warlock
ACTIVE | Ransomware-as-a-Service | ransomware group
🇨🇳 China
Warlock ransomware emerged in mid-2025 and has been attributed by Microsoft, Sophos, and Trend Micro with moderate-to-high confidence to the China-based threat actor tracked as Storm-2603 (also GOLD SALEM), representing a significant and unusual instance of Chinese state-affiliated activity deploying ransomware. The group exploited the SharePoint ToolShell zero-day vulnerability for initial access and operates a RaaS platform, with potential connections to Linen Typhoon and Violet Typhoon APT clusters, suggesting a hybrid of espionage and financial crime motivations. As of mid-2025 at least 11 confirmed incidents have been attributed to Warlock, making it a notable outlier as a China-linked ransomware operation.
Group Activity
Last 12 months
Victims (79)
energogroup.net
No description provided.
goldenline.com
No description provided.
bengineered.com.au
No description provided.
mnpease.ca
No description provided.
metro.local
No description provided.
cybervector.co.uk
No description provided.
fabrity.local
No description provided.
miltech.local
No description provided.
mytune.me
No description provided.
atg.cz
No description provided.
tein.co.jp
No description provided.
bel.quadra.ru
No description provided.
ippm.org
No description provided.
sf.walltopia.com
No description provided.
nartis.ru
No description provided.
alphasys.bo
No description provided.
silanosn.local
No description provided.
siball.net
all data
chroma.com.tw
all data
ferus-smit.home
all data
jubileelife.com
all data
kmssa.net
all data
webville.net
all data
elssurveying.com
all data
medkar.com
all data
okan.ru
finance data
mffood.com
300G data
gmpc.com
No description provided.
airfastindonesia.com
all user data
infoniqa.com
165g data, including internal documents, financial documents, employee information, CRM database, HR database, SaaS database
gmtaconline
The data has been bought by other buyers (not victims)
woodboure
The data has been bought by other buyers (not victims)
STRGOME
The data has been bought by other buyers (not victims)
argeninta
The data has been bought by other buyers (not victims)
houra
The data has been bought by other buyers (not victims)
houxt
The data has been bought by other buyers (not victims)
getdomain
The data has been bought by other buyers (not victims)
kipl
The customer has not paid, and there are no other buyers within the validity period, please enjoy your data
nszi
The customer has not paid, and there are no other buyers within the validity period, please enjoy your data
accsnet.com
all data
advion.com
all data
mysecop.com
all data
atcmanufacturing
all data
Orange
This is only a part of the files and file list. The full set of files needs to be purchased separately.
orange.com
This is only a part of the files and file list. The full set of files needs to be purchased separately.
anthembio.com
all data
syspro.com
all data
brightwork.com
[AI generated] BrightWork.com is a project management software company that provides solutions for teams and organizations to manage and track their projects. I...
starsalliance.com
The data has been purchased by other buyers
sipecom.com
all data
Infrastructure