Sharpening the knife: GOLD BLADE’s strategic evolution

Between February 2024 and August 2025, Sophos analysts investigated nearly 40 intrusions related to  STAC6565, a campaign the analysts assess with high confidence is associated with the GOLD BLADE threat group (also known as RedCurl, RedWolf, and Earth Kapre). This campaign reflects an unusually narrow geographic focus for the group, with almost 80% of the attacks targeting Canadian organizations. Once focused primarily on cyberespionage, GOLD BLADE has evolved its activity into a hybrid operation that blends data theft with selective ransomware deployment via a custom locker named QWCrypt.

GOLD BLADE continually refines its intrusion methods and has shifted from traditional phishing emails to abusing recruitment platforms to deliver weaponized resumes. Its operations follow a rhythm of dormancy followed by sudden bursts of activity, with each wave introducing newly developed or adapted tradecraft. The threat actors have modified the RedLoader infection chain multiple times to test different combinations of payload formats, execution mechanisms, and locations to host malicious files. They also implemented a Bring Your Own Vulnerable Driver (BYOVD) chain involving renamed Zemana drivers and modified versions of the Terminator endpoint detection and response (EDR) killer tool to evade detection.

The enigma known as GOLD BLADE

Since emerging in 2018, GOLD BLADE has been linked to attacks aimed at stealing sensitive business information, credentials, and emails. The targeted nature of its operations and the lack of a data leak site (DLS) suggest the group conducts tailored intrusions on behalf of clients under a “hack-for-hire” model. In April 2025, Sophos analysts observed the group selectively deploying QWCrypt ransomware, which was first reported by Bitdefender the previous month. Sophos analysts have continued to see GOLD BLADE deploy the ransomware against select victims, indicating the threat actors may be independently monetizing intrusions in addition to conducting espionage for clients.

GOLD BLADE’s ability to cycle through delivery methods and refine its techniques over time reflects a professionalized operation that treats intrusions as a core service requiring routine updates to maintain effectiveness. However, the group does not neatly fit into a conventional threat category. While it is financially motivated, GOLD BLADE’s discreet extortion strategy, long-running campaigns, and evolving tradecraft differentiate it from many other cybercriminal groups. At the same time, there is no evidence of the group being state-sponsored or politically motivated. There is also little known about where the threat actors are based. Though some third-parties report that GOLD BLADE is a Russian-speaking group, Sophos analysts have not found sufficient evidence to confirm or deny that assessment at this time.

Attack tempo and victimology

Sophos analysts observed notable iterations of GOLD BLADE’s RedLoader delivery chain in September 2024, March 2025, and July 2025, each of which was preceded by one to two months of inactivity (see Figure 1). For example, after the March spike in incidents and the QWCrypt attack in April, the group appeared to go on a hiatus, only to resume activity in July with novel combinations of prior techniques. Although this pattern is based solely on Sophos visibility, it likely reflects development time for new attack chains and responses to external reporting of the group’s methods. Group-IB reported a similar pattern in 2021, describing the group hibernating for seven months before conducting a wave of attacks using improved tactics.

Figure 1: Observed GOLD BLADE activity from August 2024 through August 2025

Analysis of STAC6565 victimology suggests that GOLD BLADE has narrowed its targeting to focus almost exclusively on organizations based in North America. Nearly 80% of GOLD BLADE attacks linked to the STAC6565 campaign targeted Canada-based organizations. The U.S. ranked second with 14% (see Figure 2).

Figure 2: GOLD BLADE targeting by country from February 2024 through August 2025

Industry-specific targeting was much less concentrated and spanned over a dozen sectors. Services organizations were targeted in 21% of the incidents, followed by manufacturing, retail, and technology (see Figure 3).

Figure 3: GOLD BLADE targeting by sector from February 2024 through August 2025

GOLD BLADE’s activity appears to be targeted rather than opportunistic. Based on the tailored resume filenames used in their phishing lures and repeated attempts to compromise the same organizations over weeks or months, the threat actors likely conduct passive open-source intelligence (OSINT) to identify desirable targets or to collect information on organizations specified by their clients.

Initial access

GOLD BLADE historically targeted human resources (HR) personnel by sending well-crafted spearphishing emails containing malicious documents disguised as resumes, curricula vitae (CVs), or cover letters from purported job applicants. Since at least September 2024, the threat actors have made a tactical shift from phishing emails to abusing third-party recruitment platforms such as Indeed, JazzHR, and ADP WorkforceNow to distribute their malicious payloads.

