GOLD SALEM Hackers Infiltrate Networks and Evade Security Measures, Deploying Warlock Ransomware
A new ransomware group known as GOLD SALEM, also referred to as the Warlock Group, has been active since March 2025. The group made its public debut through underground forums in June 2025, seeking exploits for enterprise applications and tools to disable endpoint detection and response systems.
GOLD SALEM has demonstrated advanced evasion capabilities through Bring Your Own Vulnerable Driver (BYOVD) techniques. The group leverages a combination of critical vulnerabilities, including CVE-2025-49704, CVE-2025-49706, CVE-2025-53770, and CVE-2025-53771. A further vulnerability, CVE-2024-51324, is exploited using a renamed vulnerable Baidu Antivirus driver (googleApiUtil64.sys) to terminate arbitrary processes, specifically targeting EDR agents.
Upon successful exploitation, GOLD SALEM deploys an ASPX web shell that provides remote command execution with visible output. One technique observed through this web shell is downloading a Golang-based WebSockets server to maintain persistent access.
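As an added example (not code from the Sophos report or this article), the following Python flags the renamed-driver pattern described above in constructed Sysmon Event ID 6 (DriverLoad) records: a load whose signer belongs to a known-abusable driver family but whose file name is not one the vendor ships, a driver loaded from a user-writable directory, or a driver without a valid signature. The signer substring, the vendor's original file name, the sample events and the flat log format are all assumptions.

```python
"""Flag Bring Your Own Vulnerable Driver (BYOVD) loads in Sysmon Event ID 6 records."""
from pathlib import PureWindowsPath

# Constructed watchlist: a substring of the signer Sysmon reports -> file names the vendor
# ships. The Baidu entry models the article's driver; signer text and name are assumptions.
VULNERABLE_DRIVER_FAMILIES = {"baidu": {"bdapiutil64.sys"}}
# Directories a kernel driver should never be loaded from on a managed host.
USER_WRITABLE_DIRS = ("\\users\\", "\\temp\\", "\\programdata\\", "\\inetpub\\")

# Constructed Sysmon DriverLoad events in a flat "Key: value|Key: value" form.
SAMPLE_EVENTS = [
    "UtcTime: 2025-09-01 10:00:00.000|ImageLoaded: C:\\Windows\\System32\\drivers\\ntfs.sys"
    "|Signed: true|Signature: Microsoft Windows|SignatureStatus: Valid",
    "UtcTime: 2025-09-01 10:05:12.000|ImageLoaded: C:\\ProgramData\\googleApiUtil64.sys"
    "|Signed: true|Signature: Beijing Baidu Netcom Science Technology Co., Ltd.|SignatureStatus: Valid",
    "UtcTime: 2025-09-01 10:07:30.000|ImageLoaded: C:\\Windows\\Temp\\svc.sys"
    "|Signed: false|Signature: |SignatureStatus: Unavailable",
]


def parse_event(line):
    """Split one flat event line into a {field: value} dict."""
    return {k.strip(): v.strip() for k, v in (f.split(":", 1) for f in line.split("|"))}


def classify(event):
    """Return the reasons a driver load looks like BYOVD; an empty list means no finding."""
    path = event.get("ImageLoaded", "")
    name = PureWindowsPath(path).name.lower()
    signer = event.get("Signature", "").lower()
    reasons = []
    for family, shipped in VULNERABLE_DRIVER_FAMILIES.items():
        if family in signer:  # abusable driver family, whether or not the file was renamed
            how = "renamed copy" if name not in shipped else "original file name"
            reasons.append(f"known-vulnerable {family} driver loaded as {how}: {name}")
    if any(d in path.lower() for d in USER_WRITABLE_DIRS):
        reasons.append(f"driver loaded from user-writable location: {path}")
    if event.get("Signed", "").lower() != "true" or event.get("SignatureStatus") != "Valid":
        reasons.append("driver signature missing or invalid")
    return reasons


def scan(lines):
    """Classify every event; return [(UtcTime, file name, reasons)] for the ones that hit."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if reasons := classify(ev):
            hits.append((ev["UtcTime"], PureWindowsPath(ev["ImageLoaded"]).name, reasons))
    return hits
```

In production the watchlist would be populated from a maintained vulnerable-driver list (signer plus hash) rather than a single hand-written entry, and the events would come from the Sysmon channel rather than an inline list.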
Sophos analysts have identified the group's sophisticated operational security measures. GOLD SALEM operates through a double-extortion model, utilizing a Tor-based data leak site to publish stolen victim data. The data leak site features a professional presentation and victim categorization.
GOLD SALEM targets a diverse range of victims, from small commercial entities to large multinational corporations. They have targeted 60 organizations across North America, Europe, and South America. Notably, they avoided targets in China and Russia, but a Russian electricity generation services company was listed on their data leak site in September 2025.
Microsoft tracks this group as Storm-2603 and suggests they operate from China, but attribution remains inconclusive. GOLD SALEM recruits initial access brokers, indicating either direct intrusion capabilities or the development of a ransomware-as-a-service model.
The group maintains countdown timers for each victim, typically allowing 12-14 days for ransom payment before data publication. As of September 2025, they claim to have sold data from 45% of their victims to private buyers, though these figures may be inflated for psychological impact.
GOLD SALEM's toolkit includes Mimikatz for credential extraction, PsExec and Impacket for lateral movement, and Group Policy Object abuse for ransomware deployment across network endpoints. The group employs the ToolShell exploit chain targeting SharePoint servers for initial network compromise.
As with any ransomware attack, the best defence is a strong offence. Regularly updating software, using robust security measures, and educating employees about the risks of phishing and other social engineering tactics can help protect against GOLD SALEM and other ransomware threats.