Warlock continues to enhance its attack chain with new tactics to improve persistence, lateral movement, and defense evasion using an expanded toolset: TightVNC Yuze, and a persistent BYOVD technique leveraging the NSec driver.

Trend Micro Blog offers insights, analysis, and updates on cybersecurity threats, trends, and best practices. Covering topics such as malware analysis, threat intelligence, and cybersecurity risk management, Trend Micro Blog provides resources for IT security professionals, helping them stay ahead of emerging threats and protect their organizations from cyber attacks.

Trend Micro

Trend Micro researchers dissect an updated Warlock ransomware attack chain observed in early 2026, where operators spent 15 days inside a victim network before deploying ransomware. The group exploited unpatched Microsoft SharePoint servers for initial access, then expanded its post-exploitation toolkit with TightVNC for persistent remote access, Yuze (a C-based SOCKS5 reverse proxy) for covert C&C tunneling across ports 80/443/53, and a new BYOVD technique exploiting the NSecKrnl.sys driver to terminate over 30 security product processes at the kernel level via GPO deployment. The group also continued abusing Velociraptor, VS Code tunnels, and Cloudflare Tunnel for redundant C&C channels. Data exfiltration used a renamed Rclone binary to an attacker-controlled S3 bucket, followed by ransomware deployment via Active Directory Group Policy. Targeted industries include technology, manufacturing, and government, primarily in the US, Germany, and Russia.

Web Shells, Tunnels, and Ransomware: Dissecting a Warlock Attack