
RedLoader

RedLoader is a custom malware used by the financially motivated GOLD BLADE threat group, also tracked as RedCurl, Red Wolf, and Earth Kapre. It is deployed via DLL side-loading using legitimately signed Adobe executables, including renamed ADNotificationManager.exe, and has been observed in infection chains delivered through job-themed lures.

In the July 2025 chain documented by Sophos, a cover-letter PDF sent via third-party job platforms such as Indeed led victims to a ZIP archive containing a malicious LNK file disguised as a PDF. The LNK launched conhost.exe, used WebDAV to retrieve a remotely hosted renamed Adobe executable from automatinghrservices[.]workers[.]dev, and sideloaded a malicious DLL named netutils.dll as RedLoader stage 1. Stage 1 created a scheduled task named BrowserQE\BrowserQE_<Base64-encoded computer name>, downloaded a standalone stage 2 executable from live[.]airemoteplant[.]workers[.]dev, and executed it via PCALua.exe and conhost.exe. RedLoader transmits information about the infected host to remote command-and-control infrastructure, communicates with its C2 server, and executes PowerShell scripts to gather information about the compromised Active Directory environment.

Reported infrastructure and indicators include automatinghrservices[.]workers[.]dev, quiet[.]msftlivecloudsrv[.]workers[.]dev, live[.]airemoteplant[.]workers[.]dev, stage 1 filename netutils.dll, stage 1 SHA256 d302836c7df9ce8ac68a06b53263e2c685971781a48ce56b3b5a579c5bba10cc, and stage 2 SHA256 f5203c7ac07087fd5029d83141982f0a5e78f169cdc4ab9fc097cc0e2981d926.
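As an added illustration (not code from the Mallory page or the Sophos report), the Python below checks scheduled-task records against the stage 1 tradecraft described above: a task name matching BrowserQE\BrowserQE_<Base64>, whose suffix it decodes to recover the computer name, and a task action that chains PCALua.exe and conhost.exe. The sample task records and the hostname they encode are constructed for the demonstration.

```python
import base64
import binascii
import re

# Stage 1 task name documented in the chain: BrowserQE\BrowserQE_<Base64-encoded computer name>
TASK_NAME_RE = re.compile(r"^\\?BrowserQE\\BrowserQE_([A-Za-z0-9+/=]+)$")
# Stage 2 is launched through PCALua.exe and conhost.exe; match either ordering in the action string
LOLBIN_RE = re.compile(r"pcalua\.exe.*conhost\.exe|conhost\.exe.*pcalua\.exe", re.IGNORECASE)


def decode_hostname(b64: str):
    """Return the computer name carried in the task-name suffix, or None if it is not valid base64/ASCII."""
    try:
        name = base64.b64decode(b64, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return name if name.isprintable() else None


def inspect_task(task_name: str, action: str) -> dict:
    """Score one scheduled-task record (e.g. from a task-creation event) against the RedLoader stage 1 pattern."""
    findings = []
    hostname = None
    match = TASK_NAME_RE.match(task_name)
    if match:
        hostname = decode_hostname(match.group(1))
        findings.append("task name matches BrowserQE\\BrowserQE_<base64> pattern")
    if LOLBIN_RE.search(action):
        findings.append("task action chains PCALua.exe and conhost.exe")
    return {"task": task_name, "hostname": hostname, "findings": findings, "suspicious": bool(findings)}


# Constructed sample records (not taken from the report). The first mimics the documented pattern
# with the constructed hostname "WS-FINANCE-07" base64-encoded; the second is a benign built-in task.
SAMPLE_TASKS = [
    ("\\BrowserQE\\BrowserQE_V1MtRklOQU5DRS0wNw==",
     "C:\\Windows\\System32\\pcalua.exe -a C:\\Windows\\System32\\conhost.exe <stage2 placeholder>"),
    ("\\Microsoft\\Windows\\Defrag\\ScheduledDefrag", "%windir%\\system32\\defrag.exe -c -h -o -$"),
]


def scan(tasks=SAMPLE_TASKS):
    """Return only the records that raised at least one finding."""
    return [r for r in (inspect_task(name, action) for name, action in tasks) if r["suspicious"]]


if __name__ == "__main__":
    for hit in scan():
        print(hit)
```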


THREAT ACTORS

Groups observed using it

1 distinct threat actor attributed by public researchers.

RedCurl

Sophos analysts are investigating a new infection chain for the GOLD BLADE cybercriminal group’s custom RedLoader malware, which initiates command and control (C2) communications.

via Sophos Threat Research (news.sophos.com)
MITRE ATT&CK

Techniques & procedures

13 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

2 techniques
T1566 Phishing (Evidence: 1)

A malicious link in the PDF downloads a ZIP archive to the victim’s system. The archive contains a LNK file that masquerades as a PDF.

T1566.002 Spearphishing Link (Evidence: 2)

The attack starts with a threat actor sending a well-crafted cover letter PDF to a target via a third-party job site such as ‘indeed.com’. A malicious link in the PDF downloads a ZIP archive to the victim’s system.

Execution

3 techniques
T1053.005 Scheduled Task (Evidence: 2)

RedLoader stage 1 creates a scheduled task named ‘BrowserQE\BrowserQE_<Base64-encoded computer name>’ on the victim’s system and downloads a standalone executable for stage 2.

T1059 Command and Scripting Interpreter (Evidence: 1)

The LNK file executes conhost.exe... The scheduled task uses PCALua.exe and conhost.exe to execute RedLoader stage 2.

T1059.001 PowerShell (Evidence: 1)

RedLoader begins an infection chain that transmits information about the infected host to a remote command and control (C2) host and executes PowerShell scripts that gather information about the compromised Active Directory (AD) environment.

Persistence

2 techniques
T1053.005 Scheduled Task (Evidence: 2)

RedLoader stage 1 creates a scheduled task named ‘BrowserQE\BrowserQE_<Base64-encoded computer name>’ on the victim’s system and downloads a standalone executable for stage 2.

T1547.009 Shortcut Modification (Evidence: 2)

The archive contains a LNK file that masquerades as a PDF. The LNK file executes conhost.exe.

Privilege Escalation

2 techniques
T1053.005 Scheduled Task (Evidence: 2)

RedLoader stage 1 creates a scheduled task named ‘BrowserQE\BrowserQE_<Base64-encoded computer name>’ on the victim’s system and downloads a standalone executable for stage 2.

T1547.009 Shortcut Modification (Evidence: 2)

The archive contains a LNK file that masquerades as a PDF. The LNK file executes conhost.exe.

Stealth

1 technique
T1036 Masquerading (Evidence: 1)

The archive contains a LNK file that masquerades as a PDF... A renamed signed version of the Adobe ADNotificationManager.exe executable masquerades as a resume...

Discovery

1 technique
T1018 Remote System Discovery (Evidence: 1)

...executes PowerShell scripts that gather information about the compromised Active Directory (AD) environment.

Lateral Movement

1 technique
T1021.005 VNC (Evidence: 1)

This executable leverages WebDAV to contact a CloudFlare domain... A renamed signed version of the Adobe ADNotificationManager.exe executable... is remotely hosted on the attacker-controlled server.

Collection

1 technique
T1560 Archive Collected Data (Evidence: 1)

A malicious link in the PDF downloads a ZIP archive to the victim’s system. The archive contains a LNK file that masquerades as a PDF.

Command and Control

3 techniques
T1071 Application Layer Protocol (Evidence: 1)

Sophos analysts are investigating a new infection chain for the GOLD BLADE cybercriminal group’s custom RedLoader malware, which initiates command and control (C2) communications... RedLoader stage 2 communicates with its C2 server.

T1071.001 Web Protocols (Evidence: 1)

Sophos analysts are investigating a new infection chain for the GOLD BLADE cybercriminal group’s custom RedLoader malware, which initiates command and control (C2) communications... RedLoader stage 2 communicates with its C2 server.

T1105 Ingress Tool Transfer (Evidence: 2)

RedLoader stage 1 creates a scheduled task... and downloads a standalone executable for stage 2 from ‘live[.]airemoteplant[.]workers[.]dev’.

INDICATORS OF COMPROMISE

IOCs tracked for this family

7 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.

Network (4 tracked): IPs, domains, and DNS infrastructure linked to this family.

Hashes (3 tracked): file hashes (MD5, SHA-1, SHA-256) from samples and reports.
