Cybersecurity researchers have identified a sophisticated new infection chain employed by the GOLD BLADE cybercriminal group, also known as RedCurl, Red Wolf, and Earth Kapre, targeting human resources personnel through weaponized resume documents.
The financially motivated threat actors have combined previously observed techniques to create a novel attack vector that bypasses traditional security measures.
Advanced Execution Chain Leverages WebDAV and DLL Sideloading
The attack begins with threat actors distributing well-crafted cover letter PDFs through legitimate job sites like Indeed.com.
These documents contain malicious links that download ZIP archives containing weaponized LNK files disguised as PDF documents.
Upon execution, the LNK file launches conhost.exe, which uses WebDAV to contact a Cloudflare domain at automatinghrservices[.]workers[.]dev.
The infection chain demonstrates significant technical sophistication by remotely hosting a renamed, legitimately signed Adobe ADNotificationManager.exe executable that masquerades as a resume file.

This benign executable then performs DLL sideloading of the malicious netutils.dll file, which serves as RedLoader’s stage 1 payload. This technique allows the malware to bypass security controls by using trusted, signed executables to load malicious code.
RedLoader stage 1 establishes persistence by creating a scheduled task named ‘BrowserQE\BrowserQE_<Base64-encoded computer name>’ and downloads a second-stage executable from live[.]airemoteplant[.]workers[.]dev.
The scheduled task utilizes PCALua.exe and conhost.exe to execute RedLoader stage 2, which maintains consistent SHA256 hashes across different victims despite using victim-specific executable names.
Mitigation Strategies and Security Implications
Security experts recommend implementing Software Restriction Policy Group Policy Objects to block LNK file execution from the directories where malware commonly lands, including the Downloads folder and AppData locations.
Organizations should also deploy behavioral detection systems capable of identifying suspicious conhost.exe child processes that deviate from normal system operations.
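The following is an added example, not code from the article or from Sophos, that turns the chain described above and the two mitigation recommendations into detection logic run over constructed sample telemetry. It flags conhost.exe spawning child processes, conhost.exe launched with a remote (UNC/WebDAV) path, the PCALua.exe and conhost.exe execution chain, command lines containing the listed C2 domains, and scheduled task names matching the reported `BrowserQE\BrowserQE_<Base64 computer name>` pattern (decoding the name back out, assuming UTF-8 encoding, which the article does not specify); it also models the LNK-from-Downloads/AppData rule the SRP GPO would enforce. The event shapes, paths, the computer name `WS-HR-01` and the stage-2 path placeholder are all constructed for the example.

```python
import base64
import re

# Indicators copied from the IOC table (defanging brackets removed so they match).
IOC_DOMAINS = (
    "automatinghrservices.workers.dev",
    "quiet.msftlivecloudsrv.workers.dev",
    "live.airemoteplant.workers.dev",
)

# Scheduled task name pattern reported for RedLoader stage 1:
#   BrowserQE\BrowserQE_<Base64-encoded computer name>
TASK_NAME_RE = re.compile(r"^\\?BrowserQE\\BrowserQE_([A-Za-z0-9+/]+=*)$")
# User-writable locations named in the SRP mitigation advice.
USER_DIR_RE = re.compile(r"\\(Downloads|AppData)\\", re.IGNORECASE)
# A UNC path or URL on a command line, i.e. a remote (possibly WebDAV) resource.
REMOTE_RE = re.compile(r"\\\\[^\\\s]+\\|https?://", re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (tolerates quoted paths)."""
    return path.strip('"').rsplit("\\", 1)[-1].lower()


def check_process(ev: dict) -> list:
    """Findings for one process-creation event (keys: parent, image, cmdline)."""
    findings = []
    image, parent = basename(ev["image"]), basename(ev["parent"])
    cmdline = ev["cmdline"]
    low = cmdline.lower()

    # conhost.exe hosts console windows; it has no business spawning children.
    if parent == "conhost.exe":
        findings.append("conhost.exe spawned child " + image)
    # conhost.exe handed a remote path: the LNK -> conhost.exe -> WebDAV step.
    if image == "conhost.exe" and REMOTE_RE.search(cmdline):
        findings.append("conhost.exe launched with remote path in command line")
    # PCALua.exe and conhost.exe together: the persistence task's execution chain.
    if image == "conhost.exe" and parent == "pcalua.exe":
        findings.append("PCALua.exe -> conhost.exe execution chain")
    # Any known GOLD BLADE domain on the command line.
    for domain in IOC_DOMAINS:
        if domain in low:
            findings.append("known GOLD BLADE domain " + domain)
    return findings


def check_task(task_name: str):
    """Match the BrowserQE task name and recover the encoded computer name."""
    m = TASK_NAME_RE.match(task_name)
    if not m:
        return None
    try:
        # Assumption: the computer name was UTF-8 encoded; the write-up only says Base64.
        host = base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
    except ValueError:  # binascii.Error is a ValueError subclass
        host = "<undecodable>"
    return "RedLoader persistence task for computer " + repr(host)


def lnk_blocked_by_policy(path: str) -> bool:
    """Would the recommended SRP rule (no LNK from Downloads/AppData) block this path?"""
    return path.lower().endswith(".lnk") and USER_DIR_RE.search(path) is not None


def scan(events: list) -> dict:
    """Run every check over a list of events; return {index: findings} for hits only."""
    hits = {}
    for i, ev in enumerate(events):
        if ev["type"] == "process":
            f = check_process(ev)
        elif ev["type"] == "task":
            r = check_task(ev["name"])
            f = [r] if r else []
        else:
            f = []
        if f:
            hits[i] = f
    return hits


# Constructed sample telemetry shaped like process-creation and task-registration
# events; none of it is real incident data. Events 0 and 5 are benign controls.
SAMPLE_EVENTS = [
    {"type": "process", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\conhost.exe",
     "cmdline": r"\??\C:\Windows\system32\conhost.exe 0x4"},
    {"type": "process", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\conhost.exe",
     "cmdline": r"conhost.exe \\automatinghrservices.workers.dev\hr\Resume.exe"},
    {"type": "process", "parent": r"C:\Windows\System32\conhost.exe",
     "image": r"C:\Users\hr\AppData\Local\Temp\Resume.exe",
     "cmdline": r"Resume.exe"},
    {"type": "process", "parent": r"C:\Windows\System32\pcalua.exe",
     "image": r"C:\Windows\System32\conhost.exe",
     "cmdline": r"conhost.exe C:\Users\hr\AppData\Local\STAGE2_PLACEHOLDER.exe"},
    {"type": "task", "name": r"BrowserQE\BrowserQE_V1MtSFItMDE="},  # "WS-HR-01"
    {"type": "task", "name": r"Microsoft\Windows\Defrag\ScheduledDefrag"},
]

if __name__ == "__main__":
    for idx, findings in scan(SAMPLE_EVENTS).items():
        print(idx, findings)
```

The conhost.exe parent rule is deliberately broad: conhost.exe normally has no children at all, so a single hit is a strong signal, whereas the remote-path and PCALua rules are tied to the specific chain the article describes and should be tuned against local baselines before alerting on them.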
The evolution of GOLD BLADE’s tactics represents a concerning trend in cybercrime, where threat actors combine previously documented techniques to create novel attack vectors.
The group’s focus on HR personnel through job application impersonation demonstrates their understanding of social engineering principles and organizational vulnerabilities.
Sophos has released multiple countermeasures addressing this threat, including Evade_28k for blocking DLL sideloading attempts and Troj/Agent-BLKU for static detection of RedLoader stage 2.
The combination of WebDAV remote execution with legitimate executable sideloading, while individually observed in September 2024 and March 2025, respectively, represents an unprecedented fusion of techniques that security teams must actively monitor and defend against.
IOCs
| Indicator | Type | Context |
| --- | --- | --- |
| automatinghrservices[.]workers[.]dev | Domain name | GOLD BLADE C2 server |
| quiet[.]msftlivecloudsrv[.]workers[.]dev | Domain name | GOLD BLADE C2 server |
| live[.]airemoteplant[.]workers[.]dev | Domain name | GOLD BLADE C2 server |
| netutils.dll | Filename | RedLoader stage 1 deployed by GOLD BLADE via remote DLL sideloading |
| d302836c7df9ce8ac68a06b53263e2c685971781a48ce56b3b5a579c5bba10cc | SHA256 hash | RedLoader stage 1 deployed by GOLD BLADE via remote DLL sideloading |
| f5203c7ac07087fd5029d83141982f0a5e78f169cdc4ab9fc097cc0e2981d926 | SHA256 hash | RedLoader stage 2 deployed by GOLD BLADE |
| 369acb06aac9492df4d174dbd31ebfb1e6e0c5f3 | SHA1 hash | RedLoader stage 2 deployed by GOLD BLADE |