Warlock ransomware post-exploitation tooling upgrades
Malware Activity
Summary
Hide ▲
Show ▼
The Warlock ransomware group has upgraded its post-exploitation toolset with BYOVD, TightVNC, and Yuze, making intrusions harder to detect and interrupt. In an observed January intrusion, operators stayed inside a victim network for 15 days before launching ransomware. The group is also using NSecKrnl.sys to terminate security products at the kernel level, while reusing Velociraptor, Cloudflare tunnels, and disguised Rclone for resilient remote access and exfiltration. The activity strengthens persistence, lateral movement, and defense evasion after entry through unpatched Microsoft SharePoint servers.
Related Happenings
Microsoft releases RoguePlanet Defender security update for CVE-2026-50656
Security Patch Release
H score32
First: 17.06.2026 20:36
Last: 17.06.2026 20:36
Sources 1
About this happening:
**Microsoft** has released a **security update** for **CVE-2026-50656**, remediating **RoguePlanet** in the **Microsoft Malware Protection Engine (mpengine.dll)**. The flaw is a *...
Microsoft releases RoguePlanet Defender security update for CVE-2026-50656
Security Patch ReleaseAbout this happening: **Microsoft** has released a **security update** for **CVE-2026-50656**, remediating **RoguePlanet** in the **Microsoft Malware Protection Engine (mpengine.dll)**. The flaw is a *...
Latest development: 09.07.2026 11:48
Microsoft released security updates for CVE-2026-50656, remediating the RoguePlanet privilege-escalation flaw in Microsoft Malware Protection Engine (mpengine.dll) with version 1.1.26060.3008 and additional defense-in-depth updates. Microsoft said no customer action is required to install the update.
Major U.S. services company hit by ransomware attack linked to DragonForce
Incident
H score38
First: 16.06.2026 13:18
Last: 16.06.2026 13:18
Sources 1
About this happening:
A **DragonForce ransomware** incident hit a **major U.S. services firm** in **December 2025**, with attackers maintaining access for **one to two months** and hiding **command-and...
Major U.S. services company hit by ransomware attack linked to DragonForce
IncidentAbout this happening: A **DragonForce ransomware** incident hit a **major U.S. services firm** in **December 2025**, with attackers maintaining access for **one to two months** and hiding **command-and...
Backdoor.Turn Microsoft Teams TURN relay malware activity
Malware Activity
H score29
First: 16.06.2026 13:18
Last: 16.06.2026 13:18
Sources 1
About this happening:
**Backdoor.Turn** is a **Go-based RAT** tied to **DragonForce ransomware** operators that hid command-and-control traffic through **Microsoft Teams TURN relay infrastructure** dur...
Backdoor.Turn Microsoft Teams TURN relay malware activity
Malware ActivityAbout this happening: **Backdoor.Turn** is a **Go-based RAT** tied to **DragonForce ransomware** operators that hid command-and-control traffic through **Microsoft Teams TURN relay infrastructure** dur...
SimpleHelp remote management software privileged technician account creation security flaw (CVE-2026-48558)
Vulnerability
H score46
First: 15.06.2026 23:06
Last: 15.06.2026 23:06
Sources 1
About this happening:
**CVE-2026-48558** is a **critical authentication bypass** in **SimpleHelp RMM** that affects **OIDC authentication** and can let an unauthenticated attacker forge a token and obt...
SimpleHelp remote management software privileged technician account creation security flaw (CVE-2026-48558)
VulnerabilityAbout this happening: **CVE-2026-48558** is a **critical authentication bypass** in **SimpleHelp RMM** that affects **OIDC authentication** and can let an unauthenticated attacker forge a token and obt...
UNC5221 Brickstorm, Plenet, and AgentPSD access-maintenance malware activity
Malware Activity
H score16
First: 05.06.2026 21:09
Last: 05.06.2026 21:09
Sources 1
About this happening:
The **Brickstorm** malware set enabled **UNC5221 / VerdantBamboo** to keep long-term access inside victim infrastructure, including **Microsoft 365**, raising the risk of stealthy...
UNC5221 Brickstorm, Plenet, and AgentPSD access-maintenance malware activity
Malware ActivityAbout this happening: The **Brickstorm** malware set enabled **UNC5221 / VerdantBamboo** to keep long-term access inside victim infrastructure, including **Microsoft 365**, raising the risk of stealthy...
Timeline
-
17.03.2026 17:36 2 articles · 3mo ago
Warlock expands SharePoint post-exploitation tooling
Technical Analysis UpdateWarlock, also tracked as Water Manaul, continued exploiting unpatched Microsoft SharePoint servers and expanded its post-compromise toolkit with BYOVD abuse of the NSecKrnl.sys driver, TightVNC, Yuze, Velociraptor, a Cloudflare tunnel, and Rclone disguised as TrendSecurity.exe. An early January intrusion began at the SharePoint worker process (w3wp.exe) on a compromised server, and the operators remained inside the victim network for 15 days before executing ransomware.
Show sources
- Warlock Ransomware Group Augments Post-Exploitation Activities — www.darkreading.com — 17.03.2026 17:36
- Warlock Ransomware Group Augments Post-Exploitation Activities — www.darkreading.com — 17.03.2026 17:36