WarLock Hits Colt via SharePoint Zero Day

A Remote