GOLD BLADE remote DLL sideloading attack deploys RedLoader

    Date: 07/31/2025

    Severity: Medium

    Summary

    Sophos analysts (see Reference) are tracking a new infection chain that delivers the GOLD BLADE cybercriminal group's custom RedLoader malware, which establishes command and control (C2) communications. The attackers use a LNK file to remotely execute a benign, legitimately signed executable; that executable sideloads a malicious DLL (the netutils.dll listed below), which in turn loads the stage 1 RedLoader payload hosted on GOLD BLADE infrastructure. The two techniques had been used separately before (WebDAV-based remote DLL execution in September 2024, and sideloading via a renamed ADNotificationManager.exe in March 2025), but their combined use observed in July 2025 is a novel initial execution method that had not previously been disclosed publicly.

    Indicators of Compromise (IOC) List

    URL/Domain

    automatinghrservices.workers.dev

    quiet.msftlivecloudsrv.workers.dev

    live.airemoteplant.workers.dev

    Hash

    SHA-1: 369acb06aac9492df4d174dbd31ebfb1e6e0c5f3

    SHA-256: d302836c7df9ce8ac68a06b53263e2c685971781a48ce56b3b5a579c5bba10cc

    SHA-256: f5203c7ac07087fd5029d83141982f0a5e78f169cdc4ab9fc097cc0e2981d926

    Filename

    netutils.dll

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1 : 

    domainname like "quiet.msftlivecloudsrv.workers.dev" or siteurl like "quiet.msftlivecloudsrv.workers.dev" or url like "quiet.msftlivecloudsrv.workers.dev" or domainname like "automatinghrservices.workers.dev" or siteurl like "automatinghrservices.workers.dev" or url like "automatinghrservices.workers.dev" or domainname like "live.airemoteplant.workers.dev" or siteurl like "live.airemoteplant.workers.dev" or url like "live.airemoteplant.workers.dev"

    Detection Query 2 : 

    sha256hash IN ("d302836c7df9ce8ac68a06b53263e2c685971781a48ce56b3b5a579c5bba10cc","f5203c7ac07087fd5029d83141982f0a5e78f169cdc4ab9fc097cc0e2981d926")

    Detection Query 3 : 

    hash IN ("369acb06aac9492df4d174dbd31ebfb1e6e0c5f3")

    Detection Query 4 :

    (resourcename = "Windows Security" AND eventtype = "4663") AND filename like "netutils.dll"

    Detection Query 5 :

    technologygroup = "EDR" AND filename like "netutils.dll"
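    The five queries above are written for Gurucul TDIR. The following Python script is an added example (not Gurucul's query engine and not code from the Sophos report) that applies the same indicators to a batch of constructed JSON-lines endpoint events, so the matching logic can be checked offline. It adds one refinement a practitioner will want on top of Queries 4 and 5: netutils.dll is a legitimate Windows library that every host loads from System32, so the script flags it only when it is loaded from somewhere else, such as a WebDAV UNC path (\\host@SSL\DavWWWRoot\...) or a user-writable directory. The trusted directory list, event field names and sample events are assumptions made for the example.

```python
"""IOC sweep for the GOLD BLADE / RedLoader chain over constructed endpoint telemetry.

Added example: the indicators come from the advisory above; the event schema,
trusted-directory list and sample log lines are assumptions made for this script.
"""
import json
import ntpath  # handles Windows paths (including UNC) on any OS
from typing import Dict, Iterable, List, Tuple

# Indicators from this advisory.
IOC_DOMAINS = {
    "automatinghrservices.workers.dev",
    "quiet.msftlivecloudsrv.workers.dev",
    "live.airemoteplant.workers.dev",
}
IOC_SHA256 = {
    "d302836c7df9ce8ac68a06b53263e2c685971781a48ce56b3b5a579c5bba10cc",
    "f5203c7ac07087fd5029d83141982f0a5e78f169cdc4ab9fc097cc0e2981d926",
}
IOC_SHA1 = {"369acb06aac9492df4d174dbd31ebfb1e6e0c5f3"}
SIDELOAD_DLL = "netutils.dll"
# netutils.dll is a legitimate Windows DLL; on a default install it is loaded from
# one of these directories (assumption: %SystemRoot% is C:\Windows).
TRUSTED_DLL_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def domain_matches(host: str) -> bool:
    """True if host is an IOC domain or a subdomain of one.

    Deliberately not a substring match, so ordinary workers.dev traffic does not alert.
    """
    h = host.strip().lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in IOC_DOMAINS)


def hash_matches(value: str) -> bool:
    """Case-insensitive lookup against both the SHA-1 and SHA-256 indicators."""
    v = value.strip().lower()
    return v in IOC_SHA256 or v in IOC_SHA1


def is_sideload_path(image_path: str) -> bool:
    """netutils.dll loaded from anywhere except the Windows system directories.

    Catches the WebDAV UNC form (\\\\host@SSL\\DavWWWRoot\\...) used for remote
    sideloading as well as copies dropped into user-writable directories.
    """
    p = image_path.strip().lower()
    if ntpath.basename(p) != SIDELOAD_DLL:
        return False
    return not p.startswith(TRUSTED_DLL_DIRS)


def check_event(ev: Dict) -> List[str]:
    """Return the IOC findings for one normalized endpoint event (assumed schema)."""
    findings = []
    kind = ev.get("event_type")
    if kind == "dns" and domain_matches(ev.get("query", "")):
        findings.append(f"C2 domain: {ev['query']}")
    if kind == "image_load" and is_sideload_path(ev.get("image", "")):
        findings.append(f"netutils.dll sideload from {ev['image']} by {ev.get('process', '?')}")
    for key in ("sha1", "sha256"):
        if hash_matches(ev.get(key, "")):
            findings.append(f"known RedLoader stage hash ({key}): {ev[key]}")
    return findings


def sweep(raw_lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Parse JSON-lines telemetry and return (event id, finding) pairs."""
    hits = []
    for line in raw_lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        for finding in check_event(ev):
            hits.append((ev.get("id", "?"), finding))
    return hits


# Constructed sample telemetry (not real logs): one JSON object per line.
SAMPLE_LOG = r"""
{"id": "e1", "event_type": "dns", "host": "WS01", "query": "quiet.msftlivecloudsrv.workers.dev"}
{"id": "e2", "event_type": "dns", "host": "WS01", "query": "docs.workers.dev"}
{"id": "e3", "event_type": "image_load", "process": "explorer.exe", "image": "C:\\Windows\\System32\\netutils.dll"}
{"id": "e4", "event_type": "image_load", "process": "ADNotificationManager.exe", "image": "\\\\webdav.example.invalid@SSL\\DavWWWRoot\\share\\netutils.dll"}
{"id": "e5", "event_type": "image_load", "process": "update.exe", "image": "C:\\Users\\Public\\netutils.dll"}
{"id": "e6", "event_type": "file_create", "path": "C:\\Users\\Public\\x.bin", "sha256": "D302836C7DF9CE8AC68A06B53263E2C685971781A48CE56B3B5A579C5BBA10CC"}
{"id": "e7", "event_type": "file_create", "path": "C:\\Users\\Public\\y.bin", "sha1": "369acb06aac9492df4d174dbd31ebfb1e6e0c5f3"}
"""

if __name__ == "__main__":
    for event_id, finding in sweep(SAMPLE_LOG.splitlines()):
        print(f"[{event_id}] {finding}")
```

    Two caveats on the event sources behind Queries 4 and 5. Windows Security event 4663 ("an attempt was made to access an object") is only generated when object-access auditing is enabled and a SACL covers the file, so Query 4 is silent on hosts without that auditing; EDR or Sysmon module-load telemetry (Sysmon Event ID 7, "Image loaded") is the more reliable feed. And because netutils.dll is a legitimate system DLL, matching on the bare filename will fire on every normal load from System32; the path check in the script above is what separates the sideload from routine activity.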

    Reference:    

    https://news.sophos.com/en-us/2025/07/29/gold-blade-remote-dll-sideloading-attack-deploys-redloader/            


    Tags

    Malware, Threat Actor, GOLD BLADE, RedLoader, LNK
