Warlock ransomware exploited SharePoint ToolShell and BYOVD to breach enterprises
Sophos reported that the ransomware group Warlock Group, tracked as GOLD SALEM, has been compromising enterprise networks and deploying Warlock ransomware since March 2025, with 60 publicly named victims through mid-September across North America, Europe, and South America. The operation used a Tor-based leak site, activity on underground forums, and possibly relationships with initial access brokers to support intrusions and extortion.
Observed attacks began with exploitation of the SharePoint ToolShell exploit chain, followed by deployment of an ASPX web shell and a Golang-based WebSockets backdoor for persistence. Sophos said the actors stole credentials with Mimikatz, moved laterally with PsExec and Impacket, deployed ransomware through Group Policy Objects, and disabled endpoint protection using a bring-your-own-vulnerable-driver technique involving a vulnerable Baidu Antivirus driver; investigators also observed abuse of Velociraptor to establish a Visual Studio Code network tunnel. Microsoft tracks the activity as Storm-2603 and assesses it with moderate confidence as China-based, though Sophos said it could not independently confirm that attribution.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
Sophos publishes technical analysis of GOLD SALEM/Warlock
Sophos Counter Threat Unit published research detailing GOLD SALEM's tradecraft, including ASPX web shells, a Golang WebSockets backdoor, BYOVD abuse of a vulnerable Baidu Antivirus driver, credential theft, lateral movement, GPO-based ransomware deployment, and abuse of Velociraptor to create a Visual Studio Code tunnel. The report also noted Microsoft tracks the actor as Storm-2603 and assesses it with moderate confidence as China-based, while Sophos said it could not confirm that attribution.
Warlock Group builds victim list across three continents
By mid-September 2025, Warlock Group had publicly listed 60 victims on its Tor-based leak site, with organizations in North America, Europe, and South America affected. The operation also used underground forum activity and possibly relationships with initial access brokers to support attacks.
Warlock Group begins ransomware intrusions
Sophos reported that the ransomware group it tracks as GOLD SALEM began compromising networks and deploying Warlock ransomware in March 2025. Observed activity included exploitation of the SharePoint ToolShell exploit chain for initial access.
Sources
1 reference tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Warlock Ransomware Expands SharePoint Intrusions With Stealthier Post-Exploitation
**Warlock** ransomware operators have continued exploiting unpatched **Microsoft SharePoint** servers, but recent intrusions show a more mature post-exploitation playbook focused on persistence, lateral movement, and evasion after initial access. Trend Micro reported the group is now using a **bring your own vulnerable driver (BYOVD)** technique involving the `Nsec` driver, alongside tools such as **TightVNC** and the **Yuze** reverse proxy, to move more quietly across victim networks and reduce the chance of detection. The activity has affected organizations in the technology, manufacturing, and government sectors, with observed victims in the U.S., Germany, and Russia. Incident details show the operators escalating to **full domain compromise** by abusing credentials, resetting the built-in Administrator account, and adding users to the **Domain Administrators** group. They used **PsExec**, **PowerShell Remoting**, MSI-based deployment of TightVNC, and RDP-enabling utilities to maintain remote access and spread laterally, while web shells, tunneling, and other remote-control mechanisms supported persistence and command-and-control. The reporting indicates Warlock has kept its SharePoint exploitation path consistent, but has significantly strengthened the actions that follow compromise, giving defenders a clearer set of behaviors to hunt for beyond the initial server exploit.
Mar 21, 2026
Warlock Ransomware Attacks US Firms via SharePoint Zero-Day Linked to Chinese CamoFei APT
Warlock ransomware was deployed against US firms through the exploitation of a zero-day vulnerability in Microsoft SharePoint, identified as CVE-2025-53770. The attacks have been attributed to the China-based CamoFei APT group, with evidence indicating that the threat actor leveraged the ToolShell exploit to gain initial access and deploy both Warlock and LockBit ransomware payloads. The campaign is notable for its use of DLL sideloading and a custom command and control framework referred to as `ak47c2`, as well as the bundling of multiple ransomware payloads in a single attack. Security researchers have traced the origins of the Warlock ransomware to activity dating back to 2019, suggesting that the group behind it is not new but has evolved its tactics. The operation stands out because, unlike most ransomware campaigns typically associated with Russian actors, Warlock is linked to Chinese threat groups, including Budworm (APT27), Sheathminer (APT31), and Storm-2603. The attacks highlight a growing trend of Chinese APTs engaging in financially motivated ransomware operations targeting Western organizations.
Mar 21, 2026
Widespread Exploitation of Microsoft SharePoint ToolShell Vulnerability by Chinese-Linked Threat Actors
Hackers believed to be associated with China have exploited the ToolShell vulnerability (CVE-2025-53770) in Microsoft SharePoint, targeting a broad range of organizations across multiple continents. The vulnerability, which affects on-premise SharePoint servers, was disclosed as an actively exploited zero-day on July 20, 2025, prompting Microsoft to release emergency patches the following day. The flaw is a bypass for previously reported vulnerabilities (CVE-2025-49706 and CVE-2025-49704) and allows remote, unauthenticated attackers to execute code and gain full access to the file system. Multiple Chinese threat groups, including Budworm/Linen Typhoon, Sheathminer/Violet Typhoon, and Storm-2603/Warlock ransomware, have been linked to these attacks. Symantec reported that the ToolShell exploit was used to compromise organizations in the Middle East, South America, the United States, Africa, and Europe, with targets including government agencies, universities, telecommunications providers, and financial institutions. In one case, attackers exploited the vulnerability to plant webshells for persistent access, followed by the deployment of a Go-based backdoor named Zingdoor and the ShadowPad Trojan, both of which facilitate remote command execution and data exfiltration. Storm-2603, a financially motivated group, was observed deploying ransomware such as LockBit Black and WarLock/X2anylock by exploiting the same set of SharePoint vulnerabilities, with major activity noted on July 18, 2025. Their operations targeted organizations in Latin America and the APAC region, using a combination of public-facing application exploits and legitimate tools like PsExec for lateral movement and execution. The attacks highlight the critical risk posed by unpatched SharePoint servers, as attackers were able to gain initial access, establish persistence, and deploy sophisticated malware and ransomware payloads. The campaigns demonstrate a high level of coordination and technical capability, leveraging zero-day exploits and advanced post-exploitation techniques. The breach of the National Nuclear Security Administration’s Kansas City National Security Campus further underscores the severity of these attacks, as foreign actors exploited the same SharePoint vulnerabilities to infiltrate a facility responsible for manufacturing critical components for US nuclear weapons. The incident at the Kansas City plant raised significant concerns about the security of federal IT and OT systems, especially those supporting national security functions. Despite the high-profile nature of the targets, responses from affected organizations and government agencies have been limited, with some declining to comment on the incidents. The rapid release of patches by Microsoft and the subsequent widespread exploitation illustrate the importance of timely vulnerability management and the need for robust security controls around public-facing applications. Security researchers have emphasized the necessity for organizations to validate their defenses against these specific TTPs and to continuously monitor for signs of compromise related to the ToolShell exploit. The attacks serve as a stark reminder of the persistent threat posed by state-linked actors and the critical importance of securing enterprise collaboration platforms like SharePoint.
Apr 9, 2026