
GOLD BLADE remote DLL sideloading attack deploys RedLoader

Published 31/07/2025 15:01 · Modified 31/07/2025 15:23


Essential information

Tags
2025-07-31 dll sideloading redloader webdav
Related entities
5 observables, 1 intrusion set (APT), 5 techniques (MITRE ATT&CK), 1 malware

Description

A new infection chain for GOLD BLADE's malware has been identified, combining techniques that were previously observed separately. The attack begins with a malicious PDF link that leads to a ZIP archive containing a LNK file masquerading as a PDF. Opening this file executes conhost.exe, which uses to contact a Cloudflare domain and remotely sideload a malicious DLL. The infection then progresses through two stages of , ultimately establishing command and control communication. This updated method, observed in July 2025, shows the threat actors' ability to adapt and bypass defenses by combining known techniques in novel ways.

External references