GOLD SALEM tradecraft for deploying Warlock ransomware

In mid-August 2025, Counter Threat Unit™ (CTU) researchers identified the use of the legitimate Velociraptor digital forensics and incident response (DFIR) tool in likely ransomware precursor activity. Subsequent investigation and analysis of events in customer environments led CTU™ researchers to assess with high confidence that these incidents occurred with intent to deploy Warlock ransomware, which is operated by the GOLD SALEM cybercrime group.

CTU analysis suggests that GOLD SALEM began deploying ransomware and extorting victims around March 2025. However, it came to prominence in July 2025 when Microsoft observed a threat group that had been involved in Warlock ransomware deployments abuse the chained exploitation of zero-day vulnerabilities (collectively known as ToolShell) in on-premises SharePoint instances to gain access to networks. Microsoft attributed this activity with moderate confidence to a China-based threat group it calls Storm-2603, which CTU researchers track as GOLD SALEM.

Using indicators associated with Warlock ransomware activity, CTU researchers identified multiple GOLD SALEM intrusions over a four-month period that resulted in the attempted deployment of ransomware (see Table 1).

Table 1: GOLD SALEM incidents involving attempted ransomware deployment

The use of common tactics, techniques and procedures (TTPs) and tools observed across these incidents also allowed CTU researchers to identify five additional compromises that involved GOLD SALEM conducting ransomware precursor activity (see Table 2).

Table 2: Incidents involving likely Warlock ransomware precursor activity

Initial access

In most of the Warlock incidents CTU researchers identified, there was insufficient evidence to determine the initial access vector (IAV) the attackers used to compromise victims’ environments. In four incidents, the threat actors exploited SharePoint vulnerabilities to gain access. In one of the July intrusions, GOLD SALEM used the ToolShell exploit chain to gain access after public exploit code was made available on GitHub. Although CTU researchers were unable to determine the full details of the attack, the victim was subsequently listed on the Warlock leak site.

In one of the August intrusions, SharePoint initiated an execution chain that spawned an msiexec process and resulted in the deployment of Velociraptor (v2.msi) from an attacker-controlled Cloudflare Workers workers[.]dev subdomain (see Figure 1). The same month, Trend Micro also reported the exploitation of SharePoint via this method in a Warlock ransomware intrusion. However, in that case, the attacker did not use Velociraptor or a workers[.]dev domain.

Persistence and credentials access

CTU researchers observed GOLD SALEM creating new administrator accounts for persistence in multiple incidents. In the first three attacks, the threat actor created and used accounts (backupadmin or admin_gpo) with the same password (abcd1234):

c:\\windows\\system32\\cmd.exe /c net user backupadmin abcd1234

In another incident, the threat actor again used a net command to create an administrator account in the victim’s environment to maintain persistence:

%sysdir%\net1 localgroup administrators lapsadmin1 /add

Several minutes later, the attacker ran the following command to identify the LSASS process number. This number can be used to obtain the hashed credentials via the MiniDump function of the native Comsvcs.dll Windows DLL located in the %systemroot%\system32\ directory.

tasklist /v /fo csv | findstr /i "lsass.exe"

In an earlier incident, CTU researchers identified a packed version of the Mimikatz credential harvesting tool that was likely used to conduct similar activity. In August, a tool to dump passwords from Veeam was observed in a single intrusion.

Execution

CTU researchers first observed Velociraptor used as a precursor to likely ransomware deployment in August. Subsequent research identified five additional incidents involving the tool. While Velociraptor is a legitimate, off-the-shelf tool used for digital forensics and incident response, its download from attacker-controlled infrastructure indicates malicious use.

In four of the incidents, Velociraptor (v2.msi) was downloaded from a host in the qaubctgg[.]workers[.]dev domain. In the fifth incident, which occurred in early September, a file named v3.msi was downloaded from a different workers[.]dev domain (qgtxtebl[.]workers[.]dev). This file was also Velociraptor.

