Warlock Ransomware Exploits SharePoint Vulnerabilities
Summary
Warlock ransomware targets vulnerable on-premises Microsoft SharePoint servers, exploiting recent vulnerabilities to gain access and escalate privileges. The ransomware, believed to be a derivative of LockBit 3.0, uses DLL sideloading and other tactics to evade detection and spread within compromised networks. The campaign includes extensive reconnaissance, credential dumping, and lateral movement, ultimately deploying ransomware and leaving ransom notes in affected directories. The threat actor behind Warlock is suspected to be Storm-2603, a China-backed group known for targeting SharePoint vulnerabilities. The ransomware has been observed targeting government agencies and private-sector organizations across multiple countries. Microsoft has released patches for the affected SharePoint versions, and organizations are advised to apply these updates immediately to mitigate the risk.
Timeline
- 21.08.2025 00:04, 1 article
Warlock Ransomware Exploits SharePoint Vulnerabilities
Warlock ransomware, a derivative of the leaked LockBit 3.0 builder, targets vulnerable on-premises Microsoft SharePoint servers. The ransomware exploits recent vulnerabilities to gain access and escalate privileges, using DLL sideloading and other tactics to evade detection. The campaign includes extensive reconnaissance, credential dumping, and lateral movement, ultimately deploying ransomware and leaving ransom notes in affected directories. The threat actor is suspected to be Storm-2603, a China-backed group known for targeting SharePoint vulnerabilities. Microsoft has released patches for the affected SharePoint versions, and organizations are advised to apply these updates immediately.
Source: How Warlock Ransomware Targets Vulnerable SharePoint Servers (www.darkreading.com, 21.08.2025 00:04)
Information Snippets
All snippets first reported 21.08.2025 00:04 (1 source, 1 article: the Dark Reading article listed above).
- Warlock ransomware exploits vulnerabilities in on-premises Microsoft SharePoint servers.
- The vulnerabilities include CVE-2025-49706, CVE-2025-49704, CVE-2025-53770, and CVE-2025-53771.
- Warlock is believed to be a derivative of the leaked LockBit 3.0 builder.
- The threat actor uses DLL sideloading via legitimate utilities like 7-Zip to gain initial access.
- The ransomware escalates privileges by creating a new Group Policy Object (GPO) and activating the built-in guest account.
- Warlock uses Windows Command Shell to execute malicious scripts and establish network connections.
- The ransomware terminates security software processes, particularly those associated with Trend Micro.
- Warlock sets up a command-and-control channel using Cloudflare's tunneling service.
- The ransomware conducts extensive reconnaissance, including mapping domain relationships and collecting system information.
- Warlock uses Mimikatz and other tools for credential dumping and lateral movement.
- The threat actor is suspected to be Storm-2603, a China-backed group.
- Microsoft has released patches for the affected SharePoint versions.
Similar Happenings
HybridPetya Ransomware Bypasses UEFI Secure Boot via CVE-2024-7344
A new ransomware strain, HybridPetya, has been discovered. It resembles the Petya/NotPetya malware and can bypass UEFI Secure Boot using the CVE-2024-7344 vulnerability. HybridPetya encrypts the Master File Table (MFT) on NTFS-formatted partitions and installs a malicious EFI application on the EFI System Partition. The ransomware has two main components: a bootkit and an installer. The bootkit handles encryption and decryption processes, displaying fake CHKDSK messages to deceive victims. The ransom note demands $1,000 in Bitcoin, with a wallet receiving $183.32 between February and May 2025. HybridPetya exploits a remote code execution vulnerability in the Howyar Reloader UEFI application, allowing it to bypass Secure Boot. The variant uses a specially crafted file named 'cloak.dat' to load the bootkit binary. Microsoft revoked the vulnerable binary in January 2025. ESET's telemetry data indicates no evidence of HybridPetya being used in the wild, suggesting it may be a proof-of-concept (PoC). The ransomware incorporates characteristics from both Petya and NotPetya, including the visual style and attack chain. It drops several files into the EFI System Partition, including configuration, validation, and encryption progress tracking files. The ransom note provides a 32-character key for decryption and system restoration upon payment. Indicators of compromise for HybridPetya are available on a GitHub repository. Microsoft fixed CVE-2024-7344 with the January 2025 Patch Tuesday updates.
