Current Cyber Threats

Gold Salem's Warlock Operation Joins Busy Ransomware Landscape

Summary:
The threat actor GOLD SALEM, also known as Warlock Group and tracked by Microsoft as Storm-2603, has been deploying its custom Warlock ransomware against enterprise networks since March 2025. Microsoft intelligence suggests the group may be based in China, although Sophos researchers were unable to confirm any geographic attribution. The group has compromised a wide range of targets, from small businesses to multinational corporations and government agencies across North America, Europe, and South America. Until recently it had avoided targeting Chinese and Russian entities; a Russian victim appeared on its leak site in September 2025, which may suggest the group operates outside both jurisdictions. GOLD SALEM sits in the mid-range of ransomware operations, having listed 60 victims on its dedicated leak site by mid-September. Of these victims, only a third have had their stolen data published, while nearly half were reportedly sold to private buyers. The group runs a Tor-hosted leak site that batches victim listings and displays a ransom countdown to pressure victims. It has also used the leak site to post victims compromised by other ransomware operations, so the victim count may be inflated.

GOLD SALEM employs sophisticated techniques to bypass security measures and deploy its ransomware. The group has exploited Microsoft SharePoint ToolShell and Veeam vulnerabilities to deploy a web shell, which it then uses to download a custom Golang-based WebSockets server for persistent remote access. To bypass EDR systems, the group loads a renamed copy of a vulnerable Baidu Antivirus driver and uses it to terminate security agents. Post-compromise activity includes credential theft, lateral movement with readily available tools such as PsExec and Impacket, and deployment of the Warlock payload through Group Policy Objects. The group also repurposes legitimate tools for malicious ends, for example using the Velociraptor DFIR tool to create network tunnels.
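The EDR-bypass step above relies on renaming a vulnerable signed driver, which defeats detections keyed on the file name but changes neither the file hash nor the Authenticode signer. The following detection sketch is an added example written for this summary; it is not code from Sophos or from the article. It runs over a few constructed driver-load records (a simplified form of the fields Sysmon Event ID 6 reports) and raises an alert when a loaded driver's hash is on a vulnerable-driver denylist, or when a driver from a given signer is loaded under a file name other than the ones that signer's products are expected to use. The denylist hash, the signer string and the expected file names are placeholders to be replaced with values from your own telemetry or a vulnerable-driver blocklist.

```python
"""Flag driver loads that match a vulnerable-driver hash or a renamed vendor driver.

Added defensive example, not from the Sophos article. The event format below is a
constructed, simplified rendering of Sysmon Event ID 6 (DriverLoad) fields.
"""
import re
from dataclasses import dataclass
from typing import Iterable

# PLACEHOLDER: SHA-256 values of known-vulnerable drivers. These are not real
# hashes; populate from your own telemetry or a maintained blocklist.
VULNERABLE_DRIVER_SHA256 = {
    "1" * 64: "vulnerable antivirus driver (placeholder entry)",
}

# ASSUMPTION: file names a signer's drivers are expected to load under.
# Both the signer string and the file name are illustrative placeholders.
EXPECTED_NAMES_BY_SIGNER = {
    "EXAMPLE-AV-VENDOR-SIGNER": {"examplevendor.sys"},
}

# key=value fields separated by whitespace; values may contain spaces.
_FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


@dataclass
class DriverLoad:
    image: str    # full path of the loaded driver
    sha256: str   # lowercase SHA-256 from the Hashes field
    signer: str   # Authenticode signer as reported by the sensor


def parse_event(line: str) -> DriverLoad:
    """Parse one constructed DriverLoad record into a DriverLoad."""
    fields = dict(_FIELD_RE.findall(line))
    hashes = dict(
        h.split("=", 1) for h in fields.get("Hashes", "").split(",") if "=" in h
    )
    return DriverLoad(
        image=fields.get("ImageLoaded", ""),
        sha256=hashes.get("SHA256", "").lower(),
        signer=fields.get("Signature", ""),
    )


def check(event: DriverLoad) -> list[str]:
    """Return the reasons an event is suspicious (empty list means clean)."""
    reasons = []
    file_name = event.image.replace("\\", "/").rsplit("/", 1)[-1].lower()
    # Renaming does not change the hash, so match on the hash first.
    if event.sha256 in VULNERABLE_DRIVER_SHA256:
        reasons.append(f"hash matches {VULNERABLE_DRIVER_SHA256[event.sha256]}")
    # A vendor-signed driver loaded under a name the vendor never ships.
    expected = EXPECTED_NAMES_BY_SIGNER.get(event.signer)
    if expected is not None and file_name not in expected:
        reasons.append(
            f"driver signed by {event.signer} loaded under unexpected name {file_name!r}"
        )
    return reasons


def scan(lines: Iterable[str]) -> list[tuple[str, list[str]]]:
    """Run check() over raw records; return (image path, reasons) per alert."""
    alerts = []
    for line in lines:
        event = parse_event(line)
        reasons = check(event)
        if reasons:
            alerts.append((event.image, reasons))
    return alerts


# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    # Vendor driver loaded under its expected name with a non-listed hash: clean.
    "ImageLoaded=C:\\Windows\\System32\\drivers\\examplevendor.sys "
    f"Hashes=SHA256={'2' * 64},MD5={'a' * 32} Signature=EXAMPLE-AV-VENDOR-SIGNER",
    # Same vendor's vulnerable driver, renamed and dropped in a temp directory.
    "ImageLoaded=C:\\Windows\\Temp\\svc.sys "
    f"Hashes=SHA256={'1' * 64},MD5={'b' * 32} Signature=EXAMPLE-AV-VENDOR-SIGNER",
    # Unrelated Microsoft driver: clean.
    "ImageLoaded=C:\\Windows\\System32\\drivers\\tcpip.sys "
    f"Hashes=SHA256={'3' * 64},MD5={'c' * 32} Signature=Microsoft Windows",
]

if __name__ == "__main__":
    for image, reasons in scan(SAMPLE_EVENTS):
        print(image)
        for reason in reasons:
            print("  -", reason)
```

On the constructed records only the renamed driver in the temp directory produces an alert, and it trips both checks. In production the hash denylist is the check that matters most, since it is indifferent to where the file was written or what it was called; the signer/file-name check is a cheaper heuristic that also catches vulnerable builds whose hash is not yet on the list.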

Security Officer Comments:
GOLD SALEM's adaptable and sophisticated tactics, from exploiting known vulnerabilities to repurposing legitimate tools, suggest that this newly emerged threat group is an experienced one. Its success in bypassing EDR and reaching a mid-range victim count within a short period is notable. The possible geographic ties to China and the recent departure from avoiding Russian targets suggest the group's operational strategy is still evolving. The high share of stolen data reportedly sold to private buyers rather than publicly leaked points to a focus on monetizing data through private transactions, possibly to avoid attention or to maximize profit. The group does not present itself as a RaaS operation, and it is unclear whether these attacks are carried out directly or through affiliates. Conducting RaaS operations with affiliates would, however, be the next logical step for this financially motivated group.

Suggested Corrections:
IOCs are available in the linked Sophos article.

Organizations should implement regular attack surface monitoring and have aggressive patching policies for internet-facing services. Detection and mitigation of zero-day exploitation require proactive endpoint monitoring and timely incident response.

The following Sophos protections detect activity related to this threat:
  • Troj/WebShel-F
  • Troj/Warlock-B

To mitigate exposure to this threat, CTU researchers recommend that customers use available controls to review and restrict access using the indicators in the article.

Link(s):
https://news.sophos.com/en-us/2025/09/17/gold-salems-warlock-operation-joins-busy-ransomware-landscape/