GOLD SALEM tradecraft for deploying Warlock ransomware – Sophos Information

In mid-August 2025, Counter Menace Unit™ (CTU) researchers recognized the usage of the professional Velociraptor digital forensics and incident response (DFIR) device in seemingly ransomware precursor exercise. Subsequent investigation and evaluation of occasions in buyer environments led CTU™ researchers to evaluate with excessive confidence that these incidents occurred with intent to deploy Warlock ransomware, which is operated by the GOLD SALEM cybercrime group.

CTU evaluation means that GOLD SALEM started deploying ransomware and extorting victims round March 2025. Nonetheless, it got here to prominence in July 2025 when Microsoft noticed a risk group that had been concerned in Warlock ransomware deployments abuse the chained exploitation of zero-day vulnerabilities (collectively referred to as ToolShell) in on-premises SharePoint cases to realize entry to networks. Microsoft attributed this exercise with reasonable confidence to a China-based risk group it calls Storm-2603, which CTU researchers observe as GOLD SALEM.

Utilizing indicators related to Warlock ransomware exercise, CTU researchers recognized a number of GOLD SALEM intrusions over a four-month interval that resulted within the tried deployment of ransomware (see Desk 1).

Desk 1: GOLD SALEM incidents involving tried ransomware deployment

The usage of widespread techniques, methods and procedures (TTPs) and instruments noticed throughout these incidents additionally allowed CTU researchers to determine 5 further compromises that concerned GOLD SALEM conducting ransomware precursor exercise (see Desk 2).

Desk 2: Incidents involving seemingly Warlock ransomware precursor exercise

Preliminary entry

In a lot of the Warlock incidents CTU researchers recognized, there was inadequate proof to find out the preliminary entry vector (IAV) the attackers used to compromise victims’ environments. In 4 incidents, the risk actors exploited SharePoint vulnerabilities to realize entry. In one of many July intrusions, GOLD SALEM used the ToolShell exploit chain to realize entry after public exploit code was made obtainable on GitHub. Though CTU researchers have been unable to find out the complete particulars of the assault, the sufferer was subsequently listed on the Warlock leak website.

In one of many August intrusions, SharePoint initiated an execution chain that spawned an msiexec course of and resulted within the deployment of Velociraptor (v2.msi) from an attacker-controlled Cloudflare Employees staff[.]dev subdomain (see Determine 1). The identical month, Pattern Micro additionally reported the exploitation of SharePoint by way of this technique in a Warlock ransomware intrusion. Nonetheless, in that case, the attacker didn’t use Velociraptor or a staff[.]dev area.

Determine 1: w3wp.exe SharePoint course of spawning msiexec course of

Persistence and credentials entry

CTU researchers noticed GOLD SALEM creating new administrator accounts for persistence in a number of incidents. Within the first three assaults, the risk actor created and used accounts (backupadmin or admin_gpo) with the identical password (abcd1234):

c:home windowssystem32cmd.exe /c internet consumer backupadmin abcd1234

In one other incident, the risk actor once more used a internet command to create an administrator account within the sufferer’s atmosphere to keep up persistence:

%sysdirpercentnet1 localgroup directors lapsadmin1 /add

A number of minutes later, the attacker ran the next command to determine the LSASS course of quantity. This quantity might be used to acquire the hashed credentials by way of the MiniDump perform of the native Comsvcs.dll Home windows DLL positioned within the %systemrootpercentsystem32 listing.

tasklist /v /fo csv | findstr /i "lsass.exe"

In an earlier incident, CTU researchers recognized a packed model of the Mimikatz credential harvesting device that was seemingly used to conduct related exercise. In August, a device to dump passwords from Veeam was noticed in a single intrusion.

Execution

CTU researchers first noticed Velociraptor used as a precursor to seemingly ransomware deployment in August. Subsequent analysis recognized 5 further incidents involving the device. Whereas Velociraptor is a professional, off-the-shelf device used for digital forensics and incident response, its obtain from attacker-controlled infrastructure signifies malicious use.

In 4 of the incidents, Velociraptor (v2.msi) was downloaded from a bunch within the qaubctgg[.]staff[.]dev area. Within the fifth incident, which occurred in early September, a file named v3.msi was downloaded from a special staff[.]dev area (qgtxtebl[.]staff[.]dev). This file was additionally Velociraptor.

