
RedCurl, Group G1039 | MITRE ATT&CK®

<!DOCTYPE html> <html lang='en'> <head> <script async src="https://www.googletagmanager.com/gtag/js?id=UA-62667723-1"></script> <script> window.dataLayer = window.dataLayer || []; function gtag(){dataLayer.push(arguments);} gtag('js', new Date()); gtag('config', 'UA-62667723-1'); </script> <meta name="google-site-verification" content="2oJKLqNN62z6AOCb0A0IXGtbQuj-lev5YPAHFF_cbHQ"/> <meta charset='utf-8'> <meta name='viewport' content='width=device-width, initial-scale=1,shrink-to-fit=no'> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <link rel='shortcut icon' href='/theme/favicon.ico' type='image/x-icon'> <title>RedCurl, Group G1039 | MITRE ATT&CK&reg;</title> <!-- USWDS CSS --> <!-- Bootstrap CSS --> <link rel='stylesheet' href='/theme/style/bootstrap.min.css' /> <link rel='stylesheet' href='/theme/style/bootstrap-tourist.css' /> <link rel='stylesheet' href='/theme/style/bootstrap-select.min.css' /> <!-- Fontawesome CSS --> <link rel="stylesheet" href="/theme/style/fontawesome-6.5.1/css/fontawesome.min.css"/> <link rel="stylesheet" href="/theme/style/fontawesome-6.5.1/css/brands.min.css"/> <link rel="stylesheet" href="/theme/style/fontawesome-6.5.1/css/solid.min.css"/> <link rel="stylesheet" type="text/css" href="/theme/style.min.css?6689c2db"> </head> <body> <div class="container-fluid attack-website-wrapper d-flex flex-column h-100"> <div class="row sticky-top flex-grow-0 flex-shrink-1"> <!-- header elements --> <header class="col px-0"> <nav class='navbar navbar-expand-lg navbar-dark position-static'> <a class='navbar-brand' href='/'><img src="/theme/images/mitre_attack_logo.png" class="attack-logo"></a> <button class='navbar-toggler' type='button' data-toggle='collapse' data-target='#navbarCollapse' aria-controls='navbarCollapse' aria-expanded='false' aria-label='Toggle navigation'> <span class='navbar-toggler-icon'></span> </button> <div class='collapse navbar-collapse' id='navbarCollapse'> <ul class='nav nav-tabs ml-auto'> <li class="nav-item 
dropdown"> <a class="nav-link dropdown-toggle" href="/matrices/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Matrices</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/matrices/enterprise/">Enterprise</a> <a class="dropdown-item" href="/matrices/mobile/">Mobile</a> <a class="dropdown-item" href="/matrices/ics/">ICS</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/tactics/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Tactics</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/tactics/enterprise/">Enterprise</a> <a class="dropdown-item" href="/tactics/mobile/">Mobile</a> <a class="dropdown-item" href="/tactics/ics/">ICS</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/techniques/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Techniques</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/techniques/enterprise/">Enterprise</a> <a class="dropdown-item" href="/techniques/mobile/">Mobile</a> <a class="dropdown-item" href="/techniques/ics/">ICS</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/datasources" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Defenses</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/datasources">Data Sources</a> <div class="dropright dropdown"> <a class="dropdown-item dropdown-toggle" href="/mitigations/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Mitigations</b> </a> <div class="dropdown-menu " 
aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/mitigations/enterprise/">Enterprise</a> <a class="dropdown-item" href="/mitigations/mobile/">Mobile</a> <a class="dropdown-item" href="/mitigations/ics/">ICS</a> </div> </div> <a class="dropdown-item" href="/assets">Assets</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/groups" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>CTI</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/groups">Groups</a> <a class="dropdown-item" href="/software">Software</a> <a class="dropdown-item" href="/campaigns">Campaigns</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/resources/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Resources</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/resources/">Get Started</a> <a class="dropdown-item" href="/resources/learn-more-about-attack/">Learn More about ATT&CK</a> <a class="dropdown-item" href="/resources/attackcon/">ATT&CKcon</a> <a class="dropdown-item" href="/resources/attack-data-and-tools/">ATT&CK Data & Tools</a> <a class="dropdown-item" href="/resources/faq/">FAQ</a> <a class="dropdown-item" href="/resources/engage-with-attack/contact/">Engage with ATT&CK</a> <a class="dropdown-item" href="/resources/versions/">Version History</a> <a class="dropdown-item" href="/resources/legal-and-branding/">Legal & Branding</a> </div> </li> <li class="nav-item"> <a href="/resources/engage-with-attack/benefactors/" class="nav-link" ><b>Benefactors</b></a> </li> <li class="nav-item"> <a href="https://medium.com/mitre-attack/" target="_blank" class="nav-link"> <b>Blog</b>&nbsp; <img src="/theme/images/external-site.svg" alt="External site" class="external-icon" /> </a> </li> <li 
class="nav-item"> <button id="search-button" class="btn search-button">Search <div id="search-icon" class="icon-button search-icon"></div></button> </li> </ul> </div> </nav> </header> </div> <div class="row flex-grow-0 flex-shrink-1"> <!-- banner elements --> <div class="col px-0"> <!-- don't edit or remove the line below even though it's commented out, it gets parsed and replaced by the versioning feature --> <!-- !versions banner! --> <div class="container-fluid banner-message"> ATT&CKcon 6.0 returns October 14-15, 2025 in McLean, VA. More details about tickets and our CFP can be found <a href='https://na.eventscloud.com/attackcon6'>here</a> </div> </div> </div> <div class="row flex-grow-1 flex-shrink-0"> <!-- main content elements --> <!--start-indexing-for-search--> <div class="sidebar nav sticky-top flex-column pr-0 pt-4 pb-3 pl-3" id="v-tab" role="tablist" aria-orientation="vertical"> <div class="resizer" id="resizer"></div> <!--stop-indexing-for-search--> <div id="sidebars"></div> <!--start-indexing-for-search--> </div> <div class="tab-content col-xl-9 pt-4" id="v-tabContent"> <div class="tab-pane fade show active" id="v-attckmatrix" role="tabpanel" aria-labelledby="v-attckmatrix-tab"> <ol class="breadcrumb"> <li class="breadcrumb-item"><a href="/">Home</a></li> <li class="breadcrumb-item"><a href="/groups/">Groups</a></li> <li class="breadcrumb-item">RedCurl</li> </ol> <div class="tab-pane fade show active" id="v-" role="tabpanel" aria-labelledby="v--tab"></div> <div class="row"> <div class="col-xl-12"> <div class="jumbotron jumbotron-fluid"> <div class="container-fluid"> <h1> RedCurl </h1> <div class="row"> <div class="col-md-8"> <div class="description-body"> <p><a href="/groups/G1039">RedCurl</a> is a threat actor active since 2018 notable for corporate espionage targeting a variety of locations, including Ukraine, Canada and the United Kingdom, and a variety of industries, including but not limited to travel agencies, insurance companies, and 
banks.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="Group-IB. (2020, August). RedCurl: The Pentest You Didn’t Know About. Retrieved August 9, 2024."data-reference="group-ib_redcurl1"><sup><a href="https://www.group-ib.com/resources/research-hub/red-curl/" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span> <a href="/groups/G1039">RedCurl</a> is allegedly a Russian-speaking threat actor.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="Group-IB. (2020, August). RedCurl: The Pentest You Didn’t Know About. Retrieved August 9, 2024."data-reference="group-ib_redcurl1"><sup><a href="https://www.group-ib.com/resources/research-hub/red-curl/" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span><span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="Group-IB. (2021, November). RedCurl: The Awakening. Retrieved August 14, 2024."data-reference="group-ib_redcurl2"><sup><a href="https://www.group-ib.com/resources/research-hub/red-curl-2/" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span> The group’s operations typically start with spearphishing emails to gain initial access; the group then executes discovery and collection commands and scripts to find corporate data. The group concludes operations by exfiltrating files to the C2 servers. </p> </div> </div> <div class="col-md-4"> <div class="card"> <div class="card-body"> <div id="card-id" class="row card-data"> <div class="col-md-12"> <span class="h5 card-title">ID:&nbsp;</span>G1039 </div> </div> <div class="row card-data"> <div class="col-md-12"> <span class="h5 card-title">Contributors</span>: Joe Gumke, U.S. 
