Warlock Ransomware Hitting Victims Globally Through SharePoint ToolShell Exploit

Aug. 20, 2025

Warlock ransomware operators have extensively targeted the Microsoft SharePoint ToolShell vulnerability to hit victims globally, according to Trend Micro researchers.

Warlock affiliates have used the widely reported flaw to compromise unpatched organizations at speed and depth via a sequence of sophisticated post-exploitation techniques.

“By exploiting SharePoint’s authentication and deserialization flaws, attackers were able to rapidly gain code execution capabilities and escalated privileges, move laterally within the system, and deliver disruptive ransomware at scale,” the researchers noted.

On July 23, Microsoft reported that a China-based actor tracked as Storm-2603 was distributing Warlock ransomware on exploited on-premises SharePoint servers. This came just a few days after the tech giant warned SharePoint customers that attackers were actively targeting the exploit chain, dubbed ToolShell.

The Trend Micro report, dated August 20, noted that Warlock had quickly established itself in the cybercriminal landscape in the weeks leading up to the ToolShell exploits.

The group made its public debut on the Russian-language RAMP forum in early June 2025, advertising itself to potential affiliates with the tagline: “If you want a Lamborghini, please contact me.”

By mid-2025, the group’s victim list had grown rapidly to include organizations in North America, Europe, Asia and Africa, impacting industries ranging from technology to critical infrastructure, based on its leak site data.

“In a short period of time, the threat actor behind Warlock evolved from a bold forum announcement into a rapidly growing global ransomware threat, setting the stage for even more sophisticated campaigns – including those leveraging the SharePoint ToolShell vulnerability that would bring the group into the spotlight,” the researchers added.

Warlock claimed credit for an August 2025 attack on UK telecoms firm Colt Technology Services.


Sophisticated Post-Exploitation Attack Chain

Warlock affiliates use a sequence of sophisticated post-exploitation techniques resulting in ransomware deployment and data exfiltration.

Once in a network, the attackers first establish higher privileges by creating a new Group Policy Object (GPO) within the domain.

The attacker activates the built-in “guest” account on a Windows machine and changes its password so the account can be used for access. The attacker then adds the “guest” account to the local “administrators” group, granting it administrative privileges.

A stealthy command and control (C2) channel is set up inside the compromised environment, in one case using a Cloudflare binary that has been renamed to evade detection.

Windows Command Shell is used to execute script files and batch jobs.

Trend Micro highlighted a series of defense evasion techniques, including attempts to terminate the vendor’s processes and services.

The threat actor also conducts extensive reconnaissance within the victim environment to plan lateral movement. This includes gathering comprehensive information on the compromised system, including its network configuration, and determining the current user and privilege context.

To achieve lateral movement, remote services such as Server Message Block (SMB) are used to copy payloads and tools across machines. This involves using a command to transfer a malicious executable to the public folder of a remote system via administrative shares.

The attacker also enables Remote Desktop Protocol (RDP) access by setting the fDenyTSConnections value under HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server to 0.
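The privilege-escalation and RDP-enabling steps described above each leave a distinct trace in the Windows Security log. The following rule set, written here as an added example and not taken from the Trend Micro report or from Warlock tooling, triages a batch of event records for those traces and correlates them by the account that performed them. The event records are constructed samples shaped like Windows Security log fields (EventID plus EventData names); the `svc_deploy` account, the workstation name and the GPO DN are invented for the sample.

```python
"""Triage Windows Security events for the Warlock post-exploitation steps:
Guest account enabled (4722) and password reset (4724), Guest added to the
local Administrators group (4732), a new Group Policy Object created (5137,
objectClass groupPolicyContainer), and RDP enabled by writing 0 to
fDenyTSConnections under the Terminal Server key (4657).

Note: 4657 only fires when an audit SACL is set on the key; without one,
Sysmon Event ID 13 (RegistryEvent, value set) carries the same information.
"""

# Constructed sample records; not log lines from the incident.
SAMPLE_EVENTS = [
    {"EventID": 4722, "TargetUserName": "Guest", "SubjectUserName": "svc_deploy"},
    {"EventID": 4724, "TargetUserName": "Guest", "SubjectUserName": "svc_deploy"},
    {"EventID": 4732, "TargetUserName": "Administrators",
     "MemberName": "WORKSTATION01\\Guest", "SubjectUserName": "svc_deploy"},
    {"EventID": 5137, "ObjectClass": "groupPolicyContainer",
     "ObjectDN": "CN={CONSTRUCTED-GUID},CN=Policies,CN=System,DC=corp,DC=example",
     "SubjectUserName": "svc_deploy"},
    {"EventID": 4657,
     "ObjectName": "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Control\\Terminal Server",
     "ObjectValueName": "fDenyTSConnections", "OldValue": "1", "NewValue": "0",
     "SubjectUserName": "svc_deploy"},
    # Benign noise that must not trigger any rule.
    {"EventID": 4732, "TargetUserName": "Remote Desktop Users",
     "MemberName": "CORP\\jdoe", "SubjectUserName": "helpdesk"},
    {"EventID": 4657,
     "ObjectName": "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Control\\Terminal Server",
     "ObjectValueName": "fDenyTSConnections", "OldValue": "0", "NewValue": "1",
     "SubjectUserName": "SYSTEM"},
]


def _is_guest(name):
    """True for 'Guest' with or without a DOMAIN\\ or HOST\\ prefix."""
    return (name or "").rsplit("\\", 1)[-1].lower() == "guest"


def _is_terminal_server_key(object_name):
    # Logged paths use ControlSetNNN, so match on the key suffix only.
    return (object_name or "").lower().endswith("\\control\\terminal server")


# Each rule: (alert name, predicate over one event record).
RULES = [
    ("guest_enabled",
     lambda e: e["EventID"] == 4722 and _is_guest(e.get("TargetUserName"))),
    ("guest_password_reset",
     lambda e: e["EventID"] == 4724 and _is_guest(e.get("TargetUserName"))),
    ("guest_added_to_administrators",
     lambda e: e["EventID"] == 4732
     and e.get("TargetUserName", "").lower() == "administrators"
     and _is_guest(e.get("MemberName"))),
    ("gpo_created",
     lambda e: e["EventID"] == 5137
     and e.get("ObjectClass") == "groupPolicyContainer"),
    ("rdp_enabled_via_registry",
     lambda e: e["EventID"] == 4657
     and e.get("ObjectValueName", "").lower() == "fdenytsconnections"
     and _is_terminal_server_key(e.get("ObjectName"))
     and e.get("NewValue") == "0"),
]


def evaluate(events):
    """Return [(alert_name, subject_account)] for every rule that matches."""
    hits = []
    for e in events:
        for name, rule in RULES:
            if rule(e):
                hits.append((name, e.get("SubjectUserName", "?")))
    return hits


def correlate(hits, threshold=3):
    """Accounts that triggered at least `threshold` distinct rules: one Guest
    change alone is noise, but several of these steps by one account are the
    chain described in the report."""
    per_subject = {}
    for name, subject in hits:
        per_subject.setdefault(subject, set()).add(name)
    return sorted(s for s, names in per_subject.items() if len(names) >= threshold)


if __name__ == "__main__":
    hits = evaluate(SAMPLE_EVENTS)
    for name, subject in hits:
        print(f"{name:32s} by {subject}")
    print("chain suspects:", correlate(hits))
```

The per-event rules are deliberately narrow (exact event IDs, the Guest account, the Terminal Server key) so that each can be reviewed on its own; the correlation step is what turns them into a finding worth paging on.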

Warlock ransomware deployment is enabled by copying the ransomware binary into public folders on multiple endpoints (MITRE ATT&CK’s Ingress Tool Transfer technique).

The ransomware then encrypts files, before placing a ransom note titled “How to decrypt my data.txt” within affected directories.

The ransomware also forcibly terminates several legitimate processes and services to maximize system disruption and eliminate potential recovery mechanisms.

The researchers observed that Warlock appears to be a customized derivative of the leaked LockBit 3.0 builder.

The data exfiltration process is conducted using RClone, a legitimate open-source file synchronization tool. In one case observed by Trend Micro, the file was disguised as TrendSecurity.exe and placed in an inconspicuous directory to evade detection.
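Both the renamed Cloudflare binary used for C2 and RClone disguised as TrendSecurity.exe rely on the file name to blend in; the file hash does not change when a binary is renamed. The following check, added here as an example and not part of the report or of either tool, compares the SHA-256 of each started process against a catalog of known dual-use tool hashes and flags a match whose on-disk name or directory does not fit a sanctioned install. The catalog hashes are computed over constructed byte strings standing in for the real release binaries, the process records are constructed in the shape of Sysmon Event ID 1 fields (`Image`, `Hashes`), and treating `cloudflared.exe` as the Cloudflare binary in question is an assumption.

```python
"""Detect renamed copies of known dual-use tools by hash, not by file name."""
import hashlib
from pathlib import PureWindowsPath

# Constructed stand-ins for the real binaries; a deployment would hash the
# vendors' published release files instead.
_STAND_INS = {
    "rclone.exe": b"constructed stand-in for the rclone release binary",
    "cloudflared.exe": b"constructed stand-in for the cloudflared release binary",
}
KNOWN_TOOL_HASHES = {hashlib.sha256(b).hexdigest(): n for n, b in _STAND_INS.items()}

# Where a sanctioned install of these tools would normally live (assumed policy).
SANCTIONED_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\")


def sha256_from_hashes_field(field):
    """Extract the SHA256 from a Sysmon 'Hashes' field such as
    'MD5=...,SHA256=...,IMPHASH=...'; returns None if absent."""
    for part in (field or "").split(","):
        algo, _, value = part.partition("=")
        if algo.strip().upper() == "SHA256":
            return value.strip().lower()
    return None


def classify(image, hashes_field):
    """Return a reason string if the process is a known tool out of place, else None."""
    digest = sha256_from_hashes_field(hashes_field)
    tool = KNOWN_TOOL_HASHES.get(digest)
    if tool is None:
        return None
    path = PureWindowsPath(image)
    if path.name.lower() != tool:
        return f"{tool} running under the name {path.name} from {path.parent}"
    if not image.lower().startswith(SANCTIONED_DIRS):
        return f"{tool} executed from unsanctioned directory {path.parent}"
    return None


def scan(process_events):
    """Apply classify() to each process-creation record; returns [(image, reason)]."""
    findings = []
    for ev in process_events:
        reason = classify(ev["Image"], ev.get("Hashes"))
        if reason:
            findings.append((ev["Image"], reason))
    return findings


def _h(tool):
    """Build a constructed Sysmon-style Hashes field for a stand-in tool."""
    return "MD5=00000000000000000000000000000000,SHA256=" + \
        hashlib.sha256(_STAND_INS[tool]).hexdigest()


# Constructed process-creation records, not telemetry from the incident.
SAMPLE_PROCESSES = [
    {"Image": "C:\\Users\\Public\\TrendSecurity.exe", "Hashes": _h("rclone.exe")},
    {"Image": "C:\\ProgramData\\svc-update.exe", "Hashes": _h("cloudflared.exe")},
    {"Image": "C:\\Program Files\\rclone\\rclone.exe", "Hashes": _h("rclone.exe")},
    {"Image": "C:\\Users\\Public\\rclone.exe", "Hashes": _h("rclone.exe")},
    {"Image": "C:\\Windows\\System32\\notepad.exe",
     "Hashes": "SHA256=" + hashlib.sha256(b"constructed unrelated binary").hexdigest()},
]

if __name__ == "__main__":
    for image, reason in scan(SAMPLE_PROCESSES):
        print(f"{image}: {reason}")
```

Matching on hash first and name second is what makes the rule indifferent to the disguise: the renamed RClone copy and the renamed tunnel binary are both caught, the properly installed RClone is left alone, and a correctly named copy dropped in a public folder is still surfaced for review. Keep the catalog current with each tool release, since a new version has a new hash.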

The researchers urged organizations to promptly patch their on-premises SharePoint servers, as well as deploy layered detection capabilities to defend against the Warlock ransomware threat.