This approach of submitting weaponized resumes through recruitment platforms may represent a notable evolution in HR-themed social engineering. Many threat groups have delivered malware via job-application lures by communicating with HR staff via email, LinkedIn, or Indeed to drive them to external phishing sites. However, GOLD BLADE skips this interaction step and relies on recruiters’ trust in the applicant-tracking system. As recruitment platforms enable HR staff to review all incoming resumes, hosting payloads on these platforms and delivering them via disposable email domains not only increases likelihood that the documents will be opened but also evades detection by email-based protections.

The initial lure used in the STAC6565 campaign is often a resume submitted as a PDF to the target’s external recruitment portal (see Figure 4). These PDFs are either weaponized directly or link to externally hosted content.

Figure 4: Fake resume uploaded to the JazzHR external recruitment platform

In the April QWCrypt incident, an HR employee’s attempt to view the PDF resulted in a fake Indeed Safe Resume Share Service page displaying a “Resume does not open” message. Hovering the cursor over the “View” button revealed the lure domain. When clicked, the link redirected the employee to a fake HR services site to view the resume (see Figure 5). In August 2025, Sophos observed the threat actors reusing this Safe Resume Share Service template for a LinkedIn-themed lure.

Figure 5: Fake Indeed (left) and LinkedIn (right) Safe Resume Share Service pages instructing the user to click on an external link to view the submitted resume

RedLoader delivery chain

When downloaded, the weaponized resume launches a multi-stage infection chain that delivers GOLD BLADE’s custom RedLoader malware. Sophos analysts track the RedLoader delivery chain in three distinct stages: initial execution, secondary payload deployment, and full malware installation.

Sophos first observed RedLoader being deployed in February 2024 in an attack chain that overlapped with Trend Micro observations reported the following month. However, a RedLoader infection in September 2024 introduced an alternative delivery chain that continued to evolve over the following year. By July 2025, Sophos analysts observed GOLD BLADE combining prior methods into a novel, unreported delivery chain (see Figure 6).

Figure 6: Progressive iterations of the RedLoader delivery chain from September 2024 to July 2025

Stage 1: Initial execution

The first stage of the delivery chain begins with the weaponized resume PDF dropping a .zip file, followed by one of three methods to deliver the initial RedLoader payload as a DLL:

• Method 1 (September 2024): The fake resume drops a ZIP archive containing a .lnk file disguised as a PDF. The .lnk file uses rundll32.exe to retrieve the initial RedLoader DLL from a WebDAV server hosted behind a Cloudflare Workers domain. The DLL is executed in memory via a “rundll32.exe <GUID>.dll,CplApplet” command. By fetching payloads over WebDAV from a domain hosted under Cloudflare Workers, the threat actors limit disk artifacts while also hiding the origin of the payload.
• Method 2 (March 2025, April 2025): The fake resume drops a ZIP archive containing an .iso or .img file. When clicked, the .iso or .img file is auto mounted as a virtual drive that contains a renamed copy of the legitimate ADNotificationManager.exe file (e.g., CV Applicant <GUID>.exe, CV Applicant ID <GUID>.scr). Execution of the legitimate file sideloads the initial RedLoader DLL (srvcli.dll or netutils.dll).
• Method 3 (July 2025): This method combines methods 1 and 2. The fake resume drops a ZIP archive containing a .lnk file disguised as a PDF. The .lnk file uses rundll32.exe to retrieve a renamed copy of ADNotificationManager.exe (CV-APP-<GUID>.exe) from a WebDAV server hosted behind a Cloudflare Workers domain. Execution of the legitimate file remotely sideloads the initial RedLoader DLL (srvcli.dll or netutils.dll) from the same WebDAV path. While GOLD BLADE previously assigned a unique subdomain for each victim, multiple July 2025 incidents reused the same workers[.]dev domain (e.g., automatinghrservices[.]workers[.]dev).

When executed, the initial RedLoader DLL opens a decoy Indeed login page using a distinctive User-Agent string previously attributed to GOLD BLADE (Mozilla/5.0 (Windows NT; Windows NT 10.0;) WindowsPowerShell/5.1.20134.790).

