STAC6565 Targets Canada In 80% Of Attacks As Gold Blade Deploys...
Canadian organizations have emerged as the focus of a targeted cyber campaign orchestrated by a threat activity cluster known as STAC6565.
Cybersecurity company Sophos said it investigated almost 40 intrusions linked to the threat actor between February 2024 and August 2025. The campaign is assessed with high confidence to share overlaps with a hacking group known as Gold Blade, which is also known as Earth Kapre, RedCurl, and Red Wolf.
The financially motivated threat actor is believed to have been active since late 2018, initially targeting entities in Russia before expanding its focus to entities in Canada, Germany, Norway, Russia, Slovenia, Ukraine, the U.K., and the U.S. The group has a history of using phishing emails to conduct commercial espionage.
However, recent attack waves have shown RedCurl engaging in ransomware attacks using a bespoke malware strain dubbed QWCrypt. One of the notable tools in the threat actor's arsenal is RedLoader, which sends information about the infected host to a command-and-control (C2) server and executes PowerShell scripts to collect details about the compromised Active Directory (AD) environment.
"This campaign reflects an unusually narrow geographic focus for the group, with almost 80% of the attacks targeting Canadian organizations," Sophos researcher Morgan Demboski said. "Once focused primarily on cyber espionage, Gold Blade has evolved its activity into a hybrid operation that blends data theft with selective ransomware deployment via a custom locker named QWCrypt."
Other prominent targets include the U.S., Australia, and the U.K., with services, manufacturing, retail, technology, non-governmental organizations, and transportation sectors hit the hardest during the time period.
The group is said to be operating under a "hack-for-hire" model, carrying out tailored intrusions on behalf of clients, while deploying ransomware on the side to monetize the intrusions. Although a 2020 report from Group-IB raised the possibility of it being a Russian-speaking group, there are currently no indications to confirm or deny this assessment.
Describing RedCurl as a "professionalized operation," Sophos said the threat actor stands apart from other cybercriminal groups owing to its ability to refine and evolve its tradecraft, as well as mount discreet extortion attacks. That said, there is no evidence to suggest it's state-sponsored or politically motivated.
The cybersecurity company also pointed out that the oper
Source: The Hacker News