#lockbit

2025-12-11

GOLD SALEM tradecraft for deploying Warlock ransomware

This analysis examines the evolving tactics of the GOLD SALEM cybercrime group in deploying Warlock ransomware over a six-month period across 11 incidents. The group exploited SharePoint vulnerabilities for initial access and utilized tools like Velociraptor, VMTools AV killer, and Cloudflared for various attack stages. They targeted multiple sectors, with a focus on IT, industrial, and technology. The group used Warlock, LockBit, and Babuk ransomware variants, often naming executables after victim organizations. Evidence suggests possible Chinese origins, though the group appears primarily financially motivated. GOLD SALEM demonstrated advanced technical abilities, including zero-day exploitation and repurposing of legitimate tools.

Pulse ID: 693ab3bf9609b5d5e8ecb906
Pulse Link: otx.alienvault.com/pulse/693ab
Pulse Author: AlienVault
Created: 2025-12-11 12:06:23

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Chinese #Cloud #CyberCrime #CyberSecurity #ICS #InfoSec #LockBit #OTX #OpenThreatExchange #RAT #RansomWare #UK #ZeroDay #bot #AlienVault

暗网下 anwangxia
2025-12-11

The new server IP address and clearnet domain of the dark web ransomware gang LockBit 5.0 have been leaked.

anwangxia.com/4540.html

2025-12-10

Multi-Platform Ransomware Written in Rust

A new ransomware family named 01flip, written in Rust, has been observed targeting victims in the Asia-Pacific region. The malware supports multi-platform architectures and has been used in attacks on critical infrastructure. Initial access was gained through exploitation of vulnerabilities in internet-facing applications. The ransomware encrypts files using AES-128-CBC and RSA-2048, appending the .01flip extension. It employs evasion techniques like using low-level APIs and encoding strings. A possible connection to the LockBit group was noted. The campaign appears to be in early stages, with limited victims so far. Data stolen in the attacks has been offered for sale on dark web forums.

Pulse ID: 693970602971d7b0012cf536
Pulse Link: otx.alienvault.com/pulse/69397
Pulse Author: AlienVault
Created: 2025-12-10 13:06:40

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Asia #CyberSecurity #InfoSec #LockBit #Malware #OTX #OpenThreatExchange #RansomWare #Rust #bot #AlienVault

2025-12-10

LockBit 5.0 – new infrastructure, a publicly available list of hacked companies, and the group's OPSEC called into question

Not long ago on Sekurak we wrote about the alliance of the LockBit, DragonForce and Qilin groups and the reactivation of LockBit 5.0 with advanced, multi-platform malware that uses, among other things, strong encryption. According to the assessment of researchers from Trend Micro, the return of LockBit poses a real threat and may result in an increased frequency of attacks, which we have already had the opportunity to see...

#Aktualności #Awareness #Lockbit #Opsec #OSINT #Ransomware

sekurak.pl/lockbit-5-0-nowa-in

2025-12-08

LockBit 5.0: Key IP + Domain Exposed in Rare OPSEC Breakdown
technadu.com/lockbit-5-0-infra

Researcher Rakesh Krishnan uncovered and published IP 205.185.116.233 and domain karma0[.]xyz — the backbone of LockBit 5.0’s new leak site. The server runs with open RDP, FTP, HTTP, and other services, exposing glaring vulnerabilities in LockBit’s infrastructure.

A meaningful win for defenders, enabling immediate blocking and further intelligence gathering.

#CyberSecurity #ThreatIntel #Ransomware #LockBit #BlueTeam

LockBit 5.0 Infrastructure Details Exposed by Researchers in Major Security Failure, Including a Key IP Address and Domain
2025-11-20

OFAC + U.K. + Australia sanction Media Land LLC for providing bulletproof hosting to LockBit, BlackSuit, Play, Evil Corp & Black Basta.
Volosovik (Yalishanda), Zatolokin & Pankova named, along with ML Cloud, MLT & DC Kirishi.

