Mallory
Malware / Ransomware / Used by 3 actors

QWCrypt

QWCrypt is a custom ransomware strain operated by the financially motivated threat group GOLD BLADE, also tracked as RedCurl, Red Wolf, and Earth Kapre. Reporting indicates the group began deploying QWCrypt in mid-2025 after years of conducting tailored commercial espionage intrusions under a hack-for-hire model, suggesting a shift toward hybrid operations that combine espionage, data theft, and ransomware monetization.

Observed campaigns were heavily focused on Canadian organizations, with broader targeting also reported against entities in the U.S., Australia, and the U.K., across sectors including services, manufacturing, retail, technology, NGOs, and transportation. Researchers described the STAC6565 activity cluster, assessed with high confidence to overlap with GOLD BLADE, as blending data theft with selective QWCrypt ransomware deployment.

Initial access and delivery tradecraft associated with QWCrypt campaigns included spear-phishing and, later, abuse of recruitment platforms such as Indeed, JazzHR, and ADP WorkforceNow to deliver weaponized resumes, typically aimed at HR personnel. The group sideloaded its custom RedLoader malware through legitimately signed Adobe executables, so the signed host process, rather than the malicious DLL, is what shows up in process trees. RedLoader transmitted host information to command-and-control infrastructure and executed PowerShell scripts to enumerate Active Directory environments.

Additional tooling and behaviors reported in QWCrypt-linked intrusions included Sysinternals AD Explorer for host and security-product discovery, exfiltration of collected data in encrypted 7-Zip archives to attacker-controlled WebDAV servers, RPivot and Chisel SOCKS5 proxies for tunnelled communications, and a BYOVD chain that loaded renamed Zemana drivers together with a modified build of the Terminator EDR-killer tool to disable security products.

QWCrypt deployment was described as selective rather than universal across intrusions. Where it did occur, deployment scripts were tailored to each victim, disabled recovery mechanisms, and executed the ransomware across endpoints and hypervisors. Cleanup actions included deletion of volume shadow copies and of PowerShell command history to inhibit recovery and forensic analysis. Most observed attacks were reportedly detected before QWCrypt was installed, but several incidents in 2025 resulted in successful deployment.
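As an added example (not Mallory's, Sophos's, or the group's own code), the following Python sketch turns the behaviours described in the two paragraphs above into hunting rules and runs them over a handful of constructed Sysmon-style events. The event field names, hostnames, file paths and the expected Zemana driver file names are assumptions made for the example; the 7-Zip -p switch, the vssadmin/wmic shadow-copy commands and the PSReadLine history file name are the real ones.

```python
"""Toy hunting rules for the QWCrypt-linked tradecraft described above.

Added example; the event shape is a simplified Sysmon-like record constructed
for this script, and the patterns are illustrative rather than production rules.
"""
import ntpath
import re
from typing import Iterable

# Paths an attacker can write to without elevation. Loading code from here is the
# sideloading tell; the Adobe signature is what makes the host binary look benign.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads|Public|ProgramData)\\", re.I)

# Recovery inhibition: the usual shadow-copy deletion one-liners.
SHADOW_DELETE = re.compile(
    r"vssadmin(\.exe)?\s+delete\s+shadows"
    r"|wmic(\.exe)?\s+shadowcopy\s+delete"
    r"|Win32_ShadowCopy.*\.Delete\(\)",
    re.I,
)

# Anti-forensics: PSReadLine stores PowerShell command history in this file.
PS_HISTORY = re.compile(r"ConsoleHost_history\.txt", re.I)
DELETE_VERB = re.compile(r"remove-item|\bdel\b|\berase\b", re.I)

# Staging: 7-Zip invoked with a password (-p) produces an encrypted archive.
SEVENZIP_ENCRYPTED = re.compile(r"\b7z[ag]?(\.exe)?\b.*\s-p\S*", re.I)

# Assumption: file names the Zemana-signed driver normally ships under.
ZEMANA_KNOWN = {"zam64.sys", "zamguard64.sys"}


def check(ev: dict) -> list[str]:
    """Return the names of every rule a single event trips."""
    hits: list[str] = []
    kind = ev.get("event")
    if kind == "image_load":
        # Signed Adobe host binary loading an unsigned DLL from a user-writable path.
        if ("adobe" in ev.get("image_signer", "").lower()
                and not ev.get("loaded_signed", True)
                and USER_WRITABLE.search(ev.get("loaded", ""))):
            hits.append("adobe_dll_sideload")
    elif kind == "process_create":
        cmd = ev.get("cmdline", "")
        if SHADOW_DELETE.search(cmd):
            hits.append("shadow_copy_deletion")
        if PS_HISTORY.search(cmd) and DELETE_VERB.search(cmd):
            hits.append("powershell_history_wipe")
        if SEVENZIP_ENCRYPTED.search(cmd):
            hits.append("encrypted_7z_staging")
    elif kind == "file_delete":
        if PS_HISTORY.search(ev.get("target", "")):
            hits.append("powershell_history_wipe")
    elif kind == "driver_load":
        # Zemana-signed driver loaded under a name it does not normally ship with.
        signer = ev.get("signer", "").lower()
        name = ntpath.basename(ev.get("image", "")).lower()
        if "zemana" in signer and name not in ZEMANA_KNOWN:
            hits.append("renamed_zemana_driver")
    return hits


def hunt(events: Iterable[dict]) -> list[tuple[str, str]]:
    """Run every rule over an event stream; returns (rule, host) pairs in order."""
    return [(rule, ev.get("host", "?")) for ev in events for rule in check(ev)]


# Constructed sample telemetry: benign noise mixed with the behaviours above.
SAMPLE_EVENTS = [
    {"event": "image_load", "host": "HR-WS01",  # benign: DLL from the install directory
     "image": r"C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe", "image_signer": "Adobe Inc.",
     "loaded": r"C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroRd32.dll", "loaded_signed": True},
    {"event": "image_load", "host": "HR-WS01",  # sideload from a "resume" folder in %TEMP%
     "image": r"C:\Users\hr\AppData\Local\Temp\resume\AdobeUpdater.exe", "image_signer": "Adobe Inc.",
     "loaded": r"C:\Users\hr\AppData\Local\Temp\resume\netutils.dll", "loaded_signed": False},
    {"event": "process_create", "host": "HR-WS01",  # password-protected archive of AD data
     "cmdline": r'"C:\Program Files\7-Zip\7z.exe" a -pQ9x!Lm -mhe=on C:\Users\hr\AppData\Local\Temp\ad.7z C:\Users\hr\AppData\Local\Temp\adexplorer'},
    {"event": "process_create", "host": "FS01", "cmdline": "cmd.exe /c vssadmin delete shadows /all /quiet"},
    {"event": "process_create", "host": "FS01", "cmdline": "vssadmin list shadows"},  # benign: listing only
    {"event": "file_delete", "host": "FS01",
     "target": r"C:\Users\svc-backup\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt"},
    {"event": "driver_load", "host": "FS01", "image": r"C:\Windows\Temp\zam64.sys", "signer": "Zemana Ltd."},  # original name
    {"event": "driver_load", "host": "FS01", "image": r"C:\Windows\Temp\svchost.sys", "signer": "Zemana Ltd."},  # renamed copy
]

if __name__ == "__main__":
    for rule, host in hunt(SAMPLE_EVENTS):
        print(f"{host}: {rule}")
```

Run directly, the script prints one line per hit. In a real stack each rule maps to a Sigma rule over the matching Sysmon event IDs (1 process create, 6 driver load, 7 image load, 23/26 file delete) with allow-lists tuned to the environment; note that the rename rule deliberately ignores a Zemana driver loaded under its original name, which would need a separate "unexpected driver signer" rule.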


THREAT ACTORS

Groups observed using it

3 distinct threat actors attributed by public researchers.
RedCurl

In mid-2025, Sophos analysts observed the group starting to deploy custom ransomware, named QWCrypt, in some network compromises, suggesting that the threat actors may be independently monetizing intrusions in addition to conducting espionage for clients.

via sophos other, sophos.com
RedWolf

Sophos says that an e-crime group named Gold Blade has been running ransomware attacks against Canadian organizations. The group has been active since 2018, is made up of Russian-speaking members, is also known as RedCurl, RedWolf, and Earth Kapre, and operates the QWCrypt ransomware strain.

via risky biz rss, news.risky.biz
STAC6565

“...Gold Blade Deploys QWCrypt Ransomware...”

via cloudatg insights, cloudatg.com
MITRE ATT&CK

Techniques & procedures

1 distinct technique documented for this family, organized by ATT&CK tactic. Only the encryption step is mapped here; the tradecraft summarised above also corresponds to techniques this page does not list, among them T1574.002 (DLL Side-Loading), T1490 (Inhibit System Recovery), T1070.003 (Clear Command History), T1562.001 (Disable or Modify Tools), and T1560.001 (Archive via Utility).

Impact

1 technique
T1486 Data Encrypted for Impact. Tactic: Impact. Evidence: 1.

Evidence: "In mid-2025, Sophos analysts observed the group starting to deploy custom ransomware, named QWCrypt, in some network compromises."
