The emerging group demonstrates competent tradecraft using a familiar ransomware playbook and hints of ingenuity
Analysis Summary
# Threat Actor: GOLD SALEM (Warlock Group)
## Attribution & Identity
- **Primary Identity:** Threat group that refers to itself as **Warlock Group**.
- **Tracking ID:** Tracked by Sophos CTU as **GOLD SALEM**.
- **Alias:** Microsoft refers to them as **Storm-2603**.
- **Attribution:** Microsoft characterizes them "with moderate confidence to be a China-based threat actor," but Sophos CTU researchers lack sufficient evidence to corroborate this.
## Activity Summary
- **Operation Name:** Warlock operation.
- **Activity Period:** Compromising networks and deploying Warlock ransomware since **March 2025**.
- **Scope:** Published 60 victims through mid-September 2025, placing them in the middle tier compared to other ransomware operations during that period.
- **Online Presence:** Operates a **Tor-based Dedicated Leak Site (DLS)** to publish victim names and stolen data. As of September 16, 2025, data from 32% of listed victims had been published, and the group claimed to have sold data from 45% of victims to private buyers.
- **Precursor Activity (June 2025):** Posted on an underground forum soliciting exploits for common enterprise applications (Veeam, ESXi, SharePoint) and tools to disable endpoint detection and response (EDR) systems and security products. They also sought cooperation from Initial Access Brokers (IABs).
- **Overlap:** GOLD SALEM has posted names of victims previously breached by other operations (e.g., GOLD CRESCENT's Hunters International, Payout Kings), suggesting they may be leveraging access sold by third parties or targeting environments with poor remediation.
## Tactics, Techniques & Procedures
- **Ransomware Deployment:** Deploying **Warlock ransomware**.
- **Initial Access/Reconnaissance:** Soliciting exploits for enterprise applications (Veeam, ESXi, SharePoint) and tools to kill EDR/security products via underground forums.
- **Business Model:** Potentially operating as a nascent Ransomware-as-a-Service (RaaS) operation or utilizing IABs for access.
- **Data Exfiltration/Extortion:** Publishing stolen data on the DLS and claiming to sell victim data to private buyers after extortion attempts.
## Targeting
- **Sectors:** Ranged from small commercial or government entities to large multinational corporations.
- **Geography:** Spread throughout **North America, Europe, and South America**.
- **Victims:** Avoids organizations in China and Russia, though one Russian engineering entity in the electricity generation industry was listed on the DLS (suggesting the group may operate outside Russia).
- **Specific Examples:** A U.S.-based commercial construction contractor was listed.
## Tools & Infrastructure
- **Malware Families Used:** **Warlock ransomware**.
- **Infrastructure:** Exclusively uses a **Tor-based Dedicated Leak Site (DLS)** for publishing information.
## Implications
GOLD SALEM/Warlock Group represents an established, competent ransomware threat utilizing a familiar playbook within a crowded landscape. Their early activity indicates an active effort to secure initial access methods (exploits, EDR bypass tools) and recruit access brokers, pointing toward an organized and evolving operation. The listing of a Russian victim suggests they may be financially motivated actors operating outside traditional jurisdictions that protect domestic entities.
## Mitigations
- **Vulnerability Management:** Patching and hardening the common enterprise applications the group sought exploits for, specifically **SharePoint, Veeam, and ESXi**.
- **EDR Protection:** Ensuring endpoint detection and response (EDR) and other security products are robustly defended against disabling mechanisms.
- **Initial Access Broker Monitoring:** Because the group appears to acquire access from third parties, organizations should focus on hardening the perimeter defenses that IABs commonly target.
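The EDR mitigation above is abstract; one concrete defensive check is to alert when security tooling stops or is switched off on an endpoint. The following is an added example, not code from the Sophos CTU report, showing a minimal detection routine over Windows event records. It assumes events arrive as normalised dicts (provider, event ID, message, host), uses the real Microsoft Defender event 5001 (real-time protection disabled) and Service Control Manager events 7036 (service state change) and 7040 (service start type change), and uses a hypothetical service name `ExampleEDR Agent` as a placeholder for a third-party EDR; the sample events are constructed.

```python
"""Flag Windows event records consistent with security tooling being disabled.

Added example, not from the Sophos CTU report. Assumes events are dicts as a
SIEM normalisation step might emit them; sample records below are constructed.
"""
from dataclasses import dataclass
import re

# Service display names that should never stop outside a maintenance window.
# "ExampleEDR Agent" is a hypothetical placeholder for your EDR's service name.
PROTECTED_SERVICES = {
    "Windows Defender Antivirus Service",
    "Microsoft Defender Antivirus Service",
    "ExampleEDR Agent",
}


@dataclass
class Finding:
    rule: str
    host: str
    detail: str


SCM_STOPPED = re.compile(r"The (?P<svc>.+?) service entered the stopped state")
SCM_DISABLED = re.compile(
    r"The start type of the (?P<svc>.+?) service was changed from .+ to disabled"
)


def evaluate(event):
    """Return a Finding if the event matches a tamper rule, else None."""
    provider = event.get("provider", "")
    eid = event.get("event_id")
    msg = event.get("message", "")
    host = event.get("host", "?")

    # Microsoft Defender Operational log: 5001 = real-time protection disabled.
    if provider == "Microsoft-Windows-Windows Defender" and eid == 5001:
        return Finding("defender_realtime_disabled", host, msg)

    # System log, Service Control Manager: 7036 = service state change.
    if provider == "Service Control Manager" and eid == 7036:
        m = SCM_STOPPED.search(msg)
        if m and m.group("svc") in PROTECTED_SERVICES:
            return Finding("protected_service_stopped", host, m.group("svc"))

    # System log, Service Control Manager: 7040 = start type changed.
    if provider == "Service Control Manager" and eid == 7040:
        m = SCM_DISABLED.search(msg)
        if m and m.group("svc") in PROTECTED_SERVICES:
            return Finding("protected_service_set_disabled", host, m.group("svc"))

    return None


def scan(events):
    """Run every event through the rules and return the findings in order."""
    return [f for f in (evaluate(e) for e in events) if f is not None]


# Constructed sample events: two benign service changes, three tamper signals.
SAMPLE_EVENTS = [
    {"host": "ws01", "provider": "Service Control Manager", "event_id": 7036,
     "message": "The Print Spooler service entered the stopped state."},
    {"host": "ws01", "provider": "Microsoft-Windows-Windows Defender", "event_id": 5001,
     "message": "Microsoft Defender Antivirus Real-time Protection is disabled."},
    {"host": "srv02", "provider": "Service Control Manager", "event_id": 7036,
     "message": "The ExampleEDR Agent service entered the stopped state."},
    {"host": "srv02", "provider": "Service Control Manager", "event_id": 7040,
     "message": "The start type of the ExampleEDR Agent service was changed "
                "from auto start to disabled."},
    {"host": "srv03", "provider": "Service Control Manager", "event_id": 7036,
     "message": "The Windows Update service entered the running state."},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.rule}] host={f.host} {f.detail}")
```

Run against the constructed sample it reports three findings and ignores the Print Spooler and Windows Update state changes. In production the same rules would be expressed in the SIEM's query language, with `PROTECTED_SERVICES` populated from the actual EDR and AV service names in the estate and a suppression for scheduled maintenance windows.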