GOLD SALEM

Search IOCs, vulnerabilities, APT…

216.73.216.6

← Back to intrusion sets

· Published 21/12/2025 16:13 · Modified 21/12/2025 16:13 · Source: AlienVault

Essential information

Confidence: 100/100
Published: 21/12/2025 16:13
Modified: 21/12/2025 16:13
Updated at: 21/12/2025 16:13
Revoked: No
Author / Source: AlienVault
Resource level: —
Primary motivation: —
Related entities: 2 reports, 25 attack patterns (mitre), 4 malware, 10 sectors, 3 countries, 15 indicators, 5 vulnerabilities (cve)

Description

No description.

Marking (TLP)

TLP:CLEAR

Related entities

Attack patterns, malware, vulnerabilities, indicators and other entities linked to this intrusion set.

Reports (2)

GOLD SALEM tradecraft for deploying Warlock ransomware

16 MITREs 4 Malwares 13 Observables 1 APT
Warlock operation joins busy ransomware landscape

5 CVEs 7 MITREs 1 Malware 2 Observables 1 APT

Attack patterns (MITRE) (25)

T1490 uses

Inhibit System Recovery MITRE
T1190 uses

Exploit Public-Facing Application MITRE
T1021.002 uses

SMB/Windows Admin Shares MITRE
T1105 uses

Ingress Tool Transfer MITRE
T1059.003 uses

Windows Command Shell MITRE
T1574.002 uses

MITRE
T1574.008 uses

Path Interception by Search Order Hijacking MITRE
T1003.001 uses

LSASS Memory MITRE
T1055 uses

Process Injection MITRE
T1570 uses

Lateral Tool Transfer MITRE
T1489 uses

Service Stop MITRE
T1036 uses

Masquerading MITRE

← Previous

Page / 3

1–12 of 25

Babyk uses

Family
Babuk - S0638 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Warlock uses

Family
LockBit uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·

Sectors (10)

Defense targets
Transportation targets
Technology targets
Manufacturing targets
Government targets
Aerospace targets
Energy targets
Telecommunications targets
Retail targets
Construction targets

Countries (3)

Taiwan targets
United States of America targets
Russian Federation targets

Indicators (15)

00714292822d568018bb92270daecdf243a2ca232189677d27e38d632bfd68be indicates

stix 100/100

· Valid until 07/12/2026 · Source: AlienVault
5a56319605f60380b52aecba1f1ee6026c807d55026b806a3b6585d5ba5931bd indicates

stix 100/100

· Valid until 07/12/2026 · Source: AlienVault
34b2a6c334813adb2cc70f5bd666c4afbdc4a6d8a58cc1c7a902b13bbd2381f4 indicates

stix 100/100

· Valid until 07/12/2026 · Source: AlienVault

← Previous

Page / 2

13–15 of 15

Vulnerabilities (CVE) (5)

CVE-2025-53771 targets

6.5 Medium

Improper limitation of a pathname to a restricted directory ('path traversal') in Microsoft Office SharePoint allows an authorized attacker to perform spoofing …

Attack vector: NETWORK
Published: 21/07/2025
Modified: 21/12/2025

Received

CVE-2025-49706 KEV targets

6.5 Medium

Microsoft SharePoint contains an improper authentication vulnerability that allows an authorized attacker to perform spoofing over a network. Successfully exploitation could allow …

Attack vector: Network
Published: 22/07/2025
Modified: 21/12/2025

CVE-2025-49704 KEV targets

8.8 High

Microsoft SharePoint contains a code injection vulnerability that could allow an authorized attacker to execute code over a network. This vulnerability could …

Attack vector: Network
Published: 22/07/2025
Modified: 21/12/2025

CVE-2024-51324 targets

3.8 Low

An issue in the BdApiUtil driver of Baidu Antivirus v5.2.3.116083 allows attackers to terminate arbitrary process via executing a BYOVD (Bring Your …

Attack vector: NETWORK
Published: 11/02/2025
Modified: 21/12/2025

Awaiting Analysis

CVE-2025-53770 KEV targets

9.8 Critical

Deserialization of untrusted data in on-premises Microsoft SharePoint Server allows an unauthorized attacker to execute code over a network. Microsoft is aware …

Attack vector: Network
Published: 20/07/2025
Modified: 21/12/2025

Analyzed

Contact About Legal notice Privacy policy Terms of use