Researchers from the Sophos Counter Threat Unit (CTU) have published new intelligence on a rising ransomware group known as GOLD SALEM, also referred to as the Warlock Group. Active since March 2025, the group has steadily built a reputation for aggressive intrusions and advanced evasion tactics, placing it firmly in the middle tier of global ransomware operations.
Microsoft, which tracks the same group as Storm-2603, has suggested with moderate confidence that it may be China-based, though Sophos notes it has “insufficient evidence to corroborate this attribution.”
By mid-September 2025, GOLD SALEM had published the names of 60 victims across North America, Europe, and South America. These range from small commercial and government entities to large multinational corporations. Interestingly, the group broke an unspoken ransomware rule: “the group posted the name of a Russia-based victim to its dedicated leak site (DLS) on September 8.”
Typically, ransomware gangs avoid targeting Russia or its allies to evade local law enforcement. This suggests GOLD SALEM may be operating outside of traditional Russian jurisdiction.

The group uses a Tor-based leak site, where it publishes victim names, ransom countdowns, and, in some cases, stolen data. Sophos notes: “As of September 16, data from 19 of 60 listed victims (32%) was published on the DLS. Additionally, the threat actors claim to have sold data from 27 (45%) of the victims to private buyers, potentially in response to ransom nonpayment.”
In late July, Sophos observed GOLD SALEM exploiting SharePoint servers using a chain of vulnerabilities — CVE-2025-49704, CVE-2025-49706, CVE-2025-53770, and CVE-2025-53771. The attack involved dropping an ASPX web shell that executed arbitrary commands through the IIS worker process (w3wp.exe). One observed payload was:
Sophos explains that this downloaded a Golang-based WebSockets server that gave attackers persistent access outside of the web shell.
GOLD SALEM also used Bring Your Own Vulnerable Driver (BYOVD) to bypass endpoint security. Specifically, they leveraged a Baidu Antivirus driver (renamed googleApiUtil64.sys) vulnerable to CVE-2024-51324, which allowed them to terminate EDR agents.
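The two behaviours just described, web shell commands executed through w3wp.exe and a renamed vulnerable driver loaded from a user-writable path, lend themselves to simple host telemetry checks; the following Python is an added illustration, not code from Sophos or the article. The event field names follow Sysmon ProcessCreate/DriverLoad events, and the sample paths, signer string and command line are constructed assumptions.

```python
"""Added detection example over constructed Sysmon-style events (not Sophos/CTU code).
Field names follow Sysmon EventID 1 (ProcessCreate) and EventID 6 (DriverLoad);
all sample values below are made up for illustration."""
import ntpath

# Constructed sample events modelled on the behaviours described in the article.
EVENTS = [
    {"EventID": 1, "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",   # web shell execution
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c powershell -enc AAAA"},
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe",               # benign interactive shell
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe"},
    {"EventID": 6, "ImageLoaded": r"C:\Users\Public\googleApiUtil64.sys",    # renamed AV driver (BYOVD)
     "Signature": "Beijing Baidu Netcom Science Technology Co., Ltd.",       # constructed signer string
     "Signed": "true"},
    {"EventID": 6, "ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys",  # benign driver load
     "Signature": "Microsoft Windows", "Signed": "true"},
]

# Interpreters a web shell typically spawns from the IIS worker process.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# Legitimate drivers live under the Windows directory; attacker-dropped ones usually do not.
WINDOWS_DIR = "c:\\windows\\"
# Keyword for the signer of the vulnerable AV driver the article names (Baidu, CVE-2024-51324).
ABUSED_SIGNER_KEYWORDS = ("baidu",)


def detect(events):
    """Return (rule_name, detail) tuples for events matching either heuristic."""
    alerts = []
    for ev in events:
        if ev["EventID"] == 1:
            parent = ntpath.basename(ev["ParentImage"]).lower()
            child = ntpath.basename(ev["Image"]).lower()
            # IIS worker process launching a shell is the classic web shell footprint.
            if parent == "w3wp.exe" and child in SHELLS:
                alerts.append(("iis_webshell_exec", ev["CommandLine"]))
        elif ev["EventID"] == 6:
            path = ev["ImageLoaded"]
            signer = ev.get("Signature", "").lower()
            outside_windows = not path.lower().startswith(WINDOWS_DIR)
            abused_signer = any(k in signer for k in ABUSED_SIGNER_KEYWORDS)
            # Either a driver from a user-writable location or one from a known-abused signer.
            if outside_windows or abused_signer:
                alerts.append(("suspicious_driver_load", path))
    return alerts


if __name__ == "__main__":
    for rule, detail in detect(EVENTS):
        print(f"{rule}: {detail}")
```

Renaming the driver changes only the on-disk name, so the signer and load path remain useful signals even when the file name looks innocuous.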
Microsoft also reported that GOLD SALEM executed Mimikatz against LSASS to extract plaintext credentials, used PsExec and Impacket for lateral movement, and deployed the Warlock ransomware payload through Group Policy Objects (GPO).
In another campaign observed in August, GOLD SALEM abused the legitimate Velociraptor DFIR tool to establish a Visual Studio Code network tunnel for remote persistence, with some intrusions ending in Warlock ransomware detonation.
With its mix of sophisticated exploit chains, EDR evasion techniques, and use of legitimate tools for persistence, GOLD SALEM highlights the evolving playbook of modern ransomware groups.
Sophos concludes with a warning to enterprises: “Organizations should implement regular attack surface monitoring and have aggressive patching policies for internet-facing services. Detection and mitigation of zero-day exploitation require proactive endpoint monitoring and timely incident response.”