Sharpening the knife: strategic evolution of GOLD BLADE

Dec. 21, 2025, 6:50 p.m.

Description

GOLD BLADE, a threat group previously focused on cyberespionage, has evolved into a hybrid operation combining data theft with selective ransomware deployment. The group has refined its intrusion methods, shifting from traditional phishing to abusing recruitment platforms for delivering weaponized resumes. Their operations follow cycles of dormancy and sudden activity bursts, introducing new tradecraft in each wave. GOLD BLADE has modified its RedLoader infection chain multiple times, implemented a Bring Your Own Vulnerable Driver approach, and developed a custom ransomware called QWCrypt. The group's targeting has narrowed to focus primarily on Canadian organizations across various sectors. Their sophisticated tactics and continual refinement demonstrate a level of operational maturity uncommon among financially motivated actors.

Date

  • Created: Dec. 6, 2025, 7:31 a.m.
  • Published: Dec. 6, 2025, 7:31 a.m.
  • Modified: Dec. 21, 2025, 6:50 p.m.

Indicators


Attack Patterns

Additional Information

  • Manufacturing
  • Retail (distribution)
  • Technologies
  • Services
  • Canada
  • United States of America