GOLD SALEM
SUMMARY
GOLD SALEM (also known as Storm-2603) is a financially motivated cybercriminal threat group that calls itself Warlock Group and is responsible for distributing the Warlock ransomware. GOLD SALEM likely began intrusions with the intent to extort victims in March 2025. In June 2025, a persona associated with Warlock Group posted on an underground forum seeking to recruit affiliates to spread Warlock. Through August 2025, GOLD SALEM had published the names of 48 purported victims to its dedicated leak site (DLS). The group claims to sell the data to other threat actors in lieu of receiving ransom payments directly from victims.
GOLD SALEM has been observed using the Microsoft SharePoint ToolShell exploit chain to gain initial access to victims. The group achieves persistence by placing ASPX web shells, which allow execution of Mimikatz for credential recovery. For lateral movement within compromised environments, GOLD SALEM has been observed using PsExec and Impacket (WMI). The Warlock ransomware payload is deployed through a Group Policy Object (GPO), with the executable frequently named after the intended victim.
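The behaviours in this summary map onto process-creation telemetry that a defender can triage. The sketch below is an added example, not part of the original profile or any vendor tooling: the events are constructed, and the event field names, rule names, host names and the SYSVOL launch path are assumptions.

```python
import ntpath
import re

# Constructed process-creation events (parent image, image, command line); not real telemetry.
SAMPLE_EVENTS = [
    {"host": "SP01", "parent": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmd": r"cmd.exe /c whoami"},
    {"host": "FS02", "parent": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\PSEXESVC.exe", "cmd": r"C:\Windows\PSEXESVC.exe"},
    {"host": "FS03", "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmd": r"cmd.exe /Q /c hostname 1> \\127.0.0.1\ADMIN$\__1755000000.12 2>&1"},
    {"host": "WS10", "parent": r"C:\Windows\System32\gpscript.exe",
     "image": r"\\corp.example\SYSVOL\corp.example\scripts\examplecorp.exe",
     "cmd": r"\\corp.example\SYSVOL\corp.example\scripts\examplecorp.exe"},
    {"host": "WS11", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe", "cmd": "notepad.exe"},
]

SHELLS = {"cmd.exe", "powershell.exe"}
# Impacket's wmiexec redirects command output to a temp file on the local ADMIN$ share.
WMIEXEC_OUT = re.compile(r"\\\\127\.0\.0\.1\\ADMIN\$\\__\d+", re.I)

def base(path):
    """Lower-cased file name of a Windows path, regardless of the analysis host's OS."""
    return ntpath.basename(path).lower()

def from_sysvol(image):
    """Executable launched from a domain SYSVOL share (assumed GPO delivery path)."""
    p = image.lower()
    return p.startswith("\\\\") and "\\sysvol\\" in p and p.endswith(".exe")

RULES = [
    # IIS worker spawning a command interpreter: typical of ASPX web shell use.
    ("webshell_child_process",
     lambda e: base(e["parent"]) == "w3wp.exe" and base(e["image"]) in SHELLS),
    # PsExec's remote service binary running on the target host.
    ("psexec_service", lambda e: base(e["image"]) == "psexesvc.exe"),
    # WMI provider host spawning cmd.exe with wmiexec-style output redirection.
    ("impacket_wmiexec_output",
     lambda e: base(e["parent"]) == "wmiprvse.exe" and WMIEXEC_OUT.search(e["cmd"]) is not None),
    ("exe_run_from_sysvol", lambda e: from_sysvol(e["image"])),
]

def triage(events):
    """Return (host, rule) pairs for every rule an event matches, in event order."""
    return [(e["host"], name) for e in events for name, pred in RULES if pred(e)]

if __name__ == "__main__":
    for host, rule in triage(SAMPLE_EVENTS):
        print(f"{host}: {rule}")
```

Each rule on its own produces false positives in real environments (administrators use PsExec, and logon scripts legitimately run from SYSVOL), so the value is in correlating hits across hosts within a short window.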