Analysis of the tradecraft evolution across 6 months and 11 incidents
# Tool/Technique: Velociraptor
## Overview
Velociraptor is a legitimate digital forensics and incident response (DFIR) tool observed being utilized by the threat actor GOLD SALEM in the precursor phase leading up to Warlock ransomware deployment against victim networks.
## Technical Details
- Type: Tool (DFIR/Legitimate Tool Used Maliciously)
- Platform: Likely Windows, as it is used in enterprise environments targeted by GOLD SALEM.
- Capabilities: Digital forensics and incident response capabilities, leveraged here for reconnaissance or initial post-exploitation activities.
- First Seen: Identified in incidents around August 2025.
## MITRE ATT&CK Mapping
*Note: Since Velociraptor is a legitimate tool, the mapping reflects how GOLD SALEM likely uses it.*
- T1046 - Network Service Scanning
- T1046.003 - Network Service Scanning: Local Network Service Scanning
- T1082 - System Information Discovery
- T1016 - System Network Configuration Discovery
## Functionality
### Core Capabilities
- Used as part of the playbook preceding the deployment of Warlock ransomware.
- Observed alongside other legitimate tools like VS Code.
### Advanced Features
- After initial access, Velociraptor's collection and query features are used to gather intelligence on the compromised environment ahead of targeted ransomware deployment.
## Indicators of Compromise
- File Hashes: [Information not provided in the excerpt]
- File Names: [Not specifically listed for Velociraptor execution artifacts, but its presence is an IOC]
- Registry Keys: [Information not provided in the excerpt]
- Network Indicators: [Information not provided for Velociraptor C2, though Cloudflared tunneling tool was used separately.]
- Behavioral Indicators: Execution alongside VS Code and Cloudflared tunneling tool in the context of precursor activity.
## Associated Threat Actors
- GOLD SALEM (also tracked as Storm-2603 by Microsoft)
## Detection Methods
- Signature-based detection: highly dependent on known Velociraptor artifacts; otherwise rely on behavioral monitoring.
- Behavioral detection: monitoring for the execution of DFIR tools in unusual contexts or by unauthorized processes.
- YARA rules: rules specific to Velociraptor artifacts would be relevant.
## Mitigation Strategies
- Application whitelisting to restrict execution of legitimate but potentially misusable tools.
- Monitoring for the execution of DFIR tools outside of approved security operations timelines or by non-security related processes.
## Related Tools/Techniques
- VS Code
- Cloudflared tunneling tool
***
# Tool/Technique: Warlock Ransomware
## Overview
Warlock is the final payload ransomware deployed by the GOLD SALEM cybercrime group. Its deployment follows extensive precursor activity observed over several months.
## Technical Details
- Type: Malware family (Ransomware)
- Platform: Windows (Inferred from typical enterprise targets and standard ransomware operation)
- Capabilities: Encryption of victim files, followed by a ransom note demanding payment.
- First Seen: GOLD SALEM began deploying ransomware around March 2025.
## MITRE ATT&CK Mapping
- T1486 - Data Encrypted for Impact
## Functionality
### Core Capabilities
- Encryption of data on compromised systems.
- Drops a ransom note containing extortion details.
### Advanced Features
**Ransom Note Variations:**
- Initial notes contained qTox IDs (1 and 2) and ProtonMail addresses.
- Later variants used qTox ID 3.
- Specific ransom note filenames observed: `How to decrypt my data.log`, `how to decrypt my data.txt`.
- File extensions observed: `.x2anylock` and `.xlockxlock`.
## Indicators of Compromise
- File Hashes: [Information not provided in the excerpt]
- File Names: Ransom notes observed with specific names (listed above). Final encrypted files use extensions like `.x2anylock` or `.xlockxlock`.
- Registry Keys: [Information not provided in the excerpt]
- Network Indicators: C2 information for prior stages (e.g., qaubctgg[.]workers[.]dev) might relate to command and control, but specific Warlock C2 is not detailed.
- Behavioral Indicators: Final execution stage following reconnaissance and credential access techniques.
## Associated Threat Actors
- GOLD SALEM (Storm-2603)
## Detection Methods
- Signature-based detection: signatures for the observed file extensions (`.x2anylock`, `.xlockxlock`) or known ransomware binaries.
- Behavioral detection: mass file renaming/encryption activity.
- YARA rules: rules targeting identified ransom note text or structures.
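As an added example (not code from the report or from any Warlock analysis), a small Python detector that applies the indicators above to constructed file-event lines: it flags the two Warlock extensions, the two ransom note filenames, and a burst of renames to a Warlock extension within a short window. The event format, the burst threshold and the window length are assumptions.

```python
from collections import defaultdict
WARLOCK_EXTENSIONS = (".x2anylock", ".xlockxlock")   # extensions named in the report
RANSOM_NOTE_NAMES = {"how to decrypt my data.log", "how to decrypt my data.txt"}
BURST_THRESHOLD = 5      # assumed: extension hits per window that count as mass encryption
BURST_WINDOW_SECS = 10   # assumed window length

def parse_event(line):
    # Constructed format '<epoch> <host> <op> <path>'; the path may contain spaces.
    ts, host, op, path = line.split(" ", 3)
    return {"ts": int(ts), "host": host, "op": op, "path": path}

def classify(event):
    """Indicator names matched by a single event (case-insensitive filename match)."""
    name = event["path"].rsplit("\\", 1)[-1].lower()
    hits = []
    if name.endswith(WARLOCK_EXTENSIONS):
        hits.append("warlock_extension")
    if name in RANSOM_NOTE_NAMES:
        hits.append("warlock_ransom_note")
    return hits

def detect(lines):
    """Per-host sorted alert names; adds mass_encryption_burst when BURST_THRESHOLD
    rename/create events with a Warlock extension fall within BURST_WINDOW_SECS."""
    alerts, ext_times = defaultdict(set), defaultdict(list)
    for ev in map(parse_event, lines):
        hits = classify(ev)
        alerts[ev["host"]].update(hits)
        if "warlock_extension" in hits and ev["op"] in ("rename", "create"):
            ext_times[ev["host"]].append(ev["ts"])
    for host, times in ext_times.items():
        times.sort()
        for i, start in enumerate(times):
            # sliding window: count extension hits no later than start + BURST_WINDOW_SECS
            in_window = sum(1 for t in times[i:] if t - start <= BURST_WINDOW_SECS)
            if in_window >= BURST_THRESHOLD:
                alerts[host].add("mass_encryption_burst")
                break
    return {h: sorted(a) for h, a in alerts.items() if a}

SAMPLE_EVENTS = [  # constructed sample telemetry, not from any real incident
    "1000 FS01 rename C:\\Share\\q1.xlsx.x2anylock",
    "1002 FS01 rename C:\\Share\\q2.xlsx.x2anylock",
    "1003 FS01 rename C:\\Share\\plan.docx.x2anylock",
    "1005 FS01 rename C:\\Share\\notes.txt.x2anylock",
    "1007 FS01 rename C:\\Share\\budget.pdf.x2anylock",
    "1008 FS01 create C:\\Share\\How to decrypt my data.log",
    "1100 WS22 rename C:\\Users\\a\\draft.docx",
    "1200 WS31 rename C:\\Users\\b\\old.zip.xlockxlock",
]
```

Running `detect(SAMPLE_EVENTS)` raises all three alert types for FS01, only the extension hit for WS31, and nothing for WS22.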
## Mitigation Strategies
- Robust backups (tested and offline).
- EDR solutions focused on detecting mass file modification.
- Restricting initial access vectors (e.g., patching SharePoint).
## Related Tools/Techniques
- LockBit 3.0 (Used in earlier GOLD SALEM attempts)
- Babuk (Observed in one incident)
***
# Tool/Technique: ToolShell Exploitation of SharePoint
## Overview
ToolShell refers to the chained exploitation of zero-day vulnerabilities in on-premises SharePoint instances used by GOLD SALEM to gain initial access to victim networks.
## Technical Details
- Type: Technique/Exploit Chain (Using zero-day vulnerabilities)
- Platform: On-premises SharePoint instances (Windows Server dependent)
- Capabilities: Initial access, leading to network compromise.
- First Seen: Observed prominently around July 2025.
## MITRE ATT&CK Mapping
- T1190 - Exploit Public-Facing Application
- T1190.004 - Exploit Public-Facing Application: Web Application
## Functionality
### Core Capabilities
- Gaining a foothold within the target network via unpatched SharePoint servers.
### Advanced Features
- Described as a "chained exploitation" of zero-days, implying complex sequencing to achieve remote code execution or web shell deployment.
## Indicators of Compromise
- File Hashes: [Information not provided in the excerpt]
- File Names: [Information not provided in the excerpt]
- Registry Keys: [Information not provided in the excerpt]
- Network Indicators: Exploitation attempts targeting vulnerable SharePoint ports/endpoints.
- Behavioral Indicators: Unusual outbound connections or file drops originating from the SharePoint application process.
## Associated Threat Actors
- GOLD SALEM (Storm-2603)
## Detection Methods
- Signature-based detection: IOCs related to the vulnerability exploitation delivery.
- Behavioral detection: unexpected process creation or file writes originating from the SharePoint service.
- YARA rules: specific signatures related to the ToolShell web shells or initial payloads.
## Mitigation Strategies
- Immediate patching of SharePoint vulnerabilities.
- Network segmentation to isolate public-facing applications.
## Related Tools/Techniques
- SharePoint Vulnerabilities (General class of initial access)