Within the first recognized Velociraptor incident, the device was configured to speak with a server positioned at velo[.]qaubctgg[.]staff[.]dev. The device was then used to execute Visible Studio Code (VS Code) (code.exe) with the tunnel choice enabled. It did this after first downloading the file from the identical staff[.]dev area utilizing an encoded PowerShell command earlier than putting in it as a service and redirecting the output to a log file (see Determine 2).

Determine 2: Course of tree exhibiting Velociraptor making a VS Code tunnel

VS Code was additionally noticed in two of the opposite incidents, one among which occurred as early as Might 2025. In that incident, the filename for the applying was vscode.exe as an alternative of code.exe.

Protection evasion

Throughout 4 incidents, CTU researchers noticed the risk actor use an antivirus (AV) and endpoint detection and response (EDR) agent killer named vmtools.exe or different variations. Pattern Micro’s Warlock report additionally described the usage of a device named vmtools.exe to kill EDR processes.

In three incidents, the attacker imported and used two drivers (rsndspot.sys and kl.sys) alongside vmtools.exe to aim to disable EDR options in a Carry Your Personal Weak Driver (BYOVD) assault. Metadata evaluation of the rsndspot.sys file reveals the driving force’s authentic title as rspot.sys and signifies that it’s digitally signed by a Chinese language firm named Beijing Rising Community Safety Know-how Co Ltd, which makes a speciality of cybersecurity and AV merchandise. In one other incident, kl.sys was used alongside a driver referred to as ServiceMouse.sys and a file named VMTools-Eng.exe to evade detection.

The usage of these drivers in BYOVD assaults shouldn’t be broadly reported. Nonetheless, a September 2024 Sophos report describing Chinese language state-sponsored cyberespionage exercise tracked as Crimson Palace famous rsndspot.sys and kl.sys deployed alongside a keylogging device to disable EDR options. Moreover, a July 2025 Test Level report on early GOLD SALEM exercise described how a device named VMToolsEng.exe used a weak driver named ServiceMouse.sys to disable AV options.

In two of the Warlock incidents, CTU researchers additionally noticed potential DLL side-loading of Java processes by way of the professional Java Launcher Interface file (jli.dll), though it was not potential to verify this exercise from the obtainable knowledge. This professional DLL is included with the Java Runtime Surroundings. Third-party experiences describe its abuse by a number of risk teams in side-loading assaults.

Command and management (C2) infrastructure

GOLD SALEM tried to ascertain C2 communications by way of the deployment of VS Code in tunnel mode. In a single incident, CTU researchers additionally noticed the Cloudflared tunneling device downloaded by way of the identical technique that delivered Velociraptor: the w3wp.exe SharePoint course of spawned msiexec.exe, which downloaded and tried to put in the device (cf.msi on this occasion) from qaubctgg[.]staff[.]dev. It was not clear if this deployment was profitable. Cloudflared is a broadly used device that Sophos researchers additionally noticed within the Crimson Palace espionage marketing campaign.

Device staging

Within the early noticed Warlock intrusions, CTU researchers weren’t capable of set up the tactic by which GOLD SALEM deployed instruments to victims’ environments. Nonetheless, after it started utilizing Velociraptor in August, the group virtually solely relied on staff[.]dev domains to stage instruments for retrieval into compromised environments. On one event, the group additionally downloaded Velociraptor from a Microsoft Azure blob storage URL (hxxps://stoaccinfoniqaveeambkp[.]blob[.]core[.]home windows[.]internet/veeam/v2.msi).

In 5 of the analyzed incidents, the attacker downloaded recordsdata and instruments from varied subdomains of qaubctgg[.]staff[.]dev. This tool-staging server was accessible as an open listing, so CTU researchers have been capable of enumerate the contents. Along with the Velociraptor installer (v2.msi), VS Code software (code.exe) and Cloudflared tunneling device (cf.msi), instruments obtainable for obtain from this location included the MinIO Consumer (Linux and Home windows variations), Radmin Server for distant entry and administration, an OpenSSH installer to create distant SSH classes, and the SecurityCheck utility (sc.msi) (see Desk 3).

Desk 3: Contents of tool-staging server hosted at recordsdata[.]qaubctgg[.]staff[.]dev

In an early September incident, CTU researchers noticed a change. Two recordsdata (v3.msi and ssh.msi) have been downloaded right into a buyer atmosphere from a brand new staff[.]dev area (royal-boat-bf05[.]qgtxtebl[.]staff[.]dev). Evaluation confirmed that v3.msi is one other model of the Velociraptor device and ssh.msi is the OpenSSH installer.

