Custom QWCrypt Locker for Data Exfiltration and Ransomware Deployment


Between February 2024 and August 2025, security researchers uncovered a significant campaign orchestrated by the GOLD BLADE threat group, previously known as RedCurl, RedWolf, and Earth Kapre.

The investigation of nearly 40 intrusions linked to STAC6565 reveals a sophisticated threat actor that has evolved from traditional cyberespionage into a hybrid operation combining data theft with selective ransomware deployment through a custom encryption tool named QWCrypt.

The campaign demonstrates an unusually narrow geographic focus, with almost 80% of attacks targeting Canadian organizations.

This represents a notable shift in targeting patterns for the group, which has historically maintained a broader geographic reach.

The concentration on North America reflects either deliberate specialization or specific client demands, suggesting GOLD BLADE operates under a “hack-for-hire” model tailored to particular customers.

GOLD BLADE has progressively refined its initial access techniques, moving away from traditional phishing emails toward a more sophisticated approach that exploits legitimate recruitment platforms.

Since September 2024, the threat actors have abused services such as Indeed, JazzHR, and ADP WorkforceNow to distribute weaponized resumes directly through applicant-tracking systems.

This tactical shift bypasses traditional email security controls by leveraging the inherent trust placed in recruitment platforms by human resources personnel.

The social engineering methodology proves particularly effective because it eliminates intermediate interaction steps commonly observed in other campaigns.

Nearly 80% of GOLD BLADE attacks linked to the STAC6565 campaign targeted Canada-based organizations.

GOLD BLADE targeting by country from February 2024 through August 2025.

Rather than directing targets to external phishing sites, GOLD BLADE uploads malicious PDF resumes directly to company recruitment portals, significantly increasing the likelihood of victim interaction while evading email-based threat detection mechanisms.

Multi-Stage Infection Chain

Once opened, the weaponized resumes trigger a sophisticated three-stage infection chain delivering GOLD BLADE’s custom RedLoader malware.

In August 2025, Sophos observed the threat actors reusing this Safe Resume Share Service template for a LinkedIn-themed lure.

Fake Indeed (left) and LinkedIn (right) Safe Resume Share Service pages instructing the user to click on an external link to view the submitted resume.

The delivery mechanisms have undergone three distinct iterations, with each wave introducing novel combinations of techniques tested between dormancy periods.

The September 2024 variant utilized WebDAV and Cloudflare Workers infrastructure for in-memory DLL execution, while March and April 2025 attacks leveraged ISO file mounting for DLL sideloading via legitimate binaries.

By July 2025, the threat actors had combined these approaches into a previously unreported delivery chain, demonstrating continuous refinement capabilities.

Secondary payload deployment shifted from DLLs to standalone executables in April 2025, with later variants exhibiting victim-specific identifiers embedded in scheduled tasks and malware filenames, suggesting comprehensive deployment tracking infrastructure.

QWCrypt Ransomware

In April and July 2025, Sophos analysts observed selective QWCrypt ransomware deployment by GOLD BLADE, marking the group’s escalation from pure espionage to a for-profit ransomware operation.

The ransomware deployment script runs a cleanup batch file (qwc__3.bat), which deletes existing volume shadow copies and every PowerShell console history file (ConsoleHost_history.txt) to hinder forensic recovery.

QWCrypt Windows cryptor usage flags.

The ransomware launcher includes victim-specific identifiers and tailored deployment scripts staged across target environments via automated SMB transfers.

The threat actors implemented aggressive defense evasion techniques, including deployment of modified Terminator tools and exploitation of vulnerable Zemana AntiMalware drivers through Bring Your Own Vulnerable Driver (BYOVD) attacks.

Registry modifications turned off Windows security mechanisms, including the vulnerable driver blocklist and Hypervisor-Enforced Code Integrity (HVCI), enabling kernel-level persistence.
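As an added detection example (not from the original article or from Sophos's own tooling), the rule set below flags the pre-encryption and evasion steps described above, namely shadow copy deletion, removal of ConsoleHost_history.txt, and registry writes that disable the vulnerable driver blocklist or HVCI, in Sysmon-style process, file-delete and registry events. The event records are constructed for this example, and the vssadmin/wmic command forms are an assumption, since the article does not state how the batch file removes shadow copies.

```python
"""Detection rules for the QWCrypt-style cleanup and evasion steps
(shadow copy deletion, PowerShell history removal, protection-disabling
registry writes) over Sysmon-like event dicts. Added example; the events
below are constructed and the shadow-copy command forms are assumed."""
import re

# Sysmon registry value-set events (ID 13) whose target ends with one of these
# paths and carries a zero value turn off a kernel protection the article names.
DISABLING_REG_VALUES = {
    r"\Control\CI\Config\VulnerableDriverBlocklistEnable": "vulnerable driver blocklist disabled",
    r"\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity\Enabled": "HVCI disabled",
}
# Assumed command-line forms for shadow copy deletion (not stated by the article).
SHADOW_DELETE = re.compile(r"(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)", re.I)

def classify(event):
    """Return a finding string for a suspicious event, or None for benign ones."""
    eid = event.get("EventID")
    if eid == 1 and SHADOW_DELETE.search(event.get("CommandLine", "")):
        return "shadow copy deletion: " + event["CommandLine"]
    if eid == 23 and event.get("TargetFilename", "").lower().endswith("consolehost_history.txt"):
        return "PowerShell history deleted: " + event["TargetFilename"]
    if eid == 13 and str(event.get("Details", "")).strip().lower() in ("dword (0x00000000)", "0"):
        for suffix, label in DISABLING_REG_VALUES.items():
            if event.get("TargetObject", "").lower().endswith(suffix.lower()):
                return label + ": " + event["TargetObject"]
    return None

def scan(events):
    """Run classify() over a sequence of events and keep only the findings."""
    return [f for f in (classify(e) for e in events) if f]

# Constructed sample events mirroring the steps described in the article.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c qwc__3.bat"},
    {"EventID": 1, "Image": r"C:\Windows\System32\vssadmin.exe", "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
    {"EventID": 23, "Image": r"C:\Windows\System32\cmd.exe",
     "TargetFilename": r"C:\Users\hr\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt"},
    {"EventID": 13, "TargetObject": r"HKLM\System\CurrentControlSet\Control\CI\Config\VulnerableDriverBlocklistEnable",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 13, "TargetObject": r"HKLM\System\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity\Enabled",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 13, "TargetObject": r"HKLM\System\CurrentControlSet\Control\CI\Config\VulnerableDriverBlocklistEnable",
     "Details": "DWORD (0x00000001)"},  # benign: protection re-enabled
    {"EventID": 23, "TargetFilename": r"C:\Users\hr\Downloads\resume.pdf"},  # unrelated deletion
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

The batch file launch itself (qwc__3.bat) is deliberately not matched by name, since the filename is trivially changed; the rules key on the effects the article describes.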

GOLD BLADE’s operational security lapses revealed a structured offensive toolkit, evidenced by full Program Database paths left in compiled binaries indicating multiple development builds tailored to specific Windows versions.

The group’s pattern of dormancy followed by activity bursts reflects development cycles for new attack chains and tactical responses to external reporting.

Organizations face increasing risk from GOLD BLADE’s hybrid operational model. Implementing secure document viewers, training employees on resume threats, maintaining offline backups, and deploying comprehensive endpoint detection and response solutions remain critical defensive measures against this persistent and evolving threat actor.
