Security analysts at Sophos are warning of a new infection chain devised by the financially motivated GOLD BLADE cybercriminal group, known for its expertise in targeted phishing attacks on organizations since 2018.
Also tracked as RedCurl, Red Wolf, or Earth Kapre, GOLD BLADE has been observed leveraging a creative combination of attack techniques in July 2025 to deploy their custom malware, RedLoader, onto Windows systems by exploiting Windows shortcut (LNK) files.
Sideloaded Malware
The attack sequence begins with GOLD BLADE operators sending a convincingly crafted cover letter PDF via reputable job portals such as Indeed, targeting human resources personnel.
Embedded within these PDFs is a malicious link that, when clicked, downloads a ZIP archive onto the victim’s system. This archive contains a Windows LNK file that cleverly masquerades as a legitimate PDF document.
Upon being opened, the LNK file silently executes conhost.exe, which is utilized to reach out to a remote CloudFlare Workers domain controlled by the attackers via WebDAV, a method for accessing files over the web.
Hosted on this infrastructure is a digitally signed but renamed copy of Adobe’s ADNotificationManager.exe, disguised as a resume (CV-APP-2012-68907872.exe). This executable is strategically placed alongside a malicious DLL file called netutils.dll.

Employing the classic DLL sideloading tactic, the benign-looking executable loads the netutils.dll payload, effectively launching the first stage of the RedLoader infection.
This highly targeted method merges previously documented techniques (remote DLL execution through WebDAV and the sideloading of signed Adobe binaries), but the July 2025 combination had not been publicly reported prior to Sophos’ findings.
Multi-Stage Payload Delivers C2 Communications
With the initial infection established, RedLoader’s stage one component creates a scheduled task named ‘BrowserQE\BrowserQE_<Base64-encoded computer name>’, designed to ensure persistence on the victim’s system.
This task is responsible for downloading a second-stage payload, a standalone executable from another attacker-controlled domain.
The second-stage executable, uniquely named per victim but exhibiting a consistent SHA256 hash across cases, is executed with the help of Windows processes PCALua.exe and conhost.exe.
Once running, this next stage establishes contact with command-and-control (C2) infrastructure to exfiltrate data and receive attacker instructions.
The infection flow’s shift to delivering a standalone executable for stage two diverges from observed activity in late 2024, indicating the group’s adaptive and evolving tactics.
According to the report, “The emergence of this attack demonstrates the continued evolution of initial access techniques by cybercriminal groups like GOLD BLADE, highlighting how previously effective security controls may be circumvented by modifications in the attack chain.”
To counter this threat, organizations are advised to implement Group Policy Objects restricting the execution of LNK files from directories commonly abused by malware, such as Downloads and AppData folders.
Additionally, endpoint security solutions including specific Sophos protections are being updated to identify and block the malicious artifacts and behaviors associated with this campaign.
Detection signatures focus on key elements such as the abuse of signed executables for DLL sideloading, suspicious child process creation by conhost.exe, and the static signatures of RedLoader payloads.
Key Indicators of Compromise
| Indicator | Type | Context |
|---|---|---|
| automatinghrservices[.]workers[.]dev | Domain | GOLD BLADE C2 server |
| quiet[.]msftlivecloudsrv[.]workers[.]dev | Domain | GOLD BLADE C2 server |
| live[.]airemoteplant[.]workers[.]dev | Domain | GOLD BLADE C2 server |
| netutils.dll | Filename | RedLoader stage 1 DLL deployed via sideloading |
| d302836c7df9ce8ac68a06b53263e2c685971781a48ce56b3b5a579c5bba10cc | SHA256 hash | RedLoader stage 1 |
| f5203c7ac07087fd5029d83141982f0a5e78f169cdc4ab9fc097cc0e2981d926 | SHA256 hash | RedLoader stage 2 |
| 369acb06aac9492df4d174dbd31ebfb1e6e0c5f3 | SHA1 hash | RedLoader stage 2 |