Web Shells, Tunnels, and Ransomware: Dissecting a Warlock Attack
Essential information
- Published
- 16/03/2026 11:01
- Modified
- 16/03/2026 18:54
- Tags
- 2026-03-16 byovd cloudflare lateral movement lockbit ransomware sharepoint tightvnc tunneling velociraptor yuze
- Related entities
- 10 observables, 1 intrusion sets (apt), 14 techniques (mitre), 1 malware, 9 others
Description
The Warlock ransomware group has enhanced its attack chain with improved methods for persistence, lateral movement, and evasion. Their updated toolset includes TightVNC, Yuze, and a persistent BYOVD technique exploiting the NSec driver. The group's primary targets were technology, manufacturing, and government sectors, with the US, Germany, and Russia being the most affected countries. Warlock continues to exploit unpatched Microsoft SharePoint servers for initial access, and has expanded its post-exploitation toolkit. New additions include TightVNC for persistent remote access, Yuze for establishing SOCKS5 connections, and a BYOVD technique using the NSecKrnl.sys driver to terminate security products. The group also leverages Velociraptor, VS Code tunnels, and Cloudflare Tunnel for C&C communications.