Warlock Ransomware Group Augments Post-Exploitation Activities

Summary

The Warlock (aka Water Manaul) ransomware group has upgraded its post-exploitation tradecraft to be stealthier and more resilient. Researchers at Trend Micro observed recent activity where Warlock continued to gain initial access via unpatched, Internet-facing Microsoft SharePoint servers but then deployed a broader and more redundant toolkit to persist, move laterally and evade detection.

Key Points

  • Initial access remains focused on exploiting unpatched SharePoint servers (several CVEs referenced).
  • Warlock now abuses a BYOVD (bring your own vulnerable driver) technique, exploiting an NSecKrnl.sys vulnerability to tamper with kernel-level security.
  • Persistent remote GUI access achieved by deploying TightVNC as a Windows service via PsExec.
  • Use of Yuze, a lightweight reverse-proxy, enables SOCKS5 tunnels over common ports (80/443/53) to blend with benign traffic.
  • The group retains earlier tools—Velociraptor for C2, Cloudflare tunnels and Rclone (disguised) for exfiltration—creating multiple redundant channels.
  • Observed targeting spans technology, manufacturing and government sectors across the US, Germany and Russia.
  • Defensive recommendations: patch immediately, remove public admin/RDP exposure, enforce MFA, and monitor for anomalous driver/kernel activity and proxy-based C2.

Content summary

Trend Micro analysed a Warlock engagement where attackers stayed in a victim network for about 15 days before detonating ransomware. The intrusion chain starts with SharePoint worker process compromise on exposed servers. Post-compromise, Warlock expanded its toolkit: replacing previously abused drivers with an NSec driver exploit (BYOVD) to disable security at kernel level, installing TightVNC for persistent GUI access, and deploying Yuze to mask lateral movement and C2 traffic. These additions sit alongside Velociraptor C2 frameworks, Cloudflare tunnels and Rclone-based exfiltration, forming a layered attack designed to survive disruption and evade detection.
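The behaviours listed in the Key Points and the content summary above map onto a small set of host telemetry checks. The following is an added example, not code from Trend Micro or Dark Reading, that runs those checks over constructed Windows event records: a service installation (System log event 7045) naming TightVNC or PSEXESVC, a Sysmon driver-load event (ID 6) for NSecKrnl.sys, a Sysmon network event (ID 3) to a tunnel port (53/80/443) from a binary in a user-writable directory or TCP on port 53 from a non-DNS process, and a Sysmon process-create event (ID 1) whose OriginalFileName is rclone.exe but whose on-disk name differs. The flattened `key=value` record format, the host names, paths and IPs are all assumptions made for the example; the event IDs are standard Windows/Sysmon IDs.

```python
"""Hunt for Warlock-style post-exploitation indicators in sample event records.

Added example: every record below is constructed, and the key=value layout is
an assumed flattening of Windows System-log and Sysmon events.
"""
import ntpath
import re
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample telemetry (not real logs). One event per line.
SAMPLE_EVENTS = """\
channel=System id=7045 host=SP-WEB01 service_name=TightVNC image="C:\\Windows\\tvnserver.exe -service" account=SYSTEM
channel=System id=7045 host=SP-WEB01 service_name=PSEXESVC image="C:\\Windows\\PSEXESVC.exe" account=SYSTEM
channel=Sysmon id=6 host=SP-WEB01 image_loaded="C:\\Windows\\Temp\\NSecKrnl.sys" signed=true
channel=Sysmon id=3 host=SP-WEB01 image="C:\\Windows\\Temp\\svc.exe" proto=tcp dst_ip=203.0.113.10 dst_port=53
channel=Sysmon id=1 host=SP-WEB01 image="C:\\ProgramData\\svchost.exe" original_file_name=rclone.exe
channel=System id=7045 host=FS02 service_name=Spooler image="C:\\Windows\\System32\\spoolsv.exe" account=SYSTEM
channel=Sysmon id=3 host=FS02 image="C:\\Windows\\System32\\svchost.exe" proto=udp dst_ip=10.0.0.2 dst_port=53
channel=Sysmon id=3 host=FS02 image="C:\\Program Files\\Mozilla Firefox\\firefox.exe" proto=tcp dst_ip=198.51.100.7 dst_port=443
"""

# Indicators taken from the summary; extend the driver set from a BYOVD block list.
REMOTE_ACCESS_SERVICES = {"tightvnc", "tvnserver", "psexesvc"}
VULNERABLE_DRIVERS = {"nseckrnl.sys"}
TUNNEL_PORTS = {"53", "80", "443"}
USER_WRITABLE_DIRS = ("\\temp\\", "\\programdata\\", "\\users\\public\\")
LEGIT_DNS_CLIENTS = {"svchost.exe", "dns.exe"}  # assumed allow-list for TCP/53

# key=value pairs, values optionally double-quoted (assumed record format).
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_event(line: str) -> Dict[str, str]:
    """Turn one flattened record into a dict of field -> value."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(4)
            for m in FIELD_RE.finditer(line)}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (empty string if no path)."""
    return ntpath.basename(path).lower()


def check_service_install(ev: Dict[str, str]) -> Optional[str]:
    """System 7045: a new service whose name or binary is TightVNC/PsExec."""
    if ev.get("channel") == "System" and ev.get("id") == "7045":
        hay = (ev.get("service_name", "") + " " + ev.get("image", "")).lower()
        if any(tok in hay for tok in REMOTE_ACCESS_SERVICES):
            return "remote-access service installed (TightVNC/PsExec pattern)"
    return None


def check_driver_load(ev: Dict[str, str]) -> Optional[str]:
    """Sysmon 6: a driver from the known-vulnerable set was loaded."""
    if ev.get("channel") == "Sysmon" and ev.get("id") == "6":
        if basename(ev.get("image_loaded", "")) in VULNERABLE_DRIVERS:
            return "BYOVD: known-vulnerable driver loaded"
    return None


def check_tunnel_connection(ev: Dict[str, str]) -> Optional[str]:
    """Sysmon 3: tunnel-port traffic from a staging directory, or TCP/53 from a non-DNS process."""
    if ev.get("channel") == "Sysmon" and ev.get("id") == "3":
        image = ev.get("image", "")
        port = ev.get("dst_port", "")
        if port not in TUNNEL_PORTS:
            return None
        from_staging = any(d in image.lower() for d in USER_WRITABLE_DIRS)
        tcp_dns = (port == "53" and ev.get("proto") == "tcp"
                   and basename(image) not in LEGIT_DNS_CLIENTS)
        if from_staging or tcp_dns:
            return f"possible SOCKS5 tunnel on port {port} from {basename(image)}"
    return None


def check_renamed_tool(ev: Dict[str, str]) -> Optional[str]:
    """Sysmon 1: binary whose OriginalFileName is rclone.exe but runs under another name."""
    if ev.get("channel") == "Sysmon" and ev.get("id") == "1":
        orig = ev.get("original_file_name", "").lower()
        if orig == "rclone.exe" and basename(ev.get("image", "")) != orig:
            return "renamed Rclone binary executed (exfiltration staging)"
    return None


RULES: List[Callable[[Dict[str, str]], Optional[str]]] = [
    check_service_install, check_driver_load, check_tunnel_connection, check_renamed_tool,
]


def hunt(log_text: str) -> List[Tuple[str, str]]:
    """Apply every rule to every record; return (host, verdict) pairs."""
    findings: List[Tuple[str, str]] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        for rule in RULES:
            verdict = rule(ev)
            if verdict:
                findings.append((ev.get("host", "?"), verdict))
    return findings


if __name__ == "__main__":
    for host, verdict in hunt(SAMPLE_EVENTS):
        print(f"{host}: {verdict}")
```

Run against the constructed records, only SP-WEB01 produces findings: two service installs, the driver load, the TCP/53 connection from a Temp-directory binary, and the renamed Rclone process; FS02's Spooler service, UDP DNS from svchost.exe and a browser's HTTPS connection stay quiet. The rules are deliberately narrow to the indicators the summary names; in production they would be fed from the SIEM's normalised fields rather than this flattened format.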

The group debuted publicly in mid-2025 and has rapidly evolved its operational resilience. While its initial access vector has been consistent, the sophistication of post-exploitation activities has increased, indicating deliberate investment in evasion and redundancy.

Context and Relevance

This is important because it highlights two persistent problems: organisations delaying critical patches on Internet-facing services (SharePoint in this case), and the increasing use of driver-level and proxy techniques that can bypass conventional detection. For defenders, the piece sheds light on specific TTPs (BYOVD, TightVNC service deployment, Yuze proxy use, Velociraptor C2 and disguised exfiltration) that should be prioritised in hunt and detection efforts.

It also underlines a broader trend: even nascent ransomware groups can quickly assemble resilient, multi-channel attack stacks that blend with legitimate traffic, making detection and disruption harder without proactive patching, stronger access controls and kernel-level monitoring.

Why should I read this?

Quick take: attackers aren’t just breaking in — they’re getting slicker at hiding out and keeping their backdoors alive. If you look after servers, identity or incident response, this one gives you exact behaviours to hunt for and fixes you can apply straight away. Short, sharp and useful.

Source

Source: https://www.darkreading.com/threat-intelligence/warlock-ransomware-post-exploitation-activities