{
  "name": "Warlock operation joins busy ransomware landscape",
  "slug": "warlock-operation-joins-busy-ransomware-landscape",
  "description": "GOLD SALEM, also known as Warlock Group, has emerged as a significant player in the ransomware landscape since March 2025. The group has compromised networks across North America, Europe, and South America, targeting organizations ranging from small entities to large corporations. GOLD SALEM operates a Tor-based dedicated leak site on which it publishes victim data and claims to sell stolen information to private buyers. Its tradecraft includes exploiting the SharePoint vulnerabilities tagged in this report (CVE-2025-49704, CVE-2025-49706, CVE-2025-53770 and CVE-2025-53771) against public-facing servers for initial access, deploying web shells on the compromised servers for follow-on access, and using tools such as Mimikatz for credential theft before moving laterally over SMB/admin shares and encrypting data. The group has also been observed bypassing or disabling EDR tooling and abusing legitimate administrative tools for malicious purposes, so defenders should not rely on EDR alerting alone and should patch exposed SharePoint servers and hunt them for web shells. These activities indicate a capable operator; there are indications of possible links to China-based actors, but that attribution remains unconfirmed.",
  "published": "2025-09-17T15:43:11+00:00",
  "created_at": "2025-09-17T15:43:11+00:00",
  "modified_at": "2025-09-17T16:25:47+00:00",
  "created_at_opencti": "2025-09-17T15:43:11+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2025-09-17",
    "CVE-2024-51324",
    "CVE-2025-49704",
    "CVE-2025-49706",
    "CVE-2025-53770",
    "CVE-2025-53771",
    "credential-theft",
    "dedicated leak site",
    "edr bypass",
    "lateral movement",
    "ransomware",
    "sharepoint exploitation",
    "warlock",
    "warlock group"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "996c7bcec3c12c3462220fc2c19d61ccc039005ef5e7c8fabc0b34631a31abb1"
      },
      {
        "id": "",
        "name": "a204a48496b54bcb7ae171ad435997b92eb746b5718f166b3515736ee34a65b4"
      }
    ],
    "malware": [
      {
        "id": "legacy:malware:842afdeebd66b34b",
        "name": "Warlock",
        "slug": "warlock"
      }
    ],
    "intrusion_sets": [
      {
        "id": "dc7775de-916b-4b48-8ef2-d05aecf2b180",
        "name": "GOLD SALEM",
        "slug": "gold-salem"
      }
    ],
    "attack_patterns": [
      {
        "id": "5d2af906-6187-4702-ab9f-590fbe5b1ca3",
        "name": "T1021.002"
      },
      {
        "id": "beaa4978-0309-438b-a45e-ec566b643811",
        "name": "T1505.003"
      },
      {
        "id": "6b2e0999-c7e8-4662-94ac-19aa8520ee46",
        "name": "T1059.003"
      },
      {
        "id": "7364ca96-72bf-4b7f-afef-ce2583b1ed58",
        "name": "T1562.001"
      },
      {
        "id": "f1bb7823-4f4b-4565-b472-bf0cfca467b1",
        "name": "T1486"
      },
      {
        "id": "cbd87c8c-3bed-461a-acef-56ffc8b87571",
        "name": "T1105"
      },
      {
        "id": "6c8f8a40-2746-4a37-86bd-81e82afa6e62",
        "name": "T1190"
      }
    ],
    "vulnerabilities": [
      {
        "id": "",
        "name": "CVE-2025-53771"
      },
      {
        "id": "",
        "name": "CVE-2025-53770"
      },
      {
        "id": "",
        "name": "CVE-2025-49706"
      },
      {
        "id": "",
        "name": "CVE-2025-49704"
      },
      {
        "id": "",
        "name": "CVE-2024-51324"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "United States of America"
      },
      {
        "id": "",
        "name": "Russian Federation"
      },
      {
        "id": "",
        "name": "Commercial"
      },
      {
        "id": "",
        "name": "Construction"
      },
      {
        "id": "",
        "name": "Energy"
      },
      {
        "id": "",
        "name": "Government"
      }
    ]
  },
  "external_refs": [
    "https://news.sophos.com/en-us/2025/09/17/gold-salems-warlock-operation-joins-busy-ransomware-landscape",
    "https://otx.alienvault.com/pulse/68caf32f9257e8264fc9c0b3"
  ]
}