Mallory

warlock_group

6 malware families. Exploits CVEs in the wild.

Also known as: warlock_group

Warlock Group, also tracked by Microsoft as Storm-2603, is a Chinese-attributed ransomware operation. The group has used leaked LockBit Windows and Babuk VMware ESXi encryptors in its attacks. According to reporting, it launched in March 2025 using LockBit ransom notes customized with a Tox ID for ransom negotiations, and in June 2025 rebranded itself as Warlock Group, after which it used its own customized ransom notes and operated dark web negotiation and data leak sites. Microsoft reported that the actors exploited a SharePoint vulnerability to breach corporate networks and deploy ransomware. Observed ransom demands ranged from $450,000 to several million dollars. The group was linked to the sale of allegedly stolen Colt Technology Services data on the Ramp cybercrime forum, where it claimed to have stolen 1 million documents and offered them for $200,000; the forum post was reportedly tied to Warlock through a Tox ID matching one previously used in the group's ransom notes. Known alias mentioned in the reporting: Storm-2603.

Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

MITRE ATT&CK

Tradecraft

19 distinct techniques observed across reporting, grouped by tactic. Coverage: 13 of 15 tactics, 30 techniques listed. ×N = number of intelligence reports citing this technique.
TA0001 Initial Access (1 technique)
- T1190 Exploit Public-Facing Application (×2)

TA0002 Execution (2 techniques)
- T1059 Command and Scripting Interpreter
  - T1059.003 Windows Command Shell
- T1203 Exploitation for Client Execution

TA0003 Persistence (2 techniques)
- T1136 Create Account
  - T1136.002 Domain Account
- T1505 Server Software Component
  - T1505.003 Web Shell

TA0004 Privilege Escalation (2 techniques)
- T1068 Exploitation for Privilege Escalation (×2)
- T1484 Domain or Tenant Policy Modification
  - T1484.001 Group Policy Modification

TA0005 Stealth (1 technique)
- T1497 Virtualization/Sandbox Evasion
  - T1497.003 Time Based Checks

TA0112 Defense Impairment (1 technique)
- T1484 Domain or Tenant Policy Modification
  - T1484.001 Group Policy Modification

TA0006 Credential Access (1 technique)
- T1003 OS Credential Dumping
  - T1003.001 LSASS Memory

TA0007 Discovery (1 technique)
- T1497 Virtualization/Sandbox Evasion
  - T1497.003 Time Based Checks

TA0008 Lateral Movement (1 technique)
- T1021 Remote Services

TA0009 Collection (1 technique)
- T1074 Data Staged

TA0011 Command and Control (4 techniques)
- T1071 Application Layer Protocol
  - T1071.001 Web Protocols
- T1090 Proxy
  - T1090.002 External Proxy
- T1105 Ingress Tool Transfer (×2)
- T1219 Remote Access Tools

TA0010 Exfiltration (1 technique)
- T1567 Exfiltration Over Web Service (×2)

TA0040 Impact (2 techniques)
- T1486 Data Encrypted for Impact (×3)
- T1657 Financial Theft
IOCs

Observables

8 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.

IOC values are gated. The domains, IPs, hashes, and other artifacts are available in Mallory, where they can also be piped straight into your SIEM.

What this page doesn't show

The version that knows your environment.

This page is what's public. Mallory adds the parts that aren't: sector and geo overlap with your footprint, the IOCs they're burning right now, detection coverage, and what to do next.

- Target overlap: match sector + geo + tech-stack targeting against your real footprint.
- Tradecraft mapping (19): every observed MITRE ATT&CK technique, grouped by tactic.
- Malware arsenal (6): families this actor is known to deploy, with IOCs and behavior.
- Exploited CVEs (2): CVEs this actor has used in known campaigns.
- Detection signatures: YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
- Observables (8): domains, IPs, and hashes tied to this actor, refreshed continuously.