TAG-150 Expands Operations with CastleRAT in Python and C
The threat actor TAG-150, known for CastleLoader malware, has developed a new remote access trojan named CastleRAT. CastleRAT is available in both Python and C variants, and it is used to collect system information, execute commands, and download additional payloads. CastleRAT's development began in March 2025, and it is part of a multi-tiered infrastructure used by TAG-150. The malware is distributed through phishing attacks, fraudulent GitHub repositories, and other methods. The Python variant, also known as PyNightshade, and the C variant have different capabilities. The C variant includes keylogging, screenshot capture, file upload/download, and cryptocurrency clipper functionality. CastleRAT uses Steam Community profiles as dead drop resolvers for command-and-control (C2) servers. TAG-150 has been active since at least March 2025, using CastleLoader as an initial access vector for various secondary payloads, including remote access trojans, information stealers, and other loaders. TAG-150's operations have targeted critical infrastructure, including U.S. government agencies, and have been linked to a Play Ransomware attack against a French organization. The group's MaaS operation is likely promoted within closed circles, indicating a sophisticated and connected user base. TAG-150 is likely to develop and release additional malware in the near term and expand its distribution efforts.
AI-Driven Ransomware Strain PromptLock Discovered
A new ransomware strain named PromptLock has been identified by ESET researchers. This strain leverages AI to generate malicious scripts in real time, making it more difficult to detect and defend against. PromptLock is currently in development and has not been observed in active attacks. It can exfiltrate files, encrypt data, and is being upgraded to destroy files. The ransomware uses the gpt-oss:20b model from OpenAI via the Ollama API and is written in Go, targeting Windows, Linux, and macOS systems. The Bitcoin address associated with PromptLock appears to belong to Satoshi Nakamoto. PromptLock uses Lua scripts generated from hard-coded prompts to enumerate the local filesystem, inspect target files, exfiltrate selected data, and perform encryption. The ransomware can generate custom ransom notes based on the type of infected machine and uses the SPECK 128-bit encryption algorithm to lock files. PromptLock is assessed to be a proof-of-concept (PoC) rather than fully operational malware deployed in the wild.
HOOK Android Trojan Expands Capabilities with Ransomware Overlays and 107 Remote Commands
A new variant of the HOOK Android banking trojan has been discovered, featuring ransomware-style overlay screens to extort victims. This variant supports 107 remote commands, including new capabilities for capturing user gestures, stealing cryptocurrency wallet information, and displaying fake NFC overlays. The trojan is distributed via phishing websites, bogus GitHub repositories, and malicious APK files, posing a significant threat to financial institutions and users. The HOOK trojan is believed to be an offshoot of the ERMAC banking trojan, which had its source code leaked publicly. The trojan can display fake overlays on financial apps to steal credentials and abuse Android accessibility services for fraud and remote control. The latest version of HOOK includes commands for ransomware overlays, capturing user gestures, and stealing sensitive information like credit card details and lockscreen PINs. It also features transparent overlays to capture user gestures and screen-streaming sessions for real-time monitoring.
Global Phishing Campaign Installs RATs via Malicious Scripts
A rapidly spreading phishing campaign targets Windows users worldwide, stealing credentials and deploying remote access trojans (RATs) via malicious scripts. The campaign is particularly impacting organizations in manufacturing, technology, healthcare, construction, and retail/hospitality sectors. The attack begins with socially engineered emails leading to personalized phishing pages, which deliver JavaScript files acting as droppers for UpCrypter malware. This malware deploys various RATs, including PureHVNC, DCRat, and Babylon RAT, providing long-term access to the compromised networks. The campaign has shown rapid growth, with detection counts doubling in just two weeks. The attack chain involves obfuscated scripts, personalized phishing pages, and sophisticated evasion techniques to avoid detection. The use of ready-made tools and phishing kits from underground sites contributes to the campaign's complexity and spread. Additionally, attackers are exploiting legitimate services like Google Classroom, Microsoft 365, and OneNote for phishing campaigns, and using client-side evasion techniques to bypass defenses. Defenders are advised to implement multi-layered defenses, including strong email filters, employee training, and up-to-date security tools.