Warlock Ransomware Attacks US Firms via SharePoint Zero-Day Linked to Chinese CamoFei APT
Warlock ransomware was deployed against US firms through the exploitation of a zero-day vulnerability in Microsoft SharePoint, identified as CVE-2025-53770. The attacks have been attributed to the China-based CamoFei APT group, with evidence indicating that the threat actor leveraged the ToolShell exploit to gain initial access and deploy both Warlock and LockBit ransomware payloads. The campaign is notable for its use of DLL sideloading and a custom command and control framework referred to as ak47c2, as well as the bundling of multiple ransomware payloads in a single attack.
Security researchers have traced the origins of the Warlock ransomware to activity dating back to 2019, suggesting that the group behind it is not new but has evolved its tactics. The operation stands out because, unlike most ransomware campaigns typically associated with Russian actors, Warlock is linked to Chinese threat groups, including Budworm (APT27), Sheathminer (APT31), and Storm-2603. The attacks highlight a growing trend of Chinese APTs engaging in financially motivated ransomware operations targeting Western organizations.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
7 events from the most recent confirmed update back to the earliest known activity.
Reports say Warlock attacks hit U.S. firms via SharePoint zero-day
A report published on October 24, 2025 said Warlock ransomware had impacted U.S. firms through exploitation of the SharePoint zero-day. The report also linked the activity to the China-associated CamoFei APT, reinforcing the China nexus around the campaign.
Researchers connect Warlock intrusions to BYOVD and stolen certificate
Investigations by Symantec and Carbon Black linked Warlock intrusions to a defense-evasion tool signed with the stolen 'coolschool' certificate and to a BYOVD technique using a renamed vulnerable 2016 Baidu antivirus driver to disable security software. These findings strengthened the case that the operators were part of a broader China-linked activity cluster.
Vendors reveal Warlock tradecraft and links to Anylock/LockBit
By late October 2025, multiple vendors reported that Storm-2603 used DLL sideloading via 7z.exe and a malicious 7z.dll, a custom 'ak47c2' command-and-control framework, and a toolkit including backdoors, loaders, and AK47/Anylock ransomware variants. Trend Micro also assessed Warlock may be a rebrand of Anylock and observed a sample that appeared to be a modified LockBit 3.0 payload with '.x2anylock' appended to encrypted files.
Microsoft attributes ToolShell exploitation to three China-linked actors
Microsoft attributed exploitation of the SharePoint ToolShell zero-day to Budworm (Linen Typhoon/APT27), Sheathminer (Violet Typhoon/APT31), and Storm-2603. Microsoft said Storm-2603 used the exploit chain to deploy Warlock ransomware.
ToolShell zero-day exploitation observed deploying Warlock
On July 19, 2025, exploitation of the Microsoft SharePoint ToolShell zero-day (CVE-2025-53770) was observed being used to deploy Warlock ransomware. The same exploitation activity was also associated with deployment of LockBit in some cases.
Warlock ransomware emerges
Warlock ransomware emerged in June 2025 as a new ransomware strain later assessed by some researchers to be related to or rebranded from Anylock. Subsequent analysis also found overlap with LockBit 3.0-based payloads in some samples.
Stolen 'coolschool' certificate linked to Chinese threat activity
Security researchers later tied a stolen code-signing certificate labeled 'coolschool' to Chinese threat activity dating back to at least 2019, including activity tracked as CamoFei/ChamelGang. This historical linkage became part of the evidence connecting Warlock-related tooling to a longer-running China-based cluster.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Warlock ransomware exploited SharePoint ToolShell and BYOVD to breach enterprises
Sophos reported that the ransomware group **Warlock Group**, tracked as **GOLD SALEM**, has been compromising enterprise networks and deploying **Warlock ransomware** since March 2025, with 60 publicly named victims through mid-September across North America, Europe, and South America. The operation used a Tor-based leak site, activity on underground forums, and possibly relationships with initial access brokers to support intrusions and extortion. Observed attacks began with exploitation of the **SharePoint ToolShell** exploit chain, followed by deployment of an **ASPX web shell** and a Golang-based WebSockets backdoor for persistence. Sophos said the actors stole credentials with **Mimikatz**, moved laterally with **PsExec** and **Impacket**, deployed ransomware through **Group Policy Objects**, and disabled endpoint protection using a **bring-your-own-vulnerable-driver** technique involving a vulnerable **Baidu Antivirus** driver; investigators also observed abuse of **Velociraptor** to establish a **Visual Studio Code** network tunnel. Microsoft tracks the activity as **Storm-2603** and assesses it with moderate confidence as China-based, though Sophos said it could not independently confirm that attribution.
