    GOLD BLADE remote DLL sideloading attack deploys RedLoader – Sophos News

    By big tee tech hub, July 29, 2025 (3 min read)

    Sophos analysts are investigating a new infection chain for the GOLD BLADE cybercriminal group’s custom RedLoader malware, which initiates command and control (C2) communications. The threat actors leverage a LNK file to remotely execute and sideload a benign executable, which loads the RedLoader stage 1 payload that is hosted on GOLD BLADE infrastructure. The threat actors previously used these techniques individually: the use of WebDAV to execute remotely hosted DLLs was observed in September 2024, and the sideloading of a renamed ADNotificationManager.exe file was observed in March 2025. However, the combination observed in July 2025 represents a method for initial execution that has not been publicly reported.

    Execution chain

    Figure 1 illustrates the execution chain. The attack starts with a threat actor sending a well-crafted cover letter PDF to a target via a third-party job site such as ‘indeed.com’.

    Figure 1: RedLoader execution chain, showing remote DLL sideloading via an attacker-controlled WebDAV server. (Source: Sophos)

    1. A malicious link in the PDF downloads a ZIP archive to the victim’s system. The archive contains a LNK file that masquerades as a PDF.
    2. The LNK file executes conhost.exe.
    3. This executable leverages WebDAV to contact a CloudFlare domain (automatinghrservices[.]workers[.]dev). A renamed signed version of the Adobe ADNotificationManager.exe executable masquerades as a resume and is remotely hosted on the attacker-controlled server (dav[.]automatinghrservices[.]workers[.]dev@SSL\DavWWWRoot\CV-APP-2012-68907872.exe). This file resides in the same directory as the RedLoader stage 1 DLL file (netutils.dll).
    4. Upon execution, the renamed benign executable remotely sideloads the malicious DLL (netutils.dll), marking the beginning of the RedLoader infection chain.
    5. RedLoader stage 1 creates a scheduled task named ‘BrowserQE\BrowserQE_’ on the victim’s system and downloads a standalone executable for stage 2 from ‘live[.]airemoteplant[.]workers[.]dev’. The use of a standalone executable deviates from the activity observed in September 2024 and resembles the infection chain that Trend Micro reported in March 2024.
    6. The scheduled task uses PCALua.exe and conhost.exe to execute RedLoader stage 2, a custom executable named ‘BrowserQE_.exe’. While this executable name is victim-specific, the SHA256 hash is consistent across all samples observed by Sophos analysts.
    7. RedLoader stage 2 communicates with its C2 server.

    Mitigations

    The July activity shows how threat actors can combine prior techniques to modify their attack chain and bypass defenses. GOLD BLADE continues to rely heavily on LNK files that impersonate other file types. Organizations can mitigate this threat by deploying a Software Restriction Policy Group Policy Object that blocks LNK file execution from common directories leveraged by malware. These directories include ‘C:\Users\*\Downloads\*.lnk’, ‘%AppDataLocal%\*.lnk’, and ‘%AppDataRoaming%\*.lnk’.

    The Sophos protections listed in Table 1 will address this activity.

    Name | Description
    Evade_28k | Blocks specific versions of adnotificationmanager.exe, regardless of DLL name, from DLL sideloading
    WIN-DET-EVADE-HEADLESS-CONHOST-EXECUTION-1 | Identifies suspicious child processes of conhost.exe where the process path is not ‘\Windows\splwow64.exe’, ‘\Windows\System32\WerFault.exe’, or ‘\Windows\System32\conhost.exe’
    Troj/Agent-BLKU | Static detection for RedLoader stage 2

    Table 1: Sophos countermeasures covering this threat.
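    The following is an added example, not code from Sophos or from the original post. It turns two parts of the write-up into runnable detection logic and runs it over constructed process-creation events: the headless-conhost rule from Table 1 (a child of conhost.exe outside the three expected paths) and a heuristic for steps 3 and 4 of the execution chain (an executable running from a WebDAV UNC path that loads a DLL from the same remote directory). The hostname dav.example.invalid and the event layout are assumptions, not telemetry from the incident.

```python
# Added example: toy detections modelled on Table 1 and on steps 3-4 of the chain.
import re
from dataclasses import dataclass

# Child paths the Table 1 rule treats as expected under conhost.exe.
CONHOST_ALLOWED_CHILDREN = (
    r"\windows\splwow64.exe",
    r"\windows\system32\werfault.exe",
    r"\windows\system32\conhost.exe",
)

# Shape of a WebDAV UNC path as used in the chain: \\host@SSL\DavWWWRoot\...
WEBDAV_UNC = re.compile(r"^\\\\[^\\]+@ssl\\davwwwroot\\", re.IGNORECASE)

@dataclass
class ProcEvent:
    parent_image: str
    image: str
    command_line: str
    loaded_dlls: tuple = ()  # (dll name, dll path) pairs, if image-load data exists

def headless_conhost_child(ev: ProcEvent) -> bool:
    """Table 1 logic: conhost.exe spawned a child that is not on the allow-list."""
    if not ev.parent_image.lower().endswith(r"\conhost.exe"):
        return False
    img = ev.image.lower()
    return not any(img.endswith(p) for p in CONHOST_ALLOWED_CHILDREN)

def remote_sideload(ev: ProcEvent) -> bool:
    """Steps 3-4: image runs from a WebDAV share and loads a DLL from that same share directory."""
    if not WEBDAV_UNC.match(ev.image):
        return False
    remote_dir = ev.image.rsplit("\\", 1)[0].lower()
    return any(p.rsplit("\\", 1)[0].lower() == remote_dir for _, p in ev.loaded_dlls)

def triage(events):
    """Return (finding, image) pairs for every event that trips a rule."""
    findings = []
    for ev in events:
        if headless_conhost_child(ev):
            findings.append(("headless-conhost-child", ev.image))
        if remote_sideload(ev):
            findings.append(("remote-dll-sideload", ev.image))
    return findings

# Constructed sample events (not real telemetry; hostname is a placeholder).
REMOTE_EXE = r"\\dav.example.invalid@SSL\DavWWWRoot\CV-APP.exe"  # renamed ADNotificationManager.exe
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\conhost.exe", "conhost.exe " + REMOTE_EXE),
    ProcEvent(r"C:\Windows\System32\conhost.exe", REMOTE_EXE, REMOTE_EXE,
              loaded_dlls=(("netutils.dll", r"\\dav.example.invalid@SSL\DavWWWRoot\netutils.dll"),)),
    ProcEvent(r"C:\Windows\System32\conhost.exe", r"C:\Windows\System32\WerFault.exe", "WerFault.exe -u -p 1234"),
]
```

    Only the second event trips both rules; the WerFault.exe child is on the allow-list and the first event has explorer.exe, not conhost.exe, as its parent.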

    To mitigate exposure to this malware, organizations can use available controls to review and restrict access using the indicators listed in Table 2. The domains may contain malicious content, so consider the risks before opening them in a browser. A CSV file containing the IoCs mentioned in this post is available from our Github repository.

    Indicator | Type | Context
    automatinghrservices[.]workers[.]dev | Domain name | GOLD BLADE C2 server
    quiet[.]msftlivecloudsrv[.]workers[.]dev | Domain name | GOLD BLADE C2 server
    live[.]airemoteplant[.]workers[.]dev | Domain name | GOLD BLADE C2 server
    netutils.dll | Filename | RedLoader stage 1 deployed by GOLD BLADE via remote DLL sideloading
    d302836c7df9ce8ac68a06b53263e2c685971781a48ce56b3b5a579c5bba10cc | SHA256 hash | RedLoader stage 1 deployed by GOLD BLADE via remote DLL sideloading
    f5203c7ac07087fd5029d83141982f0a5e78f169cdc4ab9fc097cc0e2981d926 | SHA256 hash | RedLoader stage 2 deployed by GOLD BLADE
    369acb06aac9492df4d174dbd31ebfb1e6e0c5f3 | SHA1 hash | RedLoader stage 2 deployed by GOLD BLADE

    Table 2: Indicators for this threat.
