GOLD SALEM used SharePoint exploits (including the ToolShell zero-day chain) and attacker-hosted Cloudflare Workers subdomains to stage tools and gain access to networks, later deploying Velociraptor as a precursor to ransomware activity. These intrusions led to Warlock, LockBit, and Babuk encryptions, with tool-staging domains such as files[.]qaubctgg[.]workers[.]dev and C2 infrastructure like velo[.]qaubctgg[.]workers[.]dev observed in the activity. #Warlock #GOLDSALEM
Key points
- GOLD SALEM began deploying and extorting victims with Warlock ransomware around March 2025 and rose to prominence after ToolShell SharePoint exploits were observed in July 2025.
- Multiple intrusions across sectors (agriculture, government, energy, industrial, retail, automotive, translation) used SharePoint-based initial access in several incidents, while in others there was insufficient evidence to determine the initial access vector (IAV).
- Velociraptor (v2.msi/v3.msi) was downloaded from attacker-controlled workers[.]dev domains and configured to install as a service and spawn VS Code tunnels for C2 and remote access.
- GOLD SALEM staged a broad toolset on files[.]qaubctgg[.]workers[.]dev (Velociraptor, VS Code, Cloudflared, Radmin, OpenSSH, MinIO client, SecurityCheck) to support lateral movement and remote access.
- Persistence and credential access included creating local admin accounts (net user backupadmin/admin_gpo), LSASS enumeration and dumping, and use of credential harvesters (packed Mimikatz, Veeam password dumper).
- Defense-evasion tactics included vmtools.exe AV/EDR killers, use of vulnerable/signed drivers (rsndspot.sys, kl.sys, ServiceMouse.sys) in BYOVD attacks, and possible Java DLL side-loading via jli.dll.
- Ransomware impact included Warlock (likely based on leaked LockBit 3.0 code, using .x2anylock/.xlockxlock), LockBit 3.0, and Babuk, with victims listed on a Tor-hosted Warlock leak site and varied ransom-note contact details (qTox IDs).
MITRE Techniques
- [T1190] Exploit Public-Facing Application: SharePoint vulnerabilities and the ToolShell zero-day chain were exploited for initial access ("exploited SharePoint vulnerabilities" / "chained exploitation of zero-day vulnerabilities (ToolShell)").
- [T1105] Ingress Tool Transfer: tools and installers were downloaded into victim environments from attacker-controlled workers[.]dev domains and Azure blob storage ("downloaded from a host in the qaubctgg[.]workers[.]dev domain" / "hxxps://…blob[.]core[.]windows[.]net/veeam/v2.msi").
- [T1059.001] PowerShell: encoded PowerShell commands were used to download and execute installers prior to installing Velociraptor as a service ("downloading the file from the same workers[.]dev domain using an encoded PowerShell command").
- [T1543.003] Create or Modify System Process: Windows Service: Velociraptor was installed and configured to run as a service on compromised hosts ("installing it as a service").
- [T1136.001] Create Account: Local Account: attackers created local administrator accounts for persistence using net commands ("net user backupadmin abcd1234").
- [T1003.001] OS Credential Dumping: LSASS Memory: the actors enumerated LSASS and used MiniDump via Comsvcs.dll to obtain credentials from memory ("identify the LSASS process number…obtain the hashed credentials via the MiniDump function of the native Comsvcs.dll").
- [T1562.001] Impair Defenses: Disable or Modify Tools: vmtools.exe and vulnerable drivers (rsndspot.sys, kl.sys, ServiceMouse.sys) were used to disable AV/EDR solutions in BYOVD-style attacks ("use an antivirus (AV) and endpoint detection and response (EDR) agent killer named vmtools.exe" / "imported and used two drivers (rsndspot.sys and kl.sys)…in a BYOVD attack").
- [T1574.001] Hijack Execution Flow: DLL Side-Loading: possible DLL side-loading was observed against Java processes using the legitimate Java Launcher Interface jli.dll ("possible DLL side-loading of Java processes via the legitimate Java Launcher Interface file (jli.dll)").
- [T1090] Proxy and Tunneling (C2): VS Code tunnel mode and the Cloudflared tunneling tool were used to establish C2 and remote tunnels into victim environments ("execute Visual Studio Code (VS Code) (code.exe) with the tunnel option enabled" / "Cloudflared tunneling tool downloaded").
- [T1486] Data Encrypted for Impact: ransomware families (Warlock, LockBit, Babuk) were used to encrypt files and append extensions such as .x2anylock/.xlockxlock as part of impact and extortion ("Warlock typically adds the .x2anylock extension to encrypted files").
Indicators of Compromise
- [Domain] Staging and C2 infrastructure: files[.]qaubctgg[.]workers[.]dev, velo[.]qaubctgg[.]workers[.]dev, royal-boat-bf05[.]qgtxtebl[.]workers[.]dev
- [Filename] Ransom notes and staged installers: How to decrypt my data.log, How to decrypt my data.txt, v2.msi (Velociraptor installer), v3.msi
- [URL] Tool storage URL used for Velociraptor: hxxps://stoaccinfoniqaveeambkp[.]blob[.]core[.]windows[.]net/veeam (used to store Velociraptor v2.msi)
- [MD5 hash] AV/EDR killer and Velociraptor samples: 6147d367ae66158ec3ef5b251c2995c4 (vmtools.exe MD5), 6795c530e941ee7e4b0ee0458362c95d (v2.msi MD5)
- [SHA256 hash] Staged tool SHA256 examples: 649bdaa38e60ede6d140bd54ca5412f1091186a803d3905465219053393f6421 (Velociraptor v2.msi SHA256), 2695e26637dbf8c2aa46af702c891a5a154e9a145948ce504db0ea6a2d50e734 (cf.msi Cloudflared SHA256), and ~30 other hashes
Read more: https://news.sophos.com/en-us/2025/12/11/gold-salem-tradecraft-for-deploying-warlock-ransomware/