MSP cybersecurity news digest, March 31, 2025

RedCurl hacking group deploys new QWCrypt ransomware in its first extortion campaign

 

The RedCurl hacking group has been linked to a ransomware campaign for the first time, a departure from the corporate espionage it is known for. Researchers observed the group deploying a previously unseen ransomware strain, QWCrypt, marking a significant change in its operations.

RedCurl, also tracked as Earth Kapre and Red Wolf, has been active since at least 2018, primarily targeting organizations in Canada, Germany, Norway, the United Kingdom, the United States and other countries. The attack chain starts with spear-phishing emails carrying HR-themed lures: a malicious PDF leads the victim to an ISO image, and inside it a legitimate, signed Adobe executable is abused to sideload the malicious payload (DLL sideloading, so the first-stage code runs under a trusted, signed process). Once running, the malware establishes persistence, after which RedCurl moves laterally across the network, escalates privileges and now, for the first time, deploys ransomware.

QWCrypt encrypts virtual machines rather than individual endpoints, so a single compromised host takes down every workload it runs and leaves the surrounding infrastructure inoperable. Its ransom note mimics those of well-known ransomware groups such as LockBit and HardBit. Because no dedicated leak site has been linked to the attack, experts remain uncertain whether the ransom demand is genuine or a deception tactic layered over the group's usual espionage objectives.

 

RansomHub’s security evasion tool, EDRKillShifter, exploits vulnerabilities to disable EDR software

 

Researchers have tied attacks attributed to three rival ransomware gangs back to RansomHub by tracking the use of its defense evasion tool, EDRKillShifter. Originally built for RansomHub's ransomware-as-a-service (RaaS) affiliates, EDRKillShifter loads a legitimately signed but vulnerable driver and exploits it to kill endpoint detection and response (EDR) processes that user-mode code could not touch.

The investigation uncovered a threat actor, dubbed QuadSwitcher, who used the tool in intrusions attributed to RansomHub, Play, Medusa and BianLian. By analyzing shared EDRKillShifter samples and command-and-control infrastructure, researchers concluded that a single affiliate was working with all four operations; the overlap is in the operator and tooling, not evidence that the gangs themselves cooperate. The growing use of EDR killers reflects a shift in ransomware tradecraft, as attackers increasingly adopt techniques such as bring your own vulnerable driver (BYOVD) to blind defenses before encryption begins.

While RansomHub is one of the few RaaS operations to supply an EDR killer to affiliates, other gangs, such as Embargo, have developed similar tools. Because loading a driver requires administrative privileges, an EDR killer can only run once the intruder already holds local admin, which makes driver loads a useful choke point: enabling Microsoft's vulnerable driver blocklist and alerting on the load of any driver that is on a known-vulnerable list, unsigned, or loaded from an unusual path helps organizations detect and block EDR bypass attempts.
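The following is an added example, not code from the researchers or from any of the gangs discussed; it shows what "monitoring for vulnerable drivers" can look like in practice. It parses driver-load records written as key=value pairs in the style of Sysmon Event ID 6 (DriverLoad) and flags loads whose SHA256 is on a vulnerable-driver list, that come from outside the normal driver directories, or that are unsigned. The hash blocklist, the directory list and the three sample events are constructed for the example; a real deployment would populate the hash set from Microsoft's recommended driver block rules or the LOLDrivers project and feed it live telemetry.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed blocklist: placeholder SHA256 values, not real driver hashes.
# A production list would come from Microsoft's recommended driver block rules
# or the LOLDrivers project.
VULNERABLE_DRIVER_SHA256 = {
    "aa" * 32,
    "bb" * 32,
}

# Directories from which a properly installed driver is normally loaded
# (assumed baseline; adjust for vendor drivers that live elsewhere).
EXPECTED_DRIVER_DIRS = (
    "c:\\windows\\system32\\drivers\\",
    "c:\\windows\\system32\\driverstore\\",
)


@dataclass
class DriverLoad:
    image: str
    sha256: Optional[str]
    signed: bool
    signature: str
    signature_status: str


# key=value pairs; values may be double-quoted when they contain spaces.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_driver_load(line: str) -> DriverLoad:
    """Parse one Sysmon-style DriverLoad (Event ID 6) record written as key=value pairs."""
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    sha256 = None
    # Hashes is a comma-separated list such as "SHA256=...,IMPHASH=..."
    for item in fields.get("Hashes", "").split(","):
        name, _, value = item.partition("=")
        if name.upper() == "SHA256" and value:
            sha256 = value.lower()
    return DriverLoad(
        image=fields.get("ImageLoaded", ""),
        sha256=sha256,
        signed=fields.get("Signed", "false").lower() == "true",
        signature=fields.get("Signature", ""),
        signature_status=fields.get("SignatureStatus", ""),
    )


def assess(ev: DriverLoad) -> List[str]:
    """Return the reasons a driver load looks like BYOVD; an empty list means nothing suspicious."""
    findings = []
    if ev.sha256 in VULNERABLE_DRIVER_SHA256:
        findings.append("hash is on the vulnerable-driver blocklist")
    if not ev.image.lower().startswith(EXPECTED_DRIVER_DIRS):
        findings.append("loaded from outside the usual driver directories")
    # BYOVD drivers usually carry a valid vendor signature, so a good signature
    # is not exculpatory; a missing or invalid one is still worth flagging.
    if not ev.signed or ev.signature_status.lower() != "valid":
        findings.append("unsigned or signature not valid")
    return findings


def scan(lines) -> List[Tuple[str, List[str]]]:
    """Run every record through assess() and keep only the flagged ones."""
    results = []
    for line in lines:
        ev = parse_driver_load(line)
        hits = assess(ev)
        if hits:
            results.append((ev.image, hits))
    return results


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    'ImageLoaded="C:\\Windows\\System32\\drivers\\tcpip.sys" Hashes=SHA256=' + "cc" * 32
    + ' Signed=true Signature="Microsoft Windows" SignatureStatus=Valid',
    'ImageLoaded="C:\\Users\\Public\\update.sys" Hashes=SHA256=' + "aa" * 32
    + ' Signed=true Signature="Example Hardware Vendor" SignatureStatus=Valid',
    'ImageLoaded="C:\\Windows\\Temp\\svc.sys" Hashes=SHA256=' + "dd" * 32
    + ' Signed=false Signature=- SignatureStatus=Unavailable',
]

if __name__ == "__main__":
    for image, hits in scan(SAMPLE_EVENTS):
        print(image)
        for h in hits:
            print("   -", h)
```

Running the script prints the two flagged loads. The hash match is the high-confidence signal; the path and signature heuristics need tuning per environment, since some vendor drivers legitimately live under Program Files, and a BYOVD driver will normally pass signature checks, which is exactly why it is useful to the attacker.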

 

Chinese threat actor FamousSparrow uses SparrowDoor backdoor to attack Mexican and U.S. organizations

 

The Chinese threat actor FamousSparrow has been linked to cyberattacks targeting a U.S. trade group and a Mexican research institute, deploying its SparrowDoor backdoor and ShadowPad malware.

This is the first time the group has been seen using ShadowPad, a backdoor shared among many Chinese state-aligned actors. Researchers also reported two new versions of SparrowDoor, one of them a modular variant with improved command execution capabilities.

The intrusion began with the exploitation of an outdated Windows Server and Microsoft Exchange Server deployment to plant a web shell, which was then used to install the malware. The modular SparrowDoor variant supports multiple functions, including keystroke logging, file transfer, process manipulation and remote desktop capture, showing that the group continues to develop its tooling.

 

FBI warning: Fake file converters are stealing information and deploying ransomware on personal devices

 

The FBI has issued a warning about fake online document converters being used to steal personal information and, in severe cases, deploy ransomware on victims' devices.

The alert comes from the FBI Denver field office after a rise in reports of such scams. Criminals set up websites that claim to offer free file conversion or merging but deliver malware instead. The tools may even perform the promised conversion, but the file returned can carry hidden malware that gives the attackers remote access to the machine.

Beyond malware, anything uploaded for conversion can be scraped for sensitive data such as names, passwords, cryptocurrency seed phrases and banking details; a document handed to a converter the user does not control should be treated as disclosed to its operator. Researchers have identified and analyzed malicious sites distributing malware under the guise of document converters, some of them promoted through Google ads.

 

Fake Semrush Google Ads designed to steal Google account credentials of SEO professionals

 

A new phishing campaign is targeting SEO professionals with fake Semrush Google Ads designed to steal Google account credentials. Semrush is a widely used SaaS platform that provides tools for SEO, online advertising, content marketing and competitive research, helping businesses optimize their digital presence.

The criminals, believed to be a Brazilian group, are specifically after Google Ads accounts, which they can use to run further malvertising campaigns. They register lookalike domains that reuse the Semrush name under a different top-level domain, host phishing pages mimicking Semrush on them and offer only a "Log in with Google" option, so the victim hands over Google credentials rather than Semrush ones. A compromised Google account then also exposes the business data tied to it in Google Analytics and Google Search Console.
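As an added example (not code from the researchers or from the Semrush campaign), here is a small classifier for the lookalike hosts the paragraph describes. It generalizes beyond the TLD swap this campaign used: given a brand label and its genuine registrable domain, it labels a hostname as legitimate, a TLD swap, the brand embedded in a longer label, a typosquat within two edits, the brand planted in a subdomain, or unrelated. BRAND_LABEL, LEGIT_DOMAINS, the short public-suffix set and the sample hostnames are constructed for the example.

```python
from typing import List, Tuple

# Constructed reference data for the example: the brand label and its genuine
# registrable domain. Both are assumptions for illustration.
BRAND_LABEL = "semrush"
LEGIT_DOMAINS = {"semrush.com"}

# A few multi-label public suffixes so that "co.uk"-style hosts split correctly.
# A real deployment would use the full Public Suffix List.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.br", "com.au", "co.jp"}


def split_host(host: str) -> Tuple[List[str], str, str]:
    """Return (subdomain labels, second-level label, public suffix) for a hostname."""
    labels = host.lower().strip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return labels[:-3], labels[-3], ".".join(labels[-2:])
    if len(labels) < 2:
        return [], host.lower(), ""
    return labels[:-2], labels[-2], labels[-1]


def levenshtein(a: str, b: str) -> int:
    """Edit distance computed with a single-row dynamic programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def classify(host: str) -> str:
    """Label a hostname by how it relates to the protected brand."""
    subs, sld, suffix = split_host(host)
    if f"{sld}.{suffix}" in LEGIT_DOMAINS:
        return "legitimate"
    if sld == BRAND_LABEL:
        return "tld-swap"            # semrush.<other tld>: the pattern used in this campaign
    if BRAND_LABEL in sld:
        return "brand-embedded"      # semrush-login.<tld>
    if levenshtein(sld, BRAND_LABEL) <= 2:
        return "typosquat"           # sernrush.<tld>
    if BRAND_LABEL in subs:
        return "brand-in-subdomain"  # semrush.com.<attacker domain>
    return "unrelated"


def flag_suspicious(hosts: List[str]) -> List[Tuple[str, str]]:
    """Keep only hosts that impersonate the brand, paired with the reason."""
    return [(h, classify(h)) for h in hosts
            if classify(h) not in ("legitimate", "unrelated")]


# Constructed sample hostnames for the example; none is claimed to be a real phishing site.
SAMPLE_HOSTS = [
    "www.semrush.com",
    "semrush.click",
    "semrush.co.uk",
    "sernrush.com",
    "semrush-login.com",
    "semrush.com.verify-example.net",
    "example.com",
]

if __name__ == "__main__":
    for host, verdict in flag_suspicious(SAMPLE_HOSTS):
        print(f"{host:35} {verdict}")
```

Run it against the landing-page hostnames harvested from ad clicks, not the display URL shown in the ad. A two-edit threshold will produce false positives on short brand names, and a brand that legitimately owns several TLDs needs every one of them in the allowlist.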

A separate, ongoing campaign is using fake DeepSeek ads in Google search results to deliver information-stealing malware. The criminals spoof the Chinese AI company DeepSeek to trick users into downloading a Trojan that steals sensitive data, with cryptocurrency wallets a particular target. Researchers found that the campaign relies on Google-sponsored search results to send victims to malicious sites, where clicking the download link delivers Heracles, a .NET (MSIL) Trojan.