GOLD BLADE Using Custom QWCrypt Locker that Allows Data Exfiltration and Ransomware Deployment

The GOLD BLADE threat group has shifted from pure espionage to a hybrid model that combines data theft with targeted ransomware attacks using a custom locker called QWCrypt.

This shift follows a long-running campaign tracked as STAC6565, which hit almost 40 victims between early 2024 and mid‑2025, with a strong focus on Canadian organizations and service, manufacturing, retail, and technology firms.

Instead of basic phishing emails, the group now abuses trusted recruitment platforms such as Indeed, JazzHR, ADP, and LinkedIn.

They submit fake resumes as PDF files that either contain first‑stage malware or redirect HR staff to fake “Safe Resume Share” portals that deliver weaponized content.

Because these resumes arrive inside everyday hiring workflows rather than as unsolicited email attachments, many email security controls never inspect them.

Sophos security analysts identified this shift and linked it to a refined RedLoader delivery chain that ends with QWCrypt deployment on selected, high‑value systems.

They observed cycles of quiet periods followed by short, sharp waves of intrusions, each wave adding new tools, scripts, and evasion methods.

QWCrypt gives GOLD BLADE a way to turn an espionage job into a direct extortion event. The locker appends the .qwCrypt extension, drops the note “!!!how_to_unlock_qwCrypt_files.txt,” and supports many flags, including a mode to hit hypervisors that host virtual machines.

Stolen data is archived with 7‑Zip and sent over WebDAV via Cloudflare Workers domains, so the group can threaten leaks even if encryption fails.

Progressive iterations of the RedLoader delivery chain (Source - Sophos)

This comprehensive technical breakdown shows a group that treats intrusions as a managed service, with ongoing upgrades, not one‑off incidents.

QWCrypt Deployment and Host Impact

Once an HR user opens a booby‑trapped resume, a multi‑stage chain starts. A dropped ZIP may contain a fake PDF shortcut or an ISO image.

That file launches a renamed copy of ADNotificationManager.exe, which sideloads a RedLoader DLL such as srvcli.dll or netutils.dll; rundll32.exe is also used to run the DLL from a WebDAV share hosted behind Cloudflare Workers.

The first‑stage DLL contacts command‑and‑control (C2), then creates scheduled tasks that pull second‑ and third‑stage payloads into the user’s AppData\Roaming folder under names like “BrowserEngineUpdate_.”

These tasks use the living‑off‑the‑land binary pcalua.exe to run the payloads without dropping obvious launchers.

A .bat script then unpacks Sysinternals AD Explorer, runs discovery commands, compresses results with 7‑Zip, and uploads them to attacker WebDAV servers such as local.chronotypelabs[.]workers[.]dev.
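The exfiltration step above leaves a recognizable trace in web proxy logs: WebDAV verbs (PROPFIND, PUT) and large uploads to a *.workers.dev host, sometimes alongside a DLL or archive fetch from the same domain. The following PowerShell is an added detection example written for this article; it is not code from Sophos' report or from GOLD BLADE's tooling. The log layout and every sample line are constructed, local.chronotypelabs.workers.dev is the domain named in the article, and srv.example.workers.dev and docs.example.workers.dev are hypothetical.

```powershell
# Added example (not from the Sophos report or GOLD BLADE's tooling): flag
# WebDAV traffic to Cloudflare Workers domains in proxy logs. The log layout
# (time, client, method, URL, status, bytes) and every sample line below are
# constructed for illustration; local.chronotypelabs.workers.dev is the domain
# named in the article, the other two workers.dev hosts are hypothetical.

$sampleLog = @'
2025-06-02T10:14:05Z 10.0.5.23 GET https://login.microsoftonline.com/ 200 1024
2025-06-02T10:15:11Z 10.0.5.23 PROPFIND https://local.chronotypelabs.workers.dev/ 207 512
2025-06-02T10:15:12Z 10.0.5.23 PUT https://local.chronotypelabs.workers.dev/out/adexplorer.7z 201 48234112
2025-06-02T10:16:00Z 10.0.5.40 GET https://www.indeed.com/jobs 200 20480
2025-06-02T10:17:30Z 10.0.5.23 GET https://srv.example.workers.dev/srvcli.dll 200 311296
2025-06-02T10:18:02Z 10.0.5.41 GET https://docs.example.workers.dev/index.html 200 4096
'@

# Methods a WebDAV client issues; PUT and MOVE carry data out, PROPFIND enumerates the share.
$webdavMethods = 'PROPFIND', 'PROPPATCH', 'MKCOL', 'PUT', 'MOVE', 'COPY', 'LOCK', 'UNLOCK'

function Find-WorkersDevWebDav {
    param(
        [Parameter(Mandatory)] [string[]] $Lines,
        [long] $UploadBytesThreshold = 10MB   # assumption: tune to what is normal for your estate
    )

    $pattern = '^(?<ts>\S+)\s+(?<src>\S+)\s+(?<method>[A-Z]+)\s+(?<url>\S+)\s+(?<status>\d{3})\s+(?<bytes>\d+)$'

    foreach ($line in $Lines) {
        if ($line -notmatch $pattern) { continue }   # skip lines in another format
        $m = $Matches

        $uri = $null
        if (-not [Uri]::TryCreate($m.url, [UriKind]::Absolute, [ref] $uri)) { continue }
        if ($uri.Host -notlike '*.workers.dev') { continue }

        $reasons = @()
        if ($webdavMethods -contains $m.method) {
            $reasons += "WebDAV method $($m.method)"
        }
        if ($m.method -eq 'PUT' -and [long] $m.bytes -ge $UploadBytesThreshold) {
            $reasons += "large upload ($($m.bytes) bytes)"
        }
        if ($uri.AbsolutePath -match '\.(dll|7z|zip|iso)$') {
            $reasons += "payload-like object $($uri.AbsolutePath)"
        }
        # Plain browsing of a Workers-hosted site is not enough on its own.
        if ($reasons.Count -eq 0) { continue }

        [pscustomobject] @{
            Time   = $m.ts
            Client = $m.src
            Host   = $uri.Host
            Method = $m.method
            Reason = $reasons -join '; '
        }
    }
}

Find-WorkersDevWebDav -Lines ($sampleLog -split "`r?`n") | Format-Table -AutoSize
```

On the sample input this reports the PROPFIND and the PUT from 10.0.5.23 (the PUT also trips the size threshold) and the DLL fetch, while the two ordinary GET requests, including the one to a Workers site, pass. Pivoting on the client address then links the upload back to the host that ran the discovery script.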

When the operators decide to deploy QWCrypt, they push an encrypted 7‑Zip archive over SMB to many servers at once. A launcher script checks that their Terminator-based kill‑AV service is running, disables Windows recovery with bcdedit, and then executes the locker:

bcdedit /set {default} recoveryenabled no
qwc_537aab1c.exe -v -key  -nosd

Terminator abuses a vulnerable Zemana AntiMalware driver (term.sys, later renamed) to terminate protected security processes, and it also weakens core Windows defenses by flipping two registry values, one that enables Microsoft's vulnerable-driver blocklist and one that enables hypervisor-enforced code integrity (HVCI); both changes take effect after the next reboot:

reg add HKLM\SYSTEM\CurrentControlSet\Control\CI\Config /v VulnerableDriverBlocklistEnable /t REG_DWORD /d 0x0 /f
reg add HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity /v Enabled /t REG_DWORD /d 0x0 /f

A final cleanup script runs QWCrypt with hypervisor flags where needed, deletes shadow copies, and wipes PowerShell history, leaving only encrypted data and the ransom note behind.
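The deployment steps above (pcalua.exe scheduled tasks, the two registry values, the bcdedit change, a renamed Zemana driver, deleted shadow copies, wiped history, the .qwCrypt extension and the ransom note) can be checked for on a single host in one pass. The PowerShell audit below is an added example written for this article, not a script from Sophos or from the attackers; run it in an elevated session. The BrowserEngineUpdate_ task name, term.sys, the registry paths and the note name come from the article, while the scan scope under C:\Users and the treatment of third-party drivers as "review" items are assumptions.

```powershell
# Added example (not from the Sophos report or the attackers' scripts): audit a
# Windows host for the defense-weakening and persistence artifacts described
# above. Run in an elevated PowerShell session. Scan scope and driver-review
# logic are assumptions; the names checked are the ones given in the article.

function Invoke-QwCryptHostAudit {
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Registry values Terminator sets to 0. A missing value means the platform
    #    default applies, so that is reported as INFO rather than as tampering.
    $regChecks = @(
        @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'; Name = 'VulnerableDriverBlocklistEnable' },
        @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity'; Name = 'Enabled' }
    )
    foreach ($c in $regChecks) {
        $v = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
        if ($null -eq $v) { $findings.Add("INFO: $($c.Path)\$($c.Name) not set (platform default applies)") }
        elseif ($v -eq 0) { $findings.Add("WEAKENED: $($c.Path)\$($c.Name) = 0") }
    }

    # 2. Recovery disabled via "bcdedit /set {default} recoveryenabled no"
    $bcd = & bcdedit /enum '{default}' 2>$null
    if ($bcd -match '^recoveryenabled\s+No') {
        $findings.Add('WEAKENED: recoveryenabled = No on the {default} boot entry')
    }

    # 3. Scheduled tasks that run payloads through pcalua.exe or from AppData\Roaming
    foreach ($task in Get-ScheduledTask) {
        foreach ($a in $task.Actions) {
            $cmd = "$($a.Execute) $($a.Arguments)"
            if ($cmd -match 'pcalua\.exe' -or $cmd -match 'AppData\\Roaming\\[^ ]*BrowserEngineUpdate') {
                $findings.Add("TASK: $($task.TaskPath)$($task.TaskName) -> $cmd")
            }
        }
    }

    # 4. Kernel drivers: term.sys by name, plus anything loaded from outside the
    #    Windows directory, listed for review (legitimate third-party drivers appear too).
    Get-CimInstance Win32_SystemDriver |
        Where-Object { $_.PathName -and ($_.PathName -match 'term\.sys' -or $_.PathName -notmatch '\\Windows\\') } |
        ForEach-Object { $findings.Add("DRIVER: $($_.Name) -> $($_.PathName) ($($_.State))") }

    # 5. Impact artifacts: encrypted files, the ransom note, missing shadow copies, wiped history
    $noteName = '!!!how_to_unlock_qwCrypt_files.txt'
    Get-ChildItem -Path 'C:\Users' -Recurse -Depth 3 -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -eq '.qwCrypt' -or $_.Name -eq $noteName } |
        Select-Object -First 10 |
        ForEach-Object { $findings.Add("IMPACT: $($_.FullName)") }

    if (-not (Get-CimInstance Win32_ShadowCopy -ErrorAction SilentlyContinue)) {
        $findings.Add('INFO: no volume shadow copies present')
    }
    if (Get-Command Get-PSReadLineOption -ErrorAction SilentlyContinue) {
        $hist = (Get-PSReadLineOption).HistorySavePath
        if ($hist -and -not (Test-Path $hist)) { $findings.Add("INFO: PSReadLine history file missing: $hist") }
    }

    return $findings
}

Invoke-QwCryptHostAudit | ForEach-Object { Write-Output $_ }
```

WEAKENED lines are the ones worth an immediate response; INFO lines are context that only matters alongside other findings, since a fresh build may legitimately have no shadow copies yet and the blocklist value is absent by default on builds where it is on without being set. Findings from section 3 on a file server are the earliest signal in the chain described above and precede encryption by days, so that check is the one to run fleet-wide.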