In the first identified Velociraptor incident, the tool was configured to communicate with a server located at velo[.]qaubctgg[.]workers[.]dev. The tool was then used to execute Visual Studio Code (VS Code) (code.exe) with the tunnel option enabled. It did this after first downloading the file from the same workers[.]dev domain using an encoded PowerShell command before installing it as a service and redirecting the output to a log file (see Figure 2).

VS Code was also observed in two of the other incidents, one of which occurred as early as May 2025. In that incident, the filename for the application was vscode.exe instead of code.exe.

Defense evasion

Across four incidents, CTU researchers observed the threat actor use an antivirus (AV) and endpoint detection and response (EDR) agent killer named vmtools.exe or other variations. Trend Micro’s Warlock report also described the use of a tool named vmtools.exe to kill EDR processes.

In three incidents, the attacker imported and used two drivers (rsndispot.sys and kl.sys) alongside vmtools.exe to attempt to disable EDR solutions in a Bring Your Own Vulnerable Driver (BYOVD) attack. Metadata analysis of the rsndispot.sys file shows the driver’s original name as rspot.sys and indicates that it is digitally signed by a Chinese company named Beijing Rising Network Security Technology Co Ltd, which specializes in cybersecurity and AV products. In another incident, kl.sys was used alongside a driver called ServiceMouse.sys and a file named VMTools-Eng.exe to evade detection.

The use of these drivers in BYOVD attacks is not widely reported. However, a September 2024 Sophos report describing Chinese state-sponsored cyberespionage activity tracked as Crimson Palace noted rsndispot.sys and kl.sys deployed alongside a keylogging tool to disable EDR solutions. Additionally, a July 2025 Check Point report on early GOLD SALEM activity described how a tool named VMToolsEng.exe used a vulnerable driver named ServiceMouse.sys to disable AV solutions.

In two of the Warlock incidents, CTU researchers also observed possible DLL side-loading of Java processes via the legitimate Java Launcher Interface file (jli.dll), although it was not possible to confirm this activity from the available data. This legitimate DLL is included with the Java Runtime Environment. Third-party reports describe its abuse by multiple threat groups in side-loading attacks.

Command and control (C2) infrastructure

GOLD SALEM attempted to establish C2 communications through the deployment of VS Code in tunnel mode. In one incident, CTU researchers also observed the Cloudflared tunneling tool downloaded via the same method that delivered Velociraptor: the w3wp.exe SharePoint process spawned msiexec.exe, which downloaded and attempted to install the tool (cf.msi in this instance) from qaubctgg[.]workers[.]dev. It was not clear if this deployment was successful. Cloudflared is a widely used tool that Sophos researchers also observed in the Crimson Palace espionage campaign.

Tool staging

In the early observed Warlock intrusions, CTU researchers were not able to establish the method by which GOLD SALEM deployed tools to victims’ environments. However, after it began using Velociraptor in August, the group almost exclusively relied on workers[.]dev domains to stage tools for retrieval into compromised environments. On one occasion, the group also downloaded Velociraptor from a Microsoft Azure blob storage URL (hxxps://stoaccinfoniqaveeambkp[.]blob[.]core[.]windows[.]net/veeam/v2.msi).

In five of the analyzed incidents, the attacker downloaded files and tools from various subdomains of qaubctgg[.]workers[.]dev. This tool-staging server was accessible as an open directory, so CTU researchers were able to enumerate the contents. In addition to the Velociraptor installer (v2.msi), VS Code application (code.exe) and Cloudflared tunneling tool (cf.msi), tools available for download from this location included the MinIO Client (Linux and Windows versions), Radmin Server for remote access and administration, an OpenSSH installer to create remote SSH sessions, and the SecurityCheck utility (sc.msi) (see Table 3).

Table 3: Contents of tool-staging server hosted at files[.]qaubctgg[.]workers[.]dev

In an early September incident, CTU researchers observed a change. Two files (v3.msi and ssh.msi) were downloaded into a customer environment from a new workers[.]dev domain (royal-boat-bf05[.]qgtxtebl[.]workers[.]dev). Analysis confirmed that v3.msi is another version of the Velociraptor tool and ssh.msi is the OpenSSH installer.