The qgtxtebl[.]staff[.]dev area was inaccessible, so CTU researchers couldn’t analyze its contents. Nonetheless, this area additionally hosted recordsdata named cf.msi and sc.msi, in response to VirusTotal. The presence of those recordsdata at this location strongly means that GOLD SALEM has shifted its tool-staging folder to a brand new area. The certificates for this area signifies that it was created on August 29, 2025, three days after CTU researchers printed a weblog put up on GOLD SALEM’s use of Velociraptor. It’s potential that the group tailored to proceed operations.

Impression

CTU researchers noticed GOLD SALEM use three ransomware variants in these compromises: Warlock, LockBit, and Babuk. The group routinely names its ransomware executables and different malware after the compromised group.

Warlock is probably going based mostly on the code from the leaked LockBit 3.0 builder. Warlock sometimes provides the .x2anylock extension to encrypted recordsdata however has sometimes added the .xlockxlock extension. Ransomware deployment in a single early incident was detected as LockBit, however encrypted recordsdata had the .x2anylock extension and delivered a ransom be aware related to Warlock (see Determine 3). In one other incident, each Warlock and LockBit 3.0 ransomware have been deployed in the identical atmosphere.

Determine 3: Ransom be aware (“tips on how to decrypt my knowledge.log”) that adopted Warlock deployment

Of their Warlock evaluation, Pattern Micro researchers concluded that the noticed variant was based mostly on the leaked LockBit 3.0 code. Pattern Micro and different third events corresponding to Microsoft additionally reported the group deploying LockBit in ransomware intrusions.

GOLD SALEM members have hyperlinks to the LockBit ransomware as a service (RaaS) operated by GOLD MYSTIC. Chat logs leaked from a LockBit panel in Might 2025 revealed particulars of affiliate accounts, which included qTox IDs as contact particulars. An affiliate referred to as ‘wlteaml’, who was the final to register with the LockBit panel earlier than the contents have been leaked, was linked to a qTox ID that CTU researchers noticed within the Warlock ransom be aware. This ID can also be listed on the contacts web page of the Warlock leak website (see Determine 4).

Determine 4: Contact particulars posted on the Warlock leak website

In a single incident, CTU researchers noticed GOLD SALEM utilizing Babuk ransomware to encrypt VMware ESXi servers. Third-parties have reported related observations. Regardless of deploying their typical suite of instruments and techniques on this incident, the risk actors delivered a ransom be aware with a special structure and qTox ID (see Determine 5).

Determine 5: Babuk ransom be aware in an August intrusion

One other Warlock ransomware deployment concerned a special and extra verbose ransom be aware containing yet one more qTox ID (see Determine 6). This be aware was the primary time that the risk actors explicitly referred to themselves as “Warlock Group”.

Determine 6: Ransom be aware containing the ‘Warlock Group’ title

Though the usage of totally different notes is uncommon, the FAQ web page on the Warlock leak website signifies that the listed qTox IDs are for “technical cooperation and enterprise cooperation” and never for “Warlock prospects” requiring decryption help. This distinction means that particulars in ransom notes may be inconsistent, and presumably that operations are carried out by associates utilizing their very own strategies of negotiation. Nonetheless, there isn’t a robust proof that the Warlock scheme is a RaaS operation regardless of third-party experiences suggesting that it’s.

After Warlock deployment, GOLD SALEM lists victims on a devoted leak website hosted on Tor. It lists victims as tiles with company logos or a padlock marked with a “W” (see Determine 7). If the ransom shouldn’t be paid when the countdown timer expires, the risk actors publicly launch the info or declare that it has been offered to a 3rd get together.

Determine 7: Warlock leak website homepage with sufferer names redacted

Victimology

When reviewing the listing of Warlock victims, CTU researchers famous organizations that might be of curiosity to Chinese language state-sponsored teams concerned in intelligence gathering and cyberespionage. This remark raises the likelihood that ransomware deployment might be a canopy or a secondary exercise to lift cash along with stealing knowledge. These organizations embody telecommunication suppliers and nuclear vitality analysis firms in Europe, entities engaged in aerospace or superior technical analysis in Europe and Taiwan, and government-linked organizations in Southeast Asia. One other notable element was the presence of victims based mostly in Russia. Russian-speaking ransomware teams historically ban concentrating on of entities in Russia or the Commonwealth of Unbiased States (CIS), suggesting this group could also be working from a location exterior of the jurisdiction or attain of Russian regulation enforcement.

