Cyber Security News

Warlock Ransomware Actors Exploiting Sharepoint ToolShell Zero-Day Vulnerability in New Attack Wave

The cybersecurity landscape experienced a significant shift in July 2025 when threat actors associated with Warlock ransomware began exploiting a critical zero-day vulnerability in Microsoft SharePoint.

Publicly disclosed on July 19, 2025, the ToolShell vulnerability, tracked as CVE-2025-53770, is an unauthenticated remote code execution flaw in on-premises SharePoint Server. It became a primary vector for deploying the Warlock ransomware across multiple organizations globally.

This exploitation marked a notable escalation in the threat landscape, pairing a freshly disclosed server-side flaw with established post-exploitation tradecraft such as DLL sideloading and abuse of vulnerable drivers.

Warlock’s emergence traces back to June 2025, though its initial prominence remained limited until the ToolShell zero-day attacks commenced.

The ransomware distinguishes itself through operators believed to be based in China, a departure from the traditionally Russian-centric ransomware ecosystem.

What began as a localized threat rapidly evolved into a coordinated attack campaign targeting organizations across diverse sectors, from engineering firms in the Middle East to financial institutions in the United States.

Symantec analysts and Carbon Black researchers identified a sophisticated operational structure behind Warlock’s deployment.

The investigation revealed that the threat group, tracked as Storm-2603 by Microsoft's threat intelligence teams, deployed Warlock alongside other ransomware payloads, including LockBit 3.0.

Running more than one ransomware family from the same intrusion demonstrated operational flexibility and suggested a broader arsenal of attack capabilities.

Understanding the Infection Mechanism and Persistence Tactics

The infection mechanism employed by Warlock actors showcases considerable technical sophistication.

The attackers used DLL sideloading as their primary execution method: a malicious library named 7z.dll was placed next to the legitimate 7-Zip executable (7z.exe), which loads 7z.dll by name from its own directory and therefore runs the attackers' code inside a trusted process.

This technique, widely used by Chinese threat actors, evades detections keyed on the executing binary, since the process on disk and in memory is a legitimate application; only the library it loaded is hostile.
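The following hunt over Sysmon image-load events (Event ID 7) is an added example, not code from the article or from Symantec or Carbon Black. It flags 7z.exe loading 7z.dll when the executable runs from outside the expected 7-Zip install directories, when the DLL comes from a different directory than the executable, or when the DLL's SHA256 is not in a known-good set. The install directories, the known-good hash (a placeholder) and the sample events are all constructed assumptions. The rule deliberately leans on path and hash rather than a code-signing check, because the official 7-Zip binaries are not Authenticode-signed, so a signature check alone cannot separate a genuine 7z.dll from a planted one.

```python
"""Hunt Sysmon image-load events (Event ID 7) for 7z.dll side-loaded into 7z.exe.

Added example; not code from the article or from Symantec/Carbon Black.
Assumptions: EXPECTED_7ZIP_DIRS and KNOWN_GOOD_7Z_DLL_SHA256 are site-specific
placeholders, and SAMPLE_EVENTS below is constructed telemetry, not real data.
"""
import ntpath
from dataclasses import dataclass

# Assumption: directories where a legitimately installed 7-Zip lives on this estate.
EXPECTED_7ZIP_DIRS = {
    r"c:\program files\7-zip",
    r"c:\program files (x86)\7-zip",
}

# Constructed placeholder: replace with the SHA256 of the 7z.dll you actually deploy.
KNOWN_GOOD_7Z_DLL_SHA256 = {"0" * 64}


@dataclass(frozen=True)
class ImageLoadEvent:
    image: str         # Sysmon "Image": the process performing the load
    image_loaded: str  # Sysmon "ImageLoaded": path of the DLL that was loaded
    hashes: str        # Sysmon "Hashes": e.g. "SHA256=...,MD5=..."


def sha256_from_hashes(field: str) -> str:
    """Pull the SHA256 value out of Sysmon's comma-separated Hashes field."""
    for part in field.split(","):
        algo, _, value = part.partition("=")
        if algo.strip().upper() == "SHA256":
            return value.strip().lower()
    return ""


def _norm(path: str) -> str:
    """Normalise a Windows path for case-insensitive comparison (works on any OS)."""
    return ntpath.normpath(path).lower()


def assess(evt: ImageLoadEvent) -> list[str]:
    """Return the reasons this load looks like side-loading; an empty list means benign."""
    proc = _norm(evt.image)
    dll = _norm(evt.image_loaded)
    if ntpath.basename(proc) != "7z.exe" or ntpath.basename(dll) != "7z.dll":
        return []
    reasons = []
    proc_dir = ntpath.dirname(proc)
    dll_dir = ntpath.dirname(dll)
    if proc_dir not in EXPECTED_7ZIP_DIRS:
        reasons.append(f"7z.exe running from unexpected directory: {proc_dir}")
    if dll_dir != proc_dir:
        reasons.append(f"7z.dll loaded from a different directory than 7z.exe: {dll_dir}")
    if sha256_from_hashes(evt.hashes) not in KNOWN_GOOD_7Z_DLL_SHA256:
        reasons.append("7z.dll hash is not in the known-good set")
    return reasons


def hunt(events) -> list[tuple[str, list[str]]]:
    """Return (process path, reasons) for every event that trips at least one rule."""
    return [(e.image, r) for e in events if (r := assess(e))]


# Constructed sample telemetry: a normal 7-Zip run, a side-load from a
# world-writable directory, and an unrelated library load.
SAMPLE_EVENTS = [
    ImageLoadEvent(r"C:\Program Files\7-Zip\7z.exe",
                   r"C:\Program Files\7-Zip\7z.dll",
                   "SHA256=" + "0" * 64 + ",MD5=" + "0" * 32),
    ImageLoadEvent(r"C:\Users\Public\7z.exe",
                   r"C:\Users\Public\7z.dll",
                   "SHA256=" + "a" * 64 + ",MD5=" + "b" * 32),
    ImageLoadEvent(r"C:\Windows\explorer.exe",
                   r"C:\Windows\System32\shell32.dll",
                   "SHA256=" + "c" * 64),
]

if __name__ == "__main__":
    for image, reasons in hunt(SAMPLE_EVENTS):
        print(image)
        for reason in reasons:
            print("  -", reason)
```

Only the second sample event is reported, with two reasons: the executable runs from C:\Users\Public and the DLL hash is unknown. In production, feed the function from your SIEM's Sysmon ID 7 stream and keep the known-good hash set current with each 7-Zip version you deploy.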

Once running, Warlock encrypts files on the host and appends the .x2anylock extension to each one.
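A rate-based detection for the encryption phase, written here as an added example rather than code from the article or the researchers it cites: it walks Sysmon file-create events (Event ID 11) in time order and raises one alert per process that writes at least a threshold number of .x2anylock files inside a sliding window. The threshold, window and sample events are constructed assumptions; only the extension comes from the article.

```python
"""Flag a burst of .x2anylock file creations by one process (Sysmon Event ID 11).

Added example; not code from the article or from Symantec/Carbon Black.
Assumptions: THRESHOLD, WINDOW and SAMPLE_EVENTS are constructed for illustration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

RANSOM_EXT = ".x2anylock"       # extension the article attributes to Warlock
THRESHOLD = 5                   # assumption: creations needed to raise an alert
WINDOW = timedelta(seconds=10)  # assumption: sliding window length


def parse_utc(ts: str) -> datetime:
    """Sysmon UtcTime looks like '2025-07-21 03:14:15.123'."""
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S.%f")


def detect_encryption_bursts(events) -> list[dict]:
    """Return one alert per process creating >= THRESHOLD ransom-extension files within WINDOW.

    events: dicts with UtcTime, ProcessId, Image, TargetFilename, in chronological order.
    """
    recent = defaultdict(deque)  # pid -> timestamps of its recent .x2anylock creations
    alerts, alerted = [], set()
    for e in events:
        if not e["TargetFilename"].lower().endswith(RANSOM_EXT):
            continue
        pid = e["ProcessId"]
        t = parse_utc(e["UtcTime"])
        q = recent[pid]
        q.append(t)
        while t - q[0] > WINDOW:  # evict creations that fell out of the window
            q.popleft()
        if len(q) >= THRESHOLD and pid not in alerted:
            alerted.add(pid)  # one alert per process, not one per file
            alerts.append({"ProcessId": pid, "Image": e["Image"],
                           "count": len(q), "first": q[0], "last": t})
    return alerts


def make_event(ts, pid, image, path):
    """Build a minimal Sysmon ID 11 record (constructed sample data)."""
    return {"UtcTime": ts, "ProcessId": pid, "Image": image, "TargetFilename": path}


# Constructed sample telemetry: pid 4120 encrypts a share, interleaved with a benign
# write, and pid 3300 touches a single .x2anylock file well outside the burst.
ENC = r"C:\Users\Public\7z.exe"
SAMPLE_EVENTS = [
    make_event("2025-07-21 03:14:10.000", 4120, ENC, r"C:\Shares\Finance\q2.xlsx.x2anylock"),
    make_event("2025-07-21 03:14:10.400", 4120, ENC, r"C:\Shares\Finance\q3.xlsx.x2anylock"),
    make_event("2025-07-21 03:14:10.900", 4120, ENC, r"C:\Shares\Finance\budget.docx.x2anylock"),
    make_event("2025-07-21 03:14:11.200", 2208, r"C:\Windows\explorer.exe", r"C:\Users\alice\notes.txt"),
    make_event("2025-07-21 03:14:11.500", 4120, ENC, r"C:\Shares\Finance\plan.pptx.x2anylock"),
    make_event("2025-07-21 03:14:12.100", 4120, ENC, r"C:\Shares\Finance\readme.x2anylock"),
    make_event("2025-07-21 03:14:12.300", 4120, ENC, r"C:\Shares\Finance\more.pdf.x2anylock"),
    make_event("2025-07-21 03:14:40.000", 3300, r"C:\Tools\backup.exe", r"C:\Backup\old.x2anylock"),
]

if __name__ == "__main__":
    for alert in detect_encryption_bursts(SAMPLE_EVENTS):
        print(f"pid {alert['ProcessId']} ({alert['Image']}) wrote {alert['count']} "
              f"{RANSOM_EXT} files between {alert['first']} and {alert['last']}")
```

The sample produces a single alert for pid 4120 at the fifth creation; the sixth does not re-alert, and pid 3300 never reaches the threshold. Tune THRESHOLD and WINDOW against your file-server baseline, and pair the rule with an automated response (isolate the host, kill the process) because by the time five files are renamed the encryptor is already well under way.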

Security researchers assessed that Warlock appears to be a rebrand of the older Anylock payload, with modifications derived from the leaked LockBit 3.0 source code.

The operators also deployed a custom command and control framework designated ak47c2, which let them maintain persistent communication channels with infected systems.

Additionally, the threat actors deployed custom defense evasion tools signed with a certificate stolen from coolschool, using Bring Your Own Vulnerable Driver (BYOVD) techniques: a legitimately signed but exploitable kernel driver is loaded and then abused to terminate or blind security software, giving the attackers kernel-level control of the host.


Tushar Subhra Dutta

Tushar is a senior cybersecurity and breach reporter. He specializes in covering cybersecurity news, trends, and emerging threats, data breaches, and malware attacks. With years of experience, he brings clarity and depth to complex security topics.
