Updates include novel abuse of recruitment platforms, modified infection chains, and expansion into a hybrid operation that combines data theft and ransomware deployment.
Categories: Threat Research
Tags: Canada, featured, GOLD BLADE, QWCrypt, recruitment platforms, RedLoader, STAC6565
Analysis Summary
# Threat Actor: GOLD BLADE
## Attribution & Identity
The threat actor is identified as **GOLD BLADE**. The name follows the same naming convention as other tracked groups (e.g., GOLD FEATHER, GOLD SALEM), which is the only link to other groups the context provides; no further attribution is detailed, and no aliases other than the primary name are mentioned.
## Activity Summary
GOLD BLADE has shown strategic evolution, incorporating several new methods in recent operations:
1. Novel abuse of recruitment platforms for initial access or delivery.
2. Use of modified infection chains.
3. Expansion into a hybrid operation that combines data theft followed by the deployment of ransomware.
## Tactics, Techniques & Procedures
- Initial compromise involves the novel abuse of **recruitment platforms**.
- Infection chains have been observed to be **modified**.
- The operation is generally hybrid, focusing on **data theft** prior to **ransomware deployment**.
- Use of the **RedLoader** initial access tool/loader (implied by tag).
- Use of custom or specific malware components associated with the group, such as **QWCrypt**.
(Note: No specific MITRE ATT&CK IDs were provided in the text snippet.)
## Targeting
- Sectors: Not explicitly detailed; the abuse of recruitment platforms suggests that Human Resources staff or job-seeking personnel within organizations are the targeted entry point.
- Geography: **Canada** (indicated by tag).
- Victims: No specific victim names were mentioned in the provided context.
## Tools & Infrastructure
- Malware families used:
  - **QWCrypt**
  - **RedLoader** (implied by tag)
- Infrastructure (C2 indicators reported for March/April 2025):
  - IP address: `109[.]206[.]236[.]209` (RPivot C2)
  - URL: `hxxp://194[.]113[.]245[.]238:8810` (RPivot C2 server)
  - URL: `hxxp://stars[.]medbury[.]com:18810` (Chisel C2 server)
  - URL: `hxxp://162[.]33[.]178[.]61:18810` (Chisel C2 server)
- Notable artifacts (March 2025):
  - SHA1: `9fda15cdac5f73c0f56497b0b32706180871f3be` (RPivot binary)
  - MD5: `bbe856330766da83686750b4eb6767bd` (RPivot binary)
  - SHA256: `9ce8c43d7d8ddab18fde6ca3c0f23efb5491d460bffc8c0ea5fc2f61a6e7b8e4` (RPivot binary)
## Implications
GOLD BLADE is demonstrating strategic evolution by blending initial access techniques (social engineering via recruitment platforms) with sophisticated payloads (ransomware and data theft capabilities). Their shift to hybrid operations indicates a higher-value target profile, seeking both disruption and exfiltration revenue.
## Mitigations
- Enhance security controls specifically targeting social engineering vectors, particularly those leveraging job opportunities or recruitment documentation.
- Implement rigorous application control and sandboxing for any files downloaded from untrusted or non-standard sources, including initial phishing/lure documents.
- Monitor for the presence and execution of known malware like QWCrypt and RedLoader.
- Monitor egress traffic for beaconing to the identified C2 infrastructure and to the non-standard ports it uses (8810 and 18810). Specific host-based or network-based mitigations beyond this would require further analysis of the reported TTPs.
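As an added example (not code from the report or its authors), the following Python snippet turns the defanged C2 indicators listed above into a watchlist and applies the egress-monitoring mitigation to a few constructed firewall-style log lines, flagging exact host:port matches, bare host matches, and any connection on the 8810/18810 tunnel ports. The log format and the sample lines are assumptions for illustration.

```python
import re
# Defanged C2 indicators as listed in the report (RPivot and Chisel servers).
DEFANGED_IOCS = [
    "109[.]206[.]236[.]209",
    "hxxp://194[.]113[.]245[.]238:8810",
    "hxxp://stars[.]medbury[.]com:18810",
    "hxxp://162[.]33[.]178[.]61:18810",
]
SUSPICIOUS_PORTS = {8810, 18810}  # tunnel ports named in the mitigations

def refang(ioc):
    """Turn a defanged indicator into (host, port-or-None)."""
    value = ioc.replace("[.]", ".").replace("hxxp://", "").rstrip("/")
    host, _, port = value.partition(":")
    return host, (int(port) if port else None)

# Constructed firewall-style egress log lines; not taken from the report.
SAMPLE_LOGS = """\
2025-03-14T09:12:01Z src=10.0.5.23 dst=162.33.178.61 dport=18810 action=allow
2025-03-14T09:12:05Z src=10.0.5.23 dst=142.250.72.14 dport=443 action=allow
2025-03-14T09:13:40Z src=10.0.7.8 dst=203.0.113.9 dport=8810 action=allow
2025-03-14T09:14:02Z src=10.0.5.23 dst=109.206.236.209 dport=443 action=allow
2025-03-14T09:15:10Z src=10.0.9.4 dst=198.51.100.77 dport=22 action=allow
"""
# Assumed log layout; lines that do not match are silently skipped by finditer.
LOG_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)", re.M)

def classify(dst, dport, hosts, endpoints, ports=SUSPICIOUS_PORTS):
    """Most specific reason to flag a connection, or None if it looks clean."""
    if (dst, dport) in endpoints:
        return "known C2 endpoint"
    if dst in hosts:
        return "known C2 host"
    if dport in ports:
        return "tunnel port in use"
    return None

def detect(log_text, iocs=DEFANGED_IOCS):
    """Return (timestamp, src, dst, dport, reason) for every flagged line."""
    parsed = [refang(i) for i in iocs]
    hosts = {h for h, _ in parsed}
    endpoints = {(h, p) for h, p in parsed if p is not None}
    hits = []
    for m in LOG_RE.finditer(log_text):
        dport = int(m["dport"])
        reason = classify(m["dst"], dport, hosts, endpoints)
        if reason:
            hits.append((m["ts"], m["src"], m["dst"], dport, reason))
    return hits
```

The bare-port rule will fire on legitimate services that happen to use 8810 or 18810, so treat it as a triage signal to be tuned against your own baseline rather than a blocking rule.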