Bank </div> </div> <div class="row card-data"> <div class="col-md-12"> <span class="h5 card-title">Version</span>: 1.0 </div> </div> <div class="row card-data"> <div class="col-md-12"> <span class="h5 card-title">Created:&nbsp;</span>23 September 2024 </div> </div> <div class="row card-data"> <div class="col-md-12"> <span class="h5 card-title">Last Modified:&nbsp;</span>23 September 2024 </div> </div> </div> </div> <div class="text-center pt-2 version-button live"> <div class="live"> <a data-toggle="tooltip" data-placement="bottom" title="Permalink to this version of G1039" href="/versions/v16/groups/G1039/" data-test-ignore="true">Version Permalink</a> </div> <div class="permalink"> <a data-toggle="tooltip" data-placement="bottom" title="Go to the live version of G1039" href="/versions/v16/groups/G1039/" data-test-ignore="true">Live Version</a><!--do not change this line without also changing versions.py--> </div> </div> </div> </div> <!--stop-indexing-for-search--> <div class="dropdown h3 mt-3 float-right"> <button class="btn btn-navy dropdown-toggle" type="button" id="dropdownMenuButton" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>ATT&amp;CK<sup>&reg;</sup> Navigator Layers</b> </button> <div class="dropdown-menu" aria-labelledby="dropdownMenuButton"> <h6 class="dropdown-header">Enterprise Layer</h6> <a class="dropdown-item" href="/groups/G1039/G1039-enterprise-layer.json" download target="_blank">download</a> <!-- only show view on navigator link if layer link is defined --> <a class="dropdown-item" href="#" id="view-layer-on-navigator-enterprise" target="_blank">view <img width="10" src="/theme/images/external-site-dark.jpeg"></a> <script src="/theme/scripts/settings.js"></script> <script> if (window.location.protocol == "https:") { //view on navigator only works when this site is hosted on HTTPS var layerURL = window.location.protocol + "//" + window.location.host + base_url + "groups/G1039/G1039-enterprise-layer.json"; 
document.getElementById("view-layer-on-navigator-enterprise").href = "https://mitre-attack.github.io/attack-navigator//#layerURL=" + encodeURIComponent(layerURL); } else { //hide button document.getElementById("view-layer-on-navigator-enterprise").classList.add("d-none"); } </script> </div> </div> <!--start-indexing-for-search--> <h2 class="pt-3 mb-2" id="techniques">Techniques Used</h2> <div class="tables-mobile"> <table class="table techniques-used background table-bordered"> <thead> <tr> <th class="p-2" scope="col">Domain</th> <th class="p-2" colspan="2">ID</th> <th class="p-2" scope="col">Name</th> <th class="p-2" scope="col">Use</th> </tr> </thead> <tbody> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/techniques/T1087">T1087</a> </td> <td> <a href="/techniques/T1087/001">.001</a> </td> <td> <a href="/techniques/T1087">Account Discovery</a>: <a href="/techniques/T1087/001">Local Account</a> </td> <td> <p><a href="/groups/G1039">RedCurl</a> has collected information about local accounts.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="Group-IB. (2020, August). RedCurl: The Pentest You Didn鈥檛 Know About. Retrieved August 9, 2024."data-reference="group-ib_redcurl1"><sup><a href="https://www.group-ib.com/resources/research-hub/red-curl/" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span><span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="Group-IB. (2021, November). RedCurl: The Awakening. 
Retrieved August 14, 2024."data-reference="group-ib_redcurl2"><sup><a href="https://www.group-ib.com/resources/research-hub/red-curl-2/" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1087/002">.002</a> </td> <td> <a href="/techniques/T1087">Account Discovery</a>: <a href="/techniques/T1087/002">Domain Account</a> </td> <td> <p><a href="/groups/G1039">RedCurl</a> has collected information about domain accounts using Sysinternals’ AdExplorer functionality.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="Group-IB. (2020, August). RedCurl: The Pentest You Didn’t Know About. Retrieved August 9, 2024."data-reference="group-ib_redcurl1"><sup><a href="https://www.group-ib.com/resources/research-hub/red-curl/" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span><span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="Group-IB. (2021, November). RedCurl: The Awakening. Retrieved August 14, 2024."data-reference="group-ib_redcurl2"><sup><a href="https://www.group-ib.com/resources/research-hub/red-curl-2/" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1087/003">.003</a> </td> <td> <a href="/techniques/T1087">Account Discovery</a>: <a href="/techniques/T1087/003">Email Account</a> </td> <td> <p><a href="/groups/G1039">RedCurl</a> has collected information about email accounts.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="Group-IB. (2020, August). RedCurl: The Pentest You Didn’t Know About. 
