STAC6565 Targets Canadian Organizations with QWCrypt Ransomware

Timeline

1. 09.12.2025 11:35 1 articles · 23h ago

   STAC6565 Deploys QWCrypt Ransomware in Targeted Campaign

   Between February 2024 and August 2025, STAC6565 conducted nearly 40 intrusions targeting Canadian organizations, deploying QWCrypt ransomware via a multi-stage malware delivery chain. The group uses spear-phishing emails targeting HR personnel, leveraging legitimate job search platforms to deliver malicious documents. The attacks involve the use of ZIP archives, Windows shortcuts (LNK), and WebDAV servers for payload delivery. The group employs custom tools like Terminator to disable antivirus processes, with three successful QWCrypt deployments observed in April and July 2025.

   Show sources

   • STAC6565 Targets Canada in 80% of Attacks as Gold Blade Deploys QWCrypt Ransomware — thehackernews.com — 09.12.2025 11:35

   Open in new tab

Information Snippets

• STAC6565 has conducted nearly 40 intrusions linked to Gold Blade between February 2024 and August 2025.

  First reported: 09.12.2025 11:35
  1 source, 1 article
  Show sources

  • STAC6565 Targets Canada in 80% of Attacks as Gold Blade Deploys QWCrypt Ransomware — thehackernews.com — 09.12.2025 11:35

• The group initially targeted entities in Russia before expanding to Canada, Germany, Norway, Ukraine, the U.K., and the U.S.

  First reported: 09.12.2025 11:35
  1 source, 1 article
  Show sources

  • STAC6565 Targets Canada in 80% of Attacks as Gold Blade Deploys QWCrypt Ransomware — thehackernews.com — 09.12.2025 11:35

• QWCrypt ransomware is deployed via a multi-stage malware delivery chain involving RedLoader and custom tools.

  First reported: 09.12.2025 11:35
  1 source, 1 article
  Show sources

  • STAC6565 Targets Canada in 80% of Attacks as Gold Blade Deploys QWCrypt Ransomware — thehackernews.com — 09.12.2025 11:35

• The group uses legitimate job search platforms like Indeed, JazzHR, and ADP WorkforceNow to deliver malicious documents.

  First reported: 09.12.2025 11:35
  1 source, 1 article
  Show sources

  • STAC6565 Targets Canada in 80% of Attacks as Gold Blade Deploys QWCrypt Ransomware — thehackernews.com — 09.12.2025 11:35

• The attacks involve the use of ZIP archives, Windows shortcuts (LNK), and WebDAV servers for payload delivery.

  First reported: 09.12.2025 11:35
  1 source, 1 article
  Show sources

  • STAC6565 Targets Canada in 80% of Attacks as Gold Blade Deploys QWCrypt Ransomware — thehackernews.com — 09.12.2025 11:35

• The group uses RPivot and Chisel SOCKS5 for command-and-control (C2) communications.

  First reported: 09.12.2025 11:35
  1 source, 1 article
  Show sources

  • STAC6565 Targets Canada in 80% of Attacks as Gold Blade Deploys QWCrypt Ransomware — thehackernews.com — 09.12.2025 11:35

• The group employs a customized version of the Terminator tool to disable antivirus processes via a BYOVD attack.

  First reported: 09.12.2025 11:35
  1 source, 1 article
  Show sources

  • STAC6565 Targets Canada in 80% of Attacks as Gold Blade Deploys QWCrypt Ransomware — thehackernews.com — 09.12.2025 11:35

• Three attacks resulted in successful QWCrypt deployment, with one incident in April and two in July 2025.

  First reported: 09.12.2025 11:35
  1 source, 1 article
  Show sources

  • STAC6565 Targets Canada in 80% of Attacks as Gold Blade Deploys QWCrypt Ransomware — thehackernews.com — 09.12.2025 11:35