Skip to content
Ransomware group Windows

Warlock

Warlock is a ransomware operation active since at least March 2025, with public victim postings beginning in June 2025.

Profile source: Mallory opens in a new tab

Warlock

Family profile

Warlock is a ransomware operation active since at least March 2025, with public victim postings beginning in June 2025. It has been tracked as GOLD SALEM by Sophos and is closely associated with the threat actor Storm-2603, which Microsoft has assessed with moderate confidence as China-based, although that geographic attribution is not universally corroborated. Warlock has targeted organizations across multiple regions including North America, Europe, South America, Latin America, and Asia-Pacific, with observed victims spanning government, telecommunications, agriculture, energy and natural resources, and commercial enterprises.

Warlock intrusions have repeatedly been linked to exploitation of internet-facing on-premises Microsoft SharePoint vulnerabilities, especially the ToolShell exploit chain, and later reporting also associates the operation with exploitation of other enterprise software vulnerabilities. In observed SharePoint compromises, attackers obtained code execution on vulnerable servers, deployed web shells for command execution, stole credentials from LSASS using Mimikatz, created local and domain administrative accounts, and moved laterally with tools such as PsExec, Impacket, WMI, and PowerShell remoting. Microsoft also observed modification of Group Policy Objects to distribute the ransomware payload across compromised environments.

The operation demonstrates mature post-compromise tradecraft beyond encryption. Reported activity includes persistence through web shells, scheduled tasks, IIS component manipulation, and secondary backdoors; use of remote access channels such as Cloudflare tunneling, Zoho Assist, OpenSSH, and Visual Studio Code tunnels; and data theft and leak-site extortion. Warlock maintains a Tor-based leak site and has published victim names and stolen data, indicating a double-extortion model in which exfiltration is an important component of operations.

Defense evasion is a notable feature of Warlock-linked intrusions. Researchers have observed Bring Your Own Vulnerable Driver techniques used to disable or tamper with endpoint security products, including vulnerable antivirus or utility drivers and, in later reporting, DLL sideloading chains used to load signed vulnerable drivers for mass termination of endpoint agents. Additional observed tooling across Warlock-related incidents includes Velociraptor, Cobalt Strike, Rclone, and other utilities associated with reconnaissance, credential access, remote administration, and exfiltration.

Warlock appears both as a distinct ransomware brand and as malware deployed by overlapping or multi-actor intrusion sets. Incident reporting has described environments where Storm-2603 activity overlapped with unrelated actors, complicating attribution. Even so, the strongest consistent pattern is exploitation of exposed enterprise services for initial access, rapid privilege escalation and lateral movement, suppression of defenses, theft of data, and enterprise-wide ransomware deployment.

Capabilities

  • Byovd
  • Credential Theft
  • Defense Evasion
  • Dll Sideloading
  • Exfiltration
  • Extortion
  • Initial Access
  • Lateral Movement
  • Persistence
  • Privilege Escalation
  • Reconnaissance

Ransomware.live

Operational record

View group record ↗

Credential Theft

  • Mimikatz
  • Veeam-Get-Creds

Defense Evasion

  • Antiy System In-Depth Analysis Toolkit driver (BYOVD)
  • NsecSoft driver (BYOVD)
  • Rising Antivirus driver (BYOVD)
  • VMTools AV Killer (BYOVD)

Discovery Enum

  • Everything.exe
  • SecurityCheck

Exfiltration

  • RClone

LOLBAS

  • Minidump
  • Msiexec
  • PowerShell Remoting (PSRemoting)
  • PsExec
  • RDP Patcher

Networking

  • Azure Blog Storage
  • Catbox[.]moe
  • Cloudflared
  • MinIO
  • OpenSSH
  • Supabase
  • VS Code Tunnel
  • Yuze

Offsec

  • Cobalt Strike
  • Velociraptor

RMM Tools

  • Radmin
  • TightVNC

Ransomware.live

Published indicators

Full source record ↗

Sha256

1 total
  • da8de7257c6897d2220cdf9d4755b15aeb38715807e3665716d2ee761c266fdb

Tox

3 total
  • 3DCE1C43491FC92EA7010322040B254FDD2731001C2DDC2B9E819F0C946BDC3CD251FA3B694A
  • 84490152E99B9EC4BCFE16080AFCFD6FDCD87512027E85DB318F7B3440982637FC2847F71685
  • F79A71AD8BB2E3E7EDFC38970FDC05E922E429B5DFC325C7D0E91F216DE8F3537C1A1C97F197

Reported operators

Threat actors

10 named in public reporting
Storm-2603

Группировка Storm-2603, по данным Microsoft Incident Response (опубликовано The Hacker News), эксплуатирует уязвимости on-premises SharePoint для развёртывания ransomware Warlock с середины 2025 года.