Retrieved August 9, 2024."data-reference="group-ib_redcurl1"><sup><a href="https://www.group-ib.com/resources/research-hub/red-curl/" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span><span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="Group-IB. (2021, November). RedCurl: The Awakening. Retrieved August 14, 2024."data-reference="group-ib_redcurl2"><sup><a href="https://www.group-ib.com/resources/research-hub/red-curl-2/" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/techniques/T1071">T1071</a> </td> <td> <a href="/techniques/T1071/001">.001</a> </td> <td> <a href="/techniques/T1071">Application Layer Protocol</a>: <a href="/techniques/T1071/001">Web Protocols</a> </td> <td> <p><a href="/groups/G1039">RedCurl</a> has used HTTP, HTTPS and WebDAV protocols for C2 communications.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="Group-IB. (2020, August). RedCurl: The Pentest You Didn’t Know About. Retrieved August 9, 2024."data-reference="group-ib_redcurl1"><sup><a href="https://www.group-ib.com/resources/research-hub/red-curl/" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span><span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="Group-IB. (2021, November). RedCurl: The Awakening. 
Retrieved August 14, 2024."data-reference="group-ib_redcurl2"><sup><a href="https://www.group-ib.com/resources/research-hub/red-curl-2/" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span> </p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/techniques/T1560">T1560</a> </td> <td> <a href="/techniques/T1560/001">.001</a> </td> <td> <a href="/techniques/T1560">Archive Collected Data</a>: <a href="/techniques/T1560/001">Archive via Utility</a> </td> <td> <p><a href="/groups/G1039">RedCurl</a> has downloaded 7-Zip to decompress password-protected archives.<span onclick=scrollToRef('scite-3') id="scite-ref-3-a" class="scite-citeref-number" title="Tancio et al. (2024, March 6). Unveiling Earth Kapre aka RedCurl’s Cyberespionage Tactics With Trend Micro MDR, Threat Intelligence. Retrieved August 9, 2024."data-reference="trendmicro_redcurl"><sup><a href="https://www.trendmicro.com/en_us/research/24/c/unveiling-earth-kapre-aka-redcurls-cyberespionage-tactics-with-t.html" target="_blank" data-hasqtip="2" aria-describedby="qtip-2">[3]</a></sup></span> </p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1119">T1119</a> </td> <td> <a href="/techniques/T1119">Automated Collection</a> </td> <td> <p><a href="/groups/G1039">RedCurl</a> has used batch scripts to collect data.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="Group-IB. (2020, August). RedCurl: The Pentest You Didn’t Know About. Retrieved August 9, 2024."data-reference="group-ib_redcurl1"><sup><a href="https://www.group-ib.com/resources/research-hub/red-curl/" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span><span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="Group-IB. (2021, November). RedCurl: The Awakening. 
Retrieved August 14, 2024."data-reference="group-ib_redcurl2"><sup><a href="https://www.group-ib.com/resources/research-hub/red-curl-2/" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1020">T1020</a> </td> <td> <a href="/techniques/T1020">Automated Exfiltration</a> </td> <td> <p><a href="/groups/G1039">RedCurl</a> has used batch scripts to exfiltrate data.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="Group-IB. (2020, August). RedCurl: The Pentest You Didn’t Know About. Retrieved August 9, 2024."data-reference="group-ib_redcurl1"><sup><a href="https://www.group-ib.com/resources/research-hub/red-curl/" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span><span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="Group-IB. (2021, November). RedCurl: The Awakening. Retrieved August 14, 2024."data-reference="group-ib_redcurl2"><sup><a href="https://www.group-ib.com/resources/research-hub/red-curl-2/" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/techniques/T1547">T1547</a> </td> <td> <a href="/techniques/T1547/001">.001</a> </td> <td> <a href="/techniques/T1547">Boot or Logon Autostart Execution</a>: <a href="/techniques/T1547/001">Registry Run Keys / Startup Folder</a> </td> <td> <p><a href="/groups/G1039">RedCurl</a> has established persistence by creating entries in <code>HKCU\Software\Microsoft\Windows\CurrentVersion\Run</code>.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="Group-IB. (2020, August). RedCurl: The Pentest You Didn’t Know About. 
Retrieved August 9, 2024."data-reference="group-ib_redcurl1"><sup><a href="https://www.group-ib.com/resources/research-hub/red-curl/" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span><span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="Group-IB. (2021, November). RedCurl: The Awakening. Retrieved August 14, 2024."data-reference="group-ib_redcurl2"><sup><a href="https://www.group-ib.com/resources/research-hub/red-curl-2/" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span> </p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/techniques/T1059">T1059</a> </td> <td> <a href="/techniques/T1059/001">.001</a> </td> <td> <a href="/techniques/T1059">Command and Scripting Interpreter</a>: <a href="/techniques/T1059/001">PowerShell</a> </td> <td> <p><a href="/groups/G1039">RedCurl</a> has used PowerShell to execute commands and to download malware.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="Group-IB. (2020, August). RedCurl: The Pentest You Didn’t Know About. Retrieved August 9, 2024."data-reference="group-ib_redcurl1"><sup><a href="https://www.group-ib.com/resources/research-hub/red-curl/" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span><span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="Group-IB. (2021, November). RedCurl: The Awakening. Retrieved August 14, 2024."data-reference="group-ib_redcurl2"><sup><a href="https://www.group-ib.com/resources/research-hub/red-curl-2/" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span><span onclick=scrollToRef('scite-3') id="scite-ref-3-a" class="scite-citeref-number" title="Tancio et al. (2024, March 6). Unveiling Earth Kapre aka RedCurl’s Cyberespionage Tactics With Trend Micro MDR, Threat Intelligence. 
Retrieved August 9, 2024."data-reference="trendmicro_redcurl"><sup><a href="https://www.trendmicro.com/en_us/research/24/c/unveiling-earth-kapre-aka-redcurls-cyberespionage-tactics-with-t.html" target="_blank" data-hasqtip="2" aria-describedby="qtip-2">[3]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1059/003">.003</a> </td> <td> <a href="/techniques/T1059">Command and Scripting Interpreter</a>: <a href="/techniques/T1059/003">Windows Command Shell</a> </td> <td> <p><a href="/groups/G1039">RedCurl</a> has used the Windows Command Prompt to execute commands.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="Group-IB. (2020, August). RedCurl: The Pentest You Didn’t Know About. Retrieved August 9, 2024."data-reference="group-ib_redcurl1"><sup><a href="https://www.group-ib.com/resources/research-hub/red-curl/" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span><span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="Group-IB. (2021, November). RedCurl: The Awakening. Retrieved August 14, 2024."data-reference="group-ib_redcurl2"><sup><a href="https://www.group-ib.com/resources/research-hub/red-curl-2/" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span><span onclick=scrollToRef('scite-3') id="scite-ref-3-a" class="scite-citeref-number" title="Tancio et al. (2024, March 6). Unveiling Earth Kapre aka RedCurl’s Cyberespionage Tactics With Trend Micro MDR, Threat Intelligence. 
