Warlock ransomware SharePoint credential-dumping and deployment activity

Malware Activity
Happening score: 52
1 unique source, 1 article

Summary

The Warlock ransomware operation is compromising exposed on-premises SharePoint servers, creating risk of credential theft, lateral movement, and disruptive ransomware deployment inside enterprise networks. The intrusion chain uses DLL sideloading, Mimikatz, and Cloudflare tunneling to establish access and evade detection. It then expands across affected systems with SMB transfer and malicious scripts before dropping the payload.

Related Happenings

Storm-1175 high-velocity exploit campaign

Campaign
First: 06.04.2026 19:56 Last: 06.04.2026 19:56 Sources 1

About this happening: **Storm-1175** is running a **high-velocity exploit campaign** that rapidly turns access into **Medusa ransomware** deployment, creating risk of **data exfiltration** and encrypte...

Google Drive ransomware detection reaches general availability and turns on by default

Security Tool/Service
First: 01.04.2026 09:35 Last: 01.04.2026 09:35 Sources 1

About this happening: **Google Drive**'s **AI-powered ransomware detection** has reached **general availability** and is now **enabled by default** for paying users, expanding automatic protection for...

WinRAR path traversal via Alternate Data Streams (CVE-2025-8088)

Vulnerability
First: 27.01.2026 21:38 Last: 27.01.2026 21:38 Sources 1

About this happening: The **CVE-2025-8088** **WinRAR** path traversal flaw is being **actively exploited**, enabling arbitrary file writes and malicious payload placement for persistence. Attackers abu...

NANOREMOTE Windows backdoor with Google Drive API C2

Malware Activity
First: 11.12.2025 15:16 Last: 11.12.2025 15:16 Sources 1

About this happening: **NANOREMOTE** is a newly disclosed **Windows backdoor** that uses the **Google Drive API** for command-and-control, giving operators a difficult-to-detect channel for **data thef...

Storm-0249 SentinelOne EDR abuse for stealthy malware execution

Malware Activity
First: 09.12.2025 17:24 Last: 09.12.2025 17:24 Sources 1

About this happening: **Storm-0249** is abusing **SentinelOne EDR** components and trusted **Windows utilities** to load malware, establish **C2**, and maintain persistence, increasing the risk that th...

Timeline

  1. 21.08.2025 00:04 1 article · 9mo ago

    Warlock ransomware SharePoint credential-dumping and deployment activity

    Initial Disclosure

    Attackers first exploit exposed **SharePoint** authentication and deserialization flaws to gain code execution on vulnerable servers. They then establish persistence by creating a **new GPO**, enabling the guest account, and assigning local administrator rights before loading follow-on tools.