Warlock
Warlock is a ransomware group first observed posting victims in June 2025. Reporting describes it as a likely China-based operator and links it to exploitation of internet-facing software, including the ToolShell SharePoint zero-day campaign, as well as exploitation involving SmarterMail, SolarWinds Web Help Desk, and Gladinet CentreStack. Sophos reported that Warlock compromised more than 60 organizations in six months and targeted high-value sectors including nuclear energy, aerospace, and government. The group has also been described as remaining operational after its leak site went silent in November 2025.
Warlock is associated with aggressive defense evasion, especially repeated use of multiple EDR killers and bring-your-own-vulnerable-driver (BYOVD) techniques. ESET reported that Warlock routinely deployed multiple EDR killers per intrusion and abused at least nine different vulnerable drivers. Drivers and BYOVD components named in reporting include Antiy, NSecSoft/NSecKrnl.sys, Rising Antivirus, VMTools, the Baidu Antivirus BdApi driver googleApiUtil64.sys used by HexKiller, and signed Chinese drivers used to disable antivirus protections. Trend Micro reported that newer Warlock campaigns replaced googleApiUtil64.sys with NSecKrnl.sys. Reporting also states that affiliates of Qilin and Warlock used an msimg32.dll side-loading chain in April 2026 to load rwdrv.sys and hlpdrv.sys and terminate more than 300 endpoint agent drivers. HexKiller is repeatedly described as an EDR killer previously associated exclusively with the Warlock ransomware gang. ESET also assessed that some Warlock EDR-killer tooling showed signs suggestive of AI-assisted development.
Warlock is further reported to have adapted the VS Code abuse technique previously used by Mustang Panda and to have pioneered malicious use of Velociraptor.
Tools observed across intrusions leading to Warlock ransomware deployment include Everything.exe, Radmin, Mimikatz, Cobalt Strike, SecurityCheck, TightVNC, Veeam-Get-Creds, Velociraptor, Impacket, Cloudflared, PsExec, OpenSSH, PowerShell Remoting, RDP Patcher, VS Code Tunnel, RClone, MinIO, Azure Blob Storage, Supabase, Catbox[.]moe, and msiexec. Trend Micro additionally reported use of TightVNC for persistence, PsExec for lateral movement, RDP Patcher for concurrent RDP sessions, Velociraptor for command-and-control, Visual Studio Code with Cloudflare Tunnel for tunneling C2, Yuze for intranet penetration and reverse proxy connectivity, and Rclone for exfiltration. Reporting also notes that Storm-2603 deployed a ransomware variant linked to the Warlock group, and that the Sophos article URL associates the operation with the name Gold Salem. No higher-confidence alias relationship beyond those mentions is established in the reporting reviewed here.
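The BYOVD driver names and the msimg32.dll side-loading chain above are the kind of detail a detection engineer can turn into telemetry checks. The following is an added example, not code from the Mallory profile or from any vendor cited on the page: a small detection pass over constructed Sysmon-style events (Event ID 6 DriverLoad, 7 ImageLoad, 1 ProcessCreate) that flags loads of the driver files named in the profile, msimg32.dll loaded from outside the Windows system directories, and execution of the dual-use tooling listed. The sample events, host names and paths are constructed; the driver and tool names come from the profile.

```python
"""Detection pass over constructed Sysmon-style events for the Warlock
tradecraft described in the profile. Added example; not vendor code."""
import ntpath
from collections import Counter
from dataclasses import dataclass

# Vulnerable driver file names named in the profile as abused for BYOVD.
# File-name matching is a weak indicator (trivially renamed); in production
# pair it with signer/hash checks and a vulnerable-driver blocklist.
BYOVD_DRIVERS = {"googleapiutil64.sys", "nseckrnl.sys", "rwdrv.sys", "hlpdrv.sys"}

# Legitimate locations of msimg32.dll; a copy loaded from anywhere else is
# the side-loading pattern the profile attributes to Qilin/Warlock affiliates.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Dual-use tooling from the profile's tool list; context, not a verdict.
TOOLING = {"velociraptor.exe", "cloudflared.exe", "rclone.exe",
           "psexec.exe", "mimikatz.exe"}


@dataclass(frozen=True)
class Finding:
    rule: str
    host: str
    detail: str


def _basename(path: str) -> str:
    # ntpath handles backslash paths even when this runs on Linux.
    return ntpath.basename(path).lower()


def evaluate(events: list) -> list:
    """Return one Finding per matching event, in event order."""
    findings = []
    for ev in events:
        eid, host = ev["EventID"], ev["Computer"]
        if eid == 6:  # DriverLoad
            loaded = ev["ImageLoaded"]
            if _basename(loaded) in BYOVD_DRIVERS:
                findings.append(Finding("byovd_driver_load", host, loaded))
        elif eid == 7:  # ImageLoad
            loaded = ev["ImageLoaded"]
            if (_basename(loaded) == "msimg32.dll"
                    and not loaded.lower().startswith(SYSTEM_DIRS)):
                findings.append(Finding("msimg32_sideload", host,
                                        f"{ev['Image']} loaded {loaded}"))
        elif eid == 1:  # ProcessCreate
            if _basename(ev["Image"]) in TOOLING:
                findings.append(Finding("dual_use_tool", host, ev["Image"]))
    return findings


def summarize(findings: list) -> dict:
    """Count findings per (host, rule) so a host with several hits stands out."""
    return dict(Counter((f.host, f.rule) for f in findings))


# Constructed sample telemetry (not real events). Hosts WS01 and SRV02 are
# placeholders; paths are illustrative.
SAMPLE_EVENTS = [
    {"EventID": 6, "Computer": "WS01", "ImageLoaded": r"C:\Users\Public\googleApiUtil64.sys"},
    {"EventID": 6, "Computer": "WS01", "ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys"},
    {"EventID": 7, "Computer": "SRV02", "Image": r"C:\ProgramData\tmp\update.exe",
     "ImageLoaded": r"C:\ProgramData\tmp\msimg32.dll"},
    {"EventID": 7, "Computer": "SRV02", "Image": r"C:\Windows\explorer.exe",
     "ImageLoaded": r"C:\Windows\System32\msimg32.dll"},
    {"EventID": 1, "Computer": "SRV02", "Image": r"C:\Users\Public\rclone.exe"},
    {"EventID": 1, "Computer": "WS01", "Image": r"C:\Windows\System32\svchost.exe"},
    {"EventID": 6, "Computer": "SRV02", "ImageLoaded": r"C:\ProgramData\tmp\hlpdrv.sys"},
]

if __name__ == "__main__":
    for f in evaluate(SAMPLE_EVENTS):
        print(f"{f.host:6} {f.rule:20} {f.detail}")
    print(summarize(evaluate(SAMPLE_EVENTS)))
```

The four expected hits are the two driver loads, the msimg32.dll load from a non-system directory, and the rclone.exe execution; the legitimate tcpip.sys, system-directory msimg32.dll and svchost.exe events pass. Because Warlock intrusions reportedly chain several EDR killers, the per-host summary is the more useful output: a single host with both a BYOVD driver load and a side-loaded msimg32.dll is a stronger signal than either finding alone.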
Tradecraft
36 distinct techniques observed across reporting, grouped by tactic.
Associated malware families
5 malware families attributed to this actor across reporting.
Associated vulnerabilities
5 CVEs this actor has used in observed campaigns. 5 of them exploited in the wild.
CVE-2014-8361 (CVSS score: 9.3) - Realtek SDK, IoT devices, network equipment. Actors: Warlock, Sinobi, Beast Link.
CVE-2025-26399 (CVSS score: 9.8) - A deserialization of untrusted data vulnerability in the AjaxProxy component of SolarWinds Web Help Desk that could allow an attacker to run commands on the host machine.
"Colt had an on-premise SharePoint server that had already been backdoored (via CVE-2025-53770) in the recent mass-hack wave by the time it was patched."
"CVE-2026-23760 is an authentication bypass flaw that could allow any user to reset the SmarterMail system administrator password by sending a specially crafted HTTP request." / "ReliaQuest said it identified activity likely linked to Warlock that involved the abuse of CVE-2026-23760 to bypass authentication and stage the ransomware payload..."
CVE-2026-24423, on the other hand, exploits a weakness in the ConnectToHub API method to achieve unauthenticated remote code execution (RCE).
Recent activity
20 sources tracked across advisories, community write-ups, and news.
Referenced as the ransomware gang previously associated with HexKiller before the tool appeared in Gentlemen intrusions.
Referenced as the group to which HexKiller was previously exclusively attributed.
Referenced as a ransomware gang previously associated with the HexKiller EDR-killer tool.
Referenced because HexKiller was previously thought to be exclusive to this ransomware gang.