QWCrypt and RedLoader multi-stage ransomware activity
Malware Activity
Summary
Hide ▲
Show ▼
The QWCrypt ransomware chain now matters because it has reached successful deployment in at least three attacks, using RedLoader and a customized Terminator tool to stage payloads, discover hosts, and disable defenses. The activity relies on spear-phishing resumes and a multi-stage Windows delivery chain that shifted payload formats in April 2025 and again in July 2025. RedLoader reports infected hosts to C2 infrastructure and runs PowerShell for Active Directory discovery, while the final scripts delete shadow copies and console history to hinder recovery. The result is a tailored ransomware workflow that can spread across endpoint devices and hypervisors in victim environments.
Related Happenings
TONResolver RAT delivered via ZIP, LNK, and PowerShell
Malware Activity
H score22
First: 30.06.2026 13:30
Last: 30.06.2026 13:30
Sources 1
About this happening:
The **TONResolver** malware implant was delivered through a **ZIP/LNK/PowerShell** chain that can establish a **remote access trojan** foothold and enable **command execution**. T...
TONResolver RAT delivered via ZIP, LNK, and PowerShell
Malware ActivityAbout this happening: The **TONResolver** malware implant was delivered through a **ZIP/LNK/PowerShell** chain that can establish a **remote access trojan** foothold and enable **command execution**. T...
Major U.S. services company hit by ransomware attack linked to DragonForce
Incident
H score38
First: 16.06.2026 13:18
Last: 16.06.2026 13:18
Sources 1
About this happening:
A **DragonForce ransomware** incident hit a **major U.S. services firm** in **December 2025**, with attackers maintaining access for **one to two months** and hiding **command-and...
Major U.S. services company hit by ransomware attack linked to DragonForce
IncidentAbout this happening: A **DragonForce ransomware** incident hit a **major U.S. services firm** in **December 2025**, with attackers maintaining access for **one to two months** and hiding **command-and...
AI-built ransomware toolkit with AD discovery and EDR evasion
Malware Activity
H score36
First: 02.06.2026 23:01
Last: 02.06.2026 23:01
Sources 1
About this happening:
A **customer-detected** AI-built ransomware toolkit is automating **Active Directory discovery** and **EDR evasion**, increasing the chance that payloads slip past security contro...
AI-built ransomware toolkit with AD discovery and EDR evasion
Malware ActivityAbout this happening: A **customer-detected** AI-built ransomware toolkit is automating **Active Directory discovery** and **EDR evasion**, increasing the chance that payloads slip past security contro...
Medusa ransomware post-compromise deployment
Malware Activity
H score48
First: 07.04.2026 09:35
Last: 07.04.2026 09:35
Sources 1
About this happening:
**Medusa ransomware** is being deployed rapidly after initial access, turning intrusions into fast-moving extortion events and shrinking defenders' response time. The malware acti...
Medusa ransomware post-compromise deployment
Malware ActivityAbout this happening: **Medusa ransomware** is being deployed rapidly after initial access, turning intrusions into fast-moving extortion events and shrinking defenders' response time. The malware acti...
TeamPCP and Vect partner to turn supply-chain compromises into ransomware follow-on campaigns
Threat Actor Meta
H score11
First: 31.03.2026 15:15
Last: 31.03.2026 15:15
Sources 1
About this happening:
TeamPCP and **Vect ransomware group** are linking **supply-chain compromises** to **follow-on ransomware campaigns**, broadening extortion risk for affected organizations. The shi...
TeamPCP and Vect partner to turn supply-chain compromises into ransomware follow-on campaigns
Threat Actor MetaAbout this happening: TeamPCP and **Vect ransomware group** are linking **supply-chain compromises** to **follow-on ransomware campaigns**, broadening extortion risk for affected organizations. The shi...
Timeline
-
09.12.2025 11:35 2 articles · 7mo ago
QWCrypt and RedLoader multi-stage ransomware activity
Initial DisclosureThe activity begins with **spear-phishing resumes** delivered through job-application workflows and booby-trapped links. Initial payload stages then use **WebDAV**, **rundll32.exe**, and **Adobe** sideloading to establish **RedLoader**.
Show sources
- STAC6565 Targets Canada in 80% of Attacks as Gold Blade Deploys QWCrypt Ransomware — thehackernews.com — 09.12.2025 11:35
- STAC6565 Targets Canada in 80% of Attacks as Gold Blade Deploys QWCrypt Ransomware — thehackernews.com — 09.12.2025 11:35