environments, specifically Microsoft Hyper-V servers. Bitdefender researchers identified the previously undocumented ransomware, named QWCrypt after a 'qwc' self-reference within the executable, and attribute it to the RedCurl threat actor group, also known as Earth Kapre or Red Wolf. The group has been active since 2018 but has historically maintained a low profile, relying on Living-off-the-Land techniques for corporate espionage and data exfiltration operations; the move to ransomware represents a significant tactical shift.

Unlike traditional ransomware that encrypts every endpoint, QWCrypt specifically targets hypervisors, effectively disabling entire virtualized infrastructures while deliberately preserving network gateways. The analysis reveals an operation with a deep understanding of virtualized environments and careful targeting, setting it apart from conventional ransomware campaigns.

Initial access is gained through phishing emails containing IMG files disguised as CV documents. When victims open these attachments, Windows automatically mounts the IMG file as a virtual drive, displaying a file named "CV APPLICANT 7802-91542.SCR" that appears legitimate. The SCR file is actually a renamed executable; when the victim clicks on it, it loads a malicious netutils.dll that initiates the attack chain while distracting the victim by opening a legitimate Indeed login page in their browser. The malware establishes persistence through a scheduled task named "\BrowserSpec\BrowserSpec_" that executes the payload indirectly through a chain of legitimate Windows utilities, a classic Living-off-the-Land technique.

After gaining initial access and establishing persistence, the attackers deploy the ransomware through custom-crafted batch files tailored to the victim's environment. The command in these batch files instructs the malware to encrypt Hyper-V virtual machines while specifically excluding network gateways, demonstrating the attackers' familiarity with the target infrastructure. The result is that victims keep network connectivity but cannot access their virtualized infrastructure, which facilitates discreet ransom negotiations. This targeted approach marks a significant evolution in ransomware tactics: by focusing exclusively on hypervisors rather than encrypting every endpoint, the malware causes maximum damage with minimum effort.
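Defenders hunting for this persistence mechanism will want to look at scheduled task definitions for tasks that reach their payload through intermediary Windows utilities rather than running it directly. The following Python script is an added example, not code from the article or from Bitdefender: it parses Task Scheduler XML definitions (the format produced by `schtasks /query /xml` and used by the files under C:\Windows\System32\Tasks) and flags tasks that launch a proxy binary, chain several of them, sit outside the \Microsoft\ task folder, or match the task path named above. The proxy-binary watch-list, the two constructed sample tasks and the payload path C:\ProgramData\BrowserSpec\netutils.dll are assumptions for illustration; the article does not name the utilities used in the QWCrypt chain.

```python
"""Triage Task Scheduler XML definitions for LOLBin-style persistence.

Added example (not from the article or the Bitdefender analysis). Parses
task definitions in the XML format used by `schtasks /query /xml` and by the
files under C:\\Windows\\System32\\Tasks, and flags tasks whose action runs
the payload through one or more signed Windows utilities.
"""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from pathlib import Path, PureWindowsPath
from typing import List, Optional

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Task path reported for QWCrypt persistence (from the article).
KNOWN_BAD_TASK_PATHS = {"\\BrowserSpec\\BrowserSpec_"}

# Signed Windows binaries commonly used to launch another program on an
# attacker's behalf. Assumed watch-list for this example; the article does not
# name the utilities in the QWCrypt chain, so extend this to taste.
PROXY_BINARIES = {
    "cmd.exe", "conhost.exe", "pcalua.exe", "rundll32.exe", "regsvr32.exe",
    "mshta.exe", "wscript.exe", "cscript.exe", "forfiles.exe", "explorer.exe",
}


@dataclass
class Finding:
    task_path: str
    command: str
    arguments: str
    reasons: List[str] = field(default_factory=list)


def _basename(command: str) -> str:
    """File name of the task's Command element, lower-cased, quotes removed."""
    return PureWindowsPath(command.strip().strip('"')).name.lower()


def _binaries_in(text: str) -> List[str]:
    """Lower-cased file names of every *.exe / *.dll mentioned in text."""
    return [m.lower() for m in re.findall(r"[\w.%-]+\.(?:exe|dll)\b", text, re.I)]


def analyze_task(xml_data) -> Optional[Finding]:
    """Return a Finding for a suspicious task definition, else None.

    xml_data may be str or bytes; the on-disk task files are UTF-16 with a
    BOM, which ElementTree decodes correctly when handed the raw bytes.
    """
    root = ET.fromstring(xml_data)
    uri = root.findtext("t:RegistrationInfo/t:URI", default="", namespaces=NS).strip()
    exec_el = root.find("t:Actions/t:Exec", NS)  # first Exec action only
    if exec_el is None:
        return None
    command = exec_el.findtext("t:Command", default="", namespaces=NS).strip()
    arguments = exec_el.findtext("t:Arguments", default="", namespaces=NS).strip()

    finding = Finding(uri or "<no URI>", command, arguments)
    launcher = _basename(command)
    if uri in KNOWN_BAD_TASK_PATHS:
        finding.reasons.append(f"task path {uri} matches QWCrypt persistence IOC")
    if launcher in PROXY_BINARIES:
        finding.reasons.append(f"action launches proxy binary {launcher}")
        mentioned = _binaries_in(arguments)
        chain = [b for b in mentioned if b in PROXY_BINARIES]
        payload = [b for b in mentioned if b not in PROXY_BINARIES]
        if chain:  # one utility handing off to another, as the article describes
            finding.reasons.append("proxy chain: " + " -> ".join([launcher] + chain))
        if payload:
            finding.reasons.append(f"payload {payload[-1]} reached only through proxies")
        if not uri.lower().startswith("\\microsoft\\"):
            finding.reasons.append("registered outside the \\Microsoft\\ task folder")
    return finding if finding.reasons else None


def scan_task_files(directory) -> List[Finding]:
    """Run analyze_task over every file in a copied Tasks directory tree."""
    findings = []
    for path in Path(directory).rglob("*"):
        if not path.is_file():
            continue
        try:
            result = analyze_task(path.read_bytes())
        except ET.ParseError:
            continue  # not a task definition
        if result:
            findings.append(result)
    return findings


# Constructed sample modelled on the article: the task path is the reported
# IOC; the cmd.exe -> rundll32.exe -> netutils.dll chain is assumed.
SUSPICIOUS_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\BrowserSpec\BrowserSpec_</URI></RegistrationInfo>
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Windows\System32\cmd.exe</Command>
      <Arguments>/d /c start /b rundll32.exe C:\ProgramData\BrowserSpec\netutils.dll,#1</Arguments>
    </Exec>
  </Actions>
</Task>"""

# Constructed benign sample: a built-in maintenance task that runs its binary directly.
BENIGN_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\Microsoft\Windows\Defrag\ScheduledDefrag</URI></RegistrationInfo>
  <Actions Context="Author">
    <Exec>
      <Command>%windir%\system32\defrag.exe</Command>
      <Arguments>-c -h -o -$</Arguments>
    </Exec>
  </Actions>
</Task>"""


if __name__ == "__main__":
    for sample in (SUSPICIOUS_TASK, BENIGN_TASK):
        result = analyze_task(sample)
        print(result.task_path if result else "clean", "->", result.reasons if result else [])
```

Point `scan_task_files` at a copy of the Tasks directory pulled from a suspect host (or at the mounted image) to triage every registered task at once; the proxy-chain and payload reasons are the ones that separate a "utility runs utility runs DLL" action from the many legitimate tasks that invoke cmd.exe or rundll32.exe directly.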
This Cyber News was published on cybersecuritynews.com. Publication date: Fri, 28 Mar 2025 09:50:14 +0000