
"Cybersecurity company Sophos said it investigated almost 40 intrusions linked to the threat actor between February 2024 and August 2025. The campaign is assessed with high confidence to share overlaps with a hacking group known as Gold Blade, which is also known as Earth Kapre, RedCurl, and Red Wolf. The financially motivated threat actor is believed to have been active since late 2018, initially targeting entities in Russia, before expanding its focus to entities in Canada, Germany, Norway, Russia, Slovenia, Ukraine, the U.K., and the U.S."
"The group has a history of using phishing emails to conduct commercial espionage. However, recent attack waves have found RedCurl to have engaged in ransomware attacks using a bespoke malware strain dubbed QWCrypt. One of the notable tools in the threat actor's arsenal is RedLoader, which sends information about the infected host to a command-and-control (C2) server and executes PowerShell scripts to collect details related to the compromised Active Directory (AD) environment."
Sophos investigated almost 40 intrusions linked to STAC6565 between February 2024 and August 2025, with almost 80% of attacks targeting Canadian organizations. The threat cluster overlaps with Gold Blade (also known as Earth Kapre, RedCurl, and Red Wolf) and has operated since late 2018, initially targeting Russia before expanding internationally. The group historically used phishing for commercial espionage but has evolved into hybrid operations that combine data theft with selective ransomware deployment using a custom locker named QWCrypt. Its RedLoader tool sends host details to a C2 server and runs PowerShell scripts to enumerate the compromised Active Directory environment. The actor appears to operate under a hack-for-hire model, performing tailored intrusions for clients and monetizing some of them via ransomware; victims span the services, manufacturing, retail, technology, NGO, and transportation sectors.
Read at The Hacker News