GOLD BLADE remote DLL sideloading attack deploys RedLoader
NetmanageIT OpenCTI - opencti.netmanageit.com

SUMMARY:
A new infection chain for GOLD BLADE's RedLoader malware has been identified, combining previously separate techniques. The attack begins with a malicious PDF link, leading to a ZIP archive containing a LNK file masquerading as a PDF. This file executes conhost.exe, which uses WebDAV to contact a Cloudflare domain and remotely sideload a malicious DLL. The infection progresses through two stages of RedLoader, ultimately establishing command and control communication. This updated method, observed in July 2025, demonstrates the threat actors' ability to adapt and bypass defenses by combining known techniques in novel ways.
OPENCTI LABELS:
dll sideloading,webdav,redloader