Web Shells, Tunnels, and Ransomware: Dissecting a Warlock Attack

Published 16/03/2026 11:01 · Modified 16/03/2026 18:54

Essential information

Published
16/03/2026 11:01
Modified
16/03/2026 18:54
Tags
2026-03-16 byovd cloudflare lateral movement lockbit ransomware sharepoint tightvnc tunneling velociraptor yuze
Related entities
10 observables, 1 intrusion sets (apt), 14 techniques (mitre), 1 malware, 9 others

Description

The Warlock group has enhanced its attack chain with improved methods for persistence, , and evasion. Their updated toolset includes , , and a persistent technique exploiting the NSec driver. The group's primary targets were technology, manufacturing, and government sectors, with the US, Germany, and Russia being the most affected countries. Warlock continues to exploit unpatched Microsoft servers for initial access, and has expanded its post-exploitation toolkit. New additions include for persistent remote access, for establishing SOCKS5 connections, and a technique using the NSecKrnl.sys driver to terminate security products. The group also leverages , VS Code tunnels, and Tunnel for C&C communications.

External references