Intel Name: GOLD BLADE remote DLL sideloading attack deploys RedLoader
Date of Scan: August 4, 2025
Impact: High
Summary: We are analyzing a newly identified infection chain linked to the GOLD BLADE cybercriminal group and their custom RedLoader malware, which establishes command and control (C2) communications. In this campaign, the attackers use a LNK file to remotely execute and sideload a legitimate executable, which in turn loads the stage 1 RedLoader payload hosted on GOLD BLADE infrastructure. The group has previously used these techniques separately: remote DLL execution via WebDAV was seen in September 2024, and sideloading of a renamed ADNotificationManager.exe was noted in March 2025. The combination of both methods, observed in July 2025, marks a novel approach to initial execution that has not been publicly documented before.
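The detection angle that follows from this summary is the overlap of two otherwise separate signals: an executable (or the DLL it loads) coming from a WebDAV/UNC path, and a sideloading host whose on-disk name no longer matches its PE OriginalFileName. The following Python is an added example written for this entry, not code from the report or from any vendor tooling. It assumes Sysmon-style process-creation (EventID 1) and image-load (EventID 7) records expressed as dictionaries; the hostnames, paths, GUIDs and file names in `SAMPLE_EVENTS` are constructed placeholders, not indicators from the report.

```python
import re
from collections import defaultdict

# UNC prefix: \\host\share\...  WebDAV reached through the Windows mini-redirector
# also surfaces as a UNC path, so this is the first filter for "remote" execution.
UNC_PREFIX = re.compile(r"^\\\\[^\\]+\\")
# Tokens that mark a UNC path as served over WebDAV rather than SMB.
WEBDAV_HINTS = ("davwwwroot", "@ssl", "@80", "@443")

# PE OriginalFileName values of legitimate binaries this report names as sideloading hosts.
SIDELOAD_HOSTS = {"adnotificationmanager.exe"}


def is_unc(path: str) -> bool:
    return bool(UNC_PREFIX.match(path))


def is_webdav(path: str) -> bool:
    p = path.lower()
    return is_unc(path) and any(h in p for h in WEBDAV_HINTS)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze(events):
    """Group findings per ProcessGuid and score them. Returns {guid: {"severity", "reasons"}}."""
    reasons = defaultdict(list)
    for ev in events:
        guid = ev["ProcessGuid"]
        if ev["EventID"] == 1:  # process creation
            image, orig = ev["Image"], ev.get("OriginalFileName", "").lower()
            if is_unc(image):
                via = "WebDAV" if is_webdav(image) else "UNC"
                reasons[guid].append(f"remote-exec: image launched from {via} path {image}")
            if orig in SIDELOAD_HOSTS and basename(image) != orig:
                reasons[guid].append(f"renamed-host: {basename(image)} carries OriginalFileName {orig}")
        elif ev["EventID"] == 7:  # image load (DLL)
            loaded = ev["ImageLoaded"]
            if is_unc(loaded):
                via = "WebDAV" if is_webdav(loaded) else "UNC"
                reasons[guid].append(f"remote-dll: {basename(loaded)} loaded from {via} path")
    out = {}
    for guid, rs in reasons.items():
        kinds = {r.split(":", 1)[0] for r in rs}
        # The July 2025 chain pairs a renamed sideloading host with remote (WebDAV) loading.
        # That overlap is the novel combination, so it scores High; either signal alone is Medium.
        high = "renamed-host" in kinds and bool(kinds & {"remote-exec", "remote-dll"})
        out[guid] = {"severity": "High" if high else "Medium", "reasons": rs}
    return out


# Constructed telemetry (placeholder hosts, GUIDs and file names; not indicators from the report).
SAMPLE_EVENTS = [
    # Process A: renamed host started from a WebDAV share, then loads a DLL from the same share.
    {"EventID": 1, "ProcessGuid": "{A}", "Image": r"\\webdav.example.invalid@80\DavWWWRoot\share\Update.exe",
     "OriginalFileName": "ADNotificationManager.exe", "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 7, "ProcessGuid": "{A}", "Image": r"\\webdav.example.invalid@80\DavWWWRoot\share\Update.exe",
     "ImageLoaded": r"\\webdav.example.invalid@80\DavWWWRoot\share\helper.dll"},
    # Process B: the same legitimate host run from its normal install path with local DLLs only.
    {"EventID": 1, "ProcessGuid": "{B}", "Image": r"C:\Program Files\Vendor\ADNotificationManager.exe",
     "OriginalFileName": "ADNotificationManager.exe", "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 7, "ProcessGuid": "{B}", "Image": r"C:\Program Files\Vendor\ADNotificationManager.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\helper.dll"},
    # Process C: an unrelated binary run straight from an SMB share, no sideloading host involved.
    {"EventID": 1, "ProcessGuid": "{C}", "Image": r"\\fileserver.example.invalid\tools\tool.exe",
     "OriginalFileName": "tool.exe", "ParentImage": r"C:\Windows\explorer.exe"},
]


if __name__ == "__main__":
    for guid, verdict in analyze(SAMPLE_EVENTS).items():
        print(guid, verdict["severity"], *verdict["reasons"], sep="\n  ")
```

Process A is the only record set that reproduces the chain in this entry (remote WebDAV execution plus a renamed ADNotificationManager.exe) and is the only one scored High; process B shows the same binary in its legitimate form producing no finding, and process C shows that a plain remote execution on its own stays at Medium. In production the OriginalFileName comparison should be extended to whatever sideloading hosts your own telemetry has seen, and the UNC check paired with the LNK-launch context (explorer.exe parent) the summary describes.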