Gold Blade Targets Canada with Stealthy Resume-Based Attacks

Eng. Donya Bino

Canadian organizations have become the center of an unusually focused hacking campaign tied to a threat actor cluster known as STAC6565. Over the past year and a half, Sophos has investigated nearly forty incidents linked to the group, and the patterns point strongly toward a familiar name in the cybercrime world: Gold Blade, also known as Earth Kapre, RedCurl, or Red Wolf, depending on who’s tracking them.

Gold Blade has been active since late 2018. They started out going after Russian companies, mostly through well-crafted phishing emails aimed at stealing business intelligence. Over time, their target list widened to include Canada, Germany, Norway, Slovenia, Ukraine, the U.K., and the U.S. But in this most recent wave, something stands out: almost 80% of the activity hit Canadian organizations, which is far narrower than their usual global footprint.

And their playbook has shifted. What began years ago as classic commercial espionage has evolved into a mix of data theft and selective ransomware, backed by a custom locker called QWCrypt. One of the key tools behind these attacks is RedLoader, a piece of malware that quietly sends system details back to a command-and-control server and pokes around Active Directory using PowerShell.

A “Hack-for-Hire” Operation With a Side Hustle
Sophos describes Gold Blade as running a commercial intrusion service: intrusions on demand. They’ll break into a network for a client, steal information if that’s what’s requested, or deploy ransomware if it leads to a better payout. There’s no clear evidence tying them to any government or political agenda. They’re professionals, not ideologues, and they’ve shown a steady ability to refine their tools between bursts of activity.

The HR Desk Becomes the Front Door
Almost every incident tied to STAC6565 starts the same way: an HR staff member opens what looks like a routine resume or cover letter.

Since late 2024, the group has begun uploading malicious resumes directly into legitimate platforms like Indeed, JazzHR, and ADP WorkforceNow, which makes the documents look harmless and helps them slip past traditional email screening.

In one case, a fake resume on Indeed redirected the victim to a malicious link that triggered the full RedLoader chain, ending with a deployment of QWCrypt ransomware. Sophos and several other security firms have tracked multiple variations of this chain across 2024 and 2025.

The July 2025 version introduced a new twist: a malicious ZIP file dropped by the bogus resume. Inside was a Windows shortcut disguised as a PDF that, when opened, fetched a renamed executable from a WebDAV server running behind Cloudflare Workers. From there, the malware sideloaded a DLL version of RedLoader and pulled down additional stages: binaries, a malicious DAT file, and even a renamed 7-Zip executable.

A familiar pattern emerges here: every stage is designed to look legitimate or borrow trust from real software, and almost everything is routed over infrastructure that blends in with normal traffic.
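A defender-side check for the delivery step described above, added here as an illustration rather than code from Sophos or the original article: it inspects an applicant-supplied ZIP and flags any entry that is really a Windows shortcut, identified by the fixed LNK header bytes rather than by its name, since Explorer hides the `.lnk` suffix and a file called `Resume.pdf.lnk` displays as `Resume.pdf`. The sample archive and its file names are constructed for the demonstration.

```python
import io
import zipfile

# Every Windows shortcut (.lnk) starts with HeaderSize 0x4C (little-endian)
# followed by the ShellLink CLSID 00021401-0000-0000-C000-000000000046.
LNK_MAGIC = bytes.fromhex("4c000000011402000000000000c000000000000046")

# Extensions an applicant document would normally carry; a trailing ".lnk"
# after one of these is the double-extension disguise used in the campaign.
DOCUMENT_EXTS = (".pdf", ".doc", ".docx", ".rtf", ".txt")


def inspect_resume_zip(zip_bytes: bytes) -> list:
    """Return (entry name, reason) for each suspicious member of the ZIP."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            lower = name.lower()
            # Read only the header; a renamed shortcut keeps these bytes.
            with zf.open(info) as member:
                head = member.read(len(LNK_MAGIC))
            if head == LNK_MAGIC:
                findings.append((name, "windows shortcut by header bytes"))
            elif any(lower.endswith(ext + ".lnk") for ext in DOCUMENT_EXTS):
                findings.append((name, "document-style name with .lnk suffix"))
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample (not a real capture): a harmless cover letter plus a
    shortcut whose name pretends to be a PDF resume."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("cover_letter.txt", "Please find my resume attached.")
        zf.writestr("Resume.pdf.lnk", LNK_MAGIC + b"\x00" * 56)
    return buf.getvalue()


if __name__ == "__main__":
    for entry, reason in inspect_resume_zip(build_sample_zip()):
        print(f"FLAG {entry}: {reason}")
```

Run this on attachments at the point where HR tooling hands them to a reviewer; a hit is a reason to quarantine the archive, not just the one entry.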

Deep Reconnaissance Before Anything Explodes
Once the malware chain runs, it uses Microsoft’s Program Compatibility Assistant to launch each stage. The second-stage payload reads the malicious DAT file, checks that the machine has internet access, and then downloads a script that collects system details, hosts, disks, processes, and even installed antivirus products. All of this is zipped up in an encrypted archive and sent back to the attacker via WebDAV.

Gold Blade also relies on tools like RPivot and Chisel SOCKS5 for covert communication, and in some cases, they’ve deployed a modified version of “Terminator,” a tool that turns a vulnerable security driver into a weapon for killing antivirus processes. In April 2025, they pushed this driver across SMB shares to every server in one victim’s environment, renamed, of course, to blend in.

Despite the sophistication, most attacks were caught before QWCrypt could be deployed. But three incidents, one in April and two in July 2025, weren’t stopped in time. In the April case, the attackers spent days quietly browsing through sensitive documents before finally unleashing the ransomware, which suggests they may have tried (and failed) to find a buyer for the stolen data.

QWCrypt: Tailored and Meant to Hurt
The QWCrypt scripts are adjusted for each victim, often embedding a unique ID into the filenames. Once triggered, the script checks whether the Terminator service is running, disables recovery mechanisms, and pushes the ransomware to endpoints and even the organization’s hypervisors. After encryption finishes, it wipes shadow copies and PowerShell history to make forensic work much harder.

Sophos notes that Gold Blade operates with a level of organization uncommon among financially driven groups: quiet periods followed by rapid bursts of activity, updated tools, and constantly shifting delivery methods.

Source: The Hacker News

© 2016 – 2026 Red Secure Tech Ltd. Registered in England and Wales — Company No: 15581067