Retrieved August 9, 2024."data-reference="trendmicro_redcurl"><sup><a href="https://www.trendmicro.com/en_us/research/24/c/unveiling-earth-kapre-aka-redcurls-cyberespionage-tactics-with-t.html" target="_blank" data-hasqtip="2" aria-describedby="qtip-2">[3]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1059/005">.005</a> </td> <td> <a href="/techniques/T1059">Command and Scripting Interpreter</a>: <a href="/techniques/T1059/005">Visual Basic</a> </td> <td> <p><a href="/groups/G1039">RedCurl</a> has used VBScript to run malicious files.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="Group-IB. (2020, August). RedCurl: The Pentest You Didn’t Know About. Retrieved August 9, 2024."data-reference="group-ib_redcurl1"><sup><a href="https://www.group-ib.com/resources/research-hub/red-curl/" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span><span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="Group-IB. (2021, November). RedCurl: The Awakening. Retrieved August 14, 2024."data-reference="group-ib_redcurl2"><sup><a href="https://www.group-ib.com/resources/research-hub/red-curl-2/" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1059/006">.006</a> </td> <td> <a href="/techniques/T1059">Command and Scripting Interpreter</a>: <a href="/techniques/T1059/006">Python</a> </td> <td> <p><a href="/groups/G1039">RedCurl</a> has used a Python script to establish outbound communication and to execute commands using SMB port 445.<span onclick=scrollToRef('scite-3') id="scite-ref-3-a" class="scite-citeref-number" title="Tancio et al. (2024, March 6). Unveiling Earth Kapre aka RedCurl’s Cyberespionage Tactics With Trend Micro MDR, Threat Intelligence. 
Retrieved August 9, 2024."data-reference="trendmicro_redcurl"><sup><a href="https://www.trendmicro.com/en_us/research/24/c/unveiling-earth-kapre-aka-redcurls-cyberespionage-tactics-with-t.html" target="_blank" data-hasqtip="2" aria-describedby="qtip-2">[3]</a></sup></span> </p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/techniques/T1555">T1555</a> </td> <td> <a href="/techniques/T1555/003">.003</a> </td> <td> <a href="/techniques/T1555">Credentials from Password Stores</a>: <a href="/techniques/T1555/003">Credentials from Web Browsers</a> </td> <td> <p><a href="/groups/G1039">RedCurl</a> used <a href="/software/S0349">LaZagne</a> to obtain passwords from web browsers.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="Group-IB. (2020, August). RedCurl: The Pentest You Didn’t Know About. Retrieved August 9, 2024."data-reference="group-ib_redcurl1"><sup><a href="https://www.group-ib.com/resources/research-hub/red-curl/" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span><span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="Group-IB. (2021, November). RedCurl: The Awakening. Retrieved August 14, 2024."data-reference="group-ib_redcurl2"><sup><a href="https://www.group-ib.com/resources/research-hub/red-curl-2/" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1005">T1005</a> </td> <td> <a href="/techniques/T1005">Data from Local System</a> </td> <td> <p><a href="/groups/G1039">RedCurl</a> has collected data from the local disk of compromised hosts.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="Group-IB. (2020, August). RedCurl: The Pentest You Didn’t Know About. 
Retrieved August 9, 2024."data-reference="group-ib_redcurl1"><sup><a href="https://www.group-ib.com/resources/research-hub/red-curl/" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span><span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="Group-IB. (2021, November). RedCurl: The Awakening. Retrieved August 14, 2024."data-reference="group-ib_redcurl2"><sup><a href="https://www.group-ib.com/resources/research-hub/red-curl-2/" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1039">T1039</a> </td> <td> <a href="/techniques/T1039">Data from Network Shared Drive</a> </td> <td> <p><a href="/groups/G1039">RedCurl</a> has collected data about network drives.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="Group-IB. (2020, August). RedCurl: The Pentest You Didn’t Know About. Retrieved August 9, 2024."data-reference="group-ib_redcurl1"><sup><a href="https://www.group-ib.com/resources/research-hub/red-curl/" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span><span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="Group-IB. (2021, November). RedCurl: The Awakening. 
Retrieved August 14, 2024."data-reference="group-ib_redcurl2"><sup><a href="https://www.group-ib.com/resources/research-hub/red-curl-2/" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/techniques/T1587">T1587</a> </td> <td> <a href="/techniques/T1587/001">.001</a> </td> <td> <a href="/techniques/T1587">Develop Capabilities</a>: <a href="/techniques/T1587/001">Malware</a> </td> <td> <p><a href="/groups/G1039">RedCurl</a> has created its own tools to use during operations.<span onclick=scrollToRef('scite-4') id="scite-ref-4-a" class="scite-citeref-number" title="Antoniuk, D. (2023, July 17). RedCurl hackers return to spy on 'major Russian bank,' Australian company. Retrieved August 9, 2024."data-reference="therecord_redcurl"><sup><a href="https://therecord.media/redcurl-hackers-russian-bank-australian-company" target="_blank" data-hasqtip="3" aria-describedby="qtip-3">[4]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/techniques/T1114">T1114</a> </td> <td> <a href="/techniques/T1114/001">.001</a> </td> <td> <a href="/techniques/T1114">Email Collection</a>: <a href="/techniques/T1114/001">Local Email Collection</a> </td> <td> <p><a href="/groups/G1039">RedCurl</a> has collected emails to use in future phishing campaigns.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="Group-IB. (2020, August). RedCurl: The Pentest You Didn’t Know About. 
