Cybersecurity researchers at Sophos are closely tracking a sophisticated new infection chain developed by the financially motivated cybercriminal group known as GOLD BLADE, also referred to in the threat landscape as RedCurl, Red Wolf, and Earth Kapre. GOLD BLADE has a known history of orchestrating commercial espionage campaigns since at least 2018.
At the center of their latest campaign is the group’s proprietary RedLoader malware, purpose-built to initiate command and control (C2) communications and facilitate continued intrusion activity within compromised environments.
Infection Chain and RedLoader Deployment
The GOLD BLADE operation typically begins with highly targeted phishing emails, which are crafted to deceive recipients in human resources or administrative roles. These emails often include malicious attachments disguised as job application materials such as resumes or CVs. When a victim opens the malicious file, a stealthy infection sequence is triggered.
A distinctive feature of this attack chain is the use of legitimately signed executables, often from trusted vendors such as Adobe. These binaries are abused for DLL side-loading (the signed program loads a malicious DLL placed beside it), allowing the attackers to quietly deploy the RedLoader payload onto the victim’s system.
RedLoader Functional Analysis
Once installed, RedLoader collects sensitive host information and securely transmits it to infrastructure controlled by GOLD BLADE. The malware leverages a variety of evasion tactics, including:
- DLL side-loading to hide its presence.
- String obfuscation and dynamic function resolution to complicate analysis.
- Launching PowerShell scripts for reconnaissance, particularly of Active Directory environments.
- Use of native Windows utilities such as pcalua.exe, exemplifying “living off the land” approaches designed to blend malicious activity with normal system operations.
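As an added defender-side example (not code from the Sophos report or this article), the following Python sketch turns two of the behaviours listed above into simple detection rules, an unsigned DLL loaded from a user-writable directory beside the executable that loaded it, and pcalua.exe acting as the parent of a process outside standard install locations, and runs them over a few constructed Sysmon-style events; the field names follow Sysmon, the paths and values are invented.

```python
import ntpath
import re

# User-writable directories; an unsigned DLL loaded from here next to a signed
# vendor executable is the side-by-side layout that DLL side-loading relies on.
USER_WRITABLE = re.compile(r"^C:\\(Users|ProgramData|Windows\\Temp)\\", re.IGNORECASE)
# Locations where legitimately installed software normally lives.
TRUSTED_DIRS = re.compile(r"^C:\\(Program Files( \(x86\))?|Windows)\\", re.IGNORECASE)

# Constructed Sysmon-style records (EventID 7 = image loaded, 1 = process
# created). Field names follow Sysmon; the paths are invented for this example.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Users\hr\Downloads\cv\vendor_signed.exe",
     "ImageLoaded": r"C:\Users\hr\Downloads\cv\helper.dll", "Signed": "false"},
    {"EventID": 7, "Image": r"C:\Program Files\Adobe\Acrobat\Acrobat.exe",
     "ImageLoaded": r"C:\Program Files\Adobe\Acrobat\plugin.dll", "Signed": "true"},
    {"EventID": 1, "ParentImage": r"C:\Windows\System32\pcalua.exe",
     "Image": r"C:\Users\hr\AppData\Local\Temp\stage2.exe"},
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\Adobe\Acrobat\Acrobat.exe"},
]

def is_sideload_candidate(ev):
    """Unsigned DLL in a user-writable dir, sitting beside the executable that loaded it."""
    if ev.get("EventID") != 7 or str(ev.get("Signed", "")).lower() != "false":
        return False
    dll, exe = ev["ImageLoaded"], ev["Image"]
    return bool(USER_WRITABLE.match(dll)) and (
        ntpath.dirname(dll).lower() == ntpath.dirname(exe).lower())

def is_pcalua_launch(ev):
    """pcalua.exe as the parent of a process outside the standard install locations."""
    if ev.get("EventID") != 1:
        return False
    parent = ntpath.basename(ev.get("ParentImage", "")).lower()
    return parent == "pcalua.exe" and not TRUSTED_DIRS.match(ev["Image"])

def triage(events):
    """Return (rule, suspicious_path) pairs for every event that matches a rule."""
    hits = []
    for ev in events:
        if is_sideload_candidate(ev):
            hits.append(("dll_sideload", ev["ImageLoaded"]))
        if is_pcalua_launch(ev):
            hits.append(("pcalua_launch", ev["Image"]))
    return hits
```

Running `triage(SAMPLE_EVENTS)` flags only the side-loaded `helper.dll` and the `pcalua.exe`-spawned `stage2.exe`; unsigned DLLs that legitimately ship in user directories (developer tooling, per-user installers) will also match the first rule, so treat hits as triage leads rather than verdicts.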
Command and Control Communications
After establishing an initial foothold, RedLoader quickly connects to GOLD BLADE’s C2 servers. This communication channel supports remote command execution, data exfiltration, and the delivery of further malicious payloads, enabling GOLD BLADE operators to maintain persistent access and escalate attacks as needed.
Security Research Insights
Recent investigations—including those conducted by Sophos—underscore the advanced, multi-stage nature of the infection chain and the deliberate exploitation of trusted software to subvert endpoint defenses. Technical analysis of RedLoader samples has revealed sophisticated use of encryption (such as AES), rolling XOR obfuscation, and custom DLL management strategies that present significant challenges for detection and reverse engineering.