Key Takeaways

• A newly surfaced ransomware strain named Warlock exploits critical vulnerabilities in Microsoft SharePoint (CVE-2025-49704, CVE-2025-49706, CVE-2025-53770, and CVE-2025-53771), targeting unpatched on-premises installations to gain initial access.

• The attack chain leverages HTTP POST requests to deploy web shells, enabling reconnaissance, credential theft, and lateral movement—culminating in ransomware deployment with .x2anylock encrypted files and data exfiltration via RClone.

• Early activity in June 2025 marked Warlock’s debut on underground forums, where it claimed multiple attacks—approximately half against government agencies in Portugal, Croatia, and Turkey.

Introduction

A new adversary group, Warlock, has rapidly risen to prominence in 2025, evolving from a bold underground forum presence into a significant global threat. Security researchers tracking the group highlight how Warlock leverages known SharePoint vulnerabilities to breach organizations across sectors and regions.

Campaign Overview & Attack Lifecycle

• Initial Access
  Warlock exploits unpatched on-premises SharePoint servers using HTTP POST requests to upload web shells, bypassing authentication and establishing a foothold inside targeted networks.

• Privilege Escalation & Domain Compromise
  Once inside, the attackers manipulate Group Policy Objects (GPOs), activate guest accounts, and escalate privileges to gain domain-wide control.

• Execution & Evasion
  Using custom batch scripts, Warlock deploys ransomware payloads while disabling defenses. One known tool, identified as Trojan.Win64.KILLLAV.I, specifically targets and disables endpoint security products.

• Credential Theft & Lateral Movement
  The group employs Mimikatz and registry hive extraction to harvest credentials, while mapping domain trust relationships for lateral movement via SMB and RDP.

• Encryption & Exfiltration
  Files are encrypted with the extension .x2anylock, and ransom notes are dropped across systems. Data is exfiltrated using RClone, often disguised under legitimate filenames such as “TrendSecurity.exe.”

Threat Actor Profile

Warlock first announced itself in June 2025 with an attention-grabbing underground forum post: “If you want a Lamborghini, please contact me.” Within days, it had taken credit for at least 16 successful attacks across industries.

Analysts believe the group may be leveraging leaked source code from the LockBit 3.0 builder, and in some incidents, activity overlapped with techniques seen in LockBit Black campaigns. Speculation also points to possible ties or rebranding from other ransomware families such as Black Basta.

Why It Matters

• Rapid growth: Warlock escalated from forum chatter to impactful campaigns in just weeks.

• Defense evasion: By using standard Windows tools and disabling security software, detection and response become significantly harder.

• Patch urgency: Despite available fixes, many organizations left SharePoint servers exposed, highlighting persistent patch management challenges.

Recommendations for Defenders

• Patch immediately: Apply updates for CVE-2025-49704, CVE-2025-49706, CVE-2025-53770, and CVE-2025-53771 across all SharePoint environments.

• Monitor for unusual GPO changes: Unauthorized policy edits and guest account activations are red flags.

• Restrict lateral movement: Limit SMB and RDP use, enforce least-privilege access, and segment networks.

• Strengthen endpoint detection: Watch for process-killing tools like KILLLAV and file masquerading behaviors.

• Data resilience: Maintain offline backups and test ransomware response playbooks regularly.

Conclusion

The Warlock campaign underscores how quickly new ransomware groups can rise when they weaponize unpatched infrastructure. By combining credential theft, domain compromise, and stealthy lateral movement, Warlock poses a severe threat to unprepared organizations.

For enterprises running on-premises SharePoint, the takeaway is clear: patching delays are the real vulnerability.

Disclaimer: ClearPhish maintains a strict policy of not participating in the theft, distribution, or handling of stolen data or files. The platform does not engage in exfiltration, downloading, hosting, or reposting any illegally obtained information. Any responsibility or legal inquiries regarding the data should be directed solely at the responsible cybercriminals or attackers, as ClearPhish is not involved in these activities. We encourage parties affected by any breach to seek resolution through legal channels directly with the attackers responsible for such incidents.