GOLD BLADE Remote DLL Sideloading Attack Deploys RedLoader

    Date: 08/04/2025

    Severity: High

    Summary

    We are analyzing a newly identified infection chain linked to the GOLD BLADE cybercriminal group and their custom RedLoader malware, which establishes command and control (C2) communications. In this campaign, the attackers use a LNK file to remotely execute and sideload a legitimate executable, which in turn loads the stage 1 RedLoader payload hosted on GOLD BLADE infrastructure. While the group has previously used these techniques separately—remote DLL execution via WebDAV was seen in September 2024, and sideloading a renamed ADNotificationManager.exe was noted in March 2025—the combination of both methods, observed in July 2025, marks a novel approach to initial execution that has not been publicly documented before.

    Indicators of Compromise (IOC) List

    Domains/URLs:

    automatinghrservices.workers.dev

    quiet.msftlivecloudsrv.workers.dev

    live.airemoteplant.workers.dev

    Filename:

    netutils.dll

    Hashes (SHA256):

    d302836c7df9ce8ac68a06b53263e2c685971781a48ce56b3b5a579c5bba10cc

    f5203c7ac07087fd5029d83141982f0a5e78f169cdc4ab9fc097cc0e2981d926

    Hash (SHA1):

    369acb06aac9492df4d174dbd31ebfb1e6e0c5f3

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Domains/URLs:

    domainname like "automatinghrservices.workers.dev" or url like "automatinghrservices.workers.dev" or siteurl like "automatinghrservices.workers.dev"
    or domainname like "quiet.msftlivecloudsrv.workers.dev" or url like "quiet.msftlivecloudsrv.workers.dev" or siteurl like "quiet.msftlivecloudsrv.workers.dev"
    or domainname like "live.airemoteplant.workers.dev" or url like "live.airemoteplant.workers.dev" or siteurl like "live.airemoteplant.workers.dev"

    Filename:

    resourcename = "Windows Security" and eventtype = "4663" and objectname like "netutils.dll"

    Hash 1 (SHA256):

    sha256hash IN ("d302836c7df9ce8ac68a06b53263e2c685971781a48ce56b3b5a579c5bba10cc","f5203c7ac07087fd5029d83141982f0a5e78f169cdc4ab9fc097cc0e2981d926")

    Hash 2 (SHA1):

    sha1hash IN ("369acb06aac9492df4d174dbd31ebfb1e6e0c5f3")
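    The following is an added example, not part of the Gurucul advisory or its TDIR product: a small Python matcher that applies the same four rules (listed domains in domainname/url/siteurl, a Windows Security 4663 object-access event naming netutils.dll, and the SHA256/SHA1 lists) to constructed sample log records. The field names follow the queries above; the sample records are made up. One addition beyond the queries is my own assumption: netutils.dll is also a genuine Windows DLL that normally lives under System32, so the matcher separately flags a copy accessed from any other path, which is the case a sideloaded DLL would produce.

```python
# Added example (not from the Gurucul advisory): an IOC matcher that mirrors the
# four TDIR queries, run over constructed sample log records.
import re
from typing import Dict, List

IOC_DOMAINS = {
    "automatinghrservices.workers.dev",
    "quiet.msftlivecloudsrv.workers.dev",
    "live.airemoteplant.workers.dev",
}
IOC_FILENAME = "netutils.dll"
IOC_SHA256 = {
    "d302836c7df9ce8ac68a06b53263e2c685971781a48ce56b3b5a579c5bba10cc",
    "f5203c7ac07087fd5029d83141982f0a5e78f169cdc4ab9fc097cc0e2981d926",
}
IOC_SHA1 = {"369acb06aac9492df4d174dbd31ebfb1e6e0c5f3"}


def _like(value, needle: str) -> bool:
    """The queries use `like` without wildcards; treat it as a case-insensitive
    substring match so a full URL containing the domain still hits."""
    return value is not None and needle.lower() in str(value).lower()


def match_event(ev: Dict[str, str]) -> List[str]:
    """Return the names of the advisory rules that this record satisfies."""
    hits: List[str] = []

    # Rule 1: any of domainname / url / siteurl contains a listed domain.
    for field in ("domainname", "url", "siteurl"):
        if any(_like(ev.get(field), d) for d in IOC_DOMAINS):
            hits.append("domain")
            break

    # Rule 2: Windows Security event 4663 (object access) naming netutils.dll.
    if (ev.get("resourcename") == "Windows Security"
            and str(ev.get("eventtype")) == "4663"
            and _like(ev.get("objectname"), IOC_FILENAME)):
        hits.append("filename")
        # Assumption (mine, not the advisory's): the legitimate netutils.dll
        # lives under \Windows\System32; a copy anywhere else deserves priority.
        if not re.search(r"\\windows\\system32\\netutils\.dll$",
                         str(ev.get("objectname")), re.IGNORECASE):
            hits.append("filename-outside-system32")

    # Rules 3 and 4: hash lists, compared case-insensitively.
    if str(ev.get("sha256hash", "")).lower() in IOC_SHA256:
        hits.append("sha256")
    if str(ev.get("sha1hash", "")).lower() in IOC_SHA1:
        hits.append("sha1")
    return hits


def scan(events):
    """Run match_event over a batch and keep only records with at least one hit."""
    out = []
    for i, ev in enumerate(events):
        hits = match_event(ev)
        if hits:
            out.append((i, hits))
    return out


# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    {"url": "https://live.airemoteplant.workers.dev/update", "domainname": ""},
    {"resourcename": "Windows Security", "eventtype": "4663",
     "objectname": r"C:\Users\Public\Music\netutils.dll"},
    {"resourcename": "Windows Security", "eventtype": "4663",
     "objectname": r"C:\Windows\System32\netutils.dll"},
    {"sha256hash": "D302836C7DF9CE8AC68A06B53263E2C685971781A48CE56B3B5A579C5BBA10CC"},
    {"sha1hash": "369acb06aac9492df4d174dbd31ebfb1e6e0c5f3",
     "url": "https://example.invalid/"},
    {"url": "https://contoso.example/", "resourcename": "Windows Security",
     "eventtype": "4688"},
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {', '.join(hits)}")
```

    Two operational points when tuning the filename rule: event 4663 is only generated for files that carry an audit SACL, so the rule needs object-access auditing enabled on the directories you care about, and because netutils.dll is also a legitimate system file, the unscoped query will also match ordinary accesses under System32; the path check in the example is one way to rank those below the rest.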

    Reference:

    https://news.sophos.com/en-us/2025/07/29/gold-blade-remote-dll-sideloading-attack-deploys-redloader/


    Tags

    Malware, GOLD BLADE, RedLoader