STAC6565 spear-phishing campaign targeting Canadian organizations
Campaign
Summary
The STAC6565 campaign has driven almost 40 intrusions against Canadian organizations, making it a sustained operation with a sharply focused target set. Attackers use spear-phishing against HR personnel and a multi-stage delivery chain to reach victims. The activity overlaps with Gold Blade and its aliases, showing continuity across multiple countries and sectors. Recent waves have combined data theft with selective QWCrypt ransomware deployment, raising both disruption and extortion risk.
Related Happenings
North American cryptocurrency company hit by network compromise
Incident
First: 28.04.2026 11:00
Last: 28.04.2026 11:00
Sources 1
About this happening:
A **North American cryptocurrency company** suffered a **multi-stage intrusion** that began on **January 23, 2026**, and the attackers kept access for **66 days**. The foothold ca...
FBI-led takedown of W3LL phishing network
Law Enforcement
First: 13.04.2026 13:35
Last: 13.04.2026 13:35
Sources 1
About this happening:
**FBI Atlanta** and **US and Indonesian law enforcement** took down the **W3LL** phishing network, escalating a cross-border cybercrime case tied to **more than $20 million in fra...
Phantom Project's subscription-based cybercrime toolkit model
Threat Actor Meta
First: 31.03.2026 17:00
Last: 31.03.2026 17:00
Sources 1
About this happening:
**Phantom Project** now reflects a more packaged **subscription-based cybercrime toolkit** model, bundling a **stealer**, **crypter**, and **RAT** to scale credential theft and do...
Fake shipment tracking SMS phishing campaign
Campaign
First: 16.03.2026 16:45
Last: 16.03.2026 16:45
Sources 1
About this happening:
A **global surge** in **fake shipment tracking phishing campaigns** is stealing **funds and credentials** at scale, with activity rising from almost none in 2024 to **over 100 cam...
Tycoon 2FA-Storm-1747 ecosystem shift changes threat-actor operations
Threat Actor Meta
First: 05.03.2026 08:51
Last: 05.03.2026 08:51
Sources 1
About this happening:
**Tycoon2FA** has evolved from a **subscription-based PhaaS** into a more resilient phishing service that now supports **device-code phishing** against **Microsoft 365** accounts....
Latest development: 17.05.2026 17:43
eSentire says Tycoon2FA now uses device-code phishing to target Microsoft 365 accounts, with invoice-themed lure emails carrying Trustifi click-tracking URLs that redirect through Trustifi, Cloudflare Workers, obfuscated JavaScript layers, and a fake Microsoft CAPTCHA page before sending victims to microsoft.com/devicelogin. The kit also adds anti-analysis defenses, including detection of Selenium, Puppeteer, Playwright, and Burp Suite, plus blocks for security vendors, VPNs, sandboxes, AI crawlers, and cloud providers.
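The device-code chain described above leaves two traces a defender can check: the path the lure walks (click-tracking URL, Cloudflare Workers host, fake CAPTCHA, then the genuine microsoft.com/devicelogin page) and the sign-in it produces, which Entra ID records with authenticationProtocol set to deviceCode. The Python below is an added example written for this page, not eSentire's or Tycoon2FA's code. The redirect chain and the sign-in records are constructed; every hostname other than microsoft.com, every IP address, user and timestamp, and the per-user IP baseline are assumptions for illustration.

```python
import json
from urllib.parse import urlparse

# Constructed redirect chain in the shape the write-up describes: a click-tracked
# lure URL, a Cloudflare Workers hop (obfuscated JavaScript, fake Microsoft CAPTCHA),
# then the real Microsoft device-login page. Hosts other than microsoft.com are
# assumptions for illustration, not observed infrastructure.
REDIRECT_CHAIN = [
    "https://tracking.trustifi.example/click?c=9f1e",       # email click-tracking URL (assumed host)
    "https://invoice-review.example.workers.dev/",          # Cloudflare Workers hop (assumed host)
    "https://invoice-review.example.workers.dev/captcha",   # fake Microsoft CAPTCHA page (assumed path)
    "https://microsoft.com/devicelogin",                     # legitimate endpoint the victim is handed to
]

# The device-login page is legitimate; the signal is how the user arrived there.
DEVICE_LOGIN_HOSTS = {"microsoft.com", "www.microsoft.com"}
DEVICE_LOGIN_PATH = "/devicelogin"
MICROSOFT_SUFFIXES = (".microsoft.com", ".microsoftonline.com", ".live.com")


def is_microsoft_host(host):
    return host in DEVICE_LOGIN_HOSTS or host.endswith(MICROSOFT_SUFFIXES)


def score_redirect_chain(chain):
    """Return (suspicious, reasons) for a list of URLs in redirect order.

    A genuine device-code flow starts in a client app that tells the user to open
    microsoft.com/devicelogin by hand. Arriving there from an email link that
    bounced through non-Microsoft hosts is the shape of device-code phishing."""
    reasons = []
    if not chain:
        return False, reasons
    last = urlparse(chain[-1])
    lands_on_devicelogin = (last.hostname in DEVICE_LOGIN_HOSTS
                            and last.path.rstrip("/") == DEVICE_LOGIN_PATH)
    if not lands_on_devicelogin:
        return False, reasons
    hops = [urlparse(u).hostname or "" for u in chain[:-1]]
    foreign = sorted({h for h in hops if not is_microsoft_host(h)})
    if foreign:
        reasons.append(f"devicelogin reached via non-Microsoft hop(s): {foreign}")
    if any(h.endswith(".workers.dev") for h in hops):
        reasons.append("Cloudflare Workers host in chain")
    return bool(reasons), reasons


# Constructed Entra ID sign-in records (JSON lines) modelled on the Microsoft Graph
# signIn resource, where authenticationProtocol is "deviceCode" for device-code grants.
# Users, IPs and timestamps are made up.
SIGNIN_LOG = """\
{"createdDateTime":"2026-03-05T07:02:11Z","userPrincipalName":"a.lee@example.com","ipAddress":"203.0.113.7","appDisplayName":"Microsoft Azure CLI","authenticationProtocol":"deviceCode"}
{"createdDateTime":"2026-03-05T08:51:40Z","userPrincipalName":"j.doe@example.com","ipAddress":"198.51.100.23","appDisplayName":"Microsoft Office","authenticationProtocol":"deviceCode"}
{"createdDateTime":"2026-03-05T09:14:05Z","userPrincipalName":"j.doe@example.com","ipAddress":"203.0.113.7","appDisplayName":"Microsoft Office","authenticationProtocol":"none"}
"""

# Per-user IPs seen in recent interactive sign-ins (assumed baseline; in practice
# build it from a few weeks of sign-in logs).
BASELINE_IPS = {"a.lee@example.com": {"203.0.113.7"}, "j.doe@example.com": {"203.0.113.7"}}


def flag_device_code_signins(log_text, baseline):
    """Return device-code sign-ins from IPs outside the user's baseline.

    Device-code grants are rare for ordinary users and are used legitimately by
    CLI tools from known admin locations, so a device-code sign-in from an IP the
    user has never used is worth an analyst's attention; an invoice-themed email
    delivered minutes earlier would tie it to the lure."""
    flagged = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("authenticationProtocol") != "deviceCode":
            continue
        known = baseline.get(rec["userPrincipalName"], set())
        if rec["ipAddress"] not in known:
            flagged.append(rec)
    return flagged


if __name__ == "__main__":
    suspicious, why = score_redirect_chain(REDIRECT_CHAIN)
    print("redirect chain suspicious:", suspicious, why)
    for rec in flag_device_code_signins(SIGNIN_LOG, BASELINE_IPS):
        print("device-code sign-in outside baseline:",
              rec["userPrincipalName"], rec["ipAddress"], rec["appDisplayName"])
```

Both checks only narrow the hunt; the durable control is to restrict the device-code grant itself with a Conditional Access policy on the device code authentication flow, so that a code phished in this way cannot be redeemed for tokens by accounts that never need the flow.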
Timeline
09.12.2025 11:35 · 2 articles
Sophos discloses STAC6565 campaign against Canadian organizations
Initial Disclosure
Sophos disclosed a campaign tied to STAC6565 and overlapping with Gold Blade aliases that heavily targeted Canadian organizations, with almost 40 intrusions between February 2024 and August 2025 and almost 80% of the attacks directed at Canada. The operation used spear-phishing against HR personnel, weaponized resumes on Indeed, JazzHR, and ADP WorkforceNow, and a multi-stage RedLoader delivery chain that in some cases led to QWCrypt ransomware, including three successful deployments in April and July 2025.
Sources
- STAC6565 Targets Canada in 80% of Attacks as Gold Blade Deploys QWCrypt Ransomware — thehackernews.com — 09.12.2025 11:35