Warlock Ransomware Group Enhances Post-Exploitation Techniques

The Warlock ransomware group continues to exploit unpatched Microsoft SharePoint servers, but has shifted its focus to stealthier, more resilient post-exploitation activity through a new bring-your-own-vulnerable-driver (BYOVD) technique and other carefully chosen tools. Warlock, also tracked as Water Manaul, kept the same initial access method across attacks in the second half of last year, primarily targeting the technology, manufacturing, and government sectors in the US, Germany, and Russia, according to researchers at Trend Micro.

In activity observed earlier this year, the group expanded what it does once inside a targeted environment. Trend Micro threat analysts noted that Warlock has strengthened its attack chain with improved methods for persistence, lateral movement, and evasion. These include exploiting the Nsec driver through a new BYOVD technique, as well as using the remote-access tool TightVNC and the reverse-proxy tool Yuze to conceal its activity as it spreads across networks.

These tactics are in addition to previous post-exploit tools and techniques used by the group, which included the Velociraptor digital forensics and incident response (DFIR) tool as its primary command-and-control (C2) framework, a single Cloudflare tunnel for remote access, and Rclone disguised as TrendSecurity.exe for exfiltration. The researchers noted that the expanded toolset “gives Warlock multiple redundant [C2] channels that blend with legitimate network traffic, demonstrating deliberate investment in operational resilience and detection evasion.”

Warlock is a relative newcomer to the ransomware scene but is evolving rapidly. The group made its public debut last June on the Russian cybercrime forum RAMP. Trend Micro researchers observed a Warlock attack in early January in which the threat actors spent 15 days inside a victim’s network before executing the ransomware. The investigation traced the earliest observed malicious activity on the network to the SharePoint worker process (w3wp.exe) on the compromised server, suggesting that the group continues to exploit unpatched Microsoft SharePoint vulnerabilities on Internet-facing servers as its primary access point.

Indeed, last year Trend Micro observed Warlock exploiting SharePoint vulnerabilities, including a set of flaws affecting on-premises servers — spoofing flaw CVE-2025-49706, remote code execution bug CVE-2025-49704, and related vulnerabilities CVE-2025-53770 and CVE-2025-53771. While Warlock’s post-compromise tradecraft is evolving, its initial access approach remains unchanged, reinforcing the ongoing risk posed when organizations delay patching of public-facing enterprise applications.

In the Warlock attack Trend Micro detected in January, the threat actors began to deviate from techniques seen in previous attacks to improve persistence, lateral movement, and defense evasion. Key changes observed include silently deploying TightVNC as a Windows service via PsExec for persistent GUI-based remote access.
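The behaviours described above (a shell spawned by the SharePoint worker process, Rclone renamed to TrendSecurity.exe, and TightVNC installed as a service through PsExec) all leave host telemetry that a detection engineer can key on. The following is an added example, not code from Trend Micro or from the article, showing a small detection pass over constructed Sysmon-style and System-log-style event records. The event records, the service and binary name lists, and the TightVNC service executable name (tvnserver.exe) are assumptions made for illustration; PsExec's PSEXESVC service name is well known. Field names follow Sysmon Event ID 1 (process creation) and System Event ID 7045 (service install) conventions.

```python
"""Added example (not from the Trend Micro report or the article): three
detections over constructed, Sysmon-style event records that encode
behaviours the article attributes to Warlock:
  1. the SharePoint worker process (w3wp.exe) spawning a command shell,
  2. a service install (Event ID 7045) for PsExec's PSEXESVC or a VNC server,
  3. a renamed dual-use tool: an image name that disagrees with the PE's
     OriginalFileName (the article's Rclone renamed to TrendSecurity.exe).
The sample events and name lists are constructed for illustration."""
import ntpath

# Shells worth flagging when their parent is the SharePoint worker process.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# Service names registered by PsExec and common VNC servers (assumed list).
SUSPICIOUS_SERVICES = {"psexesvc", "tvnserver", "winvnc", "vncserver"}
SUSPICIOUS_SERVICE_BINARIES = {"psexesvc.exe", "tvnserver.exe", "winvnc.exe"}
# OriginalFileName values of dual-use tools worth checking for renaming.
# Scoped to a watch list on purpose: a global Image != OriginalFileName rule
# fires on plenty of legitimate software and is too noisy in practice.
RENAME_WATCHLIST = {"rclone.exe", "psexec.exe", "velociraptor.exe", "cloudflared.exe"}


def exe_name(path: str) -> str:
    """Lower-cased executable file name from an image path, tolerating quotes,
    %SystemRoot%-style variables and trailing service arguments."""
    p = path.strip().strip('"')
    cut = p.lower().find(".exe")
    if cut != -1:
        p = p[: cut + 4]
    return ntpath.basename(p).lower()  # ntpath handles backslashes on any host


def analyze(events):
    """Return a list of findings ({'rule', 'detail'}) in event order."""
    findings = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == 1:  # Sysmon process creation
            image = exe_name(ev.get("Image", ""))
            parent = exe_name(ev.get("ParentImage", ""))
            original = ev.get("OriginalFileName", "").lower()
            if parent == "w3wp.exe" and image in SHELLS:
                findings.append({"rule": "sharepoint_worker_spawned_shell",
                                 "detail": ev.get("CommandLine", "")})
            if original in RENAME_WATCHLIST and image != original:
                findings.append({"rule": "renamed_dual_use_tool",
                                 "detail": f"{ev.get('Image')} is really {original}"})
        elif eid == 7045:  # System log: a new service was installed
            svc = ev.get("ServiceName", "").lower()
            binary = exe_name(ev.get("ImagePath", ""))
            if svc in SUSPICIOUS_SERVICES or binary in SUSPICIOUS_SERVICE_BINARIES:
                findings.append({"rule": "suspicious_service_install",
                                 "detail": f"{svc} -> {ev.get('ImagePath')}"})
    return findings


# Constructed sample events: four malicious (matching the article's narrative)
# and two benign, to show the rules do not fire on ordinary activity.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "OriginalFileName": "Cmd.Exe", "CommandLine": "cmd.exe /c whoami"},
    {"EventID": 7045, "ServiceName": "PSEXESVC",
     "ImagePath": r"%SystemRoot%\PSEXESVC.exe"},
    {"EventID": 7045, "ServiceName": "tvnserver",
     "ImagePath": r'"C:\Program Files\TightVNC\tvnserver.exe" -service'},
    {"EventID": 1, "Image": r"C:\ProgramData\TrendSecurity.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "OriginalFileName": "rclone.exe", "CommandLine": "TrendSecurity.exe copy ..."},
    {"EventID": 1, "Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "OriginalFileName": "svchost.exe", "CommandLine": "svchost.exe -k netsvcs"},
    {"EventID": 7045, "ServiceName": "Sysmon64",
     "ImagePath": r"C:\Windows\Sysmon64.exe"},
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"[{f['rule']}] {f['detail']}")
```

Run stand-alone, the block reports four findings and stays silent on the two benign events. The rename rule deliberately checks only a watch list of OriginalFileName values rather than every mismatch, and the w3wp.exe rule should be tuned per environment, since some SharePoint customizations legitimately spawn child processes.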

This post is licensed under CC BY 4.0 by the author.