
STAC6565: The Rising Threat of QWCrypt Ransomware Targeting Canada in 80% of Attacks

Canadian organizations have become the primary targets of a cyber campaign led by a threat group known as STAC6565. This group has shown a significant focus on Canada, with nearly 80% of their attacks directed there, according to cybersecurity firm Sophos.

Following an investigation into nearly 40 incidents linked to STAC6565 between early 2024 and mid-2025, researchers determined that the group’s tactics resemble those of a threat actor tracked as Gold Blade, which has been active since 2018. Gold Blade initially targeted organizations in Russia before broadening its scope to countries including Canada, the U.S., and Germany. The group alternates between phishing campaigns for corporate espionage and ransomware attacks using a distinctive malware variant named QWCrypt.

This hybrid strategy combines data theft with ransomware deployment, and Gold Blade is noted for its professional, refined approach to cybercrime. Its operations typically begin with spear-phishing emails aimed at HR personnel, carrying malicious attachments disguised as resumes or cover letters. Since last year, the group has hosted these malicious documents on legitimate job platforms, which makes it more likely that unsuspecting recipients open them.

In several cases, these documents contained links that redirected users to exploit-laden URLs, ultimately leading to QWCrypt ransomware deployment. The group’s delivery methods have continued to evolve, most recently including ZIP archives containing Windows shortcut (LNK) files disguised as PDFs, which abuse legitimate software processes to run the attack chain.
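A defender-side check for the ZIP-with-LNK-disguised-as-PDF lure described above, as an added example that is not part of the original article or the Sophos research: it inspects archive entries by their Shell Link header bytes rather than trusting the displayed file name (the sample archive and the entry names in it are constructed for the demonstration).

```python
import io
import zipfile

# Shell Link (.LNK) header: HeaderSize 0x0000004C followed by the LinkCLSID
# {00021401-0000-0000-C000-000000000046} in its little-endian on-disk layout.
LNK_MAGIC = b"\x4c\x00\x00\x00" + bytes.fromhex("0114020000000000c000000000000046")
PDF_MAGIC = b"%PDF-"
DOC_EXTS = (".pdf", ".doc", ".docx", ".rtf")


def classify_entry(name: str, head: bytes) -> dict:
    """Compare what an archive entry's name claims with what its first bytes say."""
    lowered = name.lower()
    # Windows hides the .lnk suffix by default, so "Resume.pdf.lnk" displays as "Resume.pdf".
    shown = lowered[:-4] if lowered.endswith(".lnk") else lowered
    return {
        "name": name,
        "is_lnk": head.startswith(LNK_MAGIC),
        "is_pdf": head.startswith(PDF_MAGIC),
        "poses_as_document": shown.endswith(DOC_EXTS),
    }


def find_masquerading_lnk(zip_bytes: bytes) -> list:
    """Return names of entries that are Shell Links but present themselves as documents."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(32)  # header + CLSID fit in the first 20 bytes
            c = classify_entry(info.filename, head)
            # Flag an LNK that either poses as a document or hides its real type entirely.
            if c["is_lnk"] and (c["poses_as_document"] or not info.filename.lower().endswith(".lnk")):
                hits.append(info.filename)
    return hits


def build_sample_zip() -> bytes:
    """Constructed sample archive: one fake 'resume' shortcut and one benign PDF."""
    fake_lnk = LNK_MAGIC + b"\x00" * 60          # constructed LNK header, zero-padded
    real_pdf = b"%PDF-1.4\n% constructed sample\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Resume_J_Smith.pdf.lnk", fake_lnk)  # constructed lure name
        zf.writestr("cover_letter.pdf", real_pdf)
    return buf.getvalue()
```

Running `find_masquerading_lnk(build_sample_zip())` flags only the shortcut entry; the genuine PDF passes because its bytes and name agree.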

Sophos has also documented the group’s working rhythm: bursts of activity interspersed with quiet periods, during which the group updates its tools and techniques. Although the group is described as professional, there are currently no indications that it operates under state sponsorship or is politically motivated.

The group has targeted sectors including manufacturing, retail, technology, and NGOs, and several of its intrusions have ended in successful ransomware deployment. The actors have also deployed custom tooling, including bespoke binaries that extend their ability to steal data and maintain control over compromised environments.

As ransomware incidents continue to rise, particularly against hypervisors, experts recommend that organizations adopt stringent protective measures, such as enforcing multi-factor authentication and restricting access to management networks, to reduce the risk posed by threat actors of this kind.
