Warlock

Warlock is a ransomware family and associated extortion operation active since at least March 2025, first publicly advertised in June 2025 and tracked by Sophos CTU as GOLD SALEM and by Microsoft as Storm-2603. It has compromised networks across North America, Europe, South America, Latin America/Caribbean, and Asia-Pacific, with victims including small businesses, large multinationals, government entities, telecommunications, agriculture, energy and natural resources, and other sectors. Multiple sources describe the actor as financially motivated; Microsoft assessed Storm-2603 with moderate confidence as China-based, while Sophos stated it lacked sufficient evidence to confirm that attribution.

Observed initial access includes exploitation of internet-facing Microsoft SharePoint Server via the ToolShell exploit chain and related vulnerabilities CVE-2025-49704, CVE-2025-49706, CVE-2025-53770, and CVE-2025-53771, as well as exploitation of SmarterMail vulnerabilities including CVE-2026-23760 and CVE-2026-24423. Warlock-linked intrusions have also been associated with exploitation of SolarWinds Web Help Desk (CVE-2025-40551) and Gladinet CentreStack (CVE-2025-14611), and some reporting notes deployment via exposed RDP services. In SharePoint cases, attackers uploaded ASPX web shells such as spinstall0.aspx and variants spinstall.aspx, spinstall1.aspx, and spinstall2.aspx, executed commands via w3wp.exe/cmd.exe, stole SharePoint ASP.NET MachineKey material, and established persistence through web shells, scheduled tasks, and IIS component manipulation.

Post-compromise tradecraft includes credential theft with Mimikatz against LSASS, lateral movement with PsExec, Impacket, WMI, PowerShell Remoting, OpenSSH, Radmin, TightVNC, and Cobalt Strike, and ransomware distribution via modified Group Policy Objects. Warlock operators have repeatedly abused legitimate tools for persistence and access, notably Velociraptor, including installation of older vulnerable versions and use of Velociraptor to establish a Visual Studio Code tunnel. Additional observed tooling across Warlock-linked intrusions includes Everything.exe, SecurityCheck, Veeam-Get-Creds, Cloudflared, RClone, MinIO, Azure Blob Storage, Supabase, Catbox[.]moe, msiexec, and RDP Patcher.

Defense evasion is a prominent feature of Warlock activity. Observed intrusions used Bring Your Own Vulnerable Driver techniques to disable endpoint protections, including a vulnerable Baidu Antivirus driver renamed googleApiUtil64.sys exploiting CVE-2024-51324 to terminate EDR processes. Reporting also links Warlock affiliates to an msimg32.dll sideloading chain that loads signed vulnerable drivers rwdrv.sys and hlpdrv.sys to kill endpoint agents. Other BYOVD-related components observed in Warlock-linked intrusions include Antiy System In-Depth Analysis Toolkit driver, NsecSoft driver, Rising Antivirus driver, and VMTools AV Killer.

Warlock operates a Tor-based leak site and uses data theft and extortion in addition to encryption. Victim postings began in June 2025; one report states the group reached 43 total listings in Q3 2025, while Sophos reported 60 victims listed through mid-September 2025 and publication of stolen data from a subset of those victims. Some incidents and reporting emphasize data exfiltration and leak-site publication as part of the operation. Known indicators and artifacts directly mentioned in reporting include the web shell filenames above; files such as IIS_Server_dll.dll, SharpHostInfo.x64.exe, xd.exe, and debug_dev.js; the path \1[5-6]\TEMPLATE\LAYOUTS\debug_dev.js; IPs 65.38.121[.]198, 131.226.2.6, 134.199.202.205, 104.238.159.149, and 188.130.206.168; the host c34718cbb4c6.ngrok-free.app; and in SmarterMail-related activity, download of a malicious MSI named v4.msi from Supabase and a Golang-based WebSockets backdoor downloaded as c:\users\public\Sophos\Sophos-UI.exe from filebin.net.