Intel Name: GOLD SALEM tradecraft for deploying Warlock ransomware
Date of Scan: December 16, 2025
Impact: High
Summary:
In mid-August 2025, researchers observed misuse of the legitimate Velociraptor DFIR tool as part of suspected ransomware precursor activity. Further investigation across customer environments indicated with high confidence that the intent was to deploy Warlock ransomware. Warlock is operated by the cybercrime group tracked as GOLD SALEM. This group has gained initial network access by chaining the exploitation of zero-day vulnerabilities in on-premises SharePoint instances, an exploit chain collectively known as ToolShell. Microsoft attributed this activity with moderate confidence to a China-based group it names Storm-2603, which is also tracked as GOLD SALEM.
More Details