
Warlock ransomware post-exploitation tooling upgrades

Malware Activity · Happening score 52 · 1 unique source, 1 article

Summary


The Warlock ransomware group has upgraded its post-exploitation toolset with BYOVD, TightVNC, and Yuze, making intrusions harder to detect and interrupt. In an observed January intrusion, operators stayed inside a victim network for 15 days before launching ransomware. The group is also using NSecKrnl.sys to terminate security products at the kernel level, while reusing Velociraptor, Cloudflare tunnels, and disguised Rclone for resilient remote access and exfiltration. The activity strengthens persistence, lateral movement, and defense evasion after entry through unpatched Microsoft SharePoint servers.

Related Happenings

Secret Blizzard Kazuar modular P2P botnet

Malware Activity
First: 16.05.2026 17:15 Last: 16.05.2026 17:15 Sources 1

About this happening: **Kazuar** is being used in a **multi-stage campaign in Ukraine** that ESET says likely involves **Gamaredon** providing access and **Turla/Secret Blizzard** delivering the backdo...

MuddyWater Microsoft Teams social-engineering campaign with Chaos ransomware decoy

Campaign
First: 06.05.2026 16:02 Last: 06.05.2026 16:02 Sources 1

About this happening: The **MuddyWater** campaign used **Microsoft Teams** social engineering and a **Chaos ransomware** decoy to gain access, steal credentials, and establish persistence. The operatio...

Snow malware suite deployment by UNC6692

Malware Activity
First: 25.04.2026 18:07 Last: 25.04.2026 18:07 Sources 1

About this happening: UNC6692 has deployed the **Snow** malware suite through **social engineering**, creating a stealthy path to **credential theft** and **domain compromise**. The operation uses **em...

Trigona ransomware uploader_client.exe exfiltration activity

Malware Activity
First: 23.04.2026 21:59 Last: 23.04.2026 21:59 Sources 1

About this happening: Trigona ransomware is now using **uploader_client.exe** to steal data from compromised environments faster, making exfiltration more efficient and harder to spot. The tool was see...

External Microsoft Teams helpdesk-impersonation campaign

Campaign
First: 20.04.2026 18:11 Last: 20.04.2026 18:11 Sources 1

About this happening: A **campaign** abusing **external Microsoft Teams collaboration** is letting attackers impersonate **IT/helpdesk staff**, gain remote access, and stage **targeted data exfiltratio...

Timeline

  1. 17.03.2026 17:36 · 2 articles

    Warlock expands SharePoint post-exploitation tooling

    Technical Analysis Update

    Warlock, also tracked as Water Manaul, continued exploiting unpatched Microsoft SharePoint servers and expanded its post-compromise toolkit with BYOVD abuse of the NSecKrnl.sys driver, TightVNC, Yuze, Velociraptor, a Cloudflare tunnel, and Rclone disguised as TrendSecurity.exe. An early January intrusion began at the SharePoint worker process (w3wp.exe) on a compromised server, and the operators remained inside the victim network for 15 days before executing ransomware.
