GOLD BLADE
Aliases
SUMMARY
GOLD BLADE is a financially motivated cybercriminal group, also known as RedCurl, Red Wolf, and Earth Kapre, that has conducted commercial espionage since 2018. GOLD BLADE is noted for using well-crafted and targeted phishing emails to attack victims. From late 2024 through early 2025, CTU researchers observed GOLD BLADE targeting human resources personnel with malicious documents purporting to be resumes or curriculum vitae from job applicants.
GOLD BLADE uses legitimately signed executables published by Adobe to side-load malicious payloads like RedLoader. RedLoader begins an infection chain that transmits information about the infected host to a remote C2 host and executes PowerShell scripts that gather information about the compromised Active Directory (AD) environment.
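A defender-side check for the side-loading pattern described above, added here as an example (not code from CTU or from this profile): it scans simplified image-load records for an Adobe-signed executable running outside the usual install directories that loads an unsigned DLL from its own folder. The field names, hosts, paths, file names and the trusted-directory list are assumptions, and the records are constructed.

```python
from pathlib import PureWindowsPath

# Assumption: directories where a vendor installer normally places binaries.
TRUSTED_ROOTS = [r"C:\Program Files", r"C:\Program Files (x86)"]

# Constructed, simplified image-load records (modelled on Sysmon Event ID 7).
# Hosts, paths and file names are made up for illustration.
EVENTS = [
    {"host": "HR-WS-01", "image": r"C:\Program Files\Adobe\App\AdobeTool.exe",
     "signer": "Adobe Inc.", "loaded": r"C:\Program Files\Adobe\App\core.dll",
     "loaded_signed": True},
    {"host": "HR-WS-02", "image": r"C:\Users\hr1\AppData\Local\Temp\cv\AdobeTool.exe",
     "signer": "Adobe Inc.", "loaded": r"C:\Users\hr1\AppData\Local\Temp\cv\helper.dll",
     "loaded_signed": False},
    {"host": "HR-WS-03", "image": r"C:\Users\hr2\Downloads\AdobeTool.exe",
     "signer": "Adobe Inc.", "loaded": r"C:\Windows\System32\kernel32.dll",
     "loaded_signed": True},
    {"host": "HR-WS-04", "image": r"C:\Users\hr3\Downloads\viewer.exe",
     "signer": "Example Corp", "loaded": r"C:\Users\hr3\Downloads\plugin.dll",
     "loaded_signed": False},
]

def _path(p):
    # Windows paths are case-insensitive; normalise before comparing.
    return PureWindowsPath(p.lower())

def in_trusted_root(path):
    parents = _path(path).parents
    return any(_path(root) in parents for root in TRUSTED_ROOTS)

def find_sideloads(events):
    """Return events where an Adobe-signed EXE outside the trusted roots
    loads an unsigned DLL sitting in the same directory as the EXE."""
    hits = []
    for ev in events:
        adobe_signed = "adobe" in ev["signer"].lower()
        same_dir = _path(ev["image"]).parent == _path(ev["loaded"]).parent
        if (adobe_signed and not in_trusted_root(ev["image"])
                and not ev["loaded_signed"] and same_dir):
            hits.append(ev)
    return hits

if __name__ == "__main__":
    for ev in find_sideloads(EVENTS):
        print(f'{ev["host"]}: {ev["image"]} loaded unsigned {ev["loaded"]}')
```

Only the HR-WS-02 record matches: a valid vendor signature on the executable does not make its location or the DLLs it loads trustworthy.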