Find notable cyber news and cases, enriched with sources, timelines, and signals.

Warlock ransomware post-exploitation tooling upgrades

Malware Activity
First reported
Last updated
Happening score
H score 38
1 unique sources, 1 articles

Summary

Hide ▲

The Warlock ransomware group has upgraded its post-exploitation toolset with BYOVD, TightVNC, and Yuze, making intrusions harder to detect and interrupt. In an observed January intrusion, operators stayed inside a victim network for 15 days before launching ransomware. The group is also using NSecKrnl.sys to terminate security products at the kernel level, while reusing Velociraptor, Cloudflare tunnels, and disguised Rclone for resilient remote access and exfiltration. The activity strengthens persistence, lateral movement, and defense evasion after entry through unpatched Microsoft SharePoint servers.

Related Happenings

Microsoft releases RoguePlanet Defender security update for CVE-2026-50656

Security Patch Release
H score32 First: 17.06.2026 20:36 Last: 17.06.2026 20:36 Sources 1

About this happening: **Microsoft** has released a **security update** for **CVE-2026-50656**, remediating **RoguePlanet** in the **Microsoft Malware Protection Engine (mpengine.dll)**. The flaw is a *...

Latest development: 09.07.2026 11:48

Microsoft released security updates for CVE-2026-50656, remediating the RoguePlanet privilege-escalation flaw in Microsoft Malware Protection Engine (mpengine.dll) with version 1.1.26060.3008 and additional defense-in-depth updates. Microsoft said no customer action is required to install the update.

Major U.S. services company hit by ransomware attack linked to DragonForce

Incident
H score38 First: 16.06.2026 13:18 Last: 16.06.2026 13:18 Sources 1

About this happening: A **DragonForce ransomware** incident hit a **major U.S. services firm** in **December 2025**, with attackers maintaining access for **one to two months** and hiding **command-and...

Backdoor.Turn Microsoft Teams TURN relay malware activity

Malware Activity
H score29 First: 16.06.2026 13:18 Last: 16.06.2026 13:18 Sources 1

About this happening: **Backdoor.Turn** is a **Go-based RAT** tied to **DragonForce ransomware** operators that hid command-and-control traffic through **Microsoft Teams TURN relay infrastructure** dur...

SimpleHelp remote management software privileged technician account creation security flaw (CVE-2026-48558)

Vulnerability
H score46 First: 15.06.2026 23:06 Last: 15.06.2026 23:06 Sources 1

About this happening: **CVE-2026-48558** is a **critical authentication bypass** in **SimpleHelp RMM** that affects **OIDC authentication** and can let an unauthenticated attacker forge a token and obt...

UNC5221 Brickstorm, Plenet, and AgentPSD access-maintenance malware activity

Malware Activity
H score16 First: 05.06.2026 21:09 Last: 05.06.2026 21:09 Sources 1

About this happening: The **Brickstorm** malware set enabled **UNC5221 / VerdantBamboo** to keep long-term access inside victim infrastructure, including **Microsoft 365**, raising the risk of stealthy...

Timeline

  1. 17.03.2026 17:36 2 articles · 3mo ago

    Warlock expands SharePoint post-exploitation tooling

    Technical Analysis Update

    Warlock, also tracked as Water Manaul, continued exploiting unpatched Microsoft SharePoint servers and expanded its post-compromise toolkit with BYOVD abuse of the NSecKrnl.sys driver, TightVNC, Yuze, Velociraptor, a Cloudflare tunnel, and Rclone disguised as TrendSecurity.exe. An early January intrusion began at the SharePoint worker process (w3wp.exe) on a compromised server, and the operators remained inside the victim network for 15 days before executing ransomware.

    Show sources