Full Report
Canadian organizations have emerged as the focus of a targeted cyber campaign orchestrated by a threat activity cluster known as STAC6565. Cybersecurity company Sophos said it investigated almost 40 intrusions linked to the threat actor between February 2024 and August 2025. The campaign is assessed with high confidence to share overlaps with a hacking group known as Gold Blade, which is also
Analysis Summary
# Threat Actor: STAC6565
## Attribution & Identity
**Primary Identifier:** STAC6565 (Threat activity cluster)
**Associated Groups:** Assessed with high confidence to share overlaps with **Gold Blade**.
**Gold Blade Aliases:** Earth Kapre, RedCurl, Red Wolf.
**Operational Model:** Suspected "hack-for-hire" model, carrying out tailored intrusions for clients, combined with independent ransomware monetization.
**Attribution Notes:** Previously speculated as Russian-speaking (2020 Group-IB report), but this remains unconfirmed. Not assessed as state-sponsored or politically motivated.
## Activity Summary
STAC6565 (Gold Blade) has been linked to almost 40 intrusions investigated by Sophos between February 2024 and August 2025, showing a significant shift from previous pure espionage activities toward hybrid operations blending data theft with ransomware deployment. The group has been active since late 2018, initially focusing on Russia before expanding its scope. The recent campaign shows an unusually narrow geographic focus, targeting Canadian organizations in approximately 80% of observed attacks. The operational tempo is characterized by periods of low activity followed by sudden spikes utilizing refined tactics, suggesting time spent refreshing toolsets.
## Tactics, Techniques & Procedures
- **Initial Access:** Spear-phishing emails targeting Human Resources (HR) personnel, disguised as job applications (resumes or cover letters).
- **Delivery Mechanism:** Leveraging legitimate job search platforms (Indeed, JazzHR, ADP WorkforceNow) since at least November 2024 to upload weaponized documents, often using disposable email domains to evade email-based defenses.
- **Payload Delivery Chain:** Observed use of RedLoader, which establishes C2 communication and executes PowerShell scripts to gather details about the compromised Active Directory (AD) environment.
- **Ransomware Deployment:** Deployment of bespoke ransomware strain named **QWCrypt** via the RedLoader chain.
- **Latest Observed TTP (July 2025):** Delivery chain involved a ZIP archive dropped by the bogus resume, containing a Windows shortcut (LNK) file impersonating a document.
- **Evolutionary Tradecraft:** Known for refining and evolving its tradecraft and mounting discreet extortion attacks.
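The July 2025 delivery chain above (a ZIP dropped by a bogus resume, containing an LNK shortcut dressed up as a document) is something an HR intake pipeline can check for before a file ever reaches a recruiter's desktop. The following script is an added illustration, not code from Sophos or from the report; it builds a constructed sample archive in memory and flags members whose name or header identifies a Windows Shell Link. The member names, the document-extension list and the sample bytes are assumptions made for the example.

```python
import io
import posixpath
import zipfile

# Shell Link (.lnk) signature: HeaderSize 0x4C followed by the ShellLink CLSID
# 00021401-0000-0000-C000-000000000046 (per the MS-SHLLINK format).
LNK_MAGIC = bytes.fromhex("4C000000" "01140200" "00000000" "C0000000" "00000046")

# Extensions a resume or cover letter is expected to carry (assumed list).
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".rtf", ".txt", ".odt"}


def inspect_member(name: str, head: bytes) -> list[str]:
    """Return reasons an archive member looks like a shortcut impersonating a document.

    `name` is the path inside the ZIP; `head` is the first bytes of its content.
    """
    reasons = []
    base = posixpath.basename(name).lower()
    root, ext = posixpath.splitext(base)
    inner_ext = posixpath.splitext(root)[1]
    if ext == ".lnk":
        reasons.append("member has .lnk extension")
        if inner_ext in DOCUMENT_EXTENSIONS:
            reasons.append(f"double extension {inner_ext}{ext} impersonates a document")
    # A Shell Link header hidden under a non-.lnk name is still worth a look.
    if head.startswith(LNK_MAGIC) and ext != ".lnk":
        reasons.append(f"Shell Link header under non-.lnk extension {ext or '(none)'}")
    return reasons


def scan_zip(blob: bytes) -> dict[str, list[str]]:
    """Scan an in-memory ZIP; return {member_name: reasons} for suspicious members only."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(len(LNK_MAGIC))  # only the header is needed
            reasons = inspect_member(info.filename, head)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample: a benign cover letter plus a shortcut dressed up as a PDF resume.

    The contents are placeholder bytes, not real documents or a real shortcut.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("cover_letter.docx", b"placeholder docx bytes")
        zf.writestr("Resume_J_Doe.pdf.lnk", LNK_MAGIC + b"\x00" * 56)
        zf.writestr("Resume_J_Doe.pdf", LNK_MAGIC + b"\x00" * 56)  # header under .pdf
    return buf.getvalue()


if __name__ == "__main__":
    for member, reasons in scan_zip(build_sample_archive()).items():
        print(member, "->", "; ".join(reasons))
```

The check deliberately looks at both the name and the first 20 bytes: the double-extension rule catches the pattern described above, while the header rule catches a shortcut that has been renamed so that it no longer ends in .lnk.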
## Targeting
- **Sectors:** Services, Manufacturing, Retail, Technology, Non-Governmental Organizations (NGOs), and Transportation.
- **Geography:** Primarily **Canada** (approx. 80% of recent attacks). Historically targeted entities in Germany, Norway, Russia, Slovenia, Ukraine, the U.K., and the U.S.
- **Victims:** Organizations within the listed sectors in Canada are the primary recent focus.
## Tools & Infrastructure
- **Malware Families Used:** **QWCrypt** (bespoke ransomware), **RedLoader** (information gathering and script execution).
- **Infrastructure:** Command-and-control (C2) servers used by RedLoader to receive host information and execute PowerShell scripts. (Specific URLs/IPs are not provided in the text.)
## Implications
The evolution of Gold Blade/STAC6565 from purely commercial espionage to a hybrid model involving ransomware deployment presents a significant financial threat. The adaptation of TTPs to exploit trusted HR workflows and job application platforms bypasses common email security controls, making the supply chain related to hiring and recruiting a critical vector. The highly focused targeting of Canadian entities suggests current client-driven contract work or concentrated adversarial interest in that region.
## Mitigations
- Implement stringent vetting and scanning procedures for files received through job application portals and third-party resume platforms.
- Enhance endpoint and network monitoring for suspicious PowerShell execution and Active Directory reconnaissance that follows the opening of a delivered file.
- Increase vigilance against spear-phishing that impersonates standard HR or recruitment communication, especially documents delivered via ZIP or LNK files.
- Ensure patching is timely and that endpoint defenses are in place to detect and block the behaviors associated with RedLoader activity chains.
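The second and third mitigations above come together in one detection: PowerShell that is launched from a file a user opened out of a ZIP, carries hidden-window or bypass flags, and goes on to query Active Directory. The script below is an added example written for this page, not detection content from Sophos; it runs a small rule set over constructed process-creation events in a Sysmon-like shape. The field names (`pid`, `ppid`, `image`, `cmdline`, `cwd`), the process IDs, paths and command lines are all assumptions made for the sample.

```python
import json
import re

# Constructed sample telemetry (JSON lines). pid 220 is PowerShell reached via
# explorer.exe -> cmd.exe from a Temp directory where a ZIP was opened, and it
# spawns nltest; pid 300 is routine PowerShell use; pid 400 runs an AD query
# from a parent not present in the sample.
SAMPLE_EVENTS = r"""
{"pid": 100, "ppid": 1, "image": "C:\\Windows\\explorer.exe", "cmdline": "explorer.exe", "cwd": "C:\\Users\\hr"}
{"pid": 210, "ppid": 100, "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe /c powershell -w hidden -ep bypass -f .\\r.ps1", "cwd": "C:\\Users\\hr\\AppData\\Local\\Temp\\Temp1_Resume_J_Doe.zip"}
{"pid": 220, "ppid": 210, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmdline": "powershell -w hidden -ep bypass -f .\\r.ps1", "cwd": "C:\\Users\\hr\\AppData\\Local\\Temp\\Temp1_Resume_J_Doe.zip"}
{"pid": 230, "ppid": 220, "image": "C:\\Windows\\System32\\nltest.exe", "cmdline": "nltest /dclist:corp", "cwd": "C:\\Users\\hr\\AppData\\Local\\Temp\\Temp1_Resume_J_Doe.zip"}
{"pid": 300, "ppid": 100, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmdline": "powershell -File C:\\Scripts\\cleanup.ps1", "cwd": "C:\\Users\\hr"}
{"pid": 400, "ppid": 50, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmdline": "powershell Get-ADComputer -Filter *", "cwd": "C:\\Windows\\System32"}
"""

POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}
TEMP_DIR = "\\appdata\\local\\temp\\"          # where Explorer extracts opened ZIP members
EVASIVE_FLAGS = ("-w hidden", "-windowstyle hidden", "-ep bypass",
                 "-executionpolicy bypass", "-enc")
# Command lines commonly used to enumerate an AD environment.
AD_RECON = re.compile(r"(?i)\bnltest\b|\bdsquery\b|\badfind\b|\bnet\s+group\b"
                      r"|\bGet-AD(?:Computer|User|Group|DomainController)\b|\[adsisearcher\]")


def load_events(text: str) -> list[dict]:
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def image_name(event: dict) -> str:
    return event["image"].rsplit("\\", 1)[-1].lower()


def ancestors(event: dict, by_pid: dict) -> list[dict]:
    """Walk the parent chain (guarding against cycles in replayed telemetry)."""
    chain, seen = [], {event["pid"]}
    cur = by_pid.get(event["ppid"])
    while cur is not None and cur["pid"] not in seen:
        chain.append(cur)
        seen.add(cur["pid"])
        cur = by_pid.get(cur["ppid"])
    return chain


def evaluate(events: list[dict]) -> list[dict]:
    """Score every PowerShell process; two or more independent signals raise an alert."""
    by_pid = {e["pid"] for e in events} and {e["pid"]: e for e in events}
    children: dict[int, list[dict]] = {}
    for e in events:
        children.setdefault(e["ppid"], []).append(e)

    results = []
    for e in events:
        if image_name(e) not in POWERSHELL_IMAGES:
            continue
        signals = []
        chain = [e] + ancestors(e, by_pid)
        # Signal 1: chain roots at explorer.exe and passes through a Temp extraction dir.
        if any(image_name(p) == "explorer.exe" for p in chain) and \
                any(TEMP_DIR in p["cwd"].lower() for p in chain):
            signals.append("launched from a user-opened file under AppData\\Local\\Temp")
        # Signal 2: hidden window / policy bypass / encoded command flags.
        if any(flag in e["cmdline"].lower() for flag in EVASIVE_FLAGS):
            signals.append("hidden/bypass/encoded PowerShell flags")
        # Signal 3: AD reconnaissance in the process itself or its direct children.
        cmdlines = [e["cmdline"]] + [c["cmdline"] for c in children.get(e["pid"], [])]
        hits = sorted({m.group(0) for cl in cmdlines for m in AD_RECON.finditer(cl)})
        if hits:
            signals.append("AD reconnaissance: " + ", ".join(hits))
        results.append({"pid": e["pid"], "signals": signals, "alert": len(signals) >= 2})
    return results


if __name__ == "__main__":
    for r in evaluate(load_events(SAMPLE_EVENTS)):
        print(r)
```

Requiring two signals keeps a lone `Get-ADComputer` from a scheduled task (pid 400) at observation level while the full chain (pid 220) alerts on all three; in a real deployment the Temp-path and flag rules would be tuned to the environment's own baseline of PowerShell use.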