Sharpening the Knife: Gold Blade's Strategic Evolution
Summary:
The GOLD BLADE threat group has undergone a significant strategic evolution, shifting from a primary focus on cyberespionage to operating as a hybrid operation that successfully blends data theft with selective ransomware deployment. This highly professionalized organization, also known as RedCurl or Earth Kapre, continues to refine its intrusion methods, most notably by moving away from traditional phishing emails to abusing third-party recruitment platforms like Indeed and JazzHR. This tactical shift allows them to deliver weaponized resumes directly through trusted applicant-tracking systems, effectively evading email-based security protections and capitalizing on recruiter trust. Their activity, tracked in the STAC6565 campaign, is characterized by a distinct rhythm of dormancy followed by sudden, intense bursts, with each wave introducing updated tradecraft. Geographically, their targeting has narrowed considerably, focusing overwhelmingly on Canadian organizations (nearly 80% of attacks), though they cast a wide net across various sectors, including Services, Manufacturing, and Retail.
Security Officer Comments:
This adaptability is evident in the continuous modification of their RedLoader infection chain, which has tested different payload formats and execution mechanisms, including using WebDAV via Cloudflare Workers for stealthy initial delivery. Once inside the network, GOLD BLADE demonstrates sophisticated defense evasion techniques. They employ a Bring Your Own Vulnerable Driver approach using a customized version of the Terminator EDR killer tool and a legitimately signed but vulnerable Zemana driver to disable extended detection and response solutions. They further ensure operational success by modifying core Windows registry keys to disable security features like the Vulnerable Driver Blocklist and Hypervisor-Enforced Code Integrity. Finally, in select intrusions, they deploy the custom QWCrypt ransomware. This deployment is manual and highly tailored, often occurring days after initial data exfiltration, suggesting the threat actors may be independently monetizing breaches in addition to conducting espionage for clients, a strong indicator of their growing financial motivation and independence from a pure "hack-for-hire" model.
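As an added defender-side example (not code from the Sophos report), the following Python flags the two registry changes described above and any kernel driver loading from outside the normal driver directories, working over constructed Sysmon-style records (Event ID 13 registry value sets and Event ID 6 driver loads). The registry paths are the documented Windows locations for the Vulnerable Driver Blocklist and HVCI settings; the hostnames, writing processes and driver file name in the sample events are invented for this example.

```python
import re

# Documented Windows registry values behind the two protections the text names. Sysmon records
# the path with an "HKLM\" prefix and DWORD data as "DWORD (0x00000001)"; matching is
# case-insensitive because Sysmon preserves whatever casing the writing process used.
WATCHED_VALUES = {
    r"hklm\system\currentcontrolset\control\ci\config\vulnerabledriverblocklistenable":
        "Microsoft Vulnerable Driver Blocklist",
    r"hklm\system\currentcontrolset\control\deviceguard\scenarios"
    r"\hypervisorenforcedcodeintegrity\enabled":
        "Hypervisor-Enforced Code Integrity (HVCI)",
}

# Kernel drivers normally load from these directories; a .sys loading from a user-writable
# location is a common BYOVD tell worth a look.
EXPECTED_DRIVER_DIRS = (r"c:\windows\system32\drivers", r"c:\windows\system32\driverstore")

DWORD_RE = re.compile(r"DWORD \(0x([0-9a-fA-F]{8})\)")


def parse_dword(details):
    """Integer value of a Sysmon DWORD 'Details' string, or None for other data types."""
    m = DWORD_RE.fullmatch(details.strip())
    return int(m.group(1), 16) if m else None


def find_protection_tampering(events):
    """Return findings for protection-disabling registry writes and unusual driver loads."""
    findings = []
    for ev in events:
        if ev.get("EventID") == 13:  # Sysmon RegistryEvent: value set
            label = WATCHED_VALUES.get(ev["TargetObject"].lower())
            if label and parse_dword(ev["Details"]) == 0:
                findings.append({"kind": "protection_disabled", "protection": label,
                                 "image": ev["Image"], "host": ev["Computer"]})
        elif ev.get("EventID") == 6:  # Sysmon DriverLoad
            if not ev["ImageLoaded"].lower().startswith(EXPECTED_DRIVER_DIRS):
                findings.append({"kind": "driver_from_unusual_path", "driver": ev["ImageLoaded"],
                                 "signature": ev.get("Signature", ""), "host": ev["Computer"]})
    return findings


# Constructed sample events: two protections switched off on HR-WS01 followed by a driver
# loading from a public directory, plus two benign records on FIN-WS07 that must not fire.
SAMPLE_EVENTS = [
    {"EventID": 13, "Computer": "HR-WS01", "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\CI\Config\VulnerableDriverBlocklistEnable",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 13, "Computer": "HR-WS01", "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\DeviceGuard\Scenarios"
                     r"\HypervisorEnforcedCodeIntegrity\Enabled",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 13, "Computer": "FIN-WS07", "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\CI\Config\VulnerableDriverBlocklistEnable",
     "Details": "DWORD (0x00000001)"},  # value left enabled: benign
    {"EventID": 6, "Computer": "HR-WS01", "ImageLoaded": r"C:\Users\Public\example_vuln_driver.sys",
     "Signed": "true", "Signature": "EXAMPLE-VENDOR"},  # invented file name and signer
    {"EventID": 6, "Computer": "FIN-WS07", "ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys",
     "Signed": "true", "Signature": "Microsoft Windows"},
]

if __name__ == "__main__":
    for finding in find_protection_tampering(SAMPLE_EVENTS):
        print(finding)
```

A signed driver loading from an unusual path is only a lead, not proof of BYOVD, so the two finding kinds are worth correlating by host and time: a blocklist or HVCI value set to 0 shortly before a driver load from a user-writable directory on the same machine is the combination that deserves an immediate look.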
Suggested Corrections:
Many attacks can be prevented by training employees to recognize phishing attempts and potentially malicious resumes, and advising them to never bypass errors by downloading resumes from external links. It is also good practice to maintain backups of critical business data offline or in an isolated environment to limit the impact of an attack and facilitate recovery. Additionally, the following technical approaches can be effective against known GOLD BLADE tactics:
- Harden recruitment workflows – Consider routing attachments from recruitment platforms through email and security gateways for inspection before HR review, or automatically quarantining resumes containing embedded links, macros, or redirects. Organizations can also use secure document viewers that open resumes in a sandboxed browser or PDF-only viewer.
- Prioritize endpoint coverage and monitoring – Ensure that every endpoint (server or workstation) is centrally managed and kept up to date with protections. Comprehensive logging should be a baseline requirement for modern environments to provide visibility of impacted data, which is important not only for remediation but also for responding to regulatory and legal obligations.
- Implement a managed detection and response (MDR) solution – While having detection and blocking tools in place is critical, detection without action is less effective. Skilled analysts must be actively monitoring, investigating, and responding to alerts to ensure full coverage.
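For the first bullet, an added example of the quarantine logic (not from the Sophos post or any product): a Python triage function that inspects an uploaded resume before it reaches HR and quarantines PDFs carrying link, launch, JavaScript or embedded-file objects, OOXML documents carrying a VBA project or external hyperlink relationships, and anything in a legacy or unrecognised format. The sample files are constructed in memory; the policy that only mailto: links pass is an assumption of this example.

```python
import io
import re
import zipfile

# PDF name objects whose presence in a resume warrants quarantine rather than HR review.
PDF_RISKY_NAMES = {
    b"/URI": "embedded link",
    b"/Launch": "launch action",
    b"/JavaScript": "JavaScript",
    b"/JS": "JavaScript",
    b"/OpenAction": "open action",
    b"/EmbeddedFile": "embedded file",
}

# OOXML stores hyperlinks as relationships with TargetMode="External"; attribute order varies.
EXTERNAL_REL_RE = re.compile(
    rb'Target="([^"]+)"[^>]*TargetMode="External"|TargetMode="External"[^>]*Target="([^"]+)"')


def inspect_pdf(data):
    """Keyword-level scan of uncompressed PDF objects for the risky names above."""
    reasons = []
    for name, label in PDF_RISKY_NAMES.items():
        # Lookahead stops "/JS" matching the start of a longer name such as "/JSomething".
        if re.search(re.escape(name) + rb"(?![A-Za-z])", data):
            reasons.append(label)
    return sorted(set(reasons))


def inspect_ooxml(data):
    """Look inside a .docx/.docm zip for a macro project and external link relationships."""
    reasons = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename.lower()
            if name.endswith("vbaproject.bin"):
                reasons.append("VBA macro project")
            elif name.endswith(".rels"):
                for m in EXTERNAL_REL_RE.finditer(zf.read(info)):
                    target = (m.group(1) or m.group(2)).decode("utf-8", "replace")
                    if not target.lower().startswith("mailto:"):  # assumed policy: mail links pass
                        reasons.append(f"external link: {target}")
    return sorted(set(reasons))


def triage_resume(filename, data):
    """Return ('review' | 'quarantine', reasons) for one uploaded resume. Unknown types fail closed."""
    if data.startswith(b"%PDF-"):
        reasons = inspect_pdf(data)
    elif data.startswith(b"PK\x03\x04"):
        try:
            reasons = inspect_ooxml(data)
        except zipfile.BadZipFile:
            reasons = ["corrupt or non-OOXML zip container"]
    elif data.startswith(b"\xd0\xcf\x11\xe0"):
        reasons = ["legacy binary Office (OLE) document"]
    else:
        reasons = ["unrecognised file type"]
    if filename.lower().endswith((".docm", ".xlsm", ".pptm")):
        reasons.append("macro-enabled file extension")
    return ("quarantine" if reasons else "review", sorted(set(reasons)))


# Constructed sample inputs: a minimal clean PDF, a PDF with a link annotation, and a
# builder for in-memory .docx/.docm containers.
CLEAN_PDF = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
             b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\ntrailer << /Root 1 0 R >>\n%%EOF\n")
LINKED_PDF = (b"%PDF-1.4\n1 0 obj << /Type /Annot /Subtype /Link "
              b"/A << /S /URI /URI (https://resume.example.invalid/view) >> >> endobj\n%%EOF\n")


def build_docx(with_macro, hyperlink=None):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        rels = "<Relationships>"
        if hyperlink:
            rels += (f'<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument'
                     f'/2006/relationships/hyperlink" Target="{hyperlink}" TargetMode="External"/>')
        rels += "</Relationships>"
        zf.writestr("word/_rels/document.xml.rels", rels)
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_resume("cv.pdf", CLEAN_PDF))
    print(triage_resume("cv.pdf", LINKED_PDF))
    print(triage_resume("cv.docm", build_docx(True, "https://example.invalid/portfolio")))
```

The PDF check is deliberately a keyword scan: names inside FlateDecode-compressed object streams will not be visible to it, so in production it belongs in front of a full PDF parser or a sandboxed viewer rather than replacing one, which is why the function fails closed on anything it cannot classify.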
Link(s):
https://news.sophos.com/en-us/2025/12/05/sharpening-the-knife-gold-blades-strategic-evolution/