Warlock Ransomware Actors Target SharePoint ToolShell Zero-Day in Latest Attack Campaign
The recently uncovered Warlock ransomware campaign showcases a troubling shift among Chinese threat actors toward direct financial and disruptive cybercrime operations. Emerging in June 2025, Warlock gained attention after being used to exploit the ToolShell zero-day vulnerability in Microsoft SharePoint (CVE-2025-53770). Security vendors now believe that the group behind Warlock has deep roots in earlier espionage-linked activity dating as far back as 2019.
Researchers first detected Warlock after Microsoft confirmed that three China-linked groups, Budworm (APT27), Sheathminer (APT31), and Storm-2603, were exploiting the SharePoint vulnerability to deploy payloads. Storm-2603 stood out by using the exploit to install both Warlock and LockBit ransomware variants. Analysts concluded that Warlock was developed or repurposed by Storm-2603, an actor with a history of combining cyberespionage and financially driven campaigns.
Check Point’s July research indicated the attackers used a custom command-and-control framework called ak47c2, along with advanced DLL sideloading techniques. The loaders were embedded within legitimate binaries such as 7z.exe, which dynamically loaded a malicious 7z.dll module, a common tactic among Chinese APTs to evade detection. Further analysis from Palo Alto’s Unit 42 revealed the use of a ransomware toolkit dubbed Project AK47, which included loaders, backdoors, and an encryptor previously identified as AK47/Anylock.
Trend Micro’s investigation in August 2025 found encrypted files appended with the “.x2anylock” extension, reinforcing the theory that Warlock is a rebranded version of Anylock, itself derived from LockBit 3.0 code. Forensic examination showed structural similarities between Warlock and older ransomware families like Black Basta, suggesting code repurposing or underground affiliate collaboration.
Additional findings link Warlock to historical espionage campaigns. Symantec and Carbon Black tracked the use of a BYOVD (Bring Your Own Vulnerable Driver) technique, which leveraged a compromised Baidu antivirus driver signed with a stolen “coolschool” certificate (Serial: 4deb2644a5ad1488f98f6a8d6bca1fab). This same certificate appeared in malware samples as early as 2022, connected to a Chinese APT group known as CamoFei (or ChamelGang), which previously targeted governments and healthcare sectors in Asia and South America.
These overlaps suggest that Warlock’s operators may be long-standing contractors within the Chinese cyber ecosystem, now shifting to ransomware deployment as their primary profit model. Organizations running on-premises SharePoint servers are strongly urged to patch CVE-2025-53770 immediately and monitor for DLL sideloading activity involving legitimate executables like 7zip or MSI-based installers. The group’s hybrid approach, merging espionage-grade stealth with organized ransomware operations, highlights the growing convergence between state- and financially motivated threat actors. Additional detection signatures and mitigations are available via the latest Symantec Protection Bulletin.
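One way to operationalize the monitoring advice above, as an added example that is not from the article or from any vendor it cites: it scans constructed, simplified image-load records (loosely modelled on Sysmon image/driver load events; the field names and the 7-Zip directory allow-list are assumptions) for 7z.exe loading a 7z.dll from outside the 7-Zip install directory, and for any image whose signing certificate carries the stolen “coolschool” serial quoted above.

```python
import ntpath
from typing import Iterable

# Certificate serial quoted in the article (compared with separators stripped).
COOLSCHOOL_SERIAL = "4deb2644a5ad1488f98f6a8d6bca1fab"
# Assumed allow-list: directories where a legitimate 7-Zip install normally lives.
TRUSTED_7Z_DIRS = {r"c:\program files\7-zip", r"c:\program files (x86)\7-zip"}


def _norm_serial(serial: str) -> str:
    return serial.replace(":", "").replace(" ", "").lower()


def classify(event: dict) -> list[str]:
    """Return alert reasons for one load event; an empty list means no hit."""
    reasons = []
    image = event.get("Image", "").lower()
    loaded = event.get("ImageLoaded", "").lower()

    # Indicator 1: any image (DLL or driver) signed with the stolen certificate.
    if _norm_serial(event.get("SignatureSerial", "")) == COOLSCHOOL_SERIAL:
        reasons.append("signed with stolen 'coolschool' certificate")

    # Indicator 2: 7z.exe pulling 7z.dll from somewhere other than its install dir.
    if ntpath.basename(image) == "7z.exe" and ntpath.basename(loaded) == "7z.dll":
        dll_dir = ntpath.dirname(loaded)
        if dll_dir not in TRUSTED_7Z_DIRS:
            reasons.append(f"7z.dll sideloaded from {dll_dir}")
    return reasons


def scan(events: Iterable[dict]) -> list[tuple[str, list[str]]]:
    """Run classify over a stream of events and keep only the hits."""
    return [(e["ImageLoaded"], r) for e in events if (r := classify(e))]


# Constructed sample events (not real telemetry); paths and serial format assumed.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\7-Zip\7z.exe",
     "ImageLoaded": r"C:\Program Files\7-Zip\7z.dll", "SignatureSerial": ""},
    {"Image": r"C:\Users\Public\Music\7z.exe",
     "ImageLoaded": r"C:\Users\Public\Music\7z.dll", "SignatureSerial": ""},
    {"Image": "System", "ImageLoaded": r"C:\Windows\Temp\placeholder_driver.sys",
     "SignatureSerial": "4D:EB:26:44:A5:AD:14:88:F9:8F:6A:8D:6B:CA:1F:AB"},
]

if __name__ == "__main__":
    for path, reasons in scan(SAMPLE_EVENTS):
        print(path, "->", "; ".join(reasons))
```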