
RedCurl cyberspies create ransomware to encrypt Hyper-V servers


Jasper_The_Rasper
Moderator

March 26, 2025 By Bill Toulas

 

Ransomware

A threat actor named 'RedCurl,' known for stealthy corporate espionage operations since 2018, is now using a ransomware encryptor designed to target Hyper-V virtual machines.

Previously, RedCurl was spotted by Group-IB targeting corporate entities worldwide, later expanding its operations and increasing the victim count.

However, as Bitdefender Labs researchers report, the threat actors have started deploying ransomware on compromised networks.

"We've seen RedCurl stick to their usual playbook in most cases, continuing with data exfiltration over longer periods of time," reads the Bitdefender report.

"However, one case stood out. They broke their routine and deployed ransomware for the first time."

As enterprises increasingly move to virtual machines to host their servers, ransomware gangs have followed the trend, creating encryptors that specifically target virtualization platforms.

While most ransomware operations focus on targeting VMware ESXi servers, RedCurl's new "QWCrypt" ransomware specifically targets virtual machines hosted on Hyper-V.

 

>>Full Article<<
