Warlock operation joins busy ransomware landscape
Essential information
- Published: 17/09/2025 17:43
- Modified: 17/09/2025 18:25
- Tags: 2025-09-17, CVE-2024-51324, CVE-2025-49704, CVE-2025-49706, CVE-2025-53770, CVE-2025-53771, credential-theft, dedicated leak site, edr bypass, lateral movement, ransomware, sharepoint exploitation, warlock, warlock group
- Related entities: 5 vulnerabilities (cve), 2 observables, 1 intrusion set (apt), 7 techniques (mitre), 1 malware, 6 others
Description
GOLD SALEM, also known as Warlock Group, has emerged as a significant player in the ransomware landscape since March 2025. The group has compromised networks across North America, Europe, and South America, targeting organizations ranging from small entities to large corporations. GOLD SALEM operates a Tor-based dedicated leak site, where it publishes victim data and claims to sell information to private buyers. The group's tactics include exploiting SharePoint vulnerabilities, using web shells for initial access, and employing tools such as Mimikatz for credential theft. It has also been observed bypassing EDR systems and abusing legitimate tools for malicious purposes. The group's tradecraft indicates operational competence, and there are potential links to China-based actors, although this attribution remains unconfirmed.