QWCrypt ransomware note | Image: Sophos
A long-running corporate-espionage group has shifted its attention to Canada, running a campaign that combines data theft with selective ransomware deployment. A new report from Sophos reveals that GOLD BLADE, a threat actor also tracked as RedCurl or RedWolf, has been persistently targeting Canadian organizations with a refined set of tools and tactics.
Between February 2024 and August 2025, analysts investigated nearly 40 intrusions linked to the group’s “STAC6565” campaign. The geographic concentration is striking: “This campaign reflects an unusually narrow geographic focus for the group, with almost 80% of the attacks targeting Canadian organizations”.
Historically known for stealing sensitive business secrets under a “hack-for-hire” model, GOLD BLADE has evolved into a hybrid threat. While espionage remains a core competency, the group has begun “selectively deploying QWCrypt ransomware” to monetize their intrusions directly.
This shift suggests a pragmatic, professionalized operation. “GOLD BLADE’s ability to cycle through delivery methods and refine its techniques over time reflects a professionalized operation that treats intrusions as a core service,” the report notes. Unlike typical ransomware gangs that spray-and-pray, GOLD BLADE’s deployments are calculated and targeted.
The group has shifted away from conventional phishing email toward a less expected entry point: recruitment platforms. By abusing trusted services such as Indeed, JazzHR, and ADP Workforce Now, the attackers deliver weaponized resumes directly to HR staff, who are expected to open attachments from strangers as part of their job.
“This approach of submitting weaponized resumes through recruitment platforms may represent a notable evolution in HR-themed social engineering,” Sophos analysts observed.
Once a victim opens the malicious resume, a multi-stage infection chain delivers RedLoader, the group’s custom malware. This loader has undergone rapid iteration, evolving from simple DLL sideloading to complex chains involving WebDAV servers, Cloudflare Workers, and disguised system files.
To ensure their malware runs unhindered, GOLD BLADE employs a “Bring Your Own Vulnerable Driver” (BYOVD) attack. They deploy a customized version of the Terminator EDR killer tool alongside a signed but vulnerable Zemana AntiMalware driver, whose legitimate signature lets it load into the kernel, where the attackers then abuse it to terminate security processes.
Two Windows protections exist specifically to stop this class of attack, and the attackers were seen modifying the Windows registry to “disable two core Windows security mechanisms: the vulnerable driver blocklist… and Hypervisor-Enforced Code Integrity”. Microsoft’s vulnerable driver blocklist refuses to load known-abused signed drivers such as the Zemana one, and HVCI prevents unsigned or non-compliant code from executing in the kernel; with both turned off, the signed driver loads normally. A practitioner’s caveat: these registry edits require administrative rights and generally take effect only after a reboot, so a host can report the hardened setting in the registry while the protection is not actually running, or the reverse.
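To turn the two registry changes described above into a check, the following PowerShell script is an added example written for this page; it is not code from Sophos or from the report. The registry paths and the `Win32_DeviceGuard` class are Microsoft-documented locations for these settings; the `-Fix` switch, the output layout, and the final hunt for a loaded driver signed by Zemana (the report does not name the driver file, so matching on the signer’s subject is an assumption) are this script’s own.

```powershell
# Added example: audit the two protections GOLD BLADE was observed disabling,
# optionally restore them, and compare configured vs. running state.
# Run elevated. Registry locations per Microsoft docs; -Fix is this script's own switch.
[CmdletBinding()]
param([switch]$Fix)

$checks = @(
    @{ Name  = 'Microsoft vulnerable driver blocklist'
       Path  = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
       Value = 'VulnerableDriverBlocklistEnable' },
    @{ Name  = 'Hypervisor-Enforced Code Integrity (HVCI)'
       Path  = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity'
       Value = 'Enabled' }
)

$findings = foreach ($c in $checks) {
    $current = (Get-ItemProperty -Path $c.Path -Name $c.Value -ErrorAction SilentlyContinue).($c.Value)
    # An explicit 0 is the tampering signature; an absent value means the OS default applies.
    $tampered = ($null -ne $current) -and ($current -ne 1)
    $state = if ($null -eq $current) { 'not set (OS default applies)' }
             elseif ($current -eq 1) { 'enabled' }
             else                    { "disabled (value $current)" }
    [pscustomobject]@{ Setting = $c.Name; RegistryState = $state; Tampered = $tampered }

    if ($Fix -and $tampered) {
        # Re-enable; the change is not effective until the next reboot.
        New-ItemProperty -Path $c.Path -Name $c.Value -PropertyType DWord -Value 1 -Force | Out-Null
    }
}
$findings | Format-Table -AutoSize

# Runtime view: the registry says what is configured, Win32_DeviceGuard says what is running now.
# SecurityServicesRunning contains 2 when HVCI is active (1 = Credential Guard).
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
$hvciRunning = [bool]($dg.SecurityServicesRunning -contains 2)
$hvciConfigured = ($findings | Where-Object Setting -like 'Hypervisor*').RegistryState -eq 'enabled'
"HVCI configured: $hvciConfigured   HVCI running: $hvciRunning"
if ($hvciConfigured -ne $hvciRunning) {
    # Disagreement means a change is pending a reboot: either someone just disabled it
    # (still running, registry says off) or someone just restored it (not yet running).
    Write-Warning 'HVCI registry state and runtime state disagree; a change is pending reboot.'
}

# Hunt for a currently loaded driver signed by Zemana (assumption: signer subject contains 'Zemana').
$zemana = Get-CimInstance Win32_SystemDriver -Filter "State='Running'" | ForEach-Object {
    $path = $_.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $env:SystemRoot
    if ($path -and (Test-Path $path)) {
        $sig = Get-AuthenticodeSignature -FilePath $path
        if ($sig.SignerCertificate -and $sig.SignerCertificate.Subject -match 'Zemana') {
            [pscustomobject]@{ Driver = $_.Name; Path = $path; Signer = $sig.SignerCertificate.Subject }
        }
    }
}
if ($zemana) { Write-Warning 'Zemana-signed driver loaded; verify it belongs to an installed product:'; $zemana | Format-Table -AutoSize }
else         { 'No running driver signed by Zemana found.' }
```

Run it read-only first across fleet hosts and treat any `Tampered = True` row as an incident indicator rather than a misconfiguration: neither value is something an administrator normally sets to 0. Pair the script with registry-write telemetry (Sysmon Event ID 13, or an EDR rule) on the same two keys so the change is caught at write time rather than at the next audit.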
Despite their noisy tactics, GOLD BLADE remains an enigma. While some reports suggest they are a Russian-speaking group, definitive attribution remains elusive. What is clear is their persistence and adaptability. The group operates in a rhythm of “dormancy followed by sudden bursts of activity,” constantly refining their tradecraft to stay ahead of defenders.