GOLD BLADE remote DLL sideloading attack deploys RedLoader

July 31, 2025, 3:23 p.m.

Description

A new infection chain for GOLD BLADE's RedLoader malware has been identified that combines previously separate techniques. The attack begins with a malicious PDF link that leads to a ZIP archive containing a LNK file masquerading as a PDF. Opening the LNK file executes conhost.exe, which uses WebDAV to contact a Cloudflare Workers domain and remotely sideload a malicious DLL. The infection then progresses through two stages of RedLoader before establishing command and control communication. This updated method, observed in July 2025, demonstrates the threat group's ability to adapt and bypass defenses by combining known techniques in novel ways.

Date

  • Created: July 31, 2025, 3:01 p.m.
  • Published: July 31, 2025, 3:01 p.m.
  • Modified: July 31, 2025, 3:23 p.m.

Indicators

  • f5203c7ac07087fd5029d83141982f0a5e78f169cdc4ab9fc097cc0e2981d926
  • d302836c7df9ce8ac68a06b53263e2c685971781a48ce56b3b5a579c5bba10cc
  • live.airemoteplant.workers.dev
  • quiet.msftlivecloudsrv.workers.dev
  • automatinghrservices.workers.dev

Attack Patterns

  • RedLoader
  • GOLD BLADE