Stage 2: Secondary payload deployment

The first-stage DLL connects to an external C2 server before creating a scheduled task to download and execute the second-stage payload, which is staged in the C:\Users\<username>\AppData\Roaming\ directory. The scheduled task and filename of the second-stage malware often use a browser-themed naming pattern (e.g., BrowserEngineUpdate, BrowserSMP, BrowserQE) followed by a Base64-encoded computer name.

While GOLD BLADE’s use of the Program Compatibility Assistant (pcalua.exe) living-off-the-land binary (LOLBin) for payload execution has remained the same, the format of both the second- and third-stage payloads shifted in April 2025 from DLLs to standalone executables.

• September 2024 and March 2025: The scheduled task launches pcalua.exe, which invokes rundll32.exe to deliver the second-stage payload as a DLL.
• April 2025 and July 2025: The scheduled task launches pcalua.exe and a conhost.exe –headless argument to deliver the second-stage payload as a standalone executable. While the executable name is victim-specific, all July 2025 samples observed by Sophos analysts share the same SHA256 hash (f5203c7ac07087fd5029d83141982f0a5e78f169cdc4ab9fc097cc0e2981d926).

Stage 3: Full malware installation

Following deployment of the secondary payload, the attackers appear to selectively choose which compromised systems receive the final RedLoader payload. In a July incident, Sophos analysts observed the second-stage payload beacon to the C2 infrastructure without proceeding to stage three, while other victims compromised during the same timeframe received the third-stage payload.

After connecting to a different external C2 server than the initial RedLoader DLL, the second-stage malware creates a new scheduled task to download and execute the final RedLoader payload, which is also typically staged in the C:/Users/<username>/AppData/Roaming directory. The scheduled task name format is a string of words (e.g., HybridDriveCacheRebalance, RegisterDevicePolicyChange, LicenseAcquisition, FODCleanupTask) followed by a pseudo-random alphanumeric substring from the final payload filename. As in other files, the strings used in both the third-stage malware filename and scheduled task name vary across victims, suggesting GOLD BLADE may be using victim or build-specific IDs to track deployments.

• September 2024 and March 2025: The third-stage payload is delivered as a DLL alongside a malicious .dat file. The scheduled task executes the payload by running a “rundll32.exe <GUID>.dll,CPlApplet” command or by launching pcalua.exe, which invokes rundll32.exe to load the DLL.
• April 2025 and July 2025: The third-stage payload is delivered as a standalone executable alongside a malicious .dat file and a renamed 7-Zip file. The scheduled task executes the payload by launching pcalua.exe.

The payload parses the malicious .dat file and checks internet connectivity. It then connects to another attacker-controlled C2 server to create and run a .bat script that automates system discovery. The script unpacks Sysinternals AD Explorer and runs commands to gather details such as host information, disks, processes, and installed antivirus (AV) products. The script compresses the results into encrypted, password-protected archives via 7-Zip and transfers the data to an attacker-controlled WebDAV server.

Command and control (C2)

In the STAC6565 campaign, Sophos analysts observed GOLD BLADE deploying RPivot for C2 communications. RPivot is an open-source reverse proxy that tunnels traffic into internal networks via SOCKS4. The threat actors download the SOCKS proxy as a Python script named sra.py or osr.py. A .bat file then executes the script to establish a connection to remote IP address 109[.]206[.]236[.]209, with the ports differing across incidents.

In one QWCrypt incident, the attackers also used the Chisel SOCKS5 tunneling tool. Leveraging the open-source Non-Sucking Service Manager (NSSM) utility that enables executables to run as system services, the threat actors created two distinct Windows service entries pointing to the same Chisel binary (MSAProfileNotificationHandler.exe). Each service was configured as a SOCKS client to attacker-controlled servers (e.g., stars[.]medbury[.]com:18810, 194[.]113[.]245[.]238:8810). In a likely effort to rotate C2 infrastructure or create redundant execution paths, the attackers copied the Chisel binary to a new binary name (SensorPerformanceEvents.exe) several days later and started it to provision a SOCKS tunnel to a different C2 server (162[.]33[.]178[.]61:18810).

Defense evasion

In several STAC6565 incidents, Sophos analysts observed the threat actors using a customized Terminator sample and a signed Zemana AntiMalware driver to attempt to disable extended detection and response (XDR) solutions. Terminator is an endpoint detection and response (EDR) killer tool that uses a Bring Your Own Vulnerable Driver (BYOVD) approach and loads a legitimately signed but vulnerable Zemana driver to kill protected processes, unload drivers, and modify kernel memory.

