The Warlock ransomware, first observed in June 2025, is attributed to a China-based actor whose activity dates back to 2019. It gained prominence by exploiting the ToolShell vulnerability in Microsoft SharePoint. The group, tracked as Storm-2603, deploys multiple ransomware payloads and a custom command-and-control (C&C) framework called ak47c2. Warlock is likely a rebrand of the older Anylock ransomware and may have ties to the retired Black Basta operation. The actors behind Warlock have engaged in both espionage and financially motivated cybercrime, which suggests they may operate as contractors. Their toolset includes defense-evasion utilities and stolen code-signing certificates, overlaps that link them to earlier attacks by groups such as CamoFei and ChamelGang.
Author: AlienVault
Related Tags:
Engineering
Warlock
CatB
British Indian Ocean Territory
LockBit
Japan
Russian Federation
T1133
Taiwan
Associated Indicators (SHA-256 file hashes):
24480DBE306597DA1BA393B6E30D542673066F98826CC07AC4B9033137F37DBF
6FEB5361FD3ABD3A7A733C30BFCC2B58FC774AC6AA91A468CE2E31DCFFC9D4DE
9F2434D5F8D042323CC7964520D99BDA661BB23CE505CB03C8A07758BC9397A6
E23D5CB32A2D62314A8B26A205B634EE968F5A0500C190BC6EDB55EC70285EB5
CA2C02F592D72CAFC218F4EDD1EA771F8D1458CB95C2C76C3E384E63CEFD1FB6
BBA75DC056EF7F9C4ADE39B32174C5980233FC1551C41ACA9487019191764BAC
9D52AF33C05EA80F9BC47404B02ACE4E16203DD81AEF9021924885A6BFF1D3C1
8CA7304846C69300237A8577FBEEC2720EA9A4BD09CB7FE484A8D5EFC79AD073
2C9F0F324E9CCA0481162CDC21EE9B60A7541941A33AF99113D08BBD859D7473
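A practical way to use the hashes above is a file-system sweep: hash every file under a path and flag any whose SHA-256 appears in the indicator list. The script below is an added example and is not part of the AlienVault pulse; it embeds the nine hashes from the list verbatim, normalises them to lowercase so case differences between feeds do not cause misses, streams files through SHA-256 so large binaries do not have to fit in memory, and skips symlinks and unreadable files rather than aborting the scan. The function and variable names are the example's own.

```python
import hashlib
import os
import re
from pathlib import Path

# SHA-256 indicators copied verbatim from the pulse's "Associated Indicators" list.
WARLOCK_SHA256 = """
24480DBE306597DA1BA393B6E30D542673066F98826CC07AC4B9033137F37DBF
6FEB5361FD3ABD3A7A733C30BFCC2B58FC774AC6AA91A468CE2E31DCFFC9D4DE
9F2434D5F8D042323CC7964520D99BDA661BB23CE505CB03C8A07758BC9397A6
E23D5CB32A2D62314A8B26A205B634EE968F5A0500C190BC6EDB55EC70285EB5
CA2C02F592D72CAFC218F4EDD1EA771F8D1458CB95C2C76C3E384E63CEFD1FB6
BBA75DC056EF7F9C4ADE39B32174C5980233FC1551C41ACA9487019191764BAC
9D52AF33C05EA80F9BC47404B02ACE4E16203DD81AEF9021924885A6BFF1D3C1
8CA7304846C69300237A8577FBEEC2720EA9A4BD09CB7FE484A8D5EFC79AD073
2C9F0F324E9CCA0481162CDC21EE9B60A7541941A33AF99113D08BBD859D7473
"""

# A well-formed SHA-256 hex digest is exactly 64 lowercase hex characters.
_SHA256_RE = re.compile(r"^[0-9a-f]{64}$")


def load_indicators(text: str) -> frozenset[str]:
    """Parse one hash per line, lowercase it, and drop anything that is not a
    well-formed SHA-256 (comments, blank lines, MD5s from a mixed feed)."""
    out = set()
    for line in text.splitlines():
        token = line.strip().lower()
        if _SHA256_RE.match(token):
            out.add(token)
    return frozenset(out)


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream the file through SHA-256 in 1 MiB chunks; returns the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def scan_tree(root: Path, indicators: frozenset[str]) -> list[tuple[Path, str]]:
    """Walk root and return (path, digest) for every regular file whose SHA-256
    is in the indicator set. Symlinks are not followed and unreadable files
    are skipped so one permission error does not stop the sweep."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            try:
                digest = sha256_file(p)
            except OSError:
                continue
            if digest in indicators:
                hits.append((p, digest))
    return hits


if __name__ == "__main__":
    import sys

    target = Path(sys.argv[1] if len(sys.argv) > 1 else ".")
    for path, digest in scan_tree(target, load_indicators(WARLOCK_SHA256)):
        print(f"MATCH {digest} {path}")
```

Run it as `python warlock_sweep.py /path/to/scan` (the file name is an assumption). A hash match is a strong indicator but only for the exact samples listed; repacked or recompiled builds of the same payload will not match, so treat an empty result as "these specific files are absent", not as "Warlock is absent".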