Full report: technadu.com/russian-hosting-p

Follow @technadu for continuous threat intel.
#CybersecurityNews #Ransomware #LockBit #ThreatIntel

Russian Hosting Provider ‘Media Land’ Sanctioned for Supporting LockBit, BlackSuit, and Play Ransomware
2025-11-19

NEW - 🚨 The UK National Crime Agency (#NCA) has exposed and sanctioned Alexander Volosovik, aka “Yalishanda,” for running Russian bulletproof hosting operations linked to LockBit, Evil Corp and BlackBasta ransomware.

Read: hackread.com/uk-bulletproof-ho

#CyberSecurity #Ransomware #LockBit #EvilCorp #CyberCrime

Miguel Afonso Caetano remixtures@tldr.nettime.org
2025-11-15

"- 85 active ransomware and extortion groups observed in Q3 2025, reflecting the most decentralized ransomware ecosystem to date.

- 1,590 victims disclosed across 85 leak sites, showing high, sustained activity despite law-enforcement pressure.

- 14 new ransomware brands launched this quarter, proving how quickly affiliates reconstitute after takedowns.

- LockBit's reappearance with version 5.0 signals potential re-centralization after months of fragmentation."

thehackernews.com/2025/11/rans

#CyberSecurity #Ransomware #Lockbit

2025-11-14

According to an analysis by Check Point Research, the third quarter of 2025 shows the most decentralized ransomware ecosystem to date. The study reportedly found 85 active ransomware and extortion groups and 1,590 victims made public across 85 leak sites. And: LockBit is back with version 5.0, from which a new trend toward centralization could be inferred.

maniabel.work/archiv/232
#Ransomware #Lockbit #infosec #infosecnews #BeDiS

2025-11-10

Imagine someone selling hacked access like real estate—unwitting gateways to ransomware attacks worth millions. The Volkov case lifts the veil on this shadowy cyber trade. Curious how it all unfolds?

thedefendopsdiaries.com/the-cr

#initialaccessbroker
#ransomware
#cybercrime
#volkovcase
#yanluowang
#lockbit
#cryptocurrency
#cybersecuritytrends
#lawenforcement

2025-11-06

LockBit 5.0 is back - faster encryption, random file extensions & advanced obfuscation.
Group claims they’re “penetration testers,” not cybercriminals.

Details 👇
technadu.com/lockbit-5-0-resur

#LockBit #Ransomware #RaaS #CyberSecurity #InfoSec

LockBit 5.0 Resurfaces: Faster Encryption and Randomized Extensions, Hackers Say in Interview They See Themselves as Penetration Testers
2025-11-05

Protection against ransomware: how do attacks happen and what should you do?

Over the past year, even people with no connection to information security or IT administration have learned about hacker attacks in which data is destroyed or encrypted. In theory, a mass ransomware attack could temporarily paralyze critical infrastructure: halt transport and deprive shops, pharmacies and petrol stations of the ability to serve customers. Although such a picture seems exaggerated, it is entirely possible, especially in light of recent events and incidents that have already occurred. In this article we describe the scale of the threat and how organizations can withstand ransomware attacks. Drawing on real investigations, we share not only technical details but also practical recommendations that will help reduce risk and respond to an incident in time.

habr.com/ru/companies/jetinfos

#кибербезопасность #ransomware #иб #информационная_безопасность #cybersecurity #расследование_инцидентов #soc #phishing #фишинг #lockbit

Daniel Kuhl ✌🏻☮️☕️ daniel1820815@infosec.exchange
2025-11-03

💿 LockBit’s back with a new release, and it’s going viral for all the wrong reasons.

After last year’s takedown, LockBit has returned — rebuilt, rebranded, and already hitting new victims worldwide.

Learn more as #CheckPoint Research uncovers LockBit 5.0: blog.checkpoint.com/research/l

#CyberSecurity #LockBit

Daniel Kuhl ✌🏻☮️☕️ daniel1820815@infosec.exchange
2025-10-30

#CheckPoint Research identified #LockBit rapid resurgence after its disruption in 2024, with a dozen organizations hit in September 2025, half by the new LockBit 5.0 (“ChuongDong”) variant. The group is deploying attacks across #Windows, #Linux, and #ESXi environments in Europe, the Americas, and Asia. LockBit 5.0 adds multi-platform builds, stronger anti-analysis, faster encryption, and more.

blog.checkpoint.com/research/l

🚨 From fake Google Careers pages to Figma phishing, attackers continued to exploit trusted platforms at scale in October.