UAC-0238

Groups including UAC-0238 exploited exposed RDP services to push ransomware variants such as X2anylock, Warlock, and LockBit 3.0 into compromised environments.

camofei

Warlock Ransomware Hits US Firms Exploiting SharePoint Zero-Day, Linked to China’s CamoFei APT

Warlock

GOLD SALEM (also known as Storm-2603) is a financially motivated cybercriminal threat group calling itself Warlock Group responsible for the distribution of the Warlock ransomware.

cnkjasdfgd

"WarLock ransomware hit Colt Telecom, causing outages in hosting, porting, Colt Online, and Voice API since August 12."

ZIRCONIUM

"Storm-2603 was using the exploit to deploy Warlock and another ransomware payload, LockBit."

Chamelgang

"Storm-2603 was using the exploit to deploy Warlock and another ransomware payload, LockBit."

Threat Group-3390

"Storm-2603 was using the exploit to deploy Warlock and another ransomware payload, LockBit."

Sheathminer

"Storm-2603 was using the exploit to deploy Warlock and another ransomware payload, LockBit."

Budworm

"Storm-2603 was using the exploit to deploy Warlock and another ransomware payload, LockBit."

Exploited software

Vulnerabilities linked to Warlock

13 CVEs

MITRE ATT&CK

Warlock in ATT&CK

5 distinct techniques

Reporting

Research mentioning Warlock

Jul 15
Register Security

CISA sounds alarm over trio of exploited SharePoint flaws

CISA said attackers were chaining together CVE-2025-49706 (6.5) and CVE-2025-49704 (8.8) to break into SharePoint Servers and, in some cases, deploy Warlock ransomware.

Jul 9
Codeby

CVE-2026-45659: SharePoint RCE через десериализацию

Группировка Storm-2603, по данным Microsoft Incident Response (опубликовано The Hacker News), эксплуатирует уязвимости on-premises SharePoint для развёртывания ransomware Warlock с середины 2025 года.

Jul 3
Thecybersecguru

HSIN Breach: DHS SharePoint Hack Exposes World Cup Security | The CyberSec Guru

Microsoft later confirmed that Storm-2603, a threat actor known for deploying Warlock ransomware specifically through on-premises SharePoint bugs, was among the groups that piled on.

Jul 2
The Hacker News

SharePoint RCE CVE-2026-45659 Added to CISA KEV After Active Exploitation

One set of attacks has been attributed to Storm-2603, a threat actor known for deploying Warlock ransomware often by exploiting known vulnerabilities in on-premises SharePoint servers since mid-2025.

Jun 6
Codeby

Ransomware тренды 2026: EDR killers и detection для SOC

По данным Vectra AI, в апреле 2026 года аффилиаты группировок Qilin и Warlock использовали вредоносную цепочку загрузки msimg32.dll, которая side-load'ит подписанные уязвимые драйверы - rwdrv.sys (ThrottleStop) и hlpdrv.sys - для завершения более 300 драйверов endpoint-агентов практически всех основных вендоров.

May 22
Cyber Security News

Russian Threat Groups Use RDP, VPN, Supply Chain Attacks, and Social Engineering for Initial Access

Groups including UAC-0238 exploited exposed RDP services to push ransomware variants such as X2anylock, Warlock, and LockBit 3.0 into compromised environments.

Apr 2
Recorded Future

Latin America and the Caribbean Cybercrime Landscape

Storm-2603 (Gold Salem) deployed ransomware, including Warlock, LockBit, and Babuk, targeting multiple sectors across agriculture, government, energy and natural resources, and telecommunications in the LAC and Asia-Pacific (APAC) regions.

Feb 13
Security Online Info

Email Under Siege: Storm-2603 Exploits SmarterMail to Deploy Warlock Ransomware

Storm-2603 ... exploiting ... SmarterMail servers to deploy “Warlock” ransomware ... The campaign centers on CVE-2026-23760 ...

We appreciate you

Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.