Sophos analysis indicates the threat actors repurposed code from an open-source version of Spyboy’s Terminator posted to GitHub and modified it to obfuscate all the strings using a custom XOR routine (see Figure 7). This XOR implementation has been used in RedLoader samples to decode and resolve the bcrypt functions that use AES to decrypt other API calls. Third parties such as eSentire and Huntress reported similar observations. However, Sophos analysis revealed there were no AES-encrypted strings in the Terminator samples.

Figure 7: Custom XOR algorithm in a Terminator sample

One unusual discovery was a full Program Database (PDB) path found in GOLD BLADE’s Terminator samples:

E:\SpecOp\js!_LOCKERS!_TOOLS\13_KILLAV\DISTRIB\WIN 2012 - WIN 2022 (Win10 - Win11)\Terminator_v1.1 (WITHOUT INSTALL)\x64\Release\Terminator.pdb

Cautious threat actors typically redact these paths before deployment to avoid leaking metadata that aids attribution or reverse engineering. While the PDB path could be a deliberate false flag, its presence more likely reflects a lapse in GOLD BLADE’s operational security. Analyzing the path provides a glimpse into GOLD BLADE’s development practices and reveals a structured offensive toolkit oriented around ransomware operations. The path also suggests that the group maintains multiple builds that contain different packages (e.g., with versus without installer) and are tailored to specific operating system versions.

In some STAC6565 incidents, Sophos analysts observed the threat actors drop the Terminator (term.exe) and driver (term.sys) files into C:\ProgramData. When the Terminator file is executed, it writes and installs the vulnerable driver (term.sys), which is then loaded via a kernel-mode driver service (TRM or SfTerm). The threat actors then delete the service and files, likely to evade detections that monitor persistent services (see Figure 8). In one July QWCrypt incident, the attackers deployed multiple Terminator binaries under this default naming schema (term*.exe, trm*.exe) to try to bypass Sophos detections. The binary hashes were unique for each variant, suggesting repacking or obfuscation.

Figure 8: Terminator executable code includes a search for a vulnerable driver named term.sys

The threat actors went a step further in the April QWCrypt incident and renamed the loader and driver to lmhost.exe and lmhost.sys before distributing them via SMB shares to all servers in the environment. The attackers then modified the registry to disable two core Windows security mechanisms: the vulnerable driver blocklist, which prevents loading of known-bad drivers, and Hypervisor-Enforced Code Integrity, which defends against kernel-level tampering. The following are the modified registry keys:

• HKLM\SYSTEM\CurrentControlSet\Control\CI\Config /v VulnerableDriverBlocklistEnable /t REG_DWORD /d 0x0 /f
• HKLM\\SYSTEM\\CurrentControlSet\\Control\\DeviceGuard\\Scenarios\\HypervisorEnforcedCodeIntegrity /v Enabled /t REG_DWORD /d 0x0 /f

After making those changes, the threat actors copied the driver to the system directory and installed it as a kernel-mode service (LMHost) set to start automatically at boot. They repeated the same method to deploy the driver (renamed wmlib.sys) and Terminator tool (renamed wmlib.exe) across all available endpoints.

QWCrypt ransomware deployment

In most observed STAC6565 incidents, Sophos detections and response teams alerted on and mitigated the attacks before ransomware deployment. However, Sophos analysts observed QWCrypt ransomware deployed once in April and twice in July. In the April incident, the threat actors manually browsed and collected sensitive files, then paused activity for over five days before deploying the locker. This delay may suggest the attackers turned to ransomware after trying to monetize the data or failing to secure a buyer.

The QWCrypt ransomware launcher and deployment scripts are tailored to the target environment, with the script names containing a victim-specific ID. In the April incident, the ransomware and associated scripts were delivered in an encrypted 7-Zip archive (<victim ID>.tmp) and staged on endpoints across the environment via automated SMB transfers. After staging, the threat actors used local admin accounts and Impacket remote execution to run the launcher script (<victim ID>.bat) that began the ransomware deployment chain.

