
STAC6565

Also known as: stac6565

STAC6565 is a financially motivated threat activity cluster investigated by Sophos, linked to nearly 40 intrusions from February 2024 through August 2025, with a strong focus on Canadian organizations (almost 80% of observed targeting). The cluster shows significant overlap with Gold Blade (aka Earth Kapre, RedCurl, Red Wolf), a group active since late 2018 that initially targeted Russian entities and later expanded to Canada, Germany, Norway, Russia, Slovenia, Ukraine, the U.K., and the U.S. The activity is assessed as not state-sponsored or politically motivated and is described as operating under a hack-for-hire model, conducting tailored intrusions for clients and monetizing via data theft and selective ransomware deployment. Tradecraft and intrusion patterns include spear-phishing aimed at HR personnel using malicious resumes/cover letters, and since November 2024 leveraging legitimate recruitment/job platforms (Indeed, JazzHR, ADP WorkforceNow) to deliver weaponized resumes, often via disposable email domains to evade email defenses. Multi-stage delivery chains have been observed (e.g., September 2024, March/April 2025, July 2025), including ZIP archives containing Windows LNK files impersonating PDFs; LNKs fetching payloads (e.g., a renamed “ADNotificationManager.exe”) from WebDAV infrastructure fronted by Cloudflare Workers; and DLL sideloading using legitimate Adobe executables to load the group’s tooling. Payload formats shifted from DLLs to EXEs in April 2025. Post-compromise activity includes automated system discovery via batch scripts, use of Sysinternals AD Explorer to collect host/disk/process/AV information, and exfiltration of results in encrypted 7-Zip archives to attacker-controlled WebDAV servers. Command-and-control and lateral movement tooling noted includes RPivot and Chisel (SOCKS5). 
The group’s custom tooling includes RedLoader (used to send host information to C2 and execute PowerShell scripts for Active Directory reconnaissance) and a customized “Terminator” capability leveraging a signed Zemana AntiMalware driver for BYOVD to terminate security processes. In at least one case, Terminator components were renamed and distributed via SMB shares across servers. The cluster has evolved from commercial-espionage-style phishing into hybrid operations that blend data theft with ransomware deployment using a custom strain called QWCrypt. While most intrusions were detected and mitigated before ransomware installation, multiple successful QWCrypt deployments were reported (April and July 2025). QWCrypt deployment is described as victim-tailored, including disabling recovery, executing across endpoints and hypervisors, and running cleanup actions such as deleting shadow copies and PowerShell history to hinder forensic recovery. Targeted sectors mentioned include services, manufacturing, retail, technology, NGOs, and transportation, with additional targeting beyond Canada in the U.S., Australia, and the U.K.
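As an added detection example (not code from Sophos or Mallory), the Python below scores constructed process-creation events against the post-compromise patterns summarized above: PDF-masquerading LNK files, AD Explorer collection, encrypted 7-Zip staging, shadow-copy deletion and PowerShell history removal. The exact command lines, the `ADExplorer -snapshot` usage and the event layout are assumptions, not behaviour the source attributes to STAC6565.

```python
import re
from collections import defaultdict

# One regex per pattern from the writeup, applied to the process command line.
# The command strings are common ways of doing each thing; they are assumptions.
RULES = {
    "lnk_masquerading_as_pdf": re.compile(r"\.pdf\.lnk\b", re.I),
    "shadow_copy_deletion": re.compile(
        r"(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete|Win32_ShadowCopy.*Delete)", re.I),
    "powershell_history_wipe": re.compile(
        r"\b(del|erase|rm|Remove-Item)\b.*ConsoleHost_history\.txt", re.I),
    "encrypted_7zip_archive": re.compile(r"\b7za?(\.exe)?\s+a\b.*\s-p\S+", re.I),
    "ad_explorer_discovery": re.compile(r"\bADExplorer(64)?\.exe\b", re.I),
}

def match_event(cmdline):
    """Return the names of every rule that fires on a single command line."""
    return [name for name, pat in RULES.items() if pat.search(cmdline)]

def score_hosts(events, threshold=2):
    """Collect distinct rule hits per host and report hosts at or above threshold.
    A single hit (e.g. an admin creating a password-protected backup) is weak
    evidence; several distinct stages on one host look like the described chain."""
    hits = defaultdict(set)
    for ev in events:
        for name in match_event(ev["cmdline"]):
            hits[ev["host"]].add(name)
    return {host: sorted(rules) for host, rules in hits.items() if len(rules) >= threshold}

# Constructed sample telemetry for demonstration; not real logs or indicators.
SAMPLE_EVENTS = [
    {"host": "hr-pc7", "cmdline": r'cmd.exe /c start "" "C:\Users\hr\AppData\Local\Temp\Temp1_Resume.zip\Resume_J_Doe.pdf.lnk"'},
    {"host": "hr-pc7", "cmdline": r'C:\Tools\ADExplorer.exe -snapshot "" C:\Users\hr\AppData\Local\Temp\ad.dat'},
    {"host": "hr-pc7", "cmdline": r'7z.exe a -pSecretPw -mhe=on C:\Users\hr\AppData\Local\Temp\out.7z C:\Users\hr\AppData\Local\Temp\ad.dat'},
    {"host": "esx-mgmt", "cmdline": r'vssadmin.exe delete shadows /all /quiet'},
    {"host": "esx-mgmt", "cmdline": r'powershell.exe -c "Remove-Item $env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt"'},
    {"host": "fileshare", "cmdline": r'7z.exe a -pBackup2025 D:\backups\nightly.7z D:\data'},
]

if __name__ == "__main__":
    for host, rules in score_hosts(SAMPLE_EVENTS).items():
        print(host, rules)
```

The `fileshare` host fires only the 7-Zip rule and stays below the threshold, which is the intended behaviour of the per-host scoring.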

Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

ARSENAL

Associated malware families

1 malware family attributed to this actor across reporting.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.
Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal (1)

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables

Domains, IPs, and hashes tied to this actor, refreshed continuously.
