Warlock

Warlock is a ransomware family and associated ransomware operation active since at least March 2025, with public victim postings beginning in June 2025. It is linked to the threat group Warlock Group, which Sophos tracks as GOLD SALEM and Microsoft tracks as Storm-2603; Microsoft assessed Storm-2603 with moderate confidence as China-based, while Sophos said it lacked sufficient evidence to confirm that attribution. The operation has been described as a ransomware-as-a-service offering advertised on a Russian cybercrime forum, and it operates a Tor-based leak site for extortion and publication of stolen data. Reported victims span North America, Europe, South America, Latin America and the Caribbean, and Asia-Pacific, including sectors such as government, telecommunications, agriculture, energy and natural resources, and commercial enterprises.

Observed intrusion tradecraft includes exploitation of internet-facing on-premises Microsoft SharePoint vulnerabilities CVE-2025-49704, CVE-2025-49706, CVE-2025-53770, and CVE-2025-53771. In these attacks, operators uploaded ASPX web shells including spinstall0.aspx and variants spinstall.aspx, spinstall1.aspx, and spinstall2.aspx; stole SharePoint ASP.NET MachineKeys; established persistence; dumped credentials with Mimikatz; moved laterally with PsExec, Impacket, and WMI; disabled Microsoft Defender via registry changes; and distributed Warlock ransomware through modified Group Policy Objects. Sophos also observed GOLD SALEM using ToolShell exploitation to deploy an ASPX web shell, downloading a Golang-based WebSockets backdoor as Sophos-UI.exe from filebin.net, and using a BYOVD technique with a vulnerable Baidu Antivirus driver renamed googleApiUtil64.sys, exploiting CVE-2024-51324, to terminate an EDR agent.

Warlock-linked activity also includes exploitation of SmarterMail vulnerabilities in 2026. Reporting states Storm-2603 exploited CVE-2026-23760, an authentication bypass allowing administrator password reset, and abused SmarterMail’s built-in Volume Mount feature to gain full system control; probing and exploitation of CVE-2026-24423, an unauthenticated RCE issue in ConnectToHub, were also reported. In these intrusions, the actor installed Velociraptor, including via an MSI payload named v4.msi hosted on Supabase, to maintain access and stage ransomware deployment. SmarterTools confirmed that the Warlock group breached its network on January 29, 2026 through an unpatched SmarterMail instance, affected about 12 Windows servers and a secondary QC data center, took over Active Directory after several days, created new users, deployed additional payloads including Velociraptor, and then attempted file encryption.

Additional reported behaviors include abuse of Velociraptor to establish a Visual Studio Code network tunnel to attacker-controlled infrastructure, use of legitimate remote administration or support tooling in some related intrusions, and deployment alongside or in proximity to other ransomware families including LockBit, Babuk, and X2anylock. Reported file-extension and note artifacts associated with Warlock activity include .xlockxlock and .x2anylock in some incidents. Published Warlock-related indicators include filenames such as IIS_Server_dll.dll, SharpHostInfo.x64.exe, xd.exe, debug_dev.js, and the path \1[5-6]\TEMPLATE\LAYOUTS\debug_dev.js; network indicators cited in reporting include 65.38.121.198, 131.226.2.6, 134.199.202.205, 104.238.159.149, 188.130.206.168, and c34718cbb4c6.ngrok-free.app.

High-confidence reporting also ties Warlock to notable incidents including attacks following SharePoint zero-day exploitation in July 2025 and the SmarterTools breach in January 2026. Public reporting states the group had reached dozens of leak-site victim listings in 2025, with one report citing 43 listings in Q3 2025 and another citing 60 victims by mid-September 2025.