Security researchers at Sophos have published findings on GOLD BLADE, a threat actor also tracked as RedCurl and Earth Kapre, revealing that approximately 80% of its roughly 40 intrusions throughout 2024 and 2025 targeted Canadian organizations. The group has deployed a custom ransomware strain dubbed "QWCrypt" that blends data theft with selective file encryption, representing a significant evolution in the group's tactics.
What We Know
In a report published in December 2025, Sophos detailed the GOLD BLADE campaign's operations over the preceding two years. The group conducted approximately 40 confirmed intrusions, with an overwhelming majority directed at organizations in Canada. The targeted sectors span financial services, legal firms, technology companies, and government contractors, suggesting the group's interests are broad but geographically concentrated.
The unusually narrow geographic focus on Canada distinguishes GOLD BLADE from most ransomware and espionage groups, which typically target victims opportunistically across multiple countries. Security researchers have flagged this pattern as a major concern for Canadian organizations of all sizes.
The GOLD BLADE Threat Actor
GOLD BLADE has been active since at least 2018, initially operating as a corporate espionage group focused on stealing confidential business documents, employee records, and legal files. The group was previously tracked under the names RedCurl and Earth Kapre by various threat intelligence teams. Its evolution to include ransomware deployment marks a significant escalation in its operational objectives.
Unlike many ransomware groups that operate as ransomware-as-a-service (RaaS) platforms, GOLD BLADE develops and deploys its own custom tooling, including the QWCrypt ransomware. This self-contained approach suggests a well-resourced and technically capable operation.
Attack Methodology
GOLD BLADE's tactics have evolved significantly over time:
- Initial access has shifted from traditional phishing emails to abusing recruitment platforms, submitting weaponized resumes and application documents that contain malicious payloads
- The group uses signed DLL sideloading and living-off-the-land binaries to evade detection during the post-exploitation phase
- Lateral movement relies on stolen credentials and legitimate remote management tools already present in target environments
- Data exfiltration occurs before ransomware deployment, enabling double extortion
- The QWCrypt ransomware selectively encrypts high-value files and directories rather than performing broad, indiscriminate encryption
Why Canada
The reasons behind GOLD BLADE's disproportionate focus on Canadian organizations remain a subject of analysis. Several factors may contribute:
- Canada's resource-rich economy and significant financial services sector present high-value targets for data theft and extortion
- Canadian organizations may be perceived as having less mature cybersecurity defences compared to U.S. counterparts of similar size
- The group may have established reliable initial access vectors through Canadian recruitment platforms and job boards
- Prior successful operations in Canada may have generated infrastructure, knowledge, and access that facilitate continued targeting
Impact and Indicators
Organizations compromised by GOLD BLADE have experienced both data theft and operational disruption. The combination of corporate espionage and ransomware means that even organizations that successfully restore encrypted systems must contend with the potential exposure of sensitive business data, client records, and intellectual property.
Key indicators of compromise associated with GOLD BLADE include unusual DLL sideloading activity, unexpected outbound connections to cloud storage services, and the presence of unfamiliar scheduled tasks executing PowerShell scripts. CyberSafe's threat intelligence team has integrated GOLD BLADE indicators into our monitoring platforms.
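As an added illustration of how the three indicator classes above might be triaged from endpoint telemetry (example code written for this article, not tooling from Sophos or CyberSafe), the Python below classifies constructed Sysmon-style events: a DLL loaded from beside its host executable outside trusted install directories, PowerShell launched by the task scheduler host, and outbound connections to cloud storage from anything other than a sanctioned sync client. The trusted directories, cloud-storage hostnames and allowed uploaders are assumptions to be tuned per environment.

```python
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Assumed baseline: directories a signed vendor binary is expected to load DLLs from.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# Illustrative cloud-storage hostnames and sanctioned sync clients (assumptions; tune per site).
CLOUD_STORAGE = ("dropboxapi.com", "api.box.com", "mega.nz", "storage.googleapis.com")
ALLOWED_UPLOADERS = ("dropbox.exe", "onedrive.exe")
TASK_PARENTS = ("svchost.exe", "taskeng.exe")  # hosts that launch scheduled-task actions

@dataclass
class Event:
    event_id: int           # Sysmon-style: 1 process create, 3 network connect, 7 image load
    image: str              # path of the process image
    parent_image: str = ""  # event 1
    loaded_image: str = ""  # event 7: DLL path
    dest_host: str = ""     # event 3: destination hostname

def _name(path: str) -> str:
    return PureWindowsPath(path).name.lower()
def _dir(path: str) -> str:
    return str(PureWindowsPath(path).parent).lower() + "\\"

def classify(ev: Event) -> "str | None":
    """Map one event to an indicator class named in the article, or None."""
    if ev.event_id == 7:
        # Sideloading pattern: the DLL sits beside the host EXE, outside trusted install dirs.
        dll_dir = _dir(ev.loaded_image)
        if dll_dir == _dir(ev.image) and not dll_dir.startswith(TRUSTED_DIRS):
            return "dll_sideload"
    elif ev.event_id == 1:
        # PowerShell spawned by the task scheduler host rather than an interactive parent.
        if _name(ev.image) in ("powershell.exe", "pwsh.exe") and _name(ev.parent_image) in TASK_PARENTS:
            return "scheduled_task_powershell"
    elif ev.event_id == 3:
        # Outbound to cloud storage from anything other than a sanctioned sync client.
        if ev.dest_host.lower().endswith(CLOUD_STORAGE) and _name(ev.image) not in ALLOWED_UPLOADERS:
            return "cloud_storage_egress"
    return None

def triage(events):  # -> list of (indicator, image) for every matching event
    return [(k, e.image) for e in events if (k := classify(e))]

TMP = r"C:\Users\jdoe\AppData\Local\Temp"  # constructed sample telemetry, not report IoCs
SAMPLE = [
    Event(7, TMP + r"\upd\Installer.exe", loaded_image=TMP + r"\upd\version.dll"),
    Event(7, r"C:\Program Files\Vendor\app.exe", loaded_image=r"C:\Program Files\Vendor\helper.dll"),
    Event(1, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", parent_image=r"C:\Windows\System32\svchost.exe"),
    Event(1, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", parent_image=r"C:\Windows\explorer.exe"),
    Event(3, TMP + r"\rclone.exe", dest_host="content.dropboxapi.com"),
    Event(3, r"C:\Program Files\Dropbox\Client\Dropbox.exe", dest_host="content.dropboxapi.com"),
]
```

Running `triage(SAMPLE)` flags only the first, third and fifth events; the benign counterparts beside each are left alone, which is the tuning point for reducing noise in a real feed.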
How to Defend Against GOLD BLADE
Given the elevated threat to Canadian organizations, CyberSafe recommends the following defensive measures:
- Conduct regular threat hunting exercises informed by the latest GOLD BLADE indicators of compromise
- Implement application whitelisting to prevent unauthorized DLL sideloading and script execution
- Monitor recruitment and HR email channels with advanced email security solutions capable of detecting weaponized documents
- Deploy endpoint detection and response (EDR) with behavioural analysis to identify living-off-the-land techniques
- Establish network-level monitoring for unusual data exfiltration patterns, particularly to cloud storage services
- Engage a managed detection and response (MDR) provider for continuous 24/7 monitoring of your environment
- Review and harden remote access infrastructure including VPN configurations and remote management tools