A comparability of the Warlock victims’ sectors towards leak website knowledge for all different ransomware operations over the identical interval reveals some variations. Organizations within the info expertise, industrial, and expertise sectors account for 64% of all Warlock ransomware victims (see Determine 8), whereas these sectors characterize simply over 40% of the entire ransomware victims (see Determine 9).

Determine 8: Impacted sectors in Warlock ransomware assaults from June by way of August 2025

Determine 9. Sectors impacted throughout assaults by all ransomware teams from June by way of August 2025

The distinction might point out that GOLD SALEM focuses on sure organizations, or it’d imply that the group’s preliminary entry methodology is extra viable in sure sectors because of the widespread safety frameworks deployed. It’s subsequently potential that GOLD SALEM’s entry is opportunistic, like most ransomware teams. Whereas it’s viable that random organizations are compromised as a smokescreen for cyberespionage operations, the comparatively excessive charge of sufferer naming implies that opportunistic cybercrime exercise would eat a big proportion of the group’s exercise.

Attribution

CTU researchers assess with excessive confidence the noticed incidents have been supposed to deploy Warlock ransomware. Nonetheless, it’s much less clear the place the risk actors are based mostly or if a single group is accountable for all assaults. CTU evaluation signifies that GOLD SALEM is a financially motivated cybercriminal group, and there’s no proof to recommend authorities route or an curiosity in espionage.

A GOLD SALEM put up to the RAMP underground discussion board in June 2025 sought cooperation from preliminary entry brokers (IABs) in offering potential victims. It’s unclear if the group was searching for entry to hold out its personal intrusions, recruiting associates for a nascent RaaS operation, or each. Equally, the content material on the Warlock web site suggests its operators are searching for “enterprise collaboration” however doesn’t present particular particulars. As of this publication, CTU researchers consider GOLD SALEM runs Warlock as a personal ransomware operation with out utilizing exterior associates to conduct assaults.

Based mostly on the next evidentiary factors, CTU assess with low confidence that GOLD SALEM is a minimum of partially composed of Chinese language people:

• The usage of TTPs widespread amongst cybercriminal and state-sponsored Chinese language risk teams, corresponding to the usage of Cloudflare Employees and misuse of drivers from Chinese language safety firms Baidu Antivirus and Beijing Rising
• Demonstrated willingness to assault each Russian and Taiwanese entities
• Early exploitation of SharePoint vulnerabilities that overlaps with related exercise Microsoft noticed from state-sponsored Chinese language risk teams Violet Hurricane (BRONZE VINEWOOD) and Linen Hurricane (BRONZE UNION)

China has had a burgeoning cybercriminal ecosystem that has more and more proven ambitions exterior mainland China all through the 2020s. There’s precedent for an overlap between ostensibly extortion-motivated ransomware campaigns and conventional cyberespionage, as demonstrated by China-based BRONZE STARLIGHT risk group’s use of LockBit and different ransomware households.

Conclusion

GOLD SALEM, or its associates, have displayed above-average technical potential of their Warlock ransomware operations. Exploiting a zero-day for entry and repurposing the professional Velociraptor device, which has not been beforehand reported, show innovation. Regardless of some obvious give attention to particular organizations that might be of curiosity to Chinese language state-sponsored cyberespionage teams, the Warlock victimology reveals that any group might turn into a sufferer of GOLD SALEM’s ransomware operations.

Organizations ought to consider whether or not exposing a SharePoint server to the web is critical and may be certain that internet-facing servers are appropriately patched. Broad and complete deployment of AV and EDR options have been efficient at detecting this risk group’s exercise at an early stage of their assaults.

Detections and risk indicators

The next Sophos protections detect exercise associated to this risk:

• ATK/DonutLdr-B
• Troj/KillAV-MF
• AMSI/VeeamPas-A
• Evade_40a
• Troj/Loader-GX
• Mal/EncPk-HM
• Impact_4c
• Access_3b
• Mal/DwnLd-F

The risk indicators in Desk 4 can be utilized to detect exercise associated to this risk. The domains and URL might include malicious content material, so contemplate the dangers earlier than opening them in a browser.

Desk 4: Indicators for this risk