Gold blade remote dll sideloading attack deploys redloader

Intel Name: Gold blade remote dll sideloading attack deploys redloader

Date of Scan: July 31, 2025

Impact: Medium

Summary:
Analysts are examining a new infection chain linked to the GOLD BLADE cybercriminal group's custom RedLoader malware, which establishes command and control (C2) communications. The chain starts with a LNK file that remotely executes a benign executable and sideloads a DLL into it; that executable then loads the stage 1 RedLoader payload hosted on GOLD BLADE infrastructure. Each technique had been seen on its own before (WebDAV-based remote DLL execution in September 2024, and sideloading into a renamed ADNotificationManager.exe in March 2025), but their combined use, first observed in July 2025, is a novel initial execution method that had not previously been disclosed publicly.
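A defender-side check for the WebDAV-hosted remote execution and sideload stage described above, added here as an example rather than code from the referenced report. The event records and host name are constructed placeholders; the only facts relied on are the UNC path shapes the Windows WebClient service produces for WebDAV shares.

```python
import re
from typing import Dict, List, Optional, Tuple

# Windows exposes a WebDAV share as a UNC path such as \\host@SSL\DavWWWRoot\dir\file or
# \\host\DavWWWRoot\dir\file (an @port suffix may follow @SSL). A process image or DLL
# loaded from such a path was fetched from a remote web server, not from local disk.
WEBDAV_UNC = re.compile(r"^\\\\(?:[^\\]*@SSL[^\\]*\\|[^\\]+\\DavWWWRoot\\)", re.IGNORECASE)

# Constructed, simplified endpoint telemetry (not real events); file and host names are
# placeholders and are not indicators from any report.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"event": "process_create", "parent": r"C:\Windows\explorer.exe",
     "image": r"\\files.example.invalid@SSL\DavWWWRoot\share\viewer.exe"},
    {"event": "image_load", "process": r"\\files.example.invalid@SSL\DavWWWRoot\share\viewer.exe",
     "image": r"\\files.example.invalid@SSL\DavWWWRoot\share\helper.dll"},
    {"event": "process_create", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Vendor\viewer.exe"},
    {"event": "image_load", "process": r"C:\Program Files\Vendor\viewer.exe",
     "image": r"C:\Program Files\Vendor\helper.dll"},
]


def is_webdav_path(path: str) -> bool:
    """True when the path points into a WebDAV share mounted by the WebClient service."""
    return bool(WEBDAV_UNC.match(path))


def classify(event: Dict[str, str]) -> Optional[str]:
    """Label one event, or return None when nothing about it stands out."""
    if event["event"] == "process_create" and is_webdav_path(event["image"]):
        # A parent of explorer.exe is consistent with a user opening a shortcut (LNK),
        # which is how the chain above starts its remote execution.
        if event["parent"].lower().endswith("\\explorer.exe"):
            return "remote-exe-from-shortcut"
        return "remote-exe"
    if event["event"] == "image_load" and is_webdav_path(event["image"]):
        # A DLL resolved from the WebDAV share next to the executable is the sideload.
        return "remote-dll-load"
    return None


def scan(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (label, path) findings in event order; benign local activity yields none."""
    findings = []
    for ev in events:
        label = classify(ev)
        if label:
            findings.append((label, ev["image"]))
    return findings
```

A real deployment would feed process-creation and image-load events from the endpoint sensor into `scan` and alert on any finding, since legitimate software is rarely executed straight out of a WebDAV share.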
