Find notable cyber news and cases, enriched with sources, timelines, and signals.

QWCrypt and RedLoader multi-stage ransomware activity

Malware Activity
First reported
Last updated
Happening score
H score 32
1 unique sources, 1 articles

Summary

Hide ▲

The QWCrypt ransomware chain now matters because it has reached successful deployment in at least three attacks, using RedLoader and a customized Terminator tool to stage payloads, discover hosts, and disable defenses. The activity relies on spear-phishing resumes and a multi-stage Windows delivery chain that shifted payload formats in April 2025 and again in July 2025. RedLoader reports infected hosts to C2 infrastructure and runs PowerShell for Active Directory discovery, while the final scripts delete shadow copies and console history to hinder recovery. The result is a tailored ransomware workflow that can spread across endpoint devices and hypervisors in victim environments.

Related Happenings

TONResolver RAT delivered via ZIP, LNK, and PowerShell

Malware Activity
H score22 First: 30.06.2026 13:30 Last: 30.06.2026 13:30 Sources 1

About this happening: The **TONResolver** malware implant was delivered through a **ZIP/LNK/PowerShell** chain that can establish a **remote access trojan** foothold and enable **command execution**. T...

Major U.S. services company hit by ransomware attack linked to DragonForce

Incident
H score38 First: 16.06.2026 13:18 Last: 16.06.2026 13:18 Sources 1

About this happening: A **DragonForce ransomware** incident hit a **major U.S. services firm** in **December 2025**, with attackers maintaining access for **one to two months** and hiding **command-and...

AI-built ransomware toolkit with AD discovery and EDR evasion

Malware Activity
H score36 First: 02.06.2026 23:01 Last: 02.06.2026 23:01 Sources 1

About this happening: A **customer-detected** AI-built ransomware toolkit is automating **Active Directory discovery** and **EDR evasion**, increasing the chance that payloads slip past security contro...

Medusa ransomware post-compromise deployment

Malware Activity
H score48 First: 07.04.2026 09:35 Last: 07.04.2026 09:35 Sources 1

About this happening: **Medusa ransomware** is being deployed rapidly after initial access, turning intrusions into fast-moving extortion events and shrinking defenders' response time. The malware acti...

TeamPCP and Vect partner to turn supply-chain compromises into ransomware follow-on campaigns

Threat Actor Meta
H score11 First: 31.03.2026 15:15 Last: 31.03.2026 15:15 Sources 1

About this happening: TeamPCP and **Vect ransomware group** are linking **supply-chain compromises** to **follow-on ransomware campaigns**, broadening extortion risk for affected organizations. The shi...

Timeline

  1. 09.12.2025 11:35 2 articles · 7mo ago

    QWCrypt and RedLoader multi-stage ransomware activity

    Initial Disclosure

    The activity begins with **spear-phishing resumes** delivered through job-application workflows and booby-trapped links. Initial payload stages then use **WebDAV**, **rundll32.exe**, and **Adobe** sideloading to establish **RedLoader**.

    Show sources