Retrieved August 9, 2024."data-reference="group-ib_redcurl1"><sup><a href="https://www.group-ib.com/resources/research-hub/red-curl/" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/techniques/T1573">T1573</a> </td> <td> <a href="/techniques/T1573/001">.001</a> </td> <td> <a href="/techniques/T1573">Encrypted Channel</a>: <a href="/techniques/T1573/001">Symmetric Cryptography</a> </td> <td> <p><a href="/groups/G1039">RedCurl</a> has used AES-128 CBC to encrypt C2 communications.<span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="Group-IB. (2021, November). RedCurl: The Awakening. Retrieved August 14, 2024."data-reference="group-ib_redcurl2"><sup><a href="https://www.group-ib.com/resources/research-hub/red-curl-2/" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1573/002">.002</a> </td> <td> <a href="/techniques/T1573">Encrypted Channel</a>: <a href="/techniques/T1573/002">Asymmetric Cryptography</a> </td> <td> <p><a href="/groups/G1039">RedCurl</a> has used HTTPS for C2 communication.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="Group-IB. (2020, August). RedCurl: The Pentest You Didn’t Know About. Retrieved August 9, 2024."data-reference="group-ib_redcurl1"><sup><a href="https://www.group-ib.com/resources/research-hub/red-curl/" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span><span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="Group-IB. (2021, November). RedCurl: The Awakening. 
Retrieved August 14, 2024."data-reference="group-ib_redcurl2"><sup><a href="https://www.group-ib.com/resources/research-hub/red-curl-2/" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1083">T1083</a> </td> <td> <a href="/techniques/T1083">File and Directory Discovery</a> </td> <td> <p><a href="/groups/G1039">RedCurl</a> has searched for and collected files on local and network drives.<span onclick=scrollToRef('scite-4') id="scite-ref-4-a" class="scite-citeref-number" title="Antoniuk, D. (2023, July 17). RedCurl hackers return to spy on 'major Russian bank,' Australian company. Retrieved August 9, 2024."data-reference="therecord_redcurl"><sup><a href="https://therecord.media/redcurl-hackers-russian-bank-australian-company" target="_blank" data-hasqtip="3" aria-describedby="qtip-3">[4]</a></sup></span><span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="Group-IB. (2020, August). RedCurl: The Pentest You Didn鈥檛 Know About. Retrieved August 9, 2024."data-reference="group-ib_redcurl1"><sup><a href="https://www.group-ib.com/resources/research-hub/red-curl/" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span><span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="Group-IB. (2021, November). RedCurl: The Awakening. 
Retrieved August 14, 2024."data-reference="group-ib_redcurl2"><sup><a href="https://www.group-ib.com/resources/research-hub/red-curl-2/" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/techniques/T1564">T1564</a> </td> <td> <a href="/techniques/T1564/001">.001</a> </td> <td> <a href="/techniques/T1564">Hide Artifacts</a>: <a href="/techniques/T1564/001">Hidden Files and Directories</a> </td> <td> <p><a href="/groups/G1039">RedCurl</a> added the "hidden" file attribute to original files, manipulating victims to click on malicious LNK files.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="Group-IB. (2020, August). RedCurl: The Pentest You Didn鈥檛 Know About. Retrieved August 9, 2024."data-reference="group-ib_redcurl1"><sup><a href="https://www.group-ib.com/resources/research-hub/red-curl/" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span><span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="Group-IB. (2021, November). RedCurl: The Awakening. Retrieved August 14, 2024."data-reference="group-ib_redcurl2"><sup><a href="https://www.group-ib.com/resources/research-hub/red-curl-2/" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/techniques/T1070">T1070</a> </td> <td> <a href="/techniques/T1070/004">.004</a> </td> <td> <a href="/techniques/T1070">Indicator Removal</a>: <a href="/techniques/T1070/004">File Deletion</a> </td> <td> <p><a href="/groups/G1039">RedCurl</a> has deleted files after execution.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="Group-IB. (2020, August). RedCurl: The Pentest You Didn鈥檛 Know About. 
Retrieved August 9, 2024."data-reference="group-ib_redcurl1"><sup><a href="https://www.group-ib.com/resources/research-hub/red-curl/" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span><span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="Group-IB. (2021, November). RedCurl: The Awakening. Retrieved August 14, 2024."data-reference="group-ib_redcurl2"><sup><a href="https://www.group-ib.com/resources/research-hub/red-curl-2/" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span><span onclick=scrollToRef('scite-3') id="scite-ref-3-a" class="scite-citeref-number" title="Tancio et al. (2024, March 6). Unveiling Earth Kapre aka RedCurl鈥檚 Cyberespionage Tactics With Trend Micro MDR, Threat Intelligence. Retrieved August 9, 2024."data-reference="trendmicro_redcurl"><sup><a href="https://www.trendmicro.com/en_us/research/24/c/unveiling-earth-kapre-aka-redcurls-cyberespionage-tactics-with-t.html" target="_blank" data-hasqtip="2" aria-describedby="qtip-2">[3]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1202">T1202</a> </td> <td> <a href="/techniques/T1202">Indirect Command Execution</a> </td> <td> <p><a href="/groups/G1039">RedCurl</a> has used pcalua.exe to obfuscate binary execution and remote connections.<span onclick=scrollToRef('scite-3') id="scite-ref-3-a" class="scite-citeref-number" title="Tancio et al. (2024, March 6). Unveiling Earth Kapre aka RedCurl鈥檚 Cyberespionage Tactics With Trend Micro MDR, Threat Intelligence. 
Retrieved August 9, 2024."data-reference="trendmicro_redcurl"><sup><a href="https://www.trendmicro.com/en_us/research/24/c/unveiling-earth-kapre-aka-redcurls-cyberespionage-tactics-with-t.html" target="_blank" data-hasqtip="2" aria-describedby="qtip-2">[3]</a></sup></span> </p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/techniques/T1056">T1056</a> </td> <td> <a href="/techniques/T1056/002">.002</a> </td> <td> <a href="/techniques/T1056">Input Capture</a>: <a href="/techniques/T1056/002">GUI Input Capture</a> </td> <td> <p><a href="/groups/G1039">RedCurl</a> prompts the user for credentials through a Microsoft Outlook pop-up.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="Group-IB. (2020, August). RedCurl: The Pentest You Didn鈥檛 Know About. Retrieved August 9, 2024."data-reference="group-ib_redcurl1"><sup><a href="https://www.group-ib.com/resources/research-hub/red-curl/" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span><span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="Group-IB. (2021, November). RedCurl: The Awakening. Retrieved August 14, 2024."data-reference="group-ib_redcurl2"><sup><a href="https://www.group-ib.com/resources/research-hub/red-curl-2/" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/techniques/T1036">T1036</a> </td> <td> <a href="/techniques/T1036/005">.005</a> </td> <td> <a href="/techniques/T1036">Masquerading</a>: <a href="/techniques/T1036/005">Match Legitimate Name or Location</a> </td> <td> <p><a href="/groups/G1039">RedCurl</a> mimicked legitimate file names and scheduled tasks, e.g. 
