The Warlock ransomware group continues to exploit unpatched Microsoft SharePoint servers with a new focus on stealthier, more resilient post-exploitation activity, thanks to its use of a new bring your own vulnerable driver (BYOVD) technique and other strategic tools.
Warlock, also tracked as Water Manaul, has maintained a consistency in its initial access method in attacks during the second half of last year, during which it primarily targeted the technology, manufacturing, and government sectors in the US, Germany, and Russia, according to researchers at Trend Micro. In activity observed earlier this year, the group pivoted to expanding its malicious activities once inside a targeted environment, according to a report published this week.
“Our recent monitoring revealed that the Warlock ransomware group has enhanced its attack chain, including improved methods for persistence, lateral movement, and evasion,” Trend Micro threat analysts wrote in the report.
These methods include exploiting the Nsec driver with a new BYOVD technique as well as using the remote-access tool TightVNC and the reverse-proxy tool Yuze to conceal its malicious activity as it spreads across networks, the researchers said.
These tactics are in addition to previous post-exploit tools and techniques used by the group, which included the Velociraptor digital forensics and incident response (DFIR) tool as its primary command-and-control (C2) framework, a single Cloudflare tunnel for remote access, and Rclone disguised as TrendSecurity.exe for exfiltration.
The researchers noted that the expanded toolset “gives Warlock multiple redundant [C2] channels that blend with legitimate network traffic, demonstrating deliberate investment in operational resilience and detection evasion.”
Rapid Evolution of a Nascent Group
Warlock hasn’t been around very long on the ransomware scene but seems to be evolving rapidly in a short time frame, according to Trend Micro. The group made its public debut last June on the Russian cybercrime forum RAMP. It quickly took credit for more than a dozen attacks, snagging victims such as government agencies across multiple countries, as well as private sector organizations.
Trend Micro researchers observed a Warlock attack in early January during which the threat actors spent 15 days inside a victim’s network before executing the ransomware. The investigation tracked the earliest observed malicious activity of Warlock on the network to the SharePoint worker process (w3wp.exe) on the compromised server, suggesting that the group is continuing to exploit unpatched Microsoft SharePoint vulnerabilities on Internet-facing servers as its primary access point.
Indeed, last year Trend Micro observed Warlock exploiting SharePoint vulnerabilities, including a set of flaws affecting on-premises servers — spoofing flaw CVE-2025-49706, remote code execution bug CVE-2025-49704, and related vulnerabilities CVE-2025-53770 and CVE-2025-53771. While Warlock’s post-compromise tradecraft is evolving, its initial access approach remains unchanged, which reinforces the ongoing risk posed when organizations delay patching of public-facing enterprise applications.
Warlock’s Post-Exploitation Activity Enhancements
In the Warlock attack Trend Micro detected in January, the threat actors began to deviate from techniques seen in previous attacks to improve persistence, lateral movement, and defense evasion, according to Trend Micro. Key changes observed include silently deploying TightVNC as a Windows service via PsExec for persistent GUI-based remote access.
Later in the attack, Warlock also deployed Yuze, a lightweight C-based open source reverse proxy tool used to establish SOCKS5 connections over ports 80, 443, and 53. This helps blend malicious traffic with normal network activity to help attackers evade detection.
The group also leveraged the BYOVD technique by exploiting a vulnerability in the NSecKrnl.sys driver to terminate security products at the kernel level, replacing the googleApiUtil64.sys driver used in earlier campaigns. This represents “a more advanced evolution of earlier driver abuse,” the researchers noted.
These additions complement existing tactics such as Cloudflare tunnels for C2 and Rclone for data exfiltration, forming a layered and redundant attack chain designed to survive disruption, according to Trend Micro.
Defending Against Warlock
Given the rapid progress of even fledgling groups such as Warlock, defenders should respond directly to their malicious activities, the researchers said. They emphasized once again the need to patch immediately any public vulnerabilities, particularly in widely used enterprise server technology such as SharePoint.
“Protecting these assets and the credentials they hold is critical to preventing initial access and in impeding post-exploitation activities, such as privilege escalation and domain dominance,” the researchers noted.
In addition to patching, defenders can protect SharePoint and other Internet-facing assets by removing direct RDP or administrative interface exposure to the Internet and enforcing multifactor authentication (MFA) on all external access points, especially VPNs and email systems, they added.
Trend Micro also advised organizations should actively monitor for abuse of legitimate administrative and remote access tools, set up detections for anomalous driver activity and kernel-level tampering, and practice consistent visibility into lateral movement and proxy-based C2 channels to defend specifically against the tactics observed in the recent Warlock attack.
