Recruitment Ruse: How GOLD BLADE Turned Job Portals into Ransomware Launchpads
A notorious cyber gang weaponizes online hiring platforms to breach Canadian firms with custom malware and ransomware.
When filling your next open position, you probably don’t expect the resume you download to unleash a cyber extortion plot. But for dozens of Canadian companies, that’s exactly what happened - thanks to the cunning tactics of the GOLD BLADE cybercrime syndicate.
The New Face of “Job Offer” Attacks
GOLD BLADE, a group once notorious for corporate espionage, has reinvented itself as a hybrid cybercriminal operation. Rather than relying on classic phishing emails, the group now exploits a surprising weak link: human resources departments. By uploading maliciously crafted PDF resumes to legitimate recruitment sites, the attackers bypass traditional email security and prey on the trust HR staff place in these platforms.
Viewing one of these resumes triggers a redirect to a convincing “Safe Resume Share Service” - actually a trap that delivers RedLoader malware. This marks the start of a three-stage attack: initial infection, deployment of secondary payloads, and finally, installation of GOLD BLADE’s custom QWCrypt ransomware.
Technical Sleight of Hand
The group’s technical prowess is evident in its evolving tactics. Early attacks used .lnk and .iso files; by 2025, the campaign leveraged DLL sideloading, with the malicious DLL hosted remotely on Cloudflare Workers domains, evading many security tools. To maintain stealth, GOLD BLADE abused legitimate Windows utilities ("living-off-the-land" binaries) and scheduled tasks named to look like browser updaters.
Perhaps most alarming is the group’s use of the BYOVD (Bring Your Own Vulnerable Driver) technique. By deploying modified anti-malware drivers and custom “Terminator” utilities, they systematically disabled advanced endpoint protections, clearing the path for data theft and ransomware activation.
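The three tradecraft items above each leave a distinct trace in endpoint telemetry. The following detection checks are an added example written for this article (not Sophos, vendor or GOLD BLADE code): a DLL image load whose UNC host is a *.workers.dev domain, a scheduled task whose name looks like a browser updater but whose action runs from outside the vendor's directory, and a kernel driver loaded from a staging path or matching a vulnerable-driver blocklist. The event schema, trusted directories, sample events and the blocklist placeholder are all assumptions.

```python
"""Detection checks, written as an added example (not vendor or GOLD BLADE code),
for three tradecraft items: a DLL loaded over WebDAV from a Cloudflare Workers
domain, a scheduled task posing as a browser updater, and a kernel driver
staged outside the system driver directory (BYOVD). The telemetry schema,
sample events and trusted directories are assumptions."""

import re

# Where genuine browser-updater binaries live (assumed; tune per estate).
TRUSTED_UPDATER_DIRS = (
    r"c:\program files\google\update",
    r"c:\program files (x86)\google\update",
    r"c:\program files (x86)\microsoft\edgeupdate",
    r"c:\program files\mozilla maintenance service",
)
# Directory a kernel driver is expected to be loaded from.
TRUSTED_DRIVER_DIR = r"c:\windows\system32\drivers"
# SHA-256 values from a vulnerable-driver blocklist (e.g. Microsoft's) belong
# here; this single entry is a constructed placeholder, not a real hash.
VULN_DRIVER_HASHES = {"placeholder_sha256_from_vendor_blocklist"}

UPDATER_NAME = re.compile(r"(chrome|google|edge|firefox|mozilla).*update", re.I)
WORKERS_HOST = re.compile(r"\.workers\.dev$", re.I)
# \\host[@SSL][@port]\share\... : the UNC form Windows uses for WebDAV mounts.
UNC_HOST = re.compile(r"^\\\\([^\\@]+)(?:@ssl)?(?:@\d+)?\\", re.I)


def _norm(path: str) -> str:
    """Lower-case and use backslashes so prefix checks are case/slash-insensitive."""
    return path.replace("/", "\\").lower()


def rule_remote_sideload(ev):
    """DLL image load whose UNC host is a *.workers.dev domain."""
    if ev.get("type") != "image_load":
        return None
    image = _norm(ev["image"])
    m = UNC_HOST.match(image)
    if m and image.endswith(".dll") and WORKERS_HOST.search(m.group(1)):
        return f"{ev['process']} loaded {ev['image']} from a Cloudflare Workers host"
    return None


def rule_fake_updater_task(ev):
    """Browser-updater task name whose action runs from outside the vendor directory."""
    if ev.get("type") != "task_create" or not UPDATER_NAME.search(ev["task_name"]):
        return None
    action = _norm(ev["action"])
    if not any(action.startswith(d) for d in TRUSTED_UPDATER_DIRS):
        return f"task {ev['task_name']!r} runs {ev['action']} outside a vendor directory"
    return None


def rule_byovd(ev):
    """Driver loaded from a staging path, or matching a vulnerable-driver blocklist."""
    if ev.get("type") != "driver_load":
        return None
    path = _norm(ev["image"])
    if not path.startswith(TRUSTED_DRIVER_DIR + "\\"):
        return f"driver {ev['image']} loaded from outside {TRUSTED_DRIVER_DIR}"
    if ev.get("sha256", "").lower() in VULN_DRIVER_HASHES:
        return f"driver {ev['image']} is on the vulnerable-driver blocklist"
    return None


RULES = {
    "remote_sideload": rule_remote_sideload,
    "fake_updater_task": rule_fake_updater_task,
    "byovd": rule_byovd,
}


def detect(events):
    """Run every rule over every event; return one hit per (event, rule) pair."""
    hits = []
    for ev in events:
        for name, rule in RULES.items():
            reason = rule(ev)
            if reason:
                hits.append({"id": ev["id"], "rule": name, "reason": reason})
    return hits


# Constructed sample telemetry (not real indicators): one hit per rule plus a benign twin each.
EVENTS = [
    {"id": 1, "type": "image_load", "process": "legit_app.exe",
     "image": r"\\resume-share.workers.dev@SSL\DavWWWRoot\helper.dll"},
    {"id": 2, "type": "image_load", "process": "notepad.exe",
     "image": r"C:\Windows\System32\kernel32.dll"},
    {"id": 3, "type": "task_create", "task_name": "GoogleUpdateTaskMachineUA",
     "action": r"C:\Users\Public\Libraries\GoogleUpdate.exe"},
    {"id": 4, "type": "task_create", "task_name": "GoogleUpdateTaskMachineUA",
     "action": r"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe"},
    {"id": 5, "type": "driver_load", "image": r"C:\Users\Public\drv\avhelper.sys", "sha256": "0" * 64},
    {"id": 6, "type": "driver_load", "image": r"C:\Windows\System32\drivers\ndis.sys", "sha256": "1" * 64},
]

if __name__ == "__main__":
    for hit in detect(EVENTS):
        print(f"[{hit['rule']}] event {hit['id']}: {hit['reason']}")
```

Running the block reports events 1, 3 and 5 and stays quiet on their legitimate counterparts. The BYOVD rule deliberately does not key on signature validity, since a bring-your-own driver is usually a validly signed vendor file; the load path and a maintained blocklist are the useful signals.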
Ransomware and the Art of Extortion
After exfiltrating confidential data, GOLD BLADE unleashed its QWCrypt locker - a proprietary ransomware that encrypts files and appends a unique .qwCrypt extension. Ransom notes, styled after notorious gangs like LockBit, demanded payment for decryption keys. While many attacks were thwarted by modern defenses like Sophos CryptoGuard, vulnerable endpoints remained at risk.
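A locker that appends a fixed extension gives defenders a cheap behavioural signal: one process renaming many files to .qwCrypt in a few seconds. The sliding-window detector below is an added example for this article (not Sophos, CryptoGuard or the gang's code); the log line format, the ten-second window, the threshold of five renames and the log lines themselves are constructed assumptions.

```python
"""Sliding-window detector for a QWCrypt-style mass rename: many files turned
into *.qwCrypt by one process within a short interval. Added example, not a
vendor product or the gang's code; the log line format, window and threshold
are assumptions, and the log lines are constructed."""

import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

ENCRYPTED_EXT = ".qwcrypt"        # extension the article attributes to QWCrypt, compared case-insensitively
WINDOW = timedelta(seconds=10)    # assumed burst window
THRESHOLD = 5                     # assumed renames per process per window before alerting

# Assumed line format: "<ISO time> pid=<n> proc=<name> rename old=<path> new=<path>"
LINE = re.compile(r"^(\S+) pid=(\d+) proc=(\S+) rename old=(.+?) new=(.+)$")


def parse_line(line):
    """Parse one rename event; return None for lines in any other shape."""
    m = LINE.match(line.strip())
    if not m:
        return None
    ts, pid, proc, old, new = m.groups()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "pid": int(pid),
            "proc": proc, "old": old, "new": new}


def detect_bursts(lines):
    """Return one alert per process whose .qwCrypt renames reach THRESHOLD inside WINDOW."""
    recent = defaultdict(deque)   # pid -> timestamps of recent .qwCrypt renames
    alerted = set()
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None or not ev["new"].lower().endswith(ENCRYPTED_EXT):
            continue
        q = recent[ev["pid"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > WINDOW:   # drop renames older than the window
            q.popleft()
        if len(q) >= THRESHOLD and ev["pid"] not in alerted:
            alerted.add(ev["pid"])
            alerts.append({"pid": ev["pid"], "proc": ev["proc"], "at": ev["ts"], "count": len(q)})
    return alerts


# Constructed log lines: pid 4120 renames six files in six seconds (burst),
# pid 900 touches one file (below threshold), pid 31 does an unrelated rename.
SAMPLE_LOG = [
    r"2025-06-01T10:00:00Z pid=4120 proc=svchelper.exe rename old=C:\Share\q1.xlsx new=C:\Share\q1.xlsx.qwCrypt",
    r"2025-06-01T10:00:01Z pid=4120 proc=svchelper.exe rename old=C:\Share\q2.xlsx new=C:\Share\q2.xlsx.qwCrypt",
    r"2025-06-01T10:00:02Z pid=900 proc=backup.exe rename old=C:\Share\old.bak new=C:\Share\old.bak.qwCrypt",
    r"2025-06-01T10:00:02Z pid=4120 proc=svchelper.exe rename old=C:\Share\q3.xlsx new=C:\Share\q3.xlsx.qwCrypt",
    r"2025-06-01T10:00:03Z pid=31 proc=winword.exe rename old=C:\Docs\~tmp1.tmp new=C:\Docs\memo.docx",
    r"2025-06-01T10:00:03Z pid=4120 proc=svchelper.exe rename old=C:\Share\q4.xlsx new=C:\Share\q4.xlsx.qwCrypt",
    r"2025-06-01T10:00:04Z pid=4120 proc=svchelper.exe rename old=C:\Share\q5.xlsx new=C:\Share\q5.xlsx.qwCrypt",
    r"2025-06-01T10:00:05Z pid=4120 proc=svchelper.exe rename old=C:\Share\q6.xlsx new=C:\Share\q6.xlsx.qwCrypt",
    "this line is not a rename event and is skipped",
]

if __name__ == "__main__":
    for a in detect_bursts(SAMPLE_LOG):
        print(f"ALERT pid={a['pid']} ({a['proc']}) {a['count']} .qwCrypt renames by {a['at'].isoformat()}")
```

On the constructed log the detector raises a single alert for pid 4120 at 10:00:04, the moment its fifth rename lands inside the window, and ignores both the single rename by pid 900 and the ordinary .tmp-to-.docx rename. Alerting once per process keeps the output actionable when the same locker renames thousands of files.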
This campaign underscores an uncomfortable truth: even trusted business platforms can be weaponized, and cybercriminals are quick to exploit overlooked vulnerabilities.