Tuesday, May 6, 2025
RedCurl Unleashes New Ransomware Targeting Hyper-V Servers Exclusively

Cybersecurity researchers at Bitdefender have uncovered a significant evolution in the tactics of the RedCurl threat group, marking their first foray into ransomware deployment.

This new strain, dubbed QWCrypt, specifically targets Hyper-V servers, showcasing a sophisticated and highly targeted approach to cyberattacks.

Novel Ransomware Strain Emerges

The QWCrypt ransomware, previously undocumented, represents a departure from RedCurl’s historical focus on corporate espionage and data exfiltration.

This UPX-packed Go executable employs a unique strategy, encrypting virtual machines hosted on hypervisors while deliberately excluding specific VMs that act as network gateways.

The ransomware’s configuration includes a hardcoded personal ID, likely corresponding to a unique RSA key pair, with the public key embedded within the malware.

According to the report, this setup implies that the attackers hold the matching private key and can therefore offer decryption.

Sophisticated Deployment and Evasion Techniques

RedCurl’s attack vector remains consistent with their previous campaigns, utilizing social engineering and spear-phishing emails containing IMG files disguised as CV documents.

The group leverages DLL sideloading vulnerabilities in legitimate Adobe executables to initiate the infection chain.

[Figure: DLL sideloading and order execution hijacking]

The ransomware deployment process involves a series of batch scripts tailored to the victim’s environment.

These scripts disable Windows Defender and other security solutions, demonstrating the attackers’ deep understanding of the target infrastructure.

The malware also employs Living Off The Land (LOTL) techniques, abusing legitimate system tools like pcalua.exe and rundll32.exe to evade detection.

This shift in RedCurl’s tactics raises critical questions about their motivations and operational objectives.

The highly targeted nature of the ransomware attack, focusing exclusively on Hyper-V servers while maintaining network gateway functionality, suggests a deliberate effort to confine the attack’s impact to IT departments.

Bitdefender recommends implementing a multilayered security approach, including network segmentation and enhanced endpoint protection.

Organizations should prioritize detection and response capabilities, focusing on behavioral analysis and anomaly detection to identify suspicious activities.

Additionally, implementing strict application control and hardening scripting environments can help mitigate LOTL attacks.
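The LOTL abuse of pcalua.exe and rundll32.exe and the Defender-disabling batch scripts described above are exactly the behaviours the detection-and-response recommendation is pointing at. As an added example that is not part of this article or of Bitdefender's report, the Python below runs three behavioural rules over a handful of constructed process-creation events (parent image, image and command line, the fields Sysmon Event ID 1 or Security event 4688 provide): pcalua.exe started by a script host, rundll32.exe loading a DLL from a user-writable path, and Set-MpPreference used to switch off a Defender feature. Every sample event, file path and trusted-prefix list here is a constructed assumption, not an indicator from the report.

```python
"""Behavioural rules over process-creation events (added example, constructed data)."""
import re
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional


@dataclass(frozen=True)
class ProcessEvent:
    """Minimal process-creation record: the fields Sysmon EID 1 / Security 4688 provide."""
    parent_image: str
    image: str
    command_line: str


@dataclass(frozen=True)
class Alert:
    event_index: int
    rule: str
    detail: str


# Script hosts from which pcalua.exe is not expected to be launched (assumption).
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# DLL locations treated as trusted; anything else with a drive letter is user-writable (assumption).
TRUSTED_DLL_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Set-MpPreference followed by any -Disable* switch (e.g. -DisableRealtimeMonitoring).
DEFENDER_TAMPER = re.compile(r"set-mppreference\b.*-disable\w*", re.IGNORECASE)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_rundll32_target(command_line: str) -> Optional[str]:
    """Return the DLL path rundll32 was asked to load (quoted or bare), or None."""
    m = re.search(r'rundll32(?:\.exe)?\s+(?:"([^"]+)"|([^,\s]+))', command_line, re.IGNORECASE)
    if not m:
        return None
    return m.group(1) or m.group(2)


def is_user_writable(path: str) -> bool:
    p = path.lower()
    return ":\\" in p and not p.startswith(TRUSTED_DLL_PREFIXES)


def rule_pcalua_scripted_parent(ev: ProcessEvent) -> Optional[str]:
    """Program Compatibility Assistant launched by a script host rather than the shell/PCA service."""
    if basename(ev.image) == "pcalua.exe" and basename(ev.parent_image) in SCRIPT_HOSTS:
        return f"pcalua.exe launched by {basename(ev.parent_image)}: {ev.command_line}"
    return None


def rule_rundll32_untrusted_dll(ev: ProcessEvent) -> Optional[str]:
    """rundll32.exe loading a DLL from outside Windows / Program Files."""
    if basename(ev.image) != "rundll32.exe":
        return None
    target = parse_rundll32_target(ev.command_line)
    if target and is_user_writable(target):
        return f"rundll32.exe loading DLL from user-writable path: {target}"
    return None


def rule_defender_tamper(ev: ProcessEvent) -> Optional[str]:
    """Defender preferences being disabled from a command line."""
    if DEFENDER_TAMPER.search(ev.command_line):
        return "Defender feature disabled via Set-MpPreference: " + ev.command_line
    return None


RULES: List[Callable[[ProcessEvent], Optional[str]]] = [
    rule_pcalua_scripted_parent,
    rule_rundll32_untrusted_dll,
    rule_defender_tamper,
]


def detect(events: Iterable[ProcessEvent]) -> List[Alert]:
    """Run every rule over every event; one Alert per (event, rule) hit, in event order."""
    alerts: List[Alert] = []
    for idx, ev in enumerate(events):
        for rule in RULES:
            detail = rule(ev)
            if detail:
                alerts.append(Alert(idx, rule.__name__, detail))
    return alerts


# Constructed sample events; paths and names are invented for the example.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Program Files\Adobe\Reader\AcroRd32.exe", "AcroRd32.exe"),
    ProcessEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\pcalua.exe",
                 r"pcalua.exe -a C:\Users\Public\update.exe"),
    ProcessEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\rundll32.exe",
                 r"rundll32.exe C:\Users\Public\helper.dll,Start"),
    ProcessEvent(r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\rundll32.exe",
                 r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"),
    ProcessEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 'powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"'),
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"event {a.event_index}: {a.rule}: {a.detail}")
```

The benign rundll32 launch of shell32.dll from System32 is deliberately included so the path rule stays quiet on normal Windows activity; the parent-process check on pcalua.exe matters because the binary is also started legitimately, so the anomaly is the parent, not the image.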

As the threat landscape continues to evolve, this new ransomware strain serves as a stark reminder of the need for constant vigilance and adaptive cybersecurity strategies in the face of increasingly sophisticated threat actors.

Aman Mishra
Aman Mishra is a Security and Privacy Reporter covering data breaches, cyber crime, malware, and vulnerabilities.