See all major cyber attacks & threats over the past 30 days, including #LockBit 5.0 and the new #Tykit phishing kit ⬇️
any.run/cybersecurity-blog/cyb

#Cybersecurity #infosec

2025-10-24

📢 LockBit returns with the 5.0 variant « ChuongDong » and targets Windows, Linux and ESXi
📝 Source: Check Point Blog (Check Point Research), 23 October 2025.
📖 cyberveille : cyberveille.ch/posts/2025-10-2
🌐 source : blog.checkpoint.com/research/l
#IOC #LockBit #Cyberveille

2025-10-23

When security falters

The alarm did not go off. And yet the danger is already surfing behind the firewalls.

Secure, produce, protect: these verbs once sounded reassuring. Today they ring like potential targets.

Verisure, the European remote-monitoring giant, is the victim of a data leak via an external provider. Jaguar-Land Rover, a pillar and flagship of British industry, was paralyzed by a cyberattack in August 2025. It is classified as a category 3 systemic event by the British CMC (Cyber Monitoring Centre).

The figures are dizzying. More than 5,000 British companies affected, an estimated loss of 2.5 billion euros, production lines paralyzed, ERP, SCADA and CRM systems frozen in the silence of black, or blue, screens. Vulnerability is no longer theoretical; it is now measured in billions and in suspended jobs.

Two worlds, one Achilles' heel: dependence on digital technology, which has become both the engine and the weak link of our societies. Or when interconnection weakens. Cybersecurity is no longer a matter for specialists, but one of economic survival.

Supply chains, production systems, everyday services: everything can collapse at the speed of a click. Faced with hybrid, industrial and financial threats, the question is no longer "if" we will be hit, but "when".

(Credits: Zulfugar Karimov/Pexels)

librexpression.fr/cyberattaque

librexpression.fr/verisure-fai

#Bridgestone #canada #China #cyberattack #databreaches #europe #France #informatique #JLR #librexpression #NCSC #ransomware #russie #shinyhunters #scattered #UK #DAF #Lockbit #Play #Suede #verisure

A silver-coloured tap lets a trickle of water fall.
2025-10-23

When security falters

The alarm did not go off. And yet the danger is already surfing behind the firewalls.

Verisure, the European remote-monitoring giant, is the victim of a data leak via an external provider. Jaguar-Land Rover, a pillar and flagship of British industry, was paralyzed by a cyberattack in August 2025. It is classified as a category 3 systemic event by the British CMC (Cyber Monitoring Centre).

Two worlds, one Achilles' heel: dependence on digital technology, which has become both the engine and the weak link of our societies. Or when interconnection weakens. Cybersecurity is no longer a matter for specialists, but one of economic survival.

(Credits: Zulfugar Karimov/Pexels)

librexpression.fr/cyberattaque

librexpression.fr/verisure-fai

#Bridgestone #canada #China #cyberattack #databreaches #europe #France #informatique #JLR #librexpression #NCSC #ransomware #russie #shinyhunters #scattered #threads #UK #DAF #Lockbit #Play #Suede #Verisure

A silver-coloured tap lets a trickle of water fall.
FlohEinstein (DECT: 3564) FlohEinstein@chaos.social
2025-10-23

I like my individualized mail addresses. I just received a phishing mail to update my data with a Swiss payment system (TWINT) - but it was sent to an address I created for a doctor's appointment system (Onedoc).
The message also contains my postal address from the time I created that account.

#databreach #switzerland #Onedoc #Lockbit #twint #phishing

[TWINT]: Verification required - Ref. TW-7851-022

Twint.ch AG Wed

to onedoc@(blanked out address) 

TWINT

Account verification required

Dear Florian Erich Kohler,

As a measure to secure your account, we carry out regular checks. This allows us to protect your account in the best possible way.

We need your confirmation of the following data. You can update it if necessary.

STORED ADDRESS

(blanked out address part) 8246, Langwiesen, CH

Please check this information and confirm it. If changes are required, you can make them directly.

DEADLINE

25 October 2025, 23:59

After this date your account will be deactivated.
