Warlock operation joins busy ransomware landscape
Sept. 17, 2025, 6:25 p.m.
Description
GOLD SALEM, also known as Warlock Group, has emerged as a significant player in the ransomware landscape since March 2025. The group has compromised networks across North America, Europe, and South America, targeting a range of organizations from small entities to large corporations. GOLD SALEM operates a Tor-based dedicated leak site, publishing victim data and claiming to sell information to private buyers. The group's tactics include exploiting SharePoint vulnerabilities, using web shells for initial access, and employing tools like Mimikatz for credential theft. They have also been observed bypassing EDR systems and using legitimate tools for malicious purposes. The group's activities suggest a level of competence in their operations, with potential links to China-based actors, although this attribution remains unconfirmed.
Tags
Date
- Created: Sept. 17, 2025, 5:43 p.m.
- Published: Sept. 17, 2025, 5:43 p.m.
- Modified: Sept. 17, 2025, 6:25 p.m.
Indicators
- 996c7bcec3c12c3462220fc2c19d61ccc039005ef5e7c8fabc0b34631a31abb1
- a204a48496b54bcb7ae171ad435997b92eb746b5718f166b3515736ee34a65b4
Attack Patterns
Additional Information
- Commercial
- Construction
- Energy
- Government
- United States of America
- Russian Federation