STAC6565 Targets Canada in 80% of Attacks as Gold Blade Deploys QWCrypt Ransomware

Threat actor STAC6565, linked to Gold Blade group, has conducted nearly 40 targeted intrusions against Canadian organizations between February 2024 and August 2025. The campaign primarily targets Canada in 80% of attacks and deploys QWCrypt ransomware. Sophos investigated the attacks and assessed with high confidence that STAC6565 shares overlaps with the Gold Blade hacking group. This represents an active, ongoing ransomware campaign with significant geographic focus on Canadian entities.