Almost 40 cyber intrusions linked to a campaign known as STAC6565 were investigated by Sophos between February 2024 and August 2025, with analysts tying the activity to the threat group GOLD BLADE. Almost 80% of the attacks targeted organizations in Canada, indicating that the group is deliberately focused on one country rather than attacking victims at random.
GOLD BLADE, also tracked under the names RedCurl, RedWolf, and Earth Kapre, was previously known for cyberespionage. Sophos said the group has changed its approach, combining quiet data theft with selective use of ransomware through a custom tool called QWCrypt.
“This group is no longer focused only on stealing information in the background,” said Morgan Demboski, analyst at Sophos Cyber Threat Intelligence, in a blog post. “They are now mixing spying-style intrusions with ransomware in a careful and targeted way.”
Instead of sending common phishing emails, the attackers have shifted to abusing recruitment platforms. They send fake resumes that carry hidden malware, hoping employees involved in hiring will open them. Sophos said the resumes often use tailored file names that match the target company or job role, suggesting the attackers research their victims in advance.
The group also works in cycles. Sophos observed long quiet periods followed by sudden waves of activity, with new or adjusted tools used each time. Similar patterns were seen in September 2024, March 2025, and July 2025. After a burst of attacks in March and a ransomware incident in April, the group went silent for weeks before returning with revised methods.
“These pauses likely reflect time spent improving their tools or reacting to public reports about their tactics,” Demboski said. “It shows planning and discipline rather than random attacks.”
According to Sophos, one tool used by GOLD BLADE is RedLoader, a malware delivery system that has been revised several times to test different file types and ways of running malicious code. The group has also used a technique known as Bring Your Own Vulnerable Driver (BYOVD), which loads legitimately signed but vulnerable drivers so their kernel-level access can be abused to disable security tools.
In several cases, the attackers used a modified version of a tool called Terminator along with a signed Zemana AntiMalware driver to try to shut down endpoint detection systems. Sophos said parts of the code appear to be adapted from open-source tools, then changed to make analysis harder.
Since first appearing in 2018, GOLD BLADE has focused on stealing business data, login details, and emails. The lack of a public data leak site suggests the group may work on a “hack-for-hire” basis, carrying out targeted intrusions for paying clients. However, Sophos noted that the recent use of ransomware points to the group also seeking direct profit on its own.
“There is no clear sign this group is state-backed or politically driven,” Demboski said. “What stands out is how selective and quiet their operations are.”
Sophos advised companies to focus on basic defenses. Training staff to spot suspicious resumes and phishing attempts can stop many attacks before they start. Keeping offline or isolated backups of important data can also limit damage if an intrusion occurs and help organizations recover faster.