Updates include novel abuse of recruitment platforms, modified infection chains, and expansion into a hybrid operation that combines data theft and ransomware deployment
# Threat Actor: GOLD BLADE (STAC6565)
## Attribution & Identity
**Known Aliases:** RedCurl, RedWolf, Earth Kapre
**Known Associations:** The activity described in the article is tracked under the campaign designation 'STAC6565'. While some third parties report the group as Russian-speaking, Sophos analysts could not confirm this assessment. The operational tempo and refined tradecraft suggest a professionalized, discreet operation.
## Activity Summary
Between February 2024 and August 2025, analysts observed nearly 40 intrusions related to the STAC6565 campaign. The group has evolved from focusing primarily on cyberespionage to conducting a **hybrid operation blending data theft with selective ransomware deployment** using its custom locker, QWCrypt. Recent activity shows an unusually narrow target focus: almost 80% of attacks in that period hit Canadian organizations. Operations follow a pattern of dormancy followed by intense bursts of activity, with each wave introducing updated techniques.
## Tactics, Techniques & Procedures
- **Initial Access:** Shifted from traditional phishing emails to **novel abuse of recruitment platforms** to distribute weaponized resumes.
- **Infection Chain Modification:** Continually modifies the **RedLoader** infection chain, testing varied payload formats, execution mechanisms, and hosting locations.
- **Defense Evasion:** Implemented a **Bring Your Own Vulnerable Driver (BYOVD)** chain utilizing renamed Zemana drivers.
- **Defense Evasion:** Employed modified versions of the **Terminator EDR killer tool**.
- **Action on Objectives:** Selective deployment of the custom ransomware **QWCrypt**.
- *MITRE ATT&CK IDs were not explicitly provided in the text.*
## Targeting
- **Sectors:** Not explicitly listed, but the operation is characterized by targeted intrusions against specific organizations.
- **Geography:** **Canada** (Nearly 80% of observed STAC6565 activity between Feb 2024 and Aug 2025).
- **Victims:** Specific organizations were not named in the provided context.
## Tools & Infrastructure
- **Malware Families Used:**
  - RedLoader (used for initial infection chain delivery)
  - QWCrypt (custom ransomware locker)
  - Terminator (EDR killer tool, modified version used)
- **Infrastructure:**
  - Abuse of **recruitment platforms** (for initial delivery).
  - Use of renamed **Zemana drivers** (for BYOVD).
  - Malicious files hosted in evolving locations.
## Implications
GOLD BLADE operates as a highly professional, adaptive threat actor potentially functioning under a **"hack-for-hire" model** focused on stealing business information, credentials, and emails, distinguishing it from purely financially motivated ransomware groups. Their recent shift to integrating ransomware deployment suggests an evolution toward direct monetization alongside espionage services. The persistent updating of their delivery chains (RedLoader) and the adoption of advanced evasion techniques (BYOVD, EDR killers) highlight their commitment to maintaining operational effectiveness.
## Mitigations
- Increased scrutiny and filtering of attachments and links received via non-traditional vectors, specifically **recruitment platform communications**.
- Active monitoring for known EDR-killer tools and for **BYOVD activity**: vulnerable third-party drivers loaded under renamed file names, as seen with the renamed Zemana drivers.
- Endpoint detection and response capable of identifying modified versions of common utilities (such as the Terminator variants) and novel infection chains (such as RedLoader variants).
- Heightened vigilance in the periods immediately following observed dormancy, since each new wave of activity has introduced updated tradecraft.
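Added example (not code from the Sophos report or the actor's tooling): detection logic for the renamed-driver BYOVD indicator in the mitigations above, run over a constructed driver inventory. The block-list hash, the signer string and the file names are placeholders and assumptions; on a live host the records would be built from the loaded-driver list plus each image's PE version resource and Authenticode signer.

```python
"""Flag drivers that look like renamed or known-vulnerable kernel drivers (BYOVD indicators)."""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Constructed block list keyed by image SHA-256 (placeholders, not real indicator values).
KNOWN_VULNERABLE_SHA256 = {
    "PLACEHOLDER_SHA256_VULNERABLE_DRIVER_A": "known-vulnerable third-party anti-malware driver",
}
# Assumption: vendor keywords are matched case-insensitively against the Authenticode signer name.
WATCHED_SIGNER_KEYWORDS = ("zemana",)
NORMAL_DRIVER_DIR = PureWindowsPath(r"C:\Windows\System32\drivers")

@dataclass(frozen=True)
class DriverRecord:
    path: str               # on-disk path of the loaded driver image
    original_filename: str  # OriginalFilename from the PE version resource ("" if absent)
    signer: str             # Authenticode signer common name ("" if unsigned)
    sha256: str             # hex digest of the image file

def assess(rec: DriverRecord) -> list[str]:
    """Return the BYOVD indicators for one driver; an empty list means nothing suspicious."""
    findings = []
    p = PureWindowsPath(rec.path)
    if rec.sha256 in KNOWN_VULNERABLE_SHA256:
        findings.append(f"hash on block list: {KNOWN_VULNERABLE_SHA256[rec.sha256]}")
    # A renamed driver keeps the vendor's compiled-in OriginalFilename while the file on disk is called something else.
    if rec.original_filename and rec.original_filename.lower() != p.name.lower():
        findings.append(f"renamed driver: on-disk {p.name} vs OriginalFilename {rec.original_filename}")
    if any(k in rec.signer.lower() for k in WATCHED_SIGNER_KEYWORDS):
        findings.append(f"signed by watched vendor: {rec.signer}")
    if p.parent != NORMAL_DRIVER_DIR:  # PureWindowsPath compares case-insensitively
        findings.append(f"loaded from unusual directory: {p.parent}")
    return findings

def scan(records: list[DriverRecord]) -> dict[str, list[str]]:
    """Map each suspicious driver path to its indicators, omitting clean drivers."""
    return {r.path: f for r in records if (f := assess(r))}

# Constructed sample inventory: one stock driver and one renamed third-party driver dropped outside the driver directory.
SAMPLE_INVENTORY = [
    DriverRecord(r"C:\Windows\System32\drivers\ntfs.sys", "ntfs.sys", "Microsoft Windows", "PLACEHOLDER_SHA256_NTFS"),
    DriverRecord(r"C:\ProgramData\svc\update.sys", "vendor_am.sys", "Zemana (constructed signer name)",
                 "PLACEHOLDER_SHA256_VULNERABLE_DRIVER_A"),
]

if __name__ == "__main__":
    for path, hits in scan(SAMPLE_INVENTORY).items():
        print(path, "->", "; ".join(hits))
```

The OriginalFilename mismatch is the cheapest of the four checks to apply fleet-wide, since it needs no hash list and catches a renamed driver even before its hash is known.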