Trend Micro researchers dissect an updated Warlock ransomware attack chain observed in early 2026, in which the operators spent 15 days inside a victim network before deploying ransomware. The group exploited unpatched Microsoft SharePoint servers for initial access, then expanded its post-exploitation toolkit with TightVNC for persistent remote access; Yuze, a C-based SOCKS5 reverse proxy, for covert C&C tunnelling over ports 80, 443 and 53; and a new BYOVD technique that abuses the NSecKrnl.sys driver to terminate more than 30 security-product processes at kernel level, pushed to hosts via GPO. The group also continued to abuse Velociraptor, VS Code tunnels, and Cloudflare Tunnel as redundant C&C channels. Data was exfiltrated with a renamed Rclone binary to an attacker-controlled S3 bucket, after which the ransomware was deployed through Active Directory Group Policy. Targeted industries include technology, manufacturing, and government, primarily in the US, Germany, and Russia.

From trendmicro.com