216.73.217.22

GOLD SALEM tradecraft for deploying Warlock ransomware

· Published 11/12/2025 12:06 · Modified 21/12/2025 18:59

Export JSON

Essential information

Published
11/12/2025 12:06
Modified
21/12/2025 18:59
Tags
2025-12-11 cybercrime lockbit ransomware velociraptor warlock
Related entities
13 observables, 1 intrusion sets (apt), 16 techniques (mitre), 4 malware, 10 others

Description

This analysis examines the evolving tactics of the GOLD SALEM group in deploying over a six-month period across 11 incidents. The group exploited SharePoint vulnerabilities for initial access and utilized tools like , VMTools AV killer, and Cloudflared for various attack stages. They targeted multiple sectors, with a focus on IT, industrial, and technology. The group used , , and Babuk variants, often naming executables after victim organizations. Evidence suggests possible Chinese origins, though the group appears primarily financially motivated. GOLD SALEM demonstrated advanced technical abilities, including zero-day exploitation and repurposing of legitimate tools.

Related entities

Vulnerabilities, IOCs, intrusion sets, MITRE techniques and other entities referenced in this report.

Observables (13)

  • ea8c8f834523886b07d87e85e24f124391d69a738814a0f7c31132b6b712ed65
  • a3b061300d6aee6f8c6e08c68b80a18a8d4500b66d0d179b962fd96f41dc2889
  • 00714292822d568018bb92270daecdf243a2ca232189677d27e38d632bfd68be
  • 2695e26637dbf8c2aa46af702c891a5a154e9a145948ce504db0ea6a2d50e734
  • c8a8c7e21136a099665c2fad9accb41152d129466b719ea71678bab665e03389
  • 85844ae7394f2cf907b6378b415e77f7e29069c7e791598cf0985adf4f53320e
  • 34b2a6c334813adb2cc70f5bd666c4afbdc4a6d8a58cc1c7a902b13bbd2381f4
  • 5a56319605f60380b52aecba1f1ee6026c807d55026b806a3b6585d5ba5931bd
  • 66a01192355a1ee15a0ceafacbf3bf83148813f67ba24bdfc5423e4fcb4e744f
  • ea4a453be116071ab1ccbd24eb8755bf0579649f41a7b94ab9e68571bb9f4a1e
  • 649bdaa38e60ede6d140bd54ca5412f1091186a803d3905465219053393f6421
  • c70fafe5f9a3e5a9ee7de584dd024cb552443659f06348398d3873aa88fd6682
  • 67687b54f9cfee0b551c6847be7ed625e170d8bb882f888e3d0b22312db146cd

Intrusion sets (APT) (1)

  • GOLD SALEM
    AlienVault Confidence 100
    First seen 01/01/1970 · Last seen 16/11/5138 Published 21/12/2025 16:13 · Modified 21/12/2025 16:13

Techniques (MITRE) (16)

  • T1003
    OS Credential Dumping
  • T1078
    Valid Accounts
  • T1489
    Service Stop
  • T1036
    Masquerading
  • T1055
    Process Injection
  • T1573
    Encrypted Channel
  • T1490
    Inhibit System Recovery
  • T1486
    Data Encrypted for Impact
  • T1027
    Obfuscated Files or Information
  • T1569
    System Services
  • T1190
    Exploit Public-Facing Application
  • T1574.002
  • T1133
    External Remote Services
  • T1071
    Application Layer Protocol
  • T1140
    Deobfuscate/Decode Files or Information
  • T1567
    Exfiltration Over Web Service

Malware (4)

  • Babuk - S0638
    Family
    Published 20/03/2026 08:24 · Modified 20/03/2026 08:24
  • LockBit
    Family
    Published 06/05/2026 10:26 · Modified 06/05/2026 10:26
  • Vasa Locker
    Family
    Published 20/03/2026 08:24 · Modified 20/03/2026 08:24
  • Warlock
    Family
    Published 10/02/2026 16:59 · Modified 10/02/2026 16:59

Others (10)

  • Taiwan
  • Russian Federation
  • Energy
  • Manufacturing
  • Transport
  • Telecommunications
  • Government and administrations
  • Defense
  • Technologies
  • Air transport

External references