Warlock Ransomware Attacks US Firms via SharePoint Zero-Day Linked to Chinese CamoFei APT

Tags: ransomware-group-operation, initial-access-method, state-sponsored-espionage, command-and-control-method, defense-evasion-method
Updated March 21, 2026 at 03:37 PM. 2 sources.

Warlock ransomware was deployed against US firms by exploiting a zero-day vulnerability in on-premises Microsoft SharePoint, CVE-2025-53770, via the ToolShell exploit chain. The attacks have been linked to the China-based CamoFei APT group; the evidence indicates that the threat actor used ToolShell for initial access and then deployed both Warlock and LockBit ransomware payloads. The campaign is notable for its use of DLL sideloading, a custom command-and-control framework tracked as ak47c2, and the bundling of multiple ransomware payloads in a single intrusion.

Security researchers have tied tooling used in the Warlock intrusions, notably the stolen 'coolschool' code-signing certificate, to Chinese threat activity dating back to 2019, suggesting that the operators are not new but have evolved their tactics. The operation stands out because, unlike most ransomware campaigns, which are typically associated with Russian actors, Warlock is linked to Chinese threat groups, including Budworm (APT27), Sheathminer (APT31), and Storm-2603. The attacks point to a growing trend of Chinese APTs engaging in financially motivated ransomware operations against Western organizations.

Timeline

  1. Oct 24, 2025

    Reports say Warlock attacks hit U.S. firms via SharePoint zero-day

    A report published on October 24, 2025 said Warlock ransomware had impacted U.S. firms through exploitation of the SharePoint zero-day. The report also linked the activity to the China-associated CamoFei APT, reinforcing the China nexus around the campaign.

  2. Oct 22, 2025

    Researchers connect Warlock intrusions to BYOVD and stolen certificate

    Investigations by Symantec and Carbon Black linked Warlock intrusions to a defense-evasion tool signed with the stolen 'coolschool' certificate and to a BYOVD technique using a renamed vulnerable 2016 Baidu antivirus driver to disable security software. These findings strengthened the case that the operators were part of a broader China-linked activity cluster.

  3. Oct 22, 2025

    Vendors reveal Warlock tradecraft and links to Anylock/LockBit

    By late October 2025, multiple vendors reported that Storm-2603 used DLL sideloading via 7z.exe and a malicious 7z.dll, a custom 'ak47c2' command-and-control framework, and a toolkit including backdoors, loaders, and AK47/Anylock ransomware variants. Trend Micro also assessed Warlock may be a rebrand of Anylock and observed a sample that appeared to be a modified LockBit 3.0 payload with '.x2anylock' appended to encrypted files.

  4. Oct 22, 2025

    Microsoft attributes ToolShell exploitation to three China-linked actors

    Microsoft attributed exploitation of the SharePoint ToolShell zero-day to Budworm (Linen Typhoon/APT27), Sheathminer (Violet Typhoon/APT31), and Storm-2603. Microsoft said Storm-2603 used the exploit chain to deploy Warlock ransomware.

  5. Jul 19, 2025

    ToolShell zero-day exploitation observed deploying Warlock

    On July 19, 2025, exploitation of the Microsoft SharePoint ToolShell zero-day (CVE-2025-53770) was observed delivering Warlock ransomware; in some cases the same exploitation activity also delivered LockBit.

  6. Jun 1, 2025

    Warlock ransomware emerges

    Warlock ransomware emerged in June 2025 as a new ransomware strain later assessed by some researchers to be related to or rebranded from Anylock. Subsequent analysis also found overlap with LockBit 3.0-based payloads in some samples.

  7. Jan 1, 2019

    Stolen 'coolschool' certificate linked to Chinese threat activity

    Security researchers later tied a stolen code-signing certificate labeled 'coolschool' to Chinese threat activity dating back to at least 2019, including activity tracked as CamoFei/ChamelGang. This historical linkage became part of the evidence connecting Warlock-related tooling to a longer-running China-based cluster.
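The timeline above names two endpoint behaviours a defender can hunt for directly: 7z.exe sideloading a malicious 7z.dll, and a renamed vulnerable driver loaded to disable security software (BYOVD). The Python below is an added example written for this page, not code from Symantec, Carbon Black, Trend Micro or Microsoft. It scans Sysmon-shaped image-load (Event ID 7) and driver-load (Event ID 6) records. The sample events, the 7-Zip install-directory allowlist, the driver-directory list and the blocklist hash are all constructed assumptions; the placeholder hash is not the real hash of the Baidu driver.

```python
"""Added hunting example (not from the page's sources). Sysmon-shaped events
are checked for 7z.exe sideloading a 7z.dll and for BYOVD driver loads.
Every event, path and hash below is constructed for illustration."""
from pathlib import PureWindowsPath

# Assumption: the only directories where a legitimate 7z.exe runs on this fleet.
SEVENZIP_INSTALL_DIRS = {r"c:\program files\7-zip", r"c:\program files (x86)\7-zip"}
# Loader -> DLL names it resolves from its own directory (sideloading candidates).
SIDELOAD_PAIRS = {"7z.exe": {"7z.dll"}}
# Assumption: kernel drivers are expected to live under these directories.
DRIVER_DIRS = {r"c:\windows\system32\drivers", r"c:\windows\system32"}
# Placeholder blocklist entry; replace with real SHA-256s of known vulnerable drivers.
VULN_DRIVER_SHA256 = {"11" * 32}


def _dir(path: str) -> str:
    return str(PureWindowsPath(path).parent).lower()


def _name(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def _sha256(hashes: str) -> str:
    """Sysmon writes hashes as 'SHA256=...,MD5=...'; return the SHA-256 lowercased."""
    for part in hashes.split(","):
        algo, _, value = part.partition("=")
        if algo.strip().upper() == "SHA256":
            return value.strip().lower()
    return ""


def check_image_load(ev: dict):
    """Sysmon Event ID 7. Flag a sideload-prone DLL when its host binary runs
    outside its install directory or the DLL does not carry a valid signature."""
    loader, dll = _name(ev["Image"]), _name(ev["ImageLoaded"])
    if dll not in SIDELOAD_PAIRS.get(loader, ()):
        return None
    reasons = []
    if _dir(ev["Image"]) not in SEVENZIP_INSTALL_DIRS:
        reasons.append("loader outside install dir")
    if ev.get("SignatureStatus") != "Valid":
        reasons.append("dll signature not valid")
    if not reasons:
        return None
    return {"rule": "dll_sideload", "host": ev["Computer"],
            "image": ev["Image"], "loaded": ev["ImageLoaded"], "reasons": reasons}


def check_driver_load(ev: dict):
    """Sysmon Event ID 6. A BYOVD driver carries a valid vendor signature, so a
    signature check alone misses it; key on a hash blocklist and the load path."""
    reasons = []
    if _sha256(ev.get("Hashes", "")) in VULN_DRIVER_SHA256:
        reasons.append("hash on vulnerable-driver blocklist")
    if _dir(ev["ImageLoaded"]) not in DRIVER_DIRS:
        reasons.append("driver loaded from non-system path")
    if ev.get("SignatureStatus") != "Valid":
        reasons.append("driver signature not valid")
    if not reasons:
        return None
    return {"rule": "byovd", "host": ev["Computer"],
            "image": ev["ImageLoaded"], "loaded": ev["ImageLoaded"], "reasons": reasons}


CHECKS = {7: check_image_load, 6: check_driver_load}


def hunt(events):
    """Run each event through the check for its Event ID; return the findings."""
    findings = []
    for ev in events:
        check = CHECKS.get(ev.get("EventID"))
        hit = check(ev) if check else None
        if hit:
            findings.append(hit)
    return findings


# Constructed sample telemetry: two routine loads and two matching the reported tradecraft.
SAMPLE_EVENTS = [
    {"EventID": 7, "Computer": "WS01", "Image": r"C:\Program Files\7-Zip\7z.exe",
     "ImageLoaded": r"C:\Program Files\7-Zip\7z.dll", "SignatureStatus": "Valid"},
    {"EventID": 7, "Computer": "SP01", "Image": r"C:\Users\Public\Libraries\7z.exe",
     "ImageLoaded": r"C:\Users\Public\Libraries\7z.dll", "SignatureStatus": "Unavailable"},
    {"EventID": 6, "Computer": "SP01", "ImageLoaded": r"C:\Windows\System32\drivers\disk.sys",
     "Hashes": "SHA256=" + "aa" * 32, "SignatureStatus": "Valid"},
    {"EventID": 6, "Computer": "SP01", "ImageLoaded": r"C:\ProgramData\Update\svc.sys",
     "Hashes": "SHA256=" + "11" * 32 + ",MD5=" + "22" * 16, "SignatureStatus": "Valid"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f["rule"], f["host"], f["image"], "; ".join(f["reasons"]))
```

The driver rule deliberately does not rely on signing status: the whole point of BYOVD is that the driver is a legitimately signed vendor binary, so in production VULN_DRIVER_SHA256 should be fed from a maintained vulnerable-driver list and SIDELOAD_PAIRS widened to the other signed hosts your environment has seen abused.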


Related Stories

Warlock Ransomware Expands SharePoint Intrusions With Stealthier Post-Exploitation

**Warlock** ransomware operators have continued exploiting unpatched **Microsoft SharePoint** servers, but recent intrusions show a more mature post-exploitation playbook focused on persistence, lateral movement, and evasion after initial access. Trend Micro reported that the group now uses a **bring your own vulnerable driver (BYOVD)** technique involving the `Nsec` driver, alongside tools such as **TightVNC** and the **Yuze** reverse proxy, to move more quietly across victim networks and reduce the chance of detection. The activity has affected organizations in the technology, manufacturing, and government sectors, with observed victims in the U.S., Germany, and Russia. Incident details show the operators escalating to **full domain compromise** by abusing credentials, resetting the built-in Administrator account, and adding users to the **Domain Admins** group. They used **PsExec**, **PowerShell Remoting**, MSI-based deployment of TightVNC, and RDP-enabling utilities to maintain remote access and spread laterally, while web shells, tunneling, and other remote-control mechanisms supported persistence and command-and-control. The reporting indicates that Warlock's SharePoint exploitation path has stayed consistent while the actions that follow compromise have been significantly strengthened, giving defenders a clearer set of behaviors to hunt for beyond the initial server exploit.

1 month ago
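The post-exploitation chain described in the story above (built-in Administrator password reset, Domain Admins membership change, PsExec service installation, Remote Desktop enablement) leaves ordinary Windows event log records. The Python below is an added example, not Trend Micro's or the page's code: it classifies constructed Security, System and Sysmon events into those stages and correlates them per host within a time window. The two-hour window, the host and account names, the timestamps and the privileged-group list are assumptions for illustration.

```python
"""Added correlation example (not from the page's sources). Windows event
records are mapped to stages of the reported post-exploitation chain and
grouped per host. Every event below is constructed; the window is an assumption."""
from datetime import datetime, timedelta

WINDOW = timedelta(hours=2)   # assumption: chain steps land within two hours of each other
PRIV_GROUPS = {"domain admins", "enterprise admins", "administrators"}


def classify(ev: dict):
    """Map one event to a stage of the chain, or None if it is not of interest."""
    eid = ev["EventID"]
    # Security 4724: password reset attempted on the built-in Administrator account.
    if eid == 4724 and ev.get("TargetUserName", "").lower() == "administrator":
        return "admin_password_reset"
    # Security 4728/4732/4756: member added to a privileged group.
    if eid in (4728, 4732, 4756) and ev.get("TargetUserName", "").lower() in PRIV_GROUPS:
        return "priv_group_add"
    # System 7045: PsExec installs its PSEXESVC service on the target host.
    if eid == 7045 and "psexesvc" in ev.get("ImagePath", "").lower():
        return "psexec_service"
    # Sysmon 13: fDenyTSConnections written as 0 turns Remote Desktop on.
    if (eid == 13 and ev.get("TargetObject", "").lower().endswith("\\fdenytsconnections")
            and "0x00000000" in ev.get("Details", "")):
        return "rdp_enabled"
    return None


def correlate(events):
    """Return {host: [stages in first-seen order]} for hosts that show at least
    two distinct stages inside WINDOW."""
    hits = []
    for ev in events:
        stage = classify(ev)
        if stage:
            hits.append((datetime.fromisoformat(ev["TimeCreated"]), ev["Computer"], stage))
    hits.sort()
    by_host = {}
    for t, host, stage in hits:
        by_host.setdefault(host, []).append((t, stage))
    chains = {}
    for host, seq in by_host.items():
        best = []
        for i, (t0, _) in enumerate(seq):
            in_window = [s for t, s in seq[i:] if t - t0 <= WINDOW]
            stages = list(dict.fromkeys(in_window))   # dedupe, keep first-seen order
            if len(stages) > len(best):
                best = stages
        if len(best) >= 2:
            chains[host] = best
    return chains


# Constructed sample events: two routine records and four matching the reported chain.
SAMPLE_EVENTS = [
    {"EventID": 4728, "Computer": "DC01", "TimeCreated": "2025-07-17T09:00:00",
     "TargetUserName": "Sales", "MemberName": "CN=jdoe,OU=Users,DC=corp,DC=local"},
    {"EventID": 4724, "Computer": "DC01", "TimeCreated": "2025-07-19T10:00:00",
     "SubjectUserName": "svc_sharepoint", "TargetUserName": "Administrator"},
    {"EventID": 4728, "Computer": "DC01", "TimeCreated": "2025-07-19T10:05:00",
     "TargetUserName": "Domain Admins",
     "MemberName": "CN=svc_sharepoint,OU=Service,DC=corp,DC=local"},
    {"EventID": 7045, "Computer": "WS02", "TimeCreated": "2025-07-19T10:10:00",
     "ServiceName": "Sysmon64", "ImagePath": r"C:\Windows\Sysmon64.exe"},
    {"EventID": 7045, "Computer": "FS01", "TimeCreated": "2025-07-19T10:20:00",
     "ServiceName": "PSEXESVC", "ImagePath": r"%SystemRoot%\PSEXESVC.exe"},
    {"EventID": 13, "Computer": "FS01", "TimeCreated": "2025-07-19T10:22:00",
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\Terminal Server\fDenyTSConnections",
     "Details": "DWORD (0x00000000)"},
]

if __name__ == "__main__":
    for host, stages in correlate(SAMPLE_EVENTS).items():
        print(host, "->", " > ".join(stages))
```

Grouping by host keeps the example short; in a real hunt the stronger pivot is the acting account (SubjectUserName on the 4724 and 4728 records), which ties the domain-controller changes to the member servers where PsExec and RDP show up afterwards.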
Widespread Exploitation of Microsoft SharePoint ToolShell Vulnerability by Chinese-Linked Threat Actors

Hackers believed to be associated with China have exploited the ToolShell vulnerability (CVE-2025-53770) in Microsoft SharePoint, targeting a broad range of organizations across multiple continents. The vulnerability, which affects on-premises SharePoint servers, was disclosed as an actively exploited zero-day on July 20, 2025, prompting Microsoft to release emergency patches the following day. The flaw is a bypass of the previously reported vulnerabilities CVE-2025-49706 and CVE-2025-49704 and allows remote, unauthenticated attackers to execute code and gain full access to the file system. Multiple Chinese threat groups, including Budworm/Linen Typhoon, Sheathminer/Violet Typhoon, and Storm-2603 (the operator behind Warlock ransomware), have been linked to these attacks. Symantec reported that the ToolShell exploit was used to compromise organizations in the Middle East, South America, the United States, Africa, and Europe, with targets including government agencies, universities, telecommunications providers, and financial institutions. In one case, attackers exploited the vulnerability to plant web shells for persistent access, followed by the deployment of a Go-based backdoor named Zingdoor and the ShadowPad Trojan, both of which facilitate remote command execution and data exfiltration. Storm-2603, a financially motivated group, was observed deploying ransomware such as LockBit Black and WarLock/X2anylock by exploiting the same set of SharePoint vulnerabilities, with major activity noted on July 18, 2025. Its operations targeted organizations in Latin America and the APAC region, combining public-facing application exploits with legitimate tools such as PsExec for lateral movement and execution. The attacks highlight the critical risk posed by unpatched SharePoint servers: attackers were able to gain initial access, establish persistence, and deploy sophisticated malware and ransomware payloads.
The campaigns demonstrate a high level of coordination and technical capability, leveraging zero-day exploits and advanced post-exploitation techniques. The breach of the National Nuclear Security Administration’s Kansas City National Security Campus further underscores the severity of these attacks, as foreign actors exploited the same SharePoint vulnerabilities to infiltrate a facility responsible for manufacturing critical components for US nuclear weapons. The incident at the Kansas City plant raised significant concerns about the security of federal IT and OT systems, especially those supporting national security functions. Despite the high-profile nature of the targets, responses from affected organizations and government agencies have been limited, with some declining to comment on the incidents. The rapid release of patches by Microsoft and the subsequent widespread exploitation illustrate the importance of timely vulnerability management and the need for robust security controls around public-facing applications. Security researchers have emphasized the necessity for organizations to validate their defenses against these specific TTPs and to continuously monitor for signs of compromise related to the ToolShell exploit. The attacks serve as a stark reminder of the persistent threat posed by state-linked actors and the critical importance of securing enterprise collaboration platforms like SharePoint.

3 weeks ago
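The ToolShell intrusions described above begin with a web shell written onto the SharePoint server, so a file baseline of the server-side script directories is one of the most direct checks a defender can run. The Python below is an added example, not code from the page or its sources: it hashes the watched script extensions under a directory, diffs the result against a saved baseline, and lists content markers found in new or changed files. The directory tree, file names and file contents are constructed inside a temporary directory; the LAYOUTS path name and the marker strings are assumptions chosen for illustration.

```python
"""Added baseline-diff example (not from the page's sources). Server-side
script files under a directory are hashed and compared with a saved manifest;
new or changed files are triaged for web-shell markers. The tree is constructed."""
import hashlib
import tempfile
from pathlib import Path

# Assumption: server-side script extensions worth baselining on an IIS/SharePoint host.
WATCHED = {".aspx", ".ashx", ".asmx", ".ascx"}
# Assumption: strings typical of a web shell, request input feeding code execution.
MARKERS = ("Request.Form", "Request[", "Process.Start", "System.Diagnostics", "Eval(")


def hash_tree(root: Path) -> dict:
    """Map each watched file (relative path, '/'-separated) to its SHA-256."""
    out = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix.lower() in WATCHED:
            out[p.relative_to(root).as_posix()] = hashlib.sha256(p.read_bytes()).hexdigest()
    return out


def diff_baseline(root: Path, baseline: dict) -> dict:
    """Compare the current tree with a baseline manifest taken from a clean state."""
    current = hash_tree(root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "modified": sorted(k for k in current.keys() & baseline.keys()
                           if current[k] != baseline[k]),
        "removed": sorted(set(baseline) - set(current)),
    }


def markers_in(path: Path) -> list:
    """List which web-shell markers appear in a file (cheap triage, not proof)."""
    text = path.read_text(errors="replace")
    return [m for m in MARKERS if m in text]


def demo() -> dict:
    """Build a constructed LAYOUTS tree, snapshot it, simulate a compromise, report."""
    with tempfile.TemporaryDirectory() as td:
        base = Path(td) / "LAYOUTS"
        site = base / "15"
        site.mkdir(parents=True)
        (site / "default.aspx").write_text('<%@ Page Language="C#" %>\n<h1>ok</h1>\n')
        (site / "error.aspx").write_text('<%@ Page Language="C#" %>\n<p>error</p>\n')
        baseline = hash_tree(base)   # in practice: taken post-patch and stored off-host

        # Constructed post-compromise changes (illustrative, not real attacker artifacts):
        # an existing page gains request-driven output and a new page spawns a process.
        (site / "error.aspx").write_text(
            '<%@ Page Language="C#" %>\n<% Response.Write(Request.Form["c"]); %>\n')
        (site / "tmp.aspx").write_text(
            '<%@ Page Language="C#" %>\n'
            '<% System.Diagnostics.Process.Start("cmd.exe", "/c " + Request.Form["c"]); %>\n')
        (site / "notes.txt").write_text("not a script\n")   # ignored: not a watched extension

        report = diff_baseline(base, baseline)
        report["markers"] = {k: markers_in(base / k)
                             for k in report["added"] + report["modified"]}
        return report


if __name__ == "__main__":
    result = demo()
    for key in ("added", "modified", "removed"):
        print(key, result[key])
    for rel, found in result["markers"].items():
        print(rel, "->", ", ".join(found) or "no markers")
```

A web shell planted by overwriting a page that already exists shows up under "modified", not "added", so both lists need review; the marker scan only ranks what to look at first, since an attacker can trivially avoid these strings.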
Ransomware and ToolShell Attacks Targeting Public and Private Sectors

Threat actors have increasingly exploited public-facing applications, particularly on-premises Microsoft SharePoint servers, to gain initial access to organizations, with a significant rise in attacks attributed to the ToolShell attack chain. Cisco Talos Incident Response reported that over 60 percent of their recent engagements involved this vector, a sharp increase from the previous quarter, and noted a shift in ransomware activity, with new variants such as Warlock, Babuk, and Kraken observed alongside established families like Qilin and LockBit. The use of open-source DFIR tools like Velociraptor for persistence was also documented, marking a novel tactic in ransomware operations, and some attacks were linked to the China-based group Storm-2603. Ransomware continues to pose a persistent threat, particularly to public sector organizations, with Trustwave reporting nearly 200 government entities worldwide victimized in 2025 alone. Babuk and Qilin have been identified as the most active ransomware groups targeting the public sector, causing significant operational downtime, service outages, and financial losses. The evolving tactics of ransomware actors and the increasing exploitation of vulnerabilities in public-facing applications underscore the need for robust segmentation and rapid incident response measures across both public and private sectors.

1 month ago
