Since March 2025, a new threat group known as the Warlock Group has been actively compromising networks and deploying its Warlock ransomware. Researchers at the Counter Threat Unit™ (CTU) track this group as GOLD SALEM, and while Microsoft has tentatively identified them as a China-based threat actor, CTU researchers have not yet found enough evidence to confirm this attribution. The group has quickly established itself, with 60 publicly named victims by mid-September 2025, placing it in the middle of the pack compared to other ransomware operations during the same period.
The group’s victims span a wide range of organizations, from small commercial businesses and government entities to large multinational corporations across North America, Europe, and South America. Interestingly, like many other ransomware groups, GOLD SALEM has largely avoided targeting organizations in China and Russia, despite the large number of potential targets in those countries. This pattern was broken, however, on September 8 when the group posted a Russia-based victim on its dedicated leak site (DLS). The target, an engineering services and equipment provider for the electricity generation industry, is notable because the Russian Federation is known to aggressively pursue threat actors who attack domestic organizations. Listing a Russian victim could suggest that GOLD SALEM operates from outside this jurisdiction.
GOLD SALEM’s online presence first appeared in June 2025 on the RAMP underground forum. A representative for the group solicited exploits for common enterprise applications like Veeam, ESXi, and SharePoint, as well as tools to bypass endpoint detection and response (EDR) systems. The group also sought to partner with initial access brokers (IABs), who provide them with a way into a victim’s network. It’s unclear whether GOLD SALEM was seeking to conduct its own intrusions, recruit affiliates for a new ransomware-as-a-service (RaaS) operation, or both.
The group operates a Tor-based DLS where it publishes the names of victims and data it has allegedly stolen. As of September 16, data from 19 of the 60 listed victims (32%) had been posted. The threat actors also claim to have sold data from another 27 victims (45%) to private buyers, possibly after the victims failed to pay the ransom. While cybercriminal groups sometimes sell stolen data, GOLD SALEM’s claims are likely exaggerated. The group has also posted the names of victims that were compromised by other ransomware operations. This can happen when an IAB sells access to multiple threat actors, an affiliate posts stolen data to multiple leak sites, or a victim fails to properly secure their network after an initial breach, leading to repeated compromises. For example, a U.S.-based construction contractor allegedly breached by GOLD SALEM in June 2025 had previously been a victim of other ransomware groups in October 2024 and June 2025.
Data published by GOLD SALEM and metadata from their DLS suggest the group began its attacks and extortion campaigns in March 2025. On June 10, they announced the Warlock ransomware on the RAMP forum and included a link to their first DLS. This initial site was taken down the next day, and a new one didn’t appear until late July. GOLD SALEM tends to post victims to the DLS in batches, often days or even weeks after the actual compromise. Each victim is assigned a “countdown” date—typically 12-14 days after they appear on the DLS—which serves as the deadline for paying the ransom.
Reference:
