Sophos linked nearly 40 STAC6565 intrusions (Feb 2024–Aug 2025) to the GOLD BLADE group, which has evolved from espionage into a hybrid operation that mixes targeted data theft with selective ransomware deployment using a custom locker called QWCrypt. The group refines RedLoader delivery chains, abuses recruitment platforms to deliver weaponized resumes, leverages BYOVD drivers and modified Terminator tools for EDR evasion, and uses RPivot/Chisel for tunneled C2. #GOLD_BLADE #QWCrypt
Keypoints
- Sophos observed nearly 40 STAC6565 intrusions attributed with high confidence to GOLD BLADE between February 2024 and August 2025, with ~80% of incidents targeting Canadian organizations and selective QWCrypt deployments in April and July 2025.
- Initial access shifted from spearphishing emails to abuse of recruitment platforms (Indeed, JazzHR, ADP WorkforceNow) by submitting weaponized resumes or PDFs that host or link to malicious payloads.
- RedLoader is delivered through a multi-stage chain: an initial DLL fetched from WebDAV by a .lnk file that invokes rundll32.exe, an ISO/IMG image that sideloads the DLL through a renamed copy of the legitimate ADNotificationManager.exe, or a combination of both. Second- and third-stage payloads are launched by scheduled tasks, with pcalua.exe and conhost.exe variants used for execution.
- GOLD BLADE used BYOVD techniques with signed Zemana drivers and modified Terminator EDR-killer tooling, renaming loaders and drivers and modifying registry values to turn off the Microsoft vulnerable driver blocklist (VulnerableDriverBlocklistEnable set to 0) and Hypervisor-Enforced Code Integrity (HVCI) so the drivers would load.
- C2 and tunneling relied on RPivot (a Python SOCKS proxy script) and Chisel (run as Windows services created with NSSM), while data staging and exfiltration used Cloudflare Workers/WebDAV endpoints and automated SMB transfers.
- The group exhibits a professional hack-for-hire posture: cyclical bursts of activity, continuous refinement of tradecraft, victim-specific artifacts and IDs, and a blend of espionage and opportunistic monetization via QWCrypt.
MITRE Techniques
- [T1566.001] Phishing: Spearphishing Attachment – HR-targeted spearphishing with malicious resumes and PDFs used as the initial lure (‘historically targeted human resources (HR) personnel by sending well-crafted spearphishing emails containing malicious documents disguised as resumes, curricula vitae (CVs), or cover letters’).
- [T1204] User Execution – Malicious document and link interaction required for initial execution (‘the initial lure used in the STAC6565 campaign is often a resume submitted as a PDF… These PDFs are either weaponized directly or link to externally hosted content’).
- [T1105] Ingress Tool Transfer – Downloading payloads from external WebDAV and Cloudflare Workers domains to victim systems (‘uses rundll32.exe to retrieve the initial RedLoader DLL from a WebDAV server hosted behind a Cloudflare Workers domain’).
- [T1574.002] Hijack Execution Flow: DLL Side-Loading – Sideloading RedLoader DLLs via a renamed legitimate ADNotificationManager.exe and other binaries (‘the .iso or .img file… contains a renamed copy of the legitimate ADNotificationManager.exe… Execution of the legitimate file sideloads the initial RedLoader DLL’).
- [T1053.005] Scheduled Task/Job: Scheduled Task – Creation and use of scheduled tasks to download and execute second- and third-stage payloads (‘the first-stage DLL connects to an external C2 server before creating a scheduled task to download and execute the second-stage payload’).
- [T1218] System Binary Proxy Execution (LOLBin abuse) – Using pcalua.exe, rundll32.exe, conhost.exe and other system binaries to execute payloads (‘use of the Program Compatibility Assistant (pcalua.exe) living-off-the-land binary (LOLBin) for payload execution has remained the same’).
- [T1543.003] Create or Modify System Process: Windows Service – Using NSSM to install Chisel as services running as SOCKS clients (‘created two distinct Windows service entries pointing to the same Chisel binary… Each service was configured as a SOCKS client to attacker-controlled servers’).
- [T1090] Proxy – Tunneling C2 into victim networks via RPivot and Chisel (SOCKS) to reach internal resources (‘deploying RPivot for C2 communications… establishes a connection to remote IP address 109[.]206[.]236[.]209’, plus Chisel services pointed at attacker servers).
- [T1036] Masquerading – Renaming binaries, drivers, and shortcuts and disguising lures to appear legitimate (‘the fake resume drops a ZIP archive containing a .lnk file disguised as a PDF’; loaders and drivers were renamed to lmhost.exe/lmhost.sys, wmlib.exe/wmlib.sys, etc.).
- [T1112] Modify Registry – Disabling Windows security controls by changing registry values to allow vulnerable driver loading and disable HVCI (‘modified the registry to disable two core Windows security mechanisms… VulnerableDriverBlocklistEnable /d 0x0 … HypervisorEnforcedCodeIntegrity /d 0x0’).
- [T1021.002] Remote Services: SMB/Windows Admin Shares – Lateral execution and staging via automated SMB transfers and Impacket remote execution using local admin accounts (‘staged on endpoints across the environment via automated SMB transfers… local admin accounts and Impacket remote execution to run the launcher script’).
- [T1041] Exfiltration Over C2 Channel – Compressing collected system discovery data and transferring it to attacker-controlled WebDAV/Cloudflare Workers endpoints (‘compresses the results into encrypted, password-protected archives via 7-Zip and transfers the data to an attacker-controlled WebDAV server’).
Indicators of Compromise
- [Domain] C2, initial payload hosting and exfiltration – automatinghrservices[.]workers[.]dev, local[.]chronotypelabs[.]workers[.]dev, and 6 more worker/domains observed.
- [URL] Initial RedLoader download link used in April 2025 – hxxps://get[.]easyhrservicesm[.]workers[.]dev/id/KEgldoor0327de
- [IP address] RPivot / C2 servers and Chisel endpoints – 109[.]206[.]236[.]209, 23[.]254[.]224[.]79, and several other IPs used across incidents.
- [Filename] First-stage and supporting binaries – netutils.dll, srvcli.dll (first-stage RedLoader DLLs), and ADNotificationManager.exe (legitimate binary used for sideloading).
- [Driver / Binary names] EDR-killer and BYOVD artifacts – term.sys / term.exe (Terminator), lmhost.sys / lmhost.exe, wmlib.sys / wmlib.exe (renamed drivers/loaders used for kernel loading).
- [Ransom note / filenames] QWCrypt artifacts and notes – !!!how_to_unlock_qwCrypt_files.txt (ransom note) and qwc_.exe (QWCrypt binary names).
- [SHA256 hashes] Sample binaries (examples) – f5203c7ac07087fd5029d83141982f0a5e78f169cdc4ab9fc097cc0e2981d926 (second-stage RedLoader, July 2025), 568352411deff640ba781ae55d98d657da02191d97e0466e6883b966dd1e77db (QWCrypt, July 2025), and 60 more hashes listed in the report's indicators.
- [Other hash types] Additional sample hashes (SHA1/MD5 examples) – 6b53e25bbf07ce657347164026f6bc50680319f5 (SHA1, modified Terminator, April 2025), 3debde1aeae4255e0d40ad410421f175 (MD5, Terminator, April 2025), and many other hash entries.
Read more: https://news.sophos.com/en-us/2025/12/05/sharpening-the-knife-gold-blades-strategic-evolution/