The qgtxtebl[.]workers[.]dev domain was inaccessible, so CTU researchers could not analyze its contents. However, this domain also hosted files named cf.msi and sc.msi, according to VirusTotal. The presence of these files at this location strongly suggests that GOLD SALEM has shifted its tool-staging folder to a new domain. The certificate for this domain indicates that it was created on August 29, 2025, three days after CTU researchers published a blog post on GOLD SALEM’s use of Velociraptor. It is possible that the group adapted to continue operations.

Impact

CTU researchers observed GOLD SALEM use three ransomware variants in these compromises: Warlock, LockBit, and Babuk. The group routinely names its ransomware executables and other malware after the compromised organization.

Warlock is likely based on the code from the leaked LockBit 3.0 builder. Warlock typically adds the .x2anylock extension to encrypted files but has occasionally added the .xlockxlock extension. Ransomware deployment in one early incident was detected as LockBit, but encrypted files had the .x2anylock extension and delivered a ransom note associated with Warlock (see Figure 3). In another incident, both Warlock and LockBit 3.0 ransomware were deployed in the same environment.

Figure 3: Ransom note (“how to decrypt my data.log”) that followed Warlock deployment

In their Warlock analysis, Trend Micro researchers concluded that the observed variant was based on the leaked LockBit 3.0 code. Trend Micro and other third parties such as Microsoft also reported the group deploying LockBit in ransomware intrusions.

GOLD SALEM members have links to the LockBit ransomware as a service (RaaS) operated by GOLD MYSTIC. Chat logs leaked from a LockBit panel in May 2025 revealed details of affiliate accounts, which included qTox IDs as contact details. An affiliate known as ‘wlteaml’, who was the last to register with the LockBit panel before the contents were leaked, was linked to a qTox ID that CTU researchers observed in the Warlock ransom note. This ID is also listed on the contacts page of the Warlock leak site (see Figure 4).

Figure 4: Contact details posted on the Warlock leak site

In one incident, CTU researchers observed GOLD SALEM using Babuk ransomware to encrypt VMware ESXi servers. Third-parties have reported similar observations. Despite deploying their typical suite of tools and tactics in this incident, the threat actors delivered a ransom note with a different layout and qTox ID (see Figure 5).

Another Warlock ransomware deployment involved a different and more verbose ransom note containing yet another qTox ID (see Figure 6). This note was the first time that the threat actors explicitly referred to themselves as “Warlock Group”.

Figure 6: Ransom note containing the ‘Warlock Group’ name

Although the use of different notes is unusual, the FAQ page on the Warlock leak site indicates that the listed qTox IDs are for “technical cooperation and business cooperation” and not for “Warlock customers” requiring decryption assistance. This distinction suggests that details in ransom notes might be inconsistent, and possibly that operations are conducted by affiliates using their own methods of negotiation. However, there is no strong evidence that the Warlock scheme is a RaaS operation despite third-party reports suggesting that it is.

After Warlock deployment, GOLD SALEM lists victims on a dedicated leak site hosted on Tor. It lists victims as tiles with corporate logos or a padlock marked with a “W” (see Figure 7). If the ransom is not paid when the countdown timer expires, the threat actors publicly release the data or claim that it has been sold to a third party.

Victimology

When reviewing the list of Warlock victims, CTU researchers noted organizations that would be of interest to Chinese state-sponsored groups involved in intelligence gathering and cyberespionage. This observation raises the possibility that ransomware deployment could be a cover or a secondary activity to raise money in addition to stealing data. These organizations include telecommunication providers and nuclear energy research companies in Europe, entities engaged in aerospace or advanced technical research in Europe and Taiwan, and government-linked organizations in Southeast Asia. Another notable detail was the presence of victims based in Russia. Russian-speaking ransomware groups traditionally ban targeting of entities in Russia or the Commonwealth of Independent States (CIS), suggesting this group may be operating from a location outside of the jurisdiction or reach of Russian law enforcement.