<code>MicrosoftCurrentupdatesCheck</code> and<code>MdMMaintenenceTask</code> to mask malicious files and scheduled tasks.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="Group-IB. (2020, August). RedCurl: The Pentest You Didn鈥檛 Know About. Retrieved August 9, 2024."data-reference="group-ib_redcurl1"><sup><a href="https://www.group-ib.com/resources/research-hub/red-curl/" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span><span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="Group-IB. (2021, November). RedCurl: The Awakening. Retrieved August 14, 2024."data-reference="group-ib_redcurl2"><sup><a href="https://www.group-ib.com/resources/research-hub/red-curl-2/" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1046">T1046</a> </td> <td> <a href="/techniques/T1046">Network Service Discovery</a> </td> <td> <p><a href="/groups/G1039">RedCurl</a> has used netstat to check if port 4119 is open.<span onclick=scrollToRef('scite-3') id="scite-ref-3-a" class="scite-citeref-number" title="Tancio et al. (2024, March 6). Unveiling Earth Kapre aka RedCurl鈥檚 Cyberespionage Tactics With Trend Micro MDR, Threat Intelligence. 
Retrieved August 9, 2024."data-reference="trendmicro_redcurl"><sup><a href="https://www.trendmicro.com/en_us/research/24/c/unveiling-earth-kapre-aka-redcurls-cyberespionage-tactics-with-t.html" target="_blank" data-hasqtip="2" aria-describedby="qtip-2">[3]</a></sup></span> </p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1027">T1027</a> </td> <td> <a href="/techniques/T1027">Obfuscated Files or Information</a> </td> <td> <p><a href="/groups/G1039">RedCurl</a> has used malware with string encryption.<span onclick=scrollToRef('scite-4') id="scite-ref-4-a" class="scite-citeref-number" title="Antoniuk, D. (2023, July 17). RedCurl hackers return to spy on 'major Russian bank,' Australian company. Retrieved August 9, 2024."data-reference="therecord_redcurl"><sup><a href="https://therecord.media/redcurl-hackers-russian-bank-australian-company" target="_blank" data-hasqtip="3" aria-describedby="qtip-3">[4]</a></sup></span> <a href="/groups/G1039">RedCurl</a> has also encrypted data and has encoded PowerShell commands using Base64.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="Group-IB. (2020, August). RedCurl: The Pentest You Didn鈥檛 Know About. Retrieved August 9, 2024."data-reference="group-ib_redcurl1"><sup><a href="https://www.group-ib.com/resources/research-hub/red-curl/" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span><span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="Group-IB. (2021, November). RedCurl: The Awakening. Retrieved August 14, 2024."data-reference="group-ib_redcurl2"><sup><a href="https://www.group-ib.com/resources/research-hub/red-curl-2/" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span> <a href="/groups/G1039">RedCurl</a> has used <code>PyArmor</code> to obfuscate code execution of <a href="/software/S0349">LaZagne</a>. 
<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="Group-IB. (2020, August). RedCurl: The Pentest You Didn鈥檛 Know About. Retrieved August 9, 2024."data-reference="group-ib_redcurl1"><sup><a href="https://www.group-ib.com/resources/research-hub/red-curl/" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span> Additionally, <a href="/groups/G1039">RedCurl</a> has obfuscated downloaded files by renaming them as commonly used tools and has used <code>echo</code>, instead of file names themselves, to execute files.<span onclick=scrollToRef('scite-3') id="scite-ref-3-a" class="scite-citeref-number" title="Tancio et al. (2024, March 6). Unveiling Earth Kapre aka RedCurl鈥檚 Cyberespionage Tactics With Trend Micro MDR, Threat Intelligence. Retrieved August 9, 2024."data-reference="trendmicro_redcurl"><sup><a href="https://www.trendmicro.com/en_us/research/24/c/unveiling-earth-kapre-aka-redcurls-cyberespionage-tactics-with-t.html" target="_blank" data-hasqtip="2" aria-describedby="qtip-2">[3]</a></sup></span> </p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/techniques/T1003">T1003</a> </td> <td> <a href="/techniques/T1003/001">.001</a> </td> <td> <a href="/techniques/T1003">OS Credential Dumping</a>: <a href="/techniques/T1003/001">LSASS Memory</a> </td> <td> <p><a href="/groups/G1039">RedCurl</a> used <a href="/software/S0349">LaZagne</a> to obtain passwords from memory.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="Group-IB. (2020, August). RedCurl: The Pentest You Didn鈥檛 Know About. Retrieved August 9, 2024."data-reference="group-ib_redcurl1"><sup><a href="https://www.group-ib.com/resources/research-hub/red-curl/" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span><span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="Group-IB. 
(2021, November). RedCurl: The Awakening. Retrieved August 14, 2024."data-reference="group-ib_redcurl2"><sup><a href="https://www.group-ib.com/resources/research-hub/red-curl-2/" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/techniques/T1566">T1566</a> </td> <td> <a href="/techniques/T1566/001">.001</a> </td> <td> <a href="/techniques/T1566">Phishing</a>: <a href="/techniques/T1566/001">Spearphishing Attachment</a> </td> <td> <p><a href="/groups/G1039">RedCurl</a> has used phishing emails with malicious files to gain initial access.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="Group-IB. (2020, August). RedCurl: The Pentest You Didn鈥檛 Know About. Retrieved August 9, 2024."data-reference="group-ib_redcurl1"><sup><a href="https://www.group-ib.com/resources/research-hub/red-curl/" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span><span onclick=scrollToRef('scite-3') id="scite-ref-3-a" class="scite-citeref-number" title="Tancio et al. (2024, March 6). Unveiling Earth Kapre aka RedCurl鈥檚 Cyberespionage Tactics With Trend Micro MDR, Threat Intelligence. 
Retrieved August 9, 2024."data-reference="trendmicro_redcurl"><sup><a href="https://www.trendmicro.com/en_us/research/24/c/unveiling-earth-kapre-aka-redcurls-cyberespionage-tactics-with-t.html" target="_blank" data-hasqtip="2" aria-describedby="qtip-2">[3]</a></sup></span> </p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1566/002">.002</a> </td> <td> <a href="/techniques/T1566">Phishing</a>: <a href="/techniques/T1566/002">Spearphishing Link</a> </td> <td> <p><a href="/groups/G1039">RedCurl</a> has used phishing emails with malicious links to gain initial access.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="Group-IB. (2020, August). RedCurl: The Pentest You Didn鈥檛 Know About. Retrieved August 9, 2024."data-reference="group-ib_redcurl1"><sup><a href="https://www.group-ib.com/resources/research-hub/red-curl/" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span><span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="Group-IB. (2021, November). RedCurl: The Awakening. Retrieved August 14, 2024."data-reference="group-ib_redcurl2"><sup><a href="https://www.group-ib.com/resources/research-hub/red-curl-2/" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/techniques/T1053">T1053</a> </td> <td> <a href="/techniques/T1053/005">.005</a> </td> <td> <a href="/techniques/T1053">Scheduled Task/Job</a>: <a href="/techniques/T1053/005">Scheduled Task</a> </td> <td> <p><a href="/groups/G1039">RedCurl</a> has created scheduled tasks for persistence.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="Group-IB. (2020, August). RedCurl: The Pentest You Didn鈥檛 Know About. 