May 25, 2026
Warlock Ransomware Expands SharePoint Intrusions With Stealthier Post-Exploitation
**Warlock** ransomware operators have continued exploiting unpatched **Microsoft SharePoint** servers, but recent intrusions show a more mature post-exploitation playbook focused on persistence, lateral movement, and evasion after initial access. Trend Micro reported the group is now using a **bring your own vulnerable driver (BYOVD)** technique involving the `Nsec` driver, alongside tools such as **TightVNC** and the **Yuze** reverse proxy, to move more quietly across victim networks and reduce the chance of detection. The activity has affected organizations in the technology, manufacturing, and government sectors, with observed victims in the U.S., Germany, and Russia. Incident details show the operators escalating to **full domain compromise** by abusing credentials, resetting the built-in Administrator account, and adding users to the **Domain Administrators** group. They used **PsExec**, **PowerShell Remoting**, MSI-based deployment of TightVNC, and RDP-enabling utilities to maintain remote access and spread laterally, while web shells, tunneling, and other remote-control mechanisms supported persistence and command-and-control. The reporting indicates Warlock has kept its SharePoint exploitation path consistent, but has significantly strengthened the actions that follow compromise, giving defenders a clearer set of behaviors to hunt for beyond the initial server exploit.
Mar 21, 2026
Widespread Exploitation of Microsoft SharePoint ToolShell Vulnerability by Chinese-Linked Threat Actors
Hackers believed to be associated with China have exploited the ToolShell vulnerability (CVE-2025-53770) in Microsoft SharePoint, targeting a broad range of organizations across multiple continents. The vulnerability, which affects on-premise SharePoint servers, was disclosed as an actively exploited zero-day on July 20, 2025, prompting Microsoft to release emergency patches the following day. The flaw is a bypass for previously reported vulnerabilities (CVE-2025-49706 and CVE-2025-49704) and allows remote, unauthenticated attackers to execute code and gain full access to the file system. Multiple Chinese threat groups, including Budworm/Linen Typhoon, Sheathminer/Violet Typhoon, and Storm-2603/Warlock ransomware, have been linked to these attacks. Symantec reported that the ToolShell exploit was used to compromise organizations in the Middle East, South America, the United States, Africa, and Europe, with targets including government agencies, universities, telecommunications providers, and financial institutions. In one case, attackers exploited the vulnerability to plant webshells for persistent access, followed by the deployment of a Go-based backdoor named Zingdoor and the ShadowPad Trojan, both of which facilitate remote command execution and data exfiltration. Storm-2603, a financially motivated group, was observed deploying ransomware such as LockBit Black and WarLock/X2anylock by exploiting the same set of SharePoint vulnerabilities, with major activity noted on July 18, 2025. Their operations targeted organizations in Latin America and the APAC region, using a combination of public-facing application exploits and legitimate tools like PsExec for lateral movement and execution. The attacks highlight the critical risk posed by unpatched SharePoint servers, as attackers were able to gain initial access, establish persistence, and deploy sophisticated malware and ransomware payloads. The campaigns demonstrate a high level of coordination and technical capability, leveraging zero-day exploits and advanced post-exploitation techniques. The breach of the National Nuclear Security Administration’s Kansas City National Security Campus further underscores the severity of these attacks, as foreign actors exploited the same SharePoint vulnerabilities to infiltrate a facility responsible for manufacturing critical components for US nuclear weapons. The incident at the Kansas City plant raised significant concerns about the security of federal IT and OT systems, especially those supporting national security functions. Despite the high-profile nature of the targets, responses from affected organizations and government agencies have been limited, with some declining to comment on the incidents. The rapid release of patches by Microsoft and the subsequent widespread exploitation illustrate the importance of timely vulnerability management and the need for robust security controls around public-facing applications. Security researchers have emphasized the necessity for organizations to validate their defenses against these specific TTPs and to continuously monitor for signs of compromise related to the ToolShell exploit. The attacks serve as a stark reminder of the persistent threat posed by state-linked actors and the critical importance of securing enterprise collaboration platforms like SharePoint.
Apr 9, 2026