The Warlock ransomware, first appearing in June 2025, is linked to a China-based actor with a history dating back to 2019. It gained prominence by exploiting the ToolShell vulnerability in Microsoft SharePoint. The group, known as Storm-2603, uses multiple ransomware payloads and a custom C&C framework called ak47c2. Warlock is likely a rebrand of the older Anylock ransomware and may have connections to the retired Black Basta operation. The actors behind Warlock have been involved in diverse activities, including espionage and cybercrime, suggesting they may be contractors. Their toolset includes defense evasion tools and the use of stolen digital certificates, linking them to earlier attacks by groups like CamoFei and ChamelGang.