Retrieved August 9, 2024."data-reference="group-ib_redcurl1"><sup><a href="https://www.group-ib.com/resources/research-hub/red-curl/" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span><span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="Group-IB. (2021, November). RedCurl: The Awakening. Retrieved August 14, 2024."data-reference="group-ib_redcurl2"><sup><a href="https://www.group-ib.com/resources/research-hub/red-curl-2/" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span><span onclick=scrollToRef('scite-3') id="scite-ref-3-a" class="scite-citeref-number" title="Tancio et al. (2024, March 6). Unveiling Earth Kapre aka RedCurl鈥檚 Cyberespionage Tactics With Trend Micro MDR, Threat Intelligence. Retrieved August 9, 2024."data-reference="trendmicro_redcurl"><sup><a href="https://www.trendmicro.com/en_us/research/24/c/unveiling-earth-kapre-aka-redcurls-cyberespionage-tactics-with-t.html" target="_blank" data-hasqtip="2" aria-describedby="qtip-2">[3]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/techniques/T1218">T1218</a> </td> <td> <a href="/techniques/T1218/011">.011</a> </td> <td> <a href="/techniques/T1218">System Binary Proxy Execution</a>: <a href="/techniques/T1218/011">Rundll32</a> </td> <td> <p><a href="/groups/G1039">RedCurl</a> has used rundll32.exe to execute malicious files.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="Group-IB. (2020, August). RedCurl: The Pentest You Didn鈥檛 Know About. Retrieved August 9, 2024."data-reference="group-ib_redcurl1"><sup><a href="https://www.group-ib.com/resources/research-hub/red-curl/" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span><span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="Group-IB. (2021, November). 
RedCurl: The Awakening. Retrieved August 14, 2024."data-reference="group-ib_redcurl2"><sup><a href="https://www.group-ib.com/resources/research-hub/red-curl-2/" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span><span onclick=scrollToRef('scite-3') id="scite-ref-3-a" class="scite-citeref-number" title="Tancio et al. (2024, March 6). Unveiling Earth Kapre aka RedCurl鈥檚 Cyberespionage Tactics With Trend Micro MDR, Threat Intelligence. Retrieved August 9, 2024."data-reference="trendmicro_redcurl"><sup><a href="https://www.trendmicro.com/en_us/research/24/c/unveiling-earth-kapre-aka-redcurls-cyberespionage-tactics-with-t.html" target="_blank" data-hasqtip="2" aria-describedby="qtip-2">[3]</a></sup></span> </p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1082">T1082</a> </td> <td> <a href="/techniques/T1082">System Information Discovery</a> </td> <td> <p><a href="/groups/G1039">RedCurl</a> has collected information about the target system, such as system information and list of network connections.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="Group-IB. (2020, August). RedCurl: The Pentest You Didn鈥檛 Know About. Retrieved August 9, 2024."data-reference="group-ib_redcurl1"><sup><a href="https://www.group-ib.com/resources/research-hub/red-curl/" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span><span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="Group-IB. (2021, November). RedCurl: The Awakening. 
Retrieved August 14, 2024."data-reference="group-ib_redcurl2"><sup><a href="https://www.group-ib.com/resources/research-hub/red-curl-2/" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span> </p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1080">T1080</a> </td> <td> <a href="/techniques/T1080">Taint Shared Content</a> </td> <td> <p><a href="/groups/G1039">RedCurl</a> has placed modified LNK files on network drives for lateral movement.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="Group-IB. (2020, August). RedCurl: The Pentest You Didn鈥檛 Know About. Retrieved August 9, 2024."data-reference="group-ib_redcurl1"><sup><a href="https://www.group-ib.com/resources/research-hub/red-curl/" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span><span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="Group-IB. (2021, November). RedCurl: The Awakening. Retrieved August 14, 2024."data-reference="group-ib_redcurl2"><sup><a href="https://www.group-ib.com/resources/research-hub/red-curl-2/" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1537">T1537</a> </td> <td> <a href="/techniques/T1537">Transfer Data to Cloud Account</a> </td> <td> <p><a href="/groups/G1039">RedCurl</a> has used cloud storage to exfiltrate data, in particular the megatools utilities were used to exfiltrate data to Mega, a file storage service.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="Group-IB. (2020, August). RedCurl: The Pentest You Didn鈥檛 Know About. 
Retrieved August 9, 2024."data-reference="group-ib_redcurl1"><sup><a href="https://www.group-ib.com/resources/research-hub/red-curl/" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span><span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="Group-IB. (2021, November). RedCurl: The Awakening. Retrieved August 14, 2024."data-reference="group-ib_redcurl2"><sup><a href="https://www.group-ib.com/resources/research-hub/red-curl-2/" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1199">T1199</a> </td> <td> <a href="/techniques/T1199">Trusted Relationship</a> </td> <td> <p><a href="/groups/G1039">RedCurl</a> has gained access to a contractor to pivot to the victim’s infrastructure.<span onclick=scrollToRef('scite-4') id="scite-ref-4-a" class="scite-citeref-number" title="Antoniuk, D. (2023, July 17). RedCurl hackers return to spy on 'major Russian bank,' Australian company. Retrieved August 9, 2024."data-reference="therecord_redcurl"><sup><a href="https://therecord.media/redcurl-hackers-russian-bank-australian-company" target="_blank" data-hasqtip="3" aria-describedby="qtip-3">[4]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/techniques/T1552">T1552</a> </td> <td> <a href="/techniques/T1552/001">.001</a> </td> <td> <a href="/techniques/T1552">Unsecured Credentials</a>: <a href="/techniques/T1552/001">Credentials In Files</a> </td> <td> <p><a href="/groups/G1039">RedCurl</a> used <a href="/software/S0349">LaZagne</a> to obtain passwords in files.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="Group-IB. (2020, August). RedCurl: The Pentest You Didn’t Know About. 
