Warlock Group / GOLD SALEM (aka Storm-2603) — Threat Profile

This threat actor profile examines the Warlock ransomware group, tracked as Storm-2603 and GOLD SALEM. Active since March 2025, Warlock exploits Microsoft SharePoint vulnerabilities to gain access, deploy web shells, steal credentials, and spread laterally across enterprise networks. The group uses a Ransomware-as-a-Service model, publishes victim data on a dedicated leak site, and has already targeted telecom, technology, healthcare, and manufacturing sectors across North America and Europe.

    Overview

    Warlock Group — tracked by vendors as GOLD SALEM and by Microsoft as Storm-2603 — is a fast-maturing, financially motivated ransomware operation first observed in March 2025. The group leverages high-impact Microsoft SharePoint vulnerabilities (the “ToolShell” chain) to gain initial access, implants ASPX web shells, harvests credentials (Mimikatz), moves laterally (PsExec, Impacket/WMI), and deploys Warlock ransomware across enterprise networks. Multiple vendors report rapid victim growth, an active dedicated leak site and affiliate recruitment activity. (Secureworks)

    Attribution and Known Aliases

    Microsoft assesses with moderate confidence that the cluster it calls Storm-2603 is China-based; other vendors (Sophos/CTU) track GOLD SALEM but note insufficient public evidence for definitive nation-state attribution. Treat attribution as tentative; prioritize technical detection and containment. (Microsoft)

    Tactics, Techniques, and Procedures Used by Warlock Ransomware Group

    High-level attack chain

    1. Reconnaissance / Targeting — scanning and targeted reconnaissance of Internet-facing on-premises SharePoint servers (ToolPane endpoint checks). (Unit 42)
    2. Initial Access — exploit of on-premises SharePoint vulnerabilities (ToolShell chain: CVE-2025-49704 / CVE-2025-49706 and related CVEs such as CVE-2025-53770/53771) to upload and execute payloads (spinstall0.aspx / ToolShell). (Microsoft)
    3. Execution / Persistence — deploy ASPX web shells (spinstall0.aspx), create scheduled tasks, manipulate IIS and load malicious .NET assemblies to persist. (Microsoft)
    4. Credential Access — memory-scraping via Mimikatz against LSASS to harvest plaintext credentials and NTLM hashes. (Microsoft)
    5. Lateral Movement — PsExec, Impacket (WMI/remote execution), and Windows administrative tooling. (Secureworks)
    6. Collection / Exfiltration — theft of SharePoint MachineKeys and broader data staging; evidence of both public leak site listings and private sale of stolen data. (Unit 42)
    7. Impact (Ransomware/Extortion) — deployment of Warlock ransomware via GPOs or serialized deployment; file encryption and extortion with data leak posting. (Secureworks)

    Known Tooling, Infrastructure, and Indicators of Compromise (IOCs) of Storm-2603 Ransomware Gang

    Malware / Tools observed

    • Warlock ransomware executable (campaign files named after victims during GPO distribution). (Secureworks)
    • ASPX web shells (spinstall0.aspx and variations) used to maintain web-context execution. (Unit 42)
    • Custom .NET modules used to extract SharePoint MachineKeys and exfiltrate them in pipe-delimited responses. (Unit 42)
    • Use of Mimikatz, PsExec, Impacket, PowerShell loaders and encoded commands. (Microsoft)

    Sample IOCs (validate in your own environment before action)

    NOTE: Treat these as starting points for hunting. Confirm via vendor feeds and your telemetry before blocking; some IPs/URLs rotate rapidly. (Unit 42)

    From Unit42 telemetry (exploitation / payload hosting):

    • IPs observed in exploitation/testing: 45.86.231.241, 51.161.152.26, 91.236.230.76, 92.222.167.88. (Unit 42)
    • Payload delivery / associated IPs: 96.9.125.147, 107.191.58.76, 104.238.159.149. (Unit 42)
    • Example malicious payload host (observed loader): hxxps://ice.theinnovationfactory[.]it/static/4l4md4r.exe (145.239.97.206). (Unit 42)

    From Secureworks / Sophos reporting (leak site & victimology):

    • Dedicated leak site and names of victims published (48 victims published through Aug/Sep 2025 in vendor reporting). (Secureworks)

    Victimology, Objectives & Logistics of Storm-2603 Ransomware

    Victim profile. Warlock compromises have impacted a cross-section of sectors — manufacturing, healthcare, higher education, energy and services — with internet-exposed, unpatched SharePoint servers forming a common denominator. Victims span North America and Europe among reported cases. (Unit 42)

    Motivation. Financial extortion (ransom demands) and secondary monetization (selling stolen data to other cybercriminals) — the group advertises affiliate recruitment and lists victims on a leak site for extortion leverage or sale. (Secureworks)

    Operations model. Evidence of affiliate recruitment (forum posts advertising Warlock to potential affiliates) suggests a Ransomware-as-a-Service (RaaS) or semi-affiliate model where operators handle initial access and/or leak operations while affiliates perform distribution. (www.trendmicro.com)

    Incident Response Playbook (concise steps for IR teams)

    1. Detect & Triage — Identify affected SharePoint instances; capture IIS logs, web directories, W3WP memory/coredumps; snapshot VMs for forensic analysis. (Unit 42)
    2. Contain — Isolate compromised web servers from the network (air-gap if possible), disable internet access for impacted hosts, and block C2 domains/IPs. (Unit 42)
    3. Credentials — Immediately rotate service and domain admin credentials; investigate lateral movement paths; force multifactor authentication (MFA) where not already enforced. (Microsoft)
    4. Eradicate — Remove web shells and backdoors; patch and redeploy SharePoint from clean images; harden IIS configuration and rotate ASP.NET machine keys. (Microsoft)
    5. Recover — Restore from validated immutable backups; validate system integrity before reconnecting to production networks. (Secureworks)
    6. Post-Incident — Share IOC/artifacts with industry ISACs and vendor feeds; perform a tabletop to harden detection and patching cadence. (www.trendmicro.com)

    Strategic Recommendations for CISOs

    • Elevate patch management for internet-facing servers. Internet-exposed appliance and application patching must be mission-critical — treat SharePoint servers as high risk. (Microsoft)
    • Assume breach for legacy on-prem platforms. Where on-prem SharePoint cannot be immediately patched, apply compensating controls (network segmentation, Web Application Firewall with specific rules, restrict access via VPN/allow-lists). (Microsoft)
    • Invest in rapid telemetry and logging. Ensure IIS, authentication, and EDR telemetry are retained and actionable; create prebuilt hunts for ToolPane/ASPX indicators. (Unit 42)
    • Coordinate with external partners. Subscribe to vendor TI (Microsoft Defender TI, Secureworks CTU, Unit42) and ensure legal/PR are briefed on extortion/notification scenarios. (Secureworks)

    MITRE ATT&CK Mapping & Technical Details of Storm-2603 Ransomware

    | MITRE ID | Technique | Observed Behavior / Evidence (technical detail) | Detection / Hunting Notes |
    |---|---|---|---|
    | T1190 | Exploit Public-Facing Application | Exploitation of on-premises Microsoft SharePoint CVEs (notably CVE-2025-49704, CVE-2025-49706 and the related ToolShell chain). Attackers upload and execute ASPX payloads (e.g., spinstall0.aspx). | Monitor IIS logs for large/abnormal POSTs to /_layouts/15/ToolPane.aspx and unknown .aspx files in SharePoint virtual directories; correlate with sudden w3wp.exe child process creation. (Microsoft) |
    | T1505.003 | Server Software Component: Web Shells / IIS Assemblies | Persistent ASPX web shells placed in SharePoint web roots; malicious .NET assemblies loaded into the IIS worker process for post-exploit execution and MachineKey access. | File integrity monitoring on SharePoint web directories; detect unknown .aspx files and unusual file creation times; alert on w3wp.exe loading unsigned/unknown .NET assemblies. (Unit 42) |
    | T1003 | OS Credential Dumping (Mimikatz) | Memory scraping of LSASS and credential harvesting using Mimikatz or similar tools to extract plaintext credentials and NTLM hashes for lateral movement. | EDR-based detection for LSASS read attempts and common Mimikatz API calls; enable LSA protection and restrict debug privileges. (Sophos News) |
    | T1021 / T1569 | Remote Services / Lateral Movement (PsExec, Impacket, WMI) | Use of PsExec, Impacket tools and remote WMI/SMB to execute payloads across hosts; abuse of administrative tools for rapid lateral spread and GPO abuse for mass deployment. | Hunt for command lines invoking psexec, wmic, impacket-* binaries; monitor for unusual remote process creation and off-hours administrative activity. (Sophos News) |
    | T1041 | Exfiltration Over C2 (HTTP(S)) | Exfiltration of SharePoint MachineKeys and staged data via HTTP(S) to attacker-controlled hosts; evidence of both public leak site listings and private data sales. | Network egress monitoring: large/regular POSTs to external hosts from SharePoint servers; inspect proxy logs for anomalous multipart/form-data uploads. (Unit 42) |
    | T1486 | Data Encrypted for Impact (Ransomware) | Deployment of “Warlock” ransomware (files renamed/encrypted) and posting of victims on a dedicated leak site; evidence of both encryption and extortion (ransom demands / data sales). | Endpoint detection for mass file encryption patterns (rapid file renames, high file I/O by a single process), alerts on deletion/modification of shadow copies, and monitoring of leak site postings. (Secureworks) |
    | T1490 | Inhibit System Recovery | Attempts to delete or corrupt backups and shadow copies, and modification of GPOs to prevent recovery; use of privileged accounts for these actions. | Monitor for Volume Shadow Copy Service (vssadmin) usage and unexpected GPO changes; require change control workflows and MFA for admin console access. (Sophos News) |
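    The IIS-log hunt described in the T1190 row (and the prebuilt ToolPane/ASPX hunts recommended under Strategic Recommendations), as an added example that is not taken from any of the vendor reports cited here: it parses W3C-format IIS logs and flags oversized POSTs to ToolPane.aspx and requests for spinstall-style web shells. The log lines, client IPs and the size threshold are constructed for illustration.

```python
import re
from typing import Dict, Iterable, List, Tuple

# Constructed sample IIS W3C log (cs-bytes included so request size can be checked).
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) sc-status cs-bytes
2025-07-20 03:14:07 GET /_layouts/15/start.aspx - 10.0.0.5 Mozilla/5.0 200 412
2025-07-20 03:14:09 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 203.0.113.9 python-requests/2.32 200 18934
2025-07-20 03:14:11 GET /_layouts/15/spinstall0.aspx - 203.0.113.9 python-requests/2.32 200 198
2025-07-20 03:15:02 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 10.0.0.8 Mozilla/5.0 200 1540
"""

POST_SIZE_THRESHOLD = 8192  # constructed threshold; baseline it against your own ToolPane traffic
WEBSHELL_NAME = re.compile(r"^spinstall\d*\.aspx$", re.IGNORECASE)  # spinstall0.aspx and variations


def parse_w3c(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Parse W3C extended log lines into dicts keyed by the #Fields header."""
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for line in lines:
        line = line.rstrip("\r\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # header may repeat when IIS rotates logs
        elif line.startswith("#") or not line.strip():
            continue                           # other directives and blank lines
        elif fields:
            values = line.split()
            if len(values) == len(fields):
                records.append(dict(zip(fields, values)))
    return records

def hunt_toolshell(records: List[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (rule, client_ip, uri_stem) for every record that matches a hunt rule."""
    hits: List[Tuple[str, str, str]] = []
    for rec in records:
        stem = rec.get("cs-uri-stem", "")
        name = stem.rsplit("/", 1)[-1]
        size_field = rec.get("cs-bytes", "")
        size = int(size_field) if size_field.isdigit() else 0
        # Rule 1: oversized POST to the ToolPane endpoint used in the ToolShell chain
        if (rec.get("cs-method") == "POST" and name.lower() == "toolpane.aspx"
                and size > POST_SIZE_THRESHOLD):
            hits.append(("large-toolpane-post", rec.get("c-ip", ""), stem))
        # Rule 2: any request for a spinstall-style web shell in the layouts directory
        if WEBSHELL_NAME.match(name):
            hits.append(("spinstall-webshell-request", rec.get("c-ip", ""), stem))
    return hits
```

    Run `hunt_toolshell(parse_w3c(open(path).read().splitlines()))` against a real log to get one tuple per matching request; the small in-house POST to ToolPane.aspx in the sample stays below the threshold and is not flagged.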

    Known Victims & Recent Incidents Involving Storm-2603 Ransomware

    Here is a chronological incident timeline table with dates, victim names, claimed data types, and source confidence / links. Use it to track Warlock’s evolving operations and validate for your internal intelligence repository.

    | Date / Period | Victim / Organization | Claimed / Known Data & Impact | Notes & Source Confidence | Link / Source |
    |---|---|---|---|---|
    | ~ End of July 2025 | Orange Belgium | ~850,000 customer records: surname, first name, telephone number, SIM card number, PUK code, tariff plan. Company states no passwords, emails, bank/financial data compromised. | High confidence (company statement) | Orange Belgium confirms breach & details (corporate.orange.be) |
    | August 2025 (mid) | Colt Technology Services | Warlock claims ~1 million documents exfiltrated, including financial records, network architecture, employee/customer contracts and internal files. Dark web auction listing. | Medium-High (attacker claim + vendor reporting + Colt confirmation of data access) | Colt confirms data breach & auction (TechRadar) |
    | August 12, 2025 (attack begins) | Colt Technology Services | Internal systems (BSS / support systems) taken offline; stolen files posted to leak site; auction of document archive. | Medium (timeline based on leak post + vendor investigation) | Colt breach claimed by Warlock (RH-ISAC) |
    | August 2025 (by 20 Aug) | Multiple (Colt, Orange, others) | Warlock claims 22 new victims since 16 August; adding to leak site list. | Low to Medium (attacker claims, third-party tracking) | Warlock claims more victims as attacks hit Colt, Orange (Computer Weekly) |
    | August 2025 | Orange Belgium | Media confirmation: 850,000 users’ personal and SIM/PUK data. | High (company disclosure + media) | SecurityWeek: Orange Belgium Data Breach (SecurityWeek) |
    | Late August 2025 | Colt (continued) | KELA analysis: file listing of ~400,977 filenames from the “~1 million claimed,” including Excel, Word and PowerPoint files referencing network configs, HR and finances. | Medium (dark web leaked list analysis) | KELA: Warlock attack on Colt leak analyzed (KELA Cyber Threat Intelligence) |
    | August 2025 | Orange Belgium | Simultaneous disclosure and media coverage: 850,000 records, SIM / PUK / tariff data. | High | Bloomberg: Orange hack, data published (Bloomberg) |
    | August 2025 | Orange / Others | Warlock adds telecoms as high-profile targets; leaks and claims broaden scope beyond earlier victims. | Low to Medium | SLCyber: Warlock gang targets Orange & Colt (slcyber.io) |

    Note: vendors continue to add victims and rotate IOCs; validate any blocking list against your TI feeds before enforcement. (Secureworks)
