GOLD BLADE isn't a ransomware group focused only on stealing data. They blend espionage with ransomware and abuse trusted platforms like Indeed and LinkedIn to target HR teams directly.
Join host Susie Evershed and Sophos Threat Intelligence Analyst Morgan Demboski as they take you inside the operations of one of the most quietly sophisticated threat groups we’ve tracked to date.
Whether you're part of a security team, lead threat detection, or just want to understand today’s hybrid attacker landscape, this session will show how the ransomware group GOLD BLADE works and how to defend against it.
Video Summary: GOLD BLADE – Evolving Tactics of a Cyber Espionage Group
00:06 Introduction
Welcome to our Cyber Shorts series with Sophos, a LinkedIn Live series focused on trending cybersecurity topics, threat research, and insights into the evolving threat landscape.
00:15 Meet the speakers
I’m Susie Evershed, joined by Morgan Demboski, Threat Intelligence Analyst at Sophos.
Today’s discussion is based on Morgan’s latest research into the threat group GOLD BLADE.
00:44 Overview of GOLD BLADE
GOLD BLADE, also known as RedCurl, Red Wolf, or Earth Kapre, has been active since at least 2018.
The group primarily conducts commercial cyber espionage, targeting organizations to steal sensitive business data for financial or competitive advantage.
01:31 Campaign focus on Canada
In a recent campaign spanning February 2024 to August 2025, GOLD BLADE heavily targeted Canadian organizations.
Over 80% of observed intrusions were focused on Canada, marking a notable shift in their typical global targeting patterns.
02:35 Evolving tactics and delivery methods
GOLD BLADE continues to use its custom malware, RedLoader, but has evolved how it delivers it.
The group shifted from traditional phishing emails to abusing trusted recruitment platforms like LinkedIn, Indeed, and JazzHR, increasing success rates and evading detection.
03:46 Abuse of recruitment platforms
By impersonating job applicants and submitting malicious résumés through legitimate platforms, GOLD BLADE exploits trusted workflows.
This tactic bypasses email-based defenses and increases the likelihood that HR personnel will open malicious files.
05:03 What makes GOLD BLADE unique
GOLD BLADE stands out as a financially motivated group conducting espionage-like operations without clear ties to a nation-state.
They avoid typical cybercriminal behaviors such as public extortion or leak sites and are believed to operate as a “hack-for-hire” group serving external clients.
06:41 Attack patterns and activity cycles
The group operates in waves, with bursts of activity followed by periods of silence.
These quiet periods likely allow them to refine tactics and develop new attack methods before launching updated campaigns.
07:54 Continuous evolution of techniques
GOLD BLADE frequently updates its malware delivery methods, hosting mechanisms, and execution techniques to evade detection.
They also deploy customized tools, including modified EDR killers, to disable security defenses.
09:21 Introduction of QWCrypt ransomware
The group introduced a custom ransomware, QWCrypt, in 2025, though its use appears selective.
It may serve as a secondary monetization method if data theft efforts do not yield desired results.
10:59 Ransomware characteristics
QWCrypt is relatively unsophisticated but tailored to specific victims, with customized deployment scripts and targeting strategies.
Its ransom notes reuse language from established groups like LockBit, suggesting reuse of proven tactics rather than direct affiliation.
12:36 Security recommendations
Organizations should ensure endpoints are centrally managed with strong EDR protections and comprehensive logging.
Active monitoring by skilled analysts is critical for detecting and responding to threats before impact.
13:48 Protecting recruitment workflows
As attackers increasingly target HR processes, organizations should harden recruitment workflows.
Best practices include training staff to recognize suspicious résumés, avoiding external downloads, and using secure document viewers or sandboxing tools.
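One concrete way to harden a résumé intake step, added here as an illustration and not code from Sophos or from the session: validate each uploaded file by its content rather than by the name the applicant supplied, accept only a short allow-list of document types, and reject macro-enabled Word documents outright. The file names, sample bytes and the minimal DOCX layout below are constructed for the example; a real pipeline would pass validated files on to a sandbox or hardened viewer as the session recommends.

```python
"""Résumé intake check: accept only files whose content matches a small
allow-list of document types, regardless of the extension the sender chose.
Constructed example; file names and sample bytes are not real submissions."""
import io
import zipfile
from pathlib import PurePosixPath

# Document types HR is allowed to receive through the applicant portal.
ALLOWED_EXTENSIONS = {".pdf", ".docx"}


def _looks_like_pdf(data: bytes) -> bool:
    # Every PDF begins with a "%PDF-" version header.
    return data.startswith(b"%PDF-")


def _inspect_docx(data: bytes) -> tuple[bool, str]:
    """Return (is_docx, reason). DOCX is a ZIP container that must carry
    [Content_Types].xml and word/document.xml; a word/vbaProject.bin part
    means the document carries VBA macros and is refused."""
    if not data.startswith(b"PK\x03\x04"):
        return False, "content is not a ZIP container"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
    except zipfile.BadZipFile:
        return False, "content is not a valid ZIP container"
    if "[Content_Types].xml" not in names or "word/document.xml" not in names:
        return False, "ZIP container is not a Word document"
    if "word/vbaProject.bin" in names:
        return False, "macro-enabled document"
    return True, "ok"


def check_resume(filename: str, data: bytes) -> tuple[bool, str]:
    """Decide whether an uploaded résumé may enter the HR workflow.
    Returns (accepted, reason)."""
    suffixes = PurePosixPath(filename).suffixes
    ext = suffixes[-1].lower() if suffixes else ""
    if ext not in ALLOWED_EXTENSIONS:
        # Archives, disk images, shortcuts, scripts and executables all fail here.
        return False, f"extension {ext or '(none)'} not allowed"
    if ext == ".pdf":
        if not _looks_like_pdf(data):
            # e.g. an executable renamed to .pdf
            return False, "content is not a PDF"
        return True, "ok"
    return _inspect_docx(data)


def build_sample_docx(with_macro: bool = False) -> bytes:
    """Constructed sample: the minimal ZIP layout the check inspects."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00")
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed submissions: one genuine PDF, one executable renamed to
    # .pdf, one clean DOCX, one macro-carrying DOCX, one disk image.
    samples = [
        ("applicant_cv.pdf", b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n"),
        ("applicant_cv.pdf", b"MZ\x90\x00\x03\x00"),
        ("applicant_cv.docx", build_sample_docx()),
        ("applicant_cv.docx", build_sample_docx(with_macro=True)),
        ("applicant_cv.iso", b"\x00" * 16),
    ]
    for name, blob in samples:
        accepted, reason = check_resume(name, blob)
        print(f"{name:20} {'ACCEPT' if accepted else 'REJECT':7} {reason}")
```

The check deliberately trusts the extension only to pick which content test to run; the decision itself rests on the bytes. Files that pass are still untrusted input and belong in a sandbox or secure viewer before anyone opens them in a full office suite.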
14:49 Organization-wide awareness
Cybersecurity is a shared responsibility across the organization.
HR teams and recruiters should be treated as a frontline defense and regularly updated on evolving threats.
15:39 Closing
Thank you for joining this Cyber Shorts episode.
Stay tuned for more insights, and follow our blog and social channels for the latest cybersecurity research.