Retrieved August 9, 2024."data-reference="group-ib_redcurl1"><sup><a href="https://www.group-ib.com/resources/research-hub/red-curl/" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span><span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="Group-IB. (2021, November). RedCurl: The Awakening. Retrieved August 14, 2024."data-reference="group-ib_redcurl2"><sup><a href="https://www.group-ib.com/resources/research-hub/red-curl-2/" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1552/002">.002</a> </td> <td> <a href="/techniques/T1552">Unsecured Credentials</a>: <a href="/techniques/T1552/002">Credentials in Registry</a> </td> <td> <p><a href="/groups/G1039">RedCurl</a> used <a href="/software/S0349">LaZagne</a> to obtain passwords in the Registry.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="Group-IB. (2020, August). RedCurl: The Pentest You Didn鈥檛 Know About. Retrieved August 9, 2024."data-reference="group-ib_redcurl1"><sup><a href="https://www.group-ib.com/resources/research-hub/red-curl/" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span><span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="Group-IB. (2021, November). RedCurl: The Awakening. 
Retrieved August 14, 2024."data-reference="group-ib_redcurl2"><sup><a href="https://www.group-ib.com/resources/research-hub/red-curl-2/" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span> </p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/techniques/T1204">T1204</a> </td> <td> <a href="/techniques/T1204/001">.001</a> </td> <td> <a href="/techniques/T1204">User Execution</a>: <a href="/techniques/T1204/001">Malicious Link</a> </td> <td> <p><a href="/groups/G1039">RedCurl</a> has used malicious links to infect the victim machines.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="Group-IB. (2020, August). RedCurl: The Pentest You Didn鈥檛 Know About. Retrieved August 9, 2024."data-reference="group-ib_redcurl1"><sup><a href="https://www.group-ib.com/resources/research-hub/red-curl/" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span><span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="Group-IB. (2021, November). RedCurl: The Awakening. Retrieved August 14, 2024."data-reference="group-ib_redcurl2"><sup><a href="https://www.group-ib.com/resources/research-hub/red-curl-2/" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1204/002">.002</a> </td> <td> <a href="/techniques/T1204">User Execution</a>: <a href="/techniques/T1204/002">Malicious File</a> </td> <td> <p><a href="/groups/G1039">RedCurl</a> has used malicious files to infect the victim machines.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="Group-IB. (2020, August). RedCurl: The Pentest You Didn鈥檛 Know About. 
Retrieved August 9, 2024."data-reference="group-ib_redcurl1"><sup><a href="https://www.group-ib.com/resources/research-hub/red-curl/" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span><span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="Group-IB. (2021, November). RedCurl: The Awakening. Retrieved August 14, 2024."data-reference="group-ib_redcurl2"><sup><a href="https://www.group-ib.com/resources/research-hub/red-curl-2/" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span><span onclick=scrollToRef('scite-3') id="scite-ref-3-a" class="scite-citeref-number" title="Tancio et al. (2024, March 6). Unveiling Earth Kapre aka RedCurl鈥檚 Cyberespionage Tactics With Trend Micro MDR, Threat Intelligence. Retrieved August 9, 2024."data-reference="trendmicro_redcurl"><sup><a href="https://www.trendmicro.com/en_us/research/24/c/unveiling-earth-kapre-aka-redcurls-cyberespionage-tactics-with-t.html" target="_blank" data-hasqtip="2" aria-describedby="qtip-2">[3]</a></sup></span> </p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1102">T1102</a> </td> <td> <a href="/techniques/T1102">Web Service</a> </td> <td> <p><a href="/groups/G1039">RedCurl</a> has used web services to download malicious files.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="Group-IB. (2020, August). RedCurl: The Pentest You Didn鈥檛 Know About. Retrieved August 9, 2024."data-reference="group-ib_redcurl1"><sup><a href="https://www.group-ib.com/resources/research-hub/red-curl/" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span><span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="Group-IB. (2021, November). RedCurl: The Awakening. 
Retrieved August 14, 2024."data-reference="group-ib_redcurl2"><sup><a href="https://www.group-ib.com/resources/research-hub/red-curl-2/" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span></p> </td> </tr> </tbody> </table> </div> <h2 class="pt-3" id="references">References</h2> <div class="row"> <div class="col"> <ol> <li> <span id="scite-1" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-1" href="https://www.group-ib.com/resources/research-hub/red-curl/" target="_blank"> Group-IB. (2020, August). RedCurl: The Pentest You Didn’t Know About. Retrieved August 9, 2024. </a> </span> </span> </li> <li> <span id="scite-2" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-2" href="https://www.group-ib.com/resources/research-hub/red-curl-2/" target="_blank"> Group-IB. (2021, November). RedCurl: The Awakening. Retrieved August 14, 2024. </a> </span> </span> </li> </ol> </div> <div class="col"> <ol start="3.0"> <li> <span id="scite-3" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-3" href="https://www.trendmicro.com/en_us/research/24/c/unveiling-earth-kapre-aka-redcurls-cyberespionage-tactics-with-t.html" target="_blank"> Tancio et al. (2024, March 6). Unveiling Earth Kapre aka RedCurl’s Cyberespionage Tactics With Trend Micro MDR, Threat Intelligence. Retrieved August 9, 2024. </a> </span> </span> </li> <li> <span id="scite-4" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-4" href="https://therecord.media/redcurl-hackers-russian-bank-australian-company" target="_blank"> Antoniuk, D. (2023, July 17). RedCurl hackers return to spy on 'major Russian bank,' Australian company. Retrieved August 9, 2024. 
</a> </span> </span> </li> </ol> </div> </div> </div> </div> </div> </div> </div> </div> <!--stop-indexing-for-search--> </div> </div> <!--stopindex--> </div> <!--SCRIPTS--> <script src="/theme/scripts/jquery-3.5.1.min.js"></script> <script src="/theme/scripts/popper.min.js"></script> <script src="/theme/scripts/bootstrap-select.min.js"></script> <script src="/theme/scripts/bootstrap.bundle.min.js"></script> <script src="/theme/scripts/site.js"></script> <script src="/theme/scripts/settings.js"></script> <script src="/theme/scripts/search_bundle.js"></script> <!--SCRIPTS--> <script src="/theme/scripts/resizer.js"></script> <!--SCRIPTS--> <script src="/theme/scripts/sidebar-load-all.js"></script> <script src="/theme/scripts/bootstrap-tourist.js"></script> <script src="/theme/scripts/settings.js"></script> <script src="/theme/scripts/tour/tour-relationships.js"></script> </body> </html>