The launcher script ensured the Terminator service (WMLib) was active before extracting the ransomware payload (qwc_<victim ID>.exe) and associated files from the encrypted 7-Zip archive. It then started the main script (qwc_<victim ID>_1.bat) responsible for executing the ransomware. Like the launcher script, the main script confirmed the Terminator service was running, likely to reduce the risk of active protections causing the script to fail. It created a mutex file to prevent concurrent runs and wrote extensive discovery logs (tasklist, WMIC) to a temp directory that was exfiltrated via curl.exe to the attacker’s C2 server (local.chronotypelabs . workers . dev).

The qwc_<victim ID>_1.bat script then disabled recovery via the ‘bcdedit /set {default} recoveryenabled no’ command and extracted the ransomware payload (qwc_<victim ID>.exe) from the archive. The script attempted to execute the ransomware on endpoint devices across the network via the ‘qwc_537aab1c.exe -v –key <key> –nosd’ command. However, Sophos CryptoGuard blocked the attack on protected systems, resulting in only a few impacted hosts that were not managed by Sophos. The attempted encryption of endpoints differs from previous reporting of the threat group targeting only hypervisors for encryption. The attackers then tried to manually execute the binary on the organization’s hypervisors, using an option (–hv) to specifically target the locally running virtual machines. While only a few flags were used in the incident, QWCrypt windows cryptor offers numerous usage options (see Figure 9). Finally, the script runs a cleanup .bat script (qwc_<victim ID>_3.bat), which deletes existing shadow copies and every PowerShell console history file (ConsoleHost_history.txt) to hinder forensic recovery.

Figure 9: QWCrypt windows cryptor usage flags

The binary appends encrypted files with a .qwCrypt extension and drops a ransom note (!!!how_to_unlock_qwCrypt_files.txt) in every encrypted folder (see Figure 10). The ransom note observed by Sophos analysts in the April incident appears to be a condensed version of the note shown in the appendix of the Bitdefender analysis. While it contains the core double-extortion elements, it omits longer persuasive blocks like the detailed insurance-negotiation text reminiscent of HardBit ransom notes. Linguistically, several phrases in both QWCrypt notes are near-verbatim matches to well-known LockBit templates (e.g., “your data is stolen and encrypted,” “do not delete files,” “a paid training lesson for your admins”). This overlap does not necessarily indicate a connection between GOLD BLADE and LockBit threat actors. It is more likely that GOLD BLADE is reusing language from an established ransomware family to pressure victims.

Figure 10: QWCrypt ransomware note

Recommendations

GOLD BLADE’s abuse of recruitment platforms, cycles of dormancy and bursts, and continual refinement of delivery methods demonstrate a level of operational maturity not typically associated with financially motivated actors. In addition to leveraging various LOLBins, the group maintains a comprehensive and well-organized attack toolkit, including modified versions of open-source tooling and custom binaries to facilitate a multi-stage malware delivery chain. GOLD BLADE’s introduction of a custom locker for encryption and ability to pivot between espionage and ransomware further points to the group’s continual evolution and the need for organizations to bolster their defenses.

Many attacks can be prevented by training employees to recognize phishing attempts and potentially malicious resumes, and advising them to never bypass errors by downloading resumes from external links. It is also good practice to maintain backups of critical business data offline or in an isolated environment to limit the impact of an attack and facilitate recovery. Additionally, the following technical approaches can be effective against known GOLD BLADE tactics:

• Harden recruitment workflows – Consider routing attachments from recruitment platforms through email and security gateways for inspection before HR review, or automatically quarantining resumes containing embedded links, macros, or redirects. Organizations can also use secure document viewers that open resumes in a sandboxed browser or PDF-only viewer.

• Prioritize endpoint coverage and monitoring – Ensure that every endpoint (server or workstation) is centrally managed and kept up to date with protections. Comprehensive logging should be a baseline requirement for modern environments to provide visibility of impacted data, which is important not only for remediation but also for responding to regulatory and legal obligations.
• Implement a managed detection and response (MDR) solution – While having detection and blocking tools in place is critical, detection without action is less effective. Skilled analysts must be actively monitoring, investigating, and responding to alerts to ensure full coverage.

Detections

SophosLabs has developed the detections in Table 1 to detect activity associated with this threat.

Table 1: Sophos detections associated with this threat

Threat indicators

The threat indicators in Table 2 can be used to detect activity related to this threat. Note that IP addresses can be reallocated. The domains, URLs, and IP addresses may contain malicious content, so consider the risks before opening them in a browser.

Table 2: Indicators for this threat