Discovered in June 2025, Warlock is a particularly aggressive ransomware operation based on double extortion: victims’ data is first exfiltrated and then encrypted, with the threat of publication on the Dark Web.
The group operates its own dedicated leak site (DLS), where data from organizations that refuse to pay is publicly exposed.
An entry point: SharePoint vulnerabilities
Initial access relies on the ToolShell vulnerability chain affecting on-premises Microsoft SharePoint.
Attackers deploy a webshell, most commonly spinstall0.asp, via targeted HTTP POST requests.
Once the infrastructure is compromised, they copy in their tools and create a Group Policy Object (GPO) to ensure persistence.
Microsoft has linked these operations to several China-based threat groups, notably Storm-2603, previously observed using LockBit, as well as Linen Typhoon (APT27) and Violet Typhoon (APT31).
The Warlock attack chain
After intrusion, the malicious script enables the Windows Guest account, changes its password, and grants it administrator privileges.
The attackers then conduct a reconnaissance phase, inventorying the network, domain controllers, installed applications, and available file shares.
Next comes defense neutralization: tools such as vmtools.exe (Trojan.Win64.KILLLAV.I) are downloaded, the googleApiUtil64.sys driver is installed to remove security solutions, and firewall rules are modified.
For data exfiltration, Warlock uses RClone, often renamed (e.g., TrendSecurity.exe), to transfer data to anonymous storage services such as Proton Drive.
Persistence is reinforced through GPOs, scheduled tasks, and the installation of Cloudflare.exe, which establishes an encrypted tunnel to command-and-control servers.
Credentials are stolen using Mimikatz, followed by lateral movement with PsExec or Impacket. Registry keys are also modified to disable Network Level Authentication (NLA), further weakening security.
Encryption and extortion
The ransomware payload, derived from the LockBit 3.0 builder, is then deployed across the entire network. Files are encrypted and given the extensions .x2anylock or .xlockxlock, along with a ransom note titled How to decrypt my data.txt.
The note contains a .onion link and a Tox ID to initiate ransom negotiations.
Even fully patched SharePoint environments have been compromised via a Veeam Backup vulnerability (CVE-2023-27532), demonstrating the group’s adaptability.
High-profile victims
Warlock already claims dozens of victim organizations across the telecommunications, finance, industrial, and public sectors.
Attacks against Colt Technology Services and especially Orange received widespread media coverage, with sample datasets publicly advertised for sale. This marks the fourth cyberattack suffered by Orange in 2025.
Overall, more than 400 organizations are believed to have been compromised via ToolShell, and the list of victims continues to grow.
Cybersecurity recommendations
Experts recommend the following measures:
- Immediate and prioritized patching of SharePoint
- PowerShell hardening and close monitoring of GPO changes
- Blocking Cloudflared and RClone
- Filtering outbound traffic and deploying Data Loss Prevention (DLP)
- Integrating IOCs (IPs, domains, hashes) into SIEM and EDR solutions
In case of suspected compromise: immediately isolate affected systems, collect logs, reset Active Directory passwords, and revoke exposed authentication tokens.
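As an added illustration of the detection side of these recommendations (example code, not from the article or from any vendor tooling): a Python script that flags requests to the spinstall0.asp webshell in IIS W3C logs, and process-creation events in which a binary whose original file name is rclone.exe runs under another name, as with the TrendSecurity.exe rename described above. The log lines and events are constructed samples, and a Sysmon-style OriginalFileName field is assumed as the telemetry source.

```python
# Added detection example, not code from the article: two checks for Warlock
# tradecraft described above. All log lines and events below are constructed.
WEBSHELL_MARKER = "spinstall0.asp"  # substring also matches the .aspx spelling

# Constructed IIS W3C log excerpt; column names come from the #Fields header.
IIS_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2025-07-20 03:14:07 10.0.0.5 GET /_layouts/15/start.aspx - 443 CORP\\alice 10.0.1.20 Mozilla/5.0 200
2025-07-20 03:15:41 10.0.0.5 POST /_layouts/15/spinstall0.aspx - 443 - 203.0.113.9 python-requests/2.31 200
2025-07-20 03:16:02 10.0.0.5 POST /_layouts/15/upload.aspx - 443 CORP\\bob 10.0.1.22 Mozilla/5.0 200
2025-07-20 03:16:30 10.0.0.5 GET /_layouts/15/SPINSTALL0.ASPX - 443 - 203.0.113.9 curl/8.4 200
"""

def find_webshell_requests(log_text):
    """Return (time, client ip, method, uri, severity) for every request whose
    URI stem names the webshell. POST is the deployment pattern, so it rates high."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        cols = line.split()
        if len(cols) != len(fields):
            continue  # malformed or truncated line: skip rather than guess columns
        rec = dict(zip(fields, cols))
        if WEBSHELL_MARKER in rec["cs-uri-stem"].lower():
            severity = "high" if rec["cs-method"] == "POST" else "medium"
            hits.append((f'{rec["date"]} {rec["time"]}', rec["c-ip"],
                         rec["cs-method"], rec["cs-uri-stem"], severity))
    return hits

# Constructed process-creation events in the shape of Sysmon Event ID 1 fields.
PROCESS_EVENTS = [
    {"Image": r"C:\Windows\System32\svchost.exe", "OriginalFileName": "svchost.exe"},
    {"Image": r"C:\ProgramData\TrendSecurity.exe", "OriginalFileName": "rclone.exe"},
    {"Image": r"C:\Tools\rclone.exe", "OriginalFileName": "rclone.exe"},
]

def find_renamed_rclone(events):
    """Return image paths whose PE original file name is rclone.exe but whose
    on-disk name differs (renamed RClone, e.g. TrendSecurity.exe)."""
    renamed = []
    for ev in events:
        on_disk = ev["Image"].rsplit("\\", 1)[-1].lower()
        if ev.get("OriginalFileName", "").lower() == "rclone.exe" and on_disk != "rclone.exe":
            renamed.append(ev["Image"])
    return renamed
```

Both checks are meant to feed a SIEM rule: the webshell hit identifies the source address to pivot on, and the rename check catches RClone regardless of the file name chosen.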