Warlock Group: The Rise of GOLD SALEM (Storm-2603) in 2025’s Ransomware Landscape
ID: 3db369f9-86c8-52bc-ab1b-a38288cdd489
STIX ID: report--3db369f9-86c8-52bc-ab1b-a38288cdd489
Feed Name: Brandefense Blog
**Executive Summary:** This report profiles Warlock Group (GOLD SALEM / Storm-2603), an emerging financially motivated ransomware actor that rapidly weaponized multiple Microsoft SharePoint zero-days (ToolShell CVEs) in 2025 to gain remote code execution, deploy ASPX web shells, exfiltrate data, and execute double extortion across roughly 60 victims worldwide. The group leverages a mix of custom tooling (AK47 C2), legitimate tools abused for persistence and access, and established post-exploitation techniques like Mimikatz, PsExec, and GPO-driven deployments.
