Threat Actor: Warlock
Threat Level: 7
Emergence Date: Jun 2025
Category: Selective Affiliate Model
Affiliations: Storm-2603 (Microsoft, moderate confidence China-based); GOLD SALEM (Sophos); CL-CRI-1040 (Palo Alto Networks). Final LockBit affiliate (username "wlteaml") before May 2025 breach.

Description

Emerging in June 2025 with the provocative tagline "if you want a Lamborghini, please call me," the operation evolved from final LockBit affiliate to independent RaaS within two months. Distinguished by zero-day SharePoint exploitation alongside Chinese APT groups, the threat achieved at least 60 victims across 40 countries by September. Attributed to Storm-2603, operations target government agencies and critical infrastructure through a closed affiliate network.

Threat level dimensions:
Criticality: Assesses the importance of the potential target, including its size/scale, the value of its data, and the operational impact.
Lethality: Evaluates the potential for damage from the attack, including the ability to disrupt operations, cause financial loss, or damage public brand image.
Aggressiveness: Assesses the psychological and tactical intensity of the group's behavior, including targeted harassment, violent language, blackmail, and political motives.

Classifications & Affiliations

Type: Selective Ransomware-as-a-Service

Warlock operates through closed, trust-based affiliate recruitment requiring invitation-only access via the RAMP forum. Storm-2603 serves as the primary affiliate, deploying multiple ransomware families in coordinated attacks. The revenue split follows the standard 70-80% affiliate allocation. The group actively recruits Initial Access Brokers and solicits exploits for Veeam, ESXi, and SharePoint alongside EDR-killing tools. Payment processing runs through Bitcoin wallets, with Tox messaging for negotiations.

Current Status: Highly active as of October 2025 with no law enforcement disruption and continued technique evolution.


Origins and Methodology

Early access to the ToolShell zero-days before public disclosure, shared only with the Chinese APT groups Linen Typhoon and Violet Typhoon, distinguishes the operation from typical ransomware affiliates. Development under the C:\Users\Administrator\Desktop\work\tools\ai\ak47\ framework path, with China Standard Time compile timestamps, points to Chinese operational schedules.

The multi-ransomware strategy was built in from day one: coordinated Warlock/LockBit 3.0/Babuk deployment was designed to confuse attribution. Program Database paths show rapid progression from writenull prototypes to full encryption modules within days.

What is the Evolution of Warlock Ransomware?

Formation

Infrastructure establishment began March 2025 with AK47 C2 framework development. First prototype lacked encryption code, implementing only ransom note deployment. Coordinated testing of LockBit 3.0 and Warlock occurred using identical victim identifiers. Production MSI packages appeared with rapid 48-hour shift from LockBit-only to combined deployment. Registration as LockBit affiliate completed under username "wlteaml."

Evolution

Initial months saw parallel experimental and production development with systematic testing. LockBit breach in May 2025 exposed "wlteaml" as final registered affiliate. Public launch occurred June 10 on RAMP forum, with first Tor leak site launching and disconnecting same day.

Around mid-2025, operations escalated through ToolShell weaponization starting July 18 as zero-days, compromising 400+ SharePoint servers across 148 organizations in weeks. Microsoft attribution to Storm-2603 followed July 22-23, with CISA adding all vulnerabilities to KEV catalog. New leak site relaunched late July, while Babuk addition July 21 expanded arsenal to three families.

Current operations since late 2025 show sustained activity with 60+ victims by mid-September. September 8 Russian victim broke typical CIS avoidance pattern. Ongoing evolution includes fileless PowerShell encryptors, expanded BYOVD techniques, and active affiliate recruitment.

Lineage/Connections

Technical lineage traces to LockBit 3.0 through leaked builder from September 2022 and registration as final affiliate. Storm-2603 dual deployment of both families confirms connection. Shared DLL side-loading, AES-256/RSA-2048 encryption, and overlapping tradecraft validate relationship.

Circumstantial connections to Black Basta include claims for attacks previously attributed to that group. Black Basta ceasing publications early 2025 coincided with emergence, suggesting potential affiliate migration.

Babuk deployment shows multi-kit access. Infrastructure reuses identical Tox IDs, email addresses, and misspelled domains across all families.

Which Unique Techniques Does Warlock Use?

Multi-vector methodology combines zero-day exploitation for initial access with living-off-the-land post-compromise techniques for rapid enterprise-wide deployment.

Key Features & Technical Details

Technical architecture combines hybrid encryption with MSI-based deployment featuring DLL side-loading and coordinated multi-ransomware capabilities.

Technique / Details

Infection Vectors: SharePoint zero-days (ToolShell: CVE-2025-53770, CVE-2025-53771, CVE-2025-49704, CVE-2025-49706); VPN brute-forcing; purchased credentials from Initial Access Brokers; outdated Veeam exploitation (CVE-2023-27532)

Target Selection: Opportunistic targeting of internet-facing SharePoint servers with approximately 235,000 vulnerable globally; focuses on large commercial entities and government agencies ($2.4 million average government demands, $10-60 million enterprise range); spans 41+ countries concentrated in North America and Europe

Operational Complexity: Professional development with 48-hour iteration cycles; zero-day exploitation alongside Chinese APT groups; BYOVD with vulnerable Baidu driver; multi-stage chains from web shell deployment through ASP.NET MachineKey extraction, GPO mass distribution, and RClone exfiltration to Proton Drive

Activities

Operations launched June 2025 claiming 16 attacks in first month, reaching 60+ victims by September. Extraordinary scaling saw 400+ SharePoint servers across 148 organizations compromised within weeks. Sustained activity continues through October with no slowdown.

Geographic distribution spans 40+ countries with heavy concentration in United States, Canada, United Kingdom, Portugal, Croatia, Turkey, and France. Avoided China and Russia until recent Russian victim.

Primary targeting focuses on government entities (nearly half of initial attacks), technology companies, and telecommunications providers. Secondary sectors include financial services, manufacturing, agriculture/food, and professional services.


Modus Operandi

Multi-stage attacks draw on zero-day exploitation, web shell deployment, credential harvesting, and GPO abuse for double extortion.


Exploit Public-Facing Application (T1190) through ToolShell chain targeting SharePoint zero-days: CVE-2025-53770 (CVSS 9.8 deserialization RCE), CVE-2025-53771 (path traversal), CVE-2025-49704 (authenticated RCE), and CVE-2025-49706 (HTTP Referer spoofing).

Valid Accounts (T1078) through purchased credentials, web shell harvesting, and VPN brute-forcing. Veeam exploitation via CVE-2023-27532.

Domain Trust Discovery (T1482) via nltest /domain_trusts. System Information Discovery (T1082) collecting OS details and patch levels. Process Discovery (T1057) through CreateToolhelp32Snapshot API calls. Account Discovery (T1087) enumerating domain admins. Network Share Discovery (T1135) mapping administrative shares.


ASP.NET web shells (spinstall0.aspx, spinstall1.aspx, spinstall2.aspx) hosted in w3wp.exe. AK47C2 backdoor (dnsclient.exe). Velociraptor DFIR tool abuse beginning August 2025 exploiting CVE-2025-6264 for Visual Studio Code tunnels.


Virtualization/Sandbox Evasion (T1497) through IsDebuggerPresent checks. Impair Defenses (T1562.001) deploying BYOVD with googleApiUtil64.sys (Baidu driver CVE-2024-51324); KILLAV tool (vmtools.exe); registry modifications disabling Defender. Reflective Code Loading (T1620). Masquerading (T1036) renaming tools.

Indicator Removal including Clear Windows Event Logs (T1070.001) and File Deletion (T1070.004) with stripped timestamps.


OS Credential Dumping from LSASS Memory (T1003.001) via Mimikatz. Security Account Manager (T1003.002) dumping SAM and SECURITY hives using CrackMapExec or SecretsDump. Credentials from Password Stores (T1555) extracting ASP.NET MachineKey from SharePoint for persistent access through valid tokens.


Application Layer Protocol using Web Protocols (T1071.001) through Cloudflare tunnels and WebSockets servers. DNS (T1071.004) via AK47C2 framework. Multi-hop Proxy (T1090.003) leveraging Tor network.


Remote Services via SMB/Windows Admin Shares (T1021.002). Lateral Tool Transfer (T1570) using PsExec and Impacket. RDP (T1021.001) enablement through registry modification with NLA disabled.


Exfiltration Over Alternative Protocol (T1048.003) deploying RClone disguised as TrendSecurity.exe for transfer to Proton Drive. Multi-threaded transfers target files under 3000MB. Exfiltration Over C2 Channel (T1041) before encryption.

Server Software Component via Web Shell (T1505.003) in IIS w3wp.exe. Scheduled Task/Job (T1053.005) via GPO distribution. Hijack Execution Flow through DLL Side-Loading (T1574.002) abusing clink_x86.exe, 7z.exe, and MpCmdRun.exe.


Service Stop (T1489) terminating VSS, SQL, backup services (Veeam), and security products (Sophos). Inhibit System Recovery (T1490) through shadow copy deletion. Internal Defacement (T1491.001) with ransom notes. Multi-day outages affecting 40 countries documented.


Data Encrypted for Impact (T1486) using AES-256 with RSA-2048, appending .x2anylock while avoiding system-critical files. Multi-ransomware deployment includes LockBit Black and Babuk with .babyk extension. Fileless PowerShell encryptors using random AES keys in current operations.


Ransom notes direct victims to Tor portal. 12-14 day countdown before leak site publication.


Removal of tools with event log deletion. Timestamp manipulation includes stripped timestamps, falsified compilation dates (LockBit backdated to September 2022, Babuk to March 2021), and corrupted expiration mechanisms.

Indicators of Compromise (IOCs)

Comprehensive indicators span ToolShell exploitation signatures, malicious MSI packages with DLL side-loading, web shell artifacts, and C2 infrastructure.

Feature / Details

Encryption Method: Hybrid AES-256 in CBC mode with RSA-2048 key encryption achieving high entropy (7.99+); limited encryption maximizes speed while avoiding system-critical files

File Extension: .x2anylock for primary ransomware (earlier .xlockxlock); standard LockBit extensions for LockBit 3.0; .babyk for Babuk variant

Ransom Note: How to decrypt my data.txt or How to decrypt my data.log with Tox IDs and dark web links; 12-14 day countdown timers

Double Extortion: RClone disguised as TrendSecurity.exe exfiltrates to Proton Drive; targets specific file types with 3000MB max; confirmed volumes include 1 million documents and 165GB data; Tor leak site operational late July 2025

Communication Channels: C2 at 65.38.121.198 with typosquatting update.updatemicfosoft[.]com; Ngrok tunnels; WebSockets-based Golang servers; Tor portal and leak site

Deployment Speed: Enterprise-wide via GPO scheduled task creation; 25-second staged delays; multi-ransomware packages deploy Warlock via 7z.exe simultaneously with LockBit 3.0 via clink_x86.exe

Payment Method: Bitcoin with Tox messaging; ProtonMail addresses for communications

Operational Model: Selective RaaS with closed recruitment via RAMP forum; affiliates handle initial access; core team runs binaries, negotiation tools, and leak site

Indicator / Details

File Hashes

SHA256: 4147a1c7084357463b35071eab6f4525a94476b40336ebbf8a4e54eb9b51917f (writenull)
SHA256: 79bef5da8af21f97e8d4e609389c28e0646ef81a6944e329330c716e19f33c73 (encrypt experimental)
SHA256: 7c31d43b30bda3a891f0332ee5b1cf610cdc9ecf772cea9b073ac905d886990d (7z.dll)
SHA256: 0ce370160edde92094fe98eedc7d35d6f692c87613816f2dca601355f3ba6e90 (LockBit 3.0)
SHA256: 3b013d5aec75bf8aab2423d0f56605c3860a8fbd4f343089a9a8813b15ecc550 (bbb.msi)
SHA256: 92bb4ddb98eeaf11fc15bb32e71d0a63256a0ed826a03ba293ce3a8bf057a514 (spinstall0.aspx)
SHA1: 0488509b4dbc16dcb6d5f531e3c8b9a59b69e522 (KILLAV)

IP Addresses

65.38.121.198 (primary C2)
131.226.2.6 (post-exploitation C2)
134.199.202.205, 104.238.159.149, 188.130.206.168 (exploitation)

Domains/URLs

update.updatemicfosoft[.]com (typosquatting C2)
microsfot[.]org (alternate)
c34718cbb4c6.ngrok-free[.]app/file.ps1 (Ngrok)
hxxp://zfytizegsze6uiswodhbaalyy5rawaytv2nzyzdkt3susbewviqqh7yd[.]onion/touchus.html (Tor)

File Paths

C:\PROGRA~1\COMMON~1\MICROS~1\WEBSER~1\15\TEMPLATE\LAYOUTS\spinstall0.aspx (SharePoint 2016)
C:\PROGRA~1\COMMON~1\MICROS~1\WEBSER~1\16\TEMPLATE\LAYOUTS\spinstall0.aspx (SharePoint 2019)
C:\users\public\, C:\ProgramData\ (staging)

File Extensions

.x2anylock (primary)
.xlockxlock (earlier)
.babyk (Babuk)
Standard LockBit extensions

Registry Keys

HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections (set to 0)
HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\UserAuthentication (set to 0)

Process Names

w3wp.exe spawning PowerShell
7z.exe, clink_x86.exe (DLL side-loading)
vmtools.exe (AV termination)
macfee_agent.exe, TrendSecurity.exe (disguised)
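As an added defender-side example (not code from the profile's source or from any vendor report), the following Python applies several of the indicators listed above, and the Modus Operandi items they correspond to, to constructed Sysmon-style events: the w3wp.exe-to-PowerShell parent/child relationship, spinstall*.aspx drops in the SharePoint LAYOUTS directory, the two RDP registry values set to 0, and the ransomware extensions and ransom-note filenames. The event field names and sample paths are assumptions chosen for the example.

```python
import ntpath
import re

# Constructed sample telemetry, loosely modelled on Sysmon-style fields (not real logs).
SAMPLE_EVENTS = [
    {"type": "process", "parent": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"type": "file", "path": r"C:\PROGRA~1\COMMON~1\MICROS~1\WEBSER~1\16\TEMPLATE\LAYOUTS\spinstall0.aspx"},
    {"type": "registry", "key": r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections",
     "value": "0"},
    {"type": "registry",
     "key": r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\UserAuthentication",
     "value": "0"},
    {"type": "file", "path": r"D:\Shares\Finance\budget.xlsx.x2anylock"},
    {"type": "file", "path": r"D:\Shares\Finance\How to decrypt my data.txt"},
    {"type": "process", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe"},  # benign control event
]

# Indicators taken from the profile: web shell drop location, extensions, note names, RDP keys.
WEBSHELL_RE = re.compile(r"\\TEMPLATE\\LAYOUTS\\spinstall\d\.aspx$", re.IGNORECASE)
RANSOM_EXTS = {".x2anylock", ".xlockxlock", ".babyk"}
RANSOM_NOTE_RE = re.compile(r"^How to decrypt my data\.(txt|log)$", re.IGNORECASE)
RDP_KEYS = {
    r"hklm\system\currentcontrolset\control\terminal server\fdenytsconnections",
    r"hklm\system\currentcontrolset\control\terminal server\winstations\rdp-tcp\userauthentication",
}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}


def classify(ev):
    """Return the name of the first rule an event matches, or None if it is benign."""
    if ev["type"] == "process":
        parent = ntpath.basename(ev["parent"]).lower()
        child = ntpath.basename(ev["image"]).lower()
        if parent == "w3wp.exe" and child in SHELLS:
            return "iis_worker_spawns_shell"      # IIS worker launching a shell
    elif ev["type"] == "file":
        name = ntpath.basename(ev["path"])
        if WEBSHELL_RE.search(ev["path"]):
            return "sharepoint_webshell_dropped"  # spinstall*.aspx in LAYOUTS
        if ntpath.splitext(name)[1].lower() in RANSOM_EXTS:
            return "ransomware_extension"         # encrypted-file extension
        if RANSOM_NOTE_RE.match(name):
            return "ransom_note_written"
    elif ev["type"] == "registry":
        if ev["key"].lower() in RDP_KEYS and ev["value"] == "0":
            return "rdp_hardening_reversed"       # RDP enabled / NLA disabled
    return None


def detect(events):
    """Run every event through the rules; return (rule, event) pairs for hits."""
    return [(rule, ev) for ev in events if (rule := classify(ev))]
```

In a real deployment the same rules would be expressed in the SIEM's query language; the point here is that the profile's process, file and registry indicators are each cheap to match and together cover initial access, post-exploitation and impact stages.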

Exploits and Vulnerabilities

Microsoft SharePoint Server Remote Code Execution, CVE-2025-53770 (CVSS 9.8): Deserialization enabling unauthenticated RCE; exploited as zero-day from July 18, 2025; added to CISA KEV July 20; primary ToolShell vector

Microsoft SharePoint Server Code Injection, CVE-2025-53771 (CVSS 8.1): Path traversal and code injection; chains with CVE-2025-53770 for complete compromise; added to CISA KEV July 22

Microsoft SharePoint Server Remote Code Execution, CVE-2025-49704 (CVSS 8.8): Code injection (CWE-94); authenticated attackers with Site Member permissions execute arbitrary code; added to CISA KEV July 22

Microsoft SharePoint Server Spoofing, CVE-2025-49706 (CVSS 6.3): Authentication bypass via HTTP Referer spoofing to ToolPane endpoint; extremely dangerous when chained; added to CISA KEV July 22

Veeam Backup & Replication Authentication Bypass, CVE-2023-27532 (CVSS 7.5): Authentication bypass in versions 9.5 and below

Baidu Antivirus Driver Privilege Escalation, CVE-2024-51324 (CVSS 7.8): Process termination via vulnerable driver; deployed in BYOVD for EDR evasion

Additional Attack Vectors: Internet-wide Masscan for exposed SharePoint servers; VPN brute-forcing; purchased credentials from Initial Access Brokers; GPO abuse for enterprise deployment