Sophos analysts are investigating a brand new an infection chain for the GOLD BLADE<\/a> cybercriminal group\u2019s customized RedLoader malware, which initiates command and management (C2) communications. The menace actors leverage a LNK file to remotely execute and sideload a benign executable, which masses the RedLoader stage 1 payload that’s hosted on GOLD BLADE infrastructure. The menace actors beforehand used these methods individually: using WebDAV to execute remotely hosted DLLs was noticed in September 2024, and the sideloading of a renamed ADNotificationManager.exe file was noticed in March 2025. Nonetheless, the mixture noticed in July 2025 represents a technique for preliminary execution that has not been publicly reported.<\/p>\n

Execution chain<\/h3>\n
Determine 1 illustrates the execution chain. The assault begins with a menace actor sending a well-crafted cowl letter PDF to a goal by way of a third-party job web site akin to \u2018certainly.com\u2019.<\/p>\n
$\"\"$ <\/a><\/p>\n
Determine 1: The noticed RedLoader execution chain<\/em><\/p>\n
\n
A malicious hyperlink within the PDF downloads a ZIP archive to the sufferer\u2019s system. The archive incorporates a LNK file that masquerades as a PDF.<\/li>\n
The LNK file executes conhost.exe.<\/li>\n
This executable leverages WebDAV to contact a CloudFlare area (automatinghrservices[.] staff[.]dev). A renamed signed model of the Adobe ADNotificationManager.exe executable masquerades as a resume and is remotely hosted on the attacker-controlled server (dav[.]automatinghrservices[.]staff[.]dev @ SSLDavWWWRootCV-APP-2012-68907872.exe). This file resides in the identical listing because the RedLoader stage 1 DLL file (netutils.dll).<\/li>\n
Upon execution, the renamed benign executable remotely sideloads the malicious DLL (netutils.dll), marking the start of the RedLoader an infection chain.<\/li>\n
RedLoader stage 1 creates a scheduled activity named \u2018BrowserQEBrowserQE_<\/em>\u2019 on the sufferer\u2019s system and downloads a standalone executable for stage 2 from \u2018reside[.]airemoteplant[.]staff[.]dev\u2019. The usage of a standalone executable deviates from the exercise noticed in September 2024 and resembles the an infection chain that Development Micro reported<\/a> in March 2024.<\/li>\n
The scheduled activity makes use of PCALua.exe and conhost.exe to execute RedLoader stage 2, a customized executable named \u2018BrowserQE_<\/em>.exe\u2019. Whereas this executable identify is victim-specific, the SHA256 hash is constant throughout all samples noticed by Sophos analysts.<\/li>\n
RedLoader stage 2 communicates with its C2 server.<\/li>\n<\/ol>\nMitigations<\/h3>\n
The July exercise reveals how menace actors can mix prior methods to switch their assault chain and bypass defenses. GOLD BLADE continues to rely closely on LNK recordsdata that impersonate different file varieties. Organizations can mitigate this menace by deploying a Software program Restriction Coverage Group Coverage Object that blocks<\/a> LNK file execution from frequent directories leveraged by malware. These directories embrace \u2018C:CustomersDownloads.lnk\u2019, \u2018%AppDataLocal%.lnk\u2019, and \u2018%AppDataRoaming%.lnk\u2019.<\/p>\n
The Sophos protections listed in Desk 1 will tackle this exercise.<\/p>\n\n\n\n\n\n\n\n
Title<\/strong><\/td>\n Description<\/strong><\/td>\n<\/tr>\n<\/thead>\n
Evade_28k<\/td>\n Blocks particular variations of adnotificationmanager.exe no matter
DLL identify from DLL sideloading<\/td>\n<\/tr>\n
WIN-DET-EVADE-HEADLESS-CONHOST-EXECUTION-1<\/td>\n Identifies suspicious youngster processes of conhost.exe the place the
course of path just isn’t \u2018Windowssplwow64.exe\u2019,
\u2018WindowsSystem32WerFault.exe\u2019, or
\u2018WindowsSystem32conhost.exe\u2019<\/td>\n<\/tr>\n
Troj\/Agent-BLKU<\/td>\n Static detection for RedLoader stage 2<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n
Desk 1: Sophos countermeasures overlaying this menace.<\/em><\/p>\n
To mitigate publicity to this malware, organizations can use obtainable controls to assessment and prohibit entry utilizing the indications listed in Desk 2. The domains might comprise malicious content material, so contemplate the dangers earlier than opening them in a browser. A CSV file containing IoCs talked about in is put up is obtainable<\/a> from our Github repository.<\/p>\n\n\n\n\n\n\n\n\n\n\n
Indicator<\/strong><\/td>\n Sort<\/strong><\/td>\n Context<\/strong><\/td>\n<\/tr>\n
automatinghrservices[.]staff[.]dev<\/td>\n Area identify<\/td>\n GOLD BLADE C2 server<\/td>\n<\/tr>\n
quiet[.]msftlivecloudsrv[.]staff[.]dev<\/td>\n Area identify<\/td>\n GOLD BLADE C2 server<\/td>\n<\/tr>\n
reside[.]airemoteplant[.]staff[.]dev<\/td>\n Area identify<\/td>\n GOLD BLADE C2 server<\/td>\n<\/tr>\n
netutils.dll<\/td>\n Filename<\/td>\n RedLoader stage 1 deployed by GOLD BLADE by way of distant DLL sideloading<\/td>\n<\/tr>\n
d302836c7df9ce8ac68a06b53263e2c685971781a48ce56b3b5a579c5bba10cc<\/td>\n SHA256 hash<\/td>\n RedLoader stage 1 deployed by GOLD BLADE by way of distant DLL sideloading<\/td>\n<\/tr>\n
f5203c7ac07087fd5029d83141982f0a5e78f169cdc4ab9fc097cc0e2981d926<\/td>\n SHA256 hash<\/td>\n RedLoader stage 2 deployed by GOLD BLADE<\/td>\n<\/tr>\n
369acb06aac9492df4d174dbd31ebfb1e6e0c5f3<\/td>\n SHA1 hash<\/td>\n RedLoader stage 2 deployed by GOLD BLADE<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n
Desk 2: Indicators for this menace.<\/em><\/p>\n<\/p><\/div>\n\n","protected":false},"excerpt":{"rendered":"
Sophos analysts are investigating a brand new an infection chain for the GOLD BLADE cybercriminal group\u2019s customized RedLoader malware, which initiates command and management (C2) communications. The menace actors leverage a LNK file to remotely execute and sideload a benign executable, which masses the RedLoader stage 1 payload that’s hosted on GOLD BLADE infrastructure. The […]<\/p>\n","protected":false},"author":2,"featured_media":5096,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[58],"tags":[717,4380,1535,4381,4379,121,4382,1151,1947,120],"class_list":["post-5094","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-attack","tag-blade","tag-deploys","tag-dll","tag-gold","tag-news","tag-redloader","tag-remote","tag-sideloading","tag-sophos"],"_links":{"self":[{"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=\/wp\/v2\/posts\/5094","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=5094"}],"version-history":[{"count":1,"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=\/wp\/v2\/posts\/5094\/revisions"}],"predecessor-version":[{"id":5095,"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=\/wp\/v2\/posts\/5094\/revisions\/5095"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=\/wp\/v2\/media\/5096"}],"wp:attachment":[{"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=5094"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=5094"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=5094"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}