Summary
GOLD BLADE is a financially motivated cybercriminal group, also known as RedCurl, Red Wolf, and Earth Kapre, that has conducted commercial espionage in tailored intrusions on behalf of clients under a “hack-for-hire” model since 2018. In mid-2025, Sophos analysts observed the group starting to deploy custom ransomware, named QWCrypt, in some network compromises, suggesting that the threat actors may be independently monetizing intrusions in addition to conducting espionage for clients. The group's operations follow a rhythm of dormancy followed by sudden bursts of activity in highly focused geographic campaigns, with each wave introducing newly developed or adapted tradecraft.
GOLD BLADE was originally noted for using well-crafted and targeted phishing emails to target human resources personnel with malicious documents purporting to be resumes or curriculum vitae from job applicants. Through mid-2025, Sophos analysts noted a shift in tradecraft to the abuse of recruitment platforms to deliver weaponized resumes.
GOLD BLADE uses legitimately signed executables published by Adobe to side-load a custom malware called RedLoader. RedLoader begins an infection chain that transmits information about the infected host to a remote command and control (C2) host and executes PowerShell scripts that gather information about the compromised Active Directory (AD) environment. The group has also implemented a Bring Your Own Vulnerable Driver (BYOVD) chain involving renamed Zemana drivers and modified versions of the Terminator endpoint detection and response (EDR) killer tool to evade detection.
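As an added illustration (not code from the Sophos report or from the group's tooling), the following Python sketches a defender's triage of two of the behaviours described above over constructed Sysmon-style events: an Adobe-signed executable loading an unsigned DLL from its own directory (the side-load shape), and a Zemana-signed driver loaded under a filename that is not on an assumed allowlist of its expected names (the renamed-driver BYOVD shape). The field names, sample events and allowlist are assumptions, not values from the page.

```python
import ntpath  # handles Windows paths correctly even when run on Linux/macOS

# Assumed allowlist of expected Zemana driver filenames; verify against your
# own software inventory before relying on it.
KNOWN_ZEMANA_DRIVER_NAMES = {"zam64.sys", "zamguard64.sys"}

# Constructed Sysmon-style events (not real telemetry). "id" 7 mirrors
# ImageLoad, "id" 6 mirrors DriverLoad; signer fields are simplified.
SAMPLE_EVENTS = [
    # Benign: Adobe-signed process loads a Microsoft-signed system DLL.
    {"id": 7, "Image": r"C:\Users\hr\Downloads\resume\AdobeUpdate.exe",
     "ImageSigner": "Adobe Inc.", "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "LoadedSigned": True},
    # Suspicious: same Adobe-signed process loads an unsigned DLL beside itself.
    {"id": 7, "Image": r"C:\Users\hr\Downloads\resume\AdobeUpdate.exe",
     "ImageSigner": "Adobe Inc.", "ImageLoaded": r"C:\Users\hr\Downloads\resume\netutils.dll",
     "LoadedSigned": False},
    # Benign: Zemana-signed driver under an expected filename.
    {"id": 6, "ImageLoaded": r"C:\Windows\System32\drivers\zam64.sys", "Signature": "Zemana Ltd."},
    # Suspicious: Zemana-signed driver loaded under an unrelated filename.
    {"id": 6, "ImageLoaded": r"C:\Windows\Temp\svchost.sys", "Signature": "Zemana Ltd."},
]


def is_sideload_candidate(ev):
    """Adobe-signed host process loading an unsigned DLL from the directory
    the executable itself runs from. Signed DLLs are deliberately excluded
    here; widen the check if your environment needs it."""
    if ev.get("id") != 7 or "adobe" not in ev.get("ImageSigner", "").lower():
        return False
    exe_dir = ntpath.dirname(ev["Image"]).lower()
    dll_dir = ntpath.dirname(ev["ImageLoaded"]).lower()
    return (not ev.get("LoadedSigned", False)) and exe_dir == dll_dir


def is_renamed_zemana_driver(ev, allowlist=KNOWN_ZEMANA_DRIVER_NAMES):
    """Driver signed by Zemana but loaded under a name not on the allowlist:
    the signature is legitimate, the filename is what gives it away."""
    if ev.get("id") != 6 or "zemana" not in ev.get("Signature", "").lower():
        return False
    return ntpath.basename(ev["ImageLoaded"]).lower() not in allowlist


def triage(events):
    """Return (category, path) leads for an analyst; these are leads, not verdicts."""
    hits = []
    for ev in events:
        if is_sideload_candidate(ev):
            hits.append(("sideload", ev["ImageLoaded"]))
        elif is_renamed_zemana_driver(ev):
            hits.append(("byovd", ev["ImageLoaded"]))
    return hits


if __name__ == "__main__":
    for category, path in triage(SAMPLE_EVENTS):
        print(f"{category}: {path}")
```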
