Current Cyber Threats

Web Shells, Tunnels, and Ransomware: Dissecting a Warlock Attack

Summary:
Trend Micro's analysis of a Warlock-related incident from early January 2026 revealed that operators maintained undetected access inside a victim's network for 15 days before deploying ransomware. The research, published March 16, 2026, documents a significantly evolved attack chain from the group, which Trend Micro tracks as Water Manaul.

Warlock's updated toolset now includes TightVNC and Yuze, alongside a persistent Bring Your Own Vulnerable Driver (BYOVD) technique that exploits the NSec driver to mask the group's spread across networks.

Initial access continues to rely on Microsoft SharePoint vulnerabilities, with operators deliberately timing intrusions to coincide with holiday periods when staffing and monitoring capacity are reduced.

Warlock is assessed to be a customized derivative of the leaked LockBit 3.0 builder, with links to the Project AK47 toolkit associated with Storm-2603, a Chinese-nexus threat actor combining espionage and financially motivated operations. Based on the group's leak site data from the second half of 2025, the most targeted industries were technology, manufacturing, and government, with the United States, Germany, and Russia as the most frequently targeted countries.

Security Officer Comments:
Warlock's reliance on vulnerable drivers to disable security controls represents a significant escalation in defense evasion capability, requiring organizations to move beyond basic endpoint protection and enforce strict driver governance and real-time monitoring of kernel-level activities.

The group's extended dwell time, 15 days in the observed incident, demonstrates a deliberate methodology focused on thorough network reconnaissance and lateral movement before encryption, maximizing operational impact and the probability of successful extortion.

The attack chain incorporates Group Policy abuse, credential theft, and lateral movement using built-in Windows tools and custom malware, culminating in file encryption with the .x2anylock extension and data exfiltration via RClone, enabling both ransomware and double-extortion pressure.

The group's hybrid profile, merging espionage-grade stealth with organized ransomware operations, represents the growing convergence between state-sponsored and financially motivated threat actors, complicating attribution and response.

Suggested Corrections:
Organizations should prioritize patching internet-facing on-premises Microsoft SharePoint servers against all known CVEs exploited by this group, including:
  • CVE-2025-49706
  • CVE-2025-49704
  • CVE-2025-53770
  • CVE-2025-53771
To counter BYOVD abuse, organizations should implement driver allowlisting policies that permit only signed drivers from explicitly trusted publishers, deploy EDR solutions with deep kernel-level visibility to monitor driver installation events and attempts to tamper with security processes, and maintain a rigorous patch schedule for security software with driver-based components.

Network defenders should monitor for anomalous use of remote administration tools such as TightVNC and alert on unauthorized Group Policy Object creation, guest account activation, and privilege escalation patterns consistent with Warlock's post-exploitation playbook.
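As an added example (not code from the Trend Micro report or from this bulletin), the following Python script turns the monitoring guidance above into a small set of detection rules and runs them over constructed sample records: guest account activation (Security event 4722), GPO creation (Security event 5137 on a groupPolicyContainer object), installation of a remote administration service whose name or path matches TightVNC (System event 7045), and kernel driver loads that are not validly signed by an allowlisted publisher (Sysmon event 6). The event IDs and field names are the real Windows and Sysmon ones; the `Key=Value` record shape, the trusted-signer allowlist, and every hostname, user, path and signer name in the sample log are assumptions constructed for the example.

```python
import re
from dataclasses import dataclass

# Signers the organisation has explicitly approved for kernel drivers. Assumed
# allowlist for the example; in practice it mirrors the driver/WDAC policy.
TRUSTED_DRIVER_SIGNERS = {"Microsoft Windows"}

# Case-insensitive markers for the remote administration tool the bulletin names
# (TightVNC's service binaries are tvnserver.exe / winvnc.exe).
REMOTE_ADMIN_MARKERS = ("tightvnc", "tvnserver", "winvnc")

# Matches Key=Value and Key="quoted value with spaces" pairs in one record.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


@dataclass
class Alert:
    rule: str
    host: str
    detail: str


def parse_event(line):
    """Parse one Key=Value record into a dict; EventID becomes an int."""
    fields = {k: (q if q else u) for k, q, u in _KV.findall(line)}
    fields["EventID"] = int(fields["EventID"])
    return fields


def detect_guest_enabled(ev):
    # Security 4722 "A user account was enabled"; TargetUserName is the account enabled.
    if ev["EventID"] == 4722 and ev.get("TargetUserName", "").lower() == "guest":
        return Alert("guest-account-enabled", ev["Host"], f"enabled by {ev.get('SubjectUserName')}")
    return None


def detect_gpo_created(ev):
    # Security 5137 "A directory service object was created"; a new GPO shows up as a
    # groupPolicyContainer (needs directory service object auditing on domain controllers).
    if ev["EventID"] == 5137 and ev.get("ObjectClass") == "groupPolicyContainer":
        return Alert("gpo-created", ev["Host"], f"{ev.get('ObjectDN')} by {ev.get('SubjectUserName')}")
    return None


def detect_remote_admin_service(ev):
    # System 7045 "A service was installed in the system".
    if ev["EventID"] == 7045:
        hay = f"{ev.get('ServiceName', '')} {ev.get('ImagePath', '')}".lower()
        if any(marker in hay for marker in REMOTE_ADMIN_MARKERS):
            return Alert("remote-admin-service-installed", ev["Host"], ev.get("ImagePath", ""))
    return None


def detect_unapproved_driver(ev):
    # Sysmon 6 "Driver loaded"; alert unless the signature validated AND the signer is allowlisted.
    if ev["EventID"] == 6:
        signer, status = ev.get("Signature", ""), ev.get("SignatureStatus", "")
        if status != "Valid" or signer not in TRUSTED_DRIVER_SIGNERS:
            return Alert("unapproved-driver-loaded", ev["Host"],
                         f"{ev.get('ImageLoaded')} signed by '{signer}' ({status})")
    return None


RULES = (detect_guest_enabled, detect_gpo_created, detect_remote_admin_service, detect_unapproved_driver)


def run_detections(lines):
    """Run every rule over every record; returns alerts in log order."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        for rule in RULES:
            alert = rule(ev)
            if alert:
                alerts.append(alert)
    return alerts


def hosts_by_rule(alerts):
    """Group fired rules per host so one host tripping several rules stands out."""
    summary = {}
    for alert in alerts:
        summary.setdefault(alert.host, set()).add(alert.rule)
    return {host: sorted(rules) for host, rules in summary.items()}


# Constructed sample records (not real telemetry); hosts, users, paths and signers are made up.
SAMPLE_LOG = [
    'EventID=4624 Host=WS01 TargetUserName=jdoe LogonType=10',
    'EventID=4722 Host=DC01 TargetUserName=Guest SubjectUserName=svc_backup',
    'EventID=5137 Host=DC01 ObjectClass=groupPolicyContainer SubjectUserName=svc_backup '
    'ObjectDN="CN={EXAMPLE-GUID},CN=Policies,CN=System,DC=corp,DC=example"',
    'EventID=7045 Host=WS07 ServiceName=tvnserver ImagePath="C:\\Users\\Public\\tvnserver.exe" AccountName=LocalSystem',
    'EventID=6 Host=WS07 ImageLoaded="C:\\Windows\\System32\\drivers\\example_vendor.sys" '
    'Signature="Example Vendor Co" SignatureStatus=Valid',
    'EventID=6 Host=WS07 ImageLoaded="C:\\Windows\\System32\\drivers\\tcpip.sys" '
    'Signature="Microsoft Windows" SignatureStatus=Valid',
    'EventID=7045 Host=WS03 ServiceName=Spooler ImagePath="C:\\Windows\\System32\\spoolsv.exe"',
]

if __name__ == "__main__":
    fired = run_detections(SAMPLE_LOG)
    for alert in fired:
        print(f"[{alert.rule}] {alert.host}: {alert.detail}")
    print(hosts_by_rule(fired))
```

The driver rule is deliberately allowlist-based rather than blocklist-based: a validly signed driver from a publisher that is not on the approved list still fires, which is the property a BYOVD defence needs, since the abused driver is usually legitimately signed. In a real deployment the same four rules map onto SIEM searches over the corresponding event sources, and the per-host grouping is the starting point for a hunt when the timeline of a single host shows several of these in sequence.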

Given the group's documented practice of timing intrusions to coincide with reduced staffing windows, organizations should ensure 24/7 monitoring coverage is maintained during holidays and scheduled maintenance periods.

Offline, tested backups remain essential for recovery, and threat hunting queries aligned to Warlock IOCs should be deployed across SIEM and EDR platforms where available.

Link(s):
https://www.trendmicro.com/en_us/research/26/c/dissecting-a-warlock-attack.html