A comparison of the Warlock victims’ sectors against leak site data for all other ransomware operations over the same period reveals some differences. Organizations in the information technology, industrial, and technology sectors account for 64% of all Warlock ransomware victims (see Figure 8), while these sectors represent just over 40% of the total ransomware victims (see Figure 9).

Figure 9. Sectors impacted across attacks by all ransomware groups from June through August 2025

The difference may indicate that GOLD SALEM focuses on certain organizations, or it might mean that the group’s initial access methodology is more viable in certain sectors due to the common security frameworks deployed. It is therefore possible that GOLD SALEM’s access is opportunistic, like most ransomware groups. While it is viable that random organizations are compromised as a smokescreen for cyberespionage operations, the relatively high rate of victim naming means that opportunistic cybercrime activity would consume a significant proportion of the group’s activity.

Attribution

CTU researchers assess with high confidence the observed incidents were intended to deploy Warlock ransomware. However, it is less clear where the threat actors are based or if a single group is responsible for all attacks. CTU analysis indicates that GOLD SALEM is a financially motivated cybercriminal group, and there is no evidence to suggest government direction or an interest in espionage.

A GOLD SALEM post to the RAMP underground forum in June 2025 sought cooperation from initial access brokers (IABs) in providing potential victims. It is unclear if the group was seeking access to carry out its own intrusions, recruiting affiliates for a nascent RaaS operation, or both. Similarly, the content on the Warlock website suggests its operators are seeking “business collaboration” but does not provide specific details. As of this publication, CTU researchers believe GOLD SALEM runs Warlock as a private ransomware operation without using external affiliates to conduct attacks.

Based on the following evidentiary points, CTU assess with low confidence that GOLD SALEM is at least partially composed of Chinese individuals:

• The use of TTPs common among cybercriminal and state-sponsored Chinese threat groups, such as the use of Cloudflare Workers and misuse of drivers from Chinese security companies Baidu Antivirus and Beijing Rising
• Demonstrated willingness to attack both Russian and Taiwanese entities
• Early exploitation of SharePoint vulnerabilities that overlaps with similar activity Microsoft observed from state-sponsored Chinese threat groups Violet Typhoon (BRONZE VINEWOOD) and Linen Typhoon (BRONZE UNION)

China has had a burgeoning cybercriminal ecosystem that has increasingly shown ambitions outside mainland China throughout the 2020s. There is precedent for an overlap between ostensibly extortion-motivated ransomware campaigns and traditional cyberespionage, as demonstrated by China-based BRONZE STARLIGHT threat group’s use of LockBit and other ransomware families.

Conclusion

GOLD SALEM, or its affiliates, have displayed above-average technical ability in their Warlock ransomware operations. Exploiting a zero-day for access and repurposing the legitimate Velociraptor tool, which has not been previously reported, demonstrate innovation. Despite some apparent focus on specific organizations that would be of interest to Chinese state-sponsored cyberespionage groups, the Warlock victimology shows that any organization could become a victim of GOLD SALEM’s ransomware operations.

Organizations should evaluate whether exposing a SharePoint server to the internet is necessary and should ensure that internet-facing servers are appropriately patched. Broad and comprehensive deployment of AV and EDR solutions have been effective at detecting this threat group’s activity at an early stage of their attacks.

Detections and threat indicators

The following Sophos protections detect activity related to this threat:

• ATK/DonutLdr-B
• Troj/KillAV-MF
• AMSI/VeeamPas-A
• Evade_40a
• Troj/Loader-GX
• Mal/EncPk-HM
• Impact_4c
• Access_3b
• Mal/DwnLd-F

The threat indicators in Table 4 can be used to detect activity related to this threat. The domains and URL may contain malicious content, so consider the risks before opening them in a browser.

Table 4: Indicators for this threat