RedLoader
RedLoader is a custom malware used by the financially motivated GOLD BLADE threat group, also tracked as RedCurl, Red Wolf, and Earth Kapre. It is deployed via DLL side-loading using legitimately signed Adobe executables, including renamed ADNotificationManager.exe, and has been observed in phishing and recruitment-themed intrusion chains. Reported delivery methods include malicious documents disguised as resumes or cover letters, ZIP archives containing LNK files masquerading as PDFs, execution through conhost.exe, and WebDAV-hosted payload retrieval from Cloudflare Workers infrastructure.
RedLoader begins an infection chain by transmitting information about the infected host to a remote command-and-control server and executing PowerShell scripts to gather information about the compromised Active Directory environment. In July 2025 activity documented by Sophos, a stage 1 DLL named netutils.dll was remotely side-loaded, created a scheduled task named BrowserQE\BrowserQE_<Base64-encoded computer name>, downloaded a standalone stage 2 executable from attacker infrastructure, and executed it via PCALua.exe and conhost.exe. The stage 2 payload communicated with C2 and used victim-specific filenames such as BrowserQE_<Base64-encoded computer name>.exe.
The malware has been associated with commercial espionage operations and later hybrid intrusions that also included ransomware deployment by the same actor. Targeting linked to the broader GOLD BLADE/STAC6565 activity has included organizations in Canada, the U.S., Australia, and the U.K., with sectors including services, manufacturing, retail, technology, NGOs, and transportation. High-confidence indicators mentioned in the reporting include the domains automatinghrservices[.]workers[.]dev, quiet[.]msftlivecloudsrv[.]workers[.]dev, and live[.]airemoteplant[.]workers[.]dev; the filename netutils.dll; SHA256 hashes d302836c7df9ce8ac68a06b53263e2c685971781a48ce56b3b5a579c5bba10cc and f5203c7ac07087fd5029d83141982f0a5e78f169cdc4ab9fc097cc0e2981d926; and SHA1 hash 369acb06aac9492df4d174dbd31ebfb1e6e0c5f3.
Groups observed using it
1 distinct threat actor attributed by public researchers.
Sophos analysts are investigating a new infection chain for the GOLD BLADE cybercriminal group’s custom RedLoader malware, which initiates command and control (C2) communications.
Techniques & procedures
9 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
1 technique
The attack starts with a threat actor sending a well-crafted cover letter PDF to a target via a third-party job site such as ‘indeed.com’. A malicious link in the PDF downloads a ZIP archive to the victim’s system.
Execution
3 techniques
RedLoader stage 1 creates a scheduled task named ‘BrowserQE\BrowserQE_<Base64-encoded computer name>’ on the victim’s system and downloads a standalone executable for stage 2... The scheduled task uses PCALua.exe and conhost.exe to execute RedLoader stage 2
The LNK file executes conhost.exe... The scheduled task uses PCALua.exe and conhost.exe to execute RedLoader stage 2
RedLoader begins an infection chain that transmits information about the infected host to a remote command and control (C2) host and executes PowerShell scripts that gather information about the compromised Active Directory (AD) environment.
Persistence
2 techniques
RedLoader stage 1 creates a scheduled task named ‘BrowserQE\BrowserQE_<Base64-encoded computer name>’ on the victim’s system and downloads a standalone executable for stage 2... The scheduled task uses PCALua.exe and conhost.exe to execute RedLoader stage 2
Privilege Escalation
2 techniques
RedLoader stage 1 creates a scheduled task named ‘BrowserQE\BrowserQE_<Base64-encoded computer name>’ on the victim’s system and downloads a standalone executable for stage 2... The scheduled task uses PCALua.exe and conhost.exe to execute RedLoader stage 2
Discovery
1 technique
Executes PowerShell scripts that gather information about the compromised Active Directory (AD) environment.
Collection
1 technique
A malicious link in the PDF downloads a ZIP archive to the victim’s system. The archive contains a LNK file that masquerades as a PDF.
Command and Control
2 techniques
Sophos analysts are investigating a new infection chain for the GOLD BLADE cybercriminal group’s custom RedLoader malware, which initiates command and control (C2) communications... RedLoader stage 2 communicates with its C2 server.
This executable leverages WebDAV to contact a CloudFlare domain... A renamed signed version of the Adobe ADNotificationManager.exe executable masquerades as a resume and is remotely hosted on the attacker-controlled server... This file resides in the same directory as the RedLoader stage 1 DLL file (netutils.dll). | RedLoader stage 1 creates a scheduled task... and downloads a standalone executable for stage 2 from ‘live[.]airemoteplant[.]workers[.]dev’.
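As an added illustration of the chain summarised in the family description and the technique list above (example code written here, not from Sophos, Mallory or the RedLoader reporting), the following Python runs three defender-side checks drawn from the reported behaviours over constructed telemetry records: a scheduled task whose BrowserQE_ suffix Base64-decodes to the computer name, PCALua.exe spawning conhost.exe, and netutils.dll loading from outside the Windows directory. The host name, file paths and sample records are constructed, not observed values.

```python
import base64
import binascii
import re
# Hypothetical victim host name, used only to build the constructed sample telemetry.
HOST = "WS-FINANCE01"
# Reported task naming scheme: BrowserQE\BrowserQE_<Base64-encoded computer name>
TASK_RE = re.compile(r"^\\?BrowserQE\\BrowserQE_(?P<tag>[A-Za-z0-9+/]+={0,2})$")
def b64_host(name):
    """Base64-encode a computer name the way the reported task/file names do."""
    return base64.b64encode(name.encode("utf-8")).decode("ascii")

def decode_task_tag(task_name):
    """Return the computer name embedded in a BrowserQE task name, else None."""
    m = TASK_RE.match(task_name)
    if not m:
        return None
    try:
        return base64.b64decode(m.group("tag"), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None

def basename(path):
    return path.lower().rsplit("\\", 1)[-1]

def check_event(ev, host):
    """Map one telemetry record to a finding string, or None if nothing matches."""
    if ev["type"] == "task_create":
        tag = decode_task_tag(ev["task"])
        if tag is not None:
            hint = "matches host" if tag == host else f"decodes to {tag!r}"
            return f"stage 1 scheduled task {ev['task']} ({hint})"
    elif ev["type"] == "process_create":
        if basename(ev["parent"]) == "pcalua.exe" and basename(ev["image"]) == "conhost.exe":
            return f"PCALua.exe -> conhost.exe launch: {ev['cmdline']}"
    elif ev["type"] == "image_load":
        if basename(ev["loaded"]) == "netutils.dll" and not ev["loaded"].lower().startswith("c:\\windows\\"):
            return f"netutils.dll loaded from {ev['loaded']} by {ev['image']}"
    return None
# Constructed sample records (not real logs) mirroring the reported chain; the last two are benign.
SAMPLE_EVENTS = [
    {"type": "image_load", "image": r"C:\Users\alice\Downloads\Resume.exe", "loaded": r"C:\Users\alice\Downloads\netutils.dll"},
    {"type": "task_create", "task": "\\BrowserQE\\BrowserQE_" + b64_host(HOST)},
    {"type": "process_create", "parent": r"C:\Windows\System32\PCALua.exe", "image": r"C:\Windows\System32\conhost.exe", "cmdline": "conhost.exe BrowserQE_" + b64_host(HOST) + ".exe"},
    {"type": "task_create", "task": r"\Microsoft\Windows\Defrag\ScheduledDefrag"},
    {"type": "image_load", "image": r"C:\Windows\System32\svchost.exe", "loaded": r"C:\Windows\System32\netutils.dll"},
]
def hunt(events, host=HOST):
    """Findings for every record that matches a reported RedLoader behaviour."""
    return [f for f in (check_event(e, host) for e in events) if f]
```

Decoding the task suffix and comparing it to the local host name separates a genuine stage 1 task from a name that merely looks similar; the netutils.dll check deliberately ignores the copy under the Windows directory.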
IOCs tracked for this family
7 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
Recent activity
6 sources tracked across advisories, community write-ups, and news.
A custom loader used by GOLD BLADE/RedCurl that is side-loaded via legitimately signed Adobe executables, communicates with C2, and launches PowerShell-based reconnaissance against the victim environment, including Active Directory discovery.
Custom malware used by GOLD BLADE as a multi-stage loader. It is delivered via a malicious LNK file that remotely executes and sideloads a benign executable to load the stage 1 DLL, establishes persistence via a scheduled task, downloads a standalone stage 2 executable, and then initiates C2 communications.
A custom loader used by RedCurl/Gold Blade to collect system and Active Directory information, send it to C2, and deliver additional payloads, including ransomware.
Malware loader delivered via DLL side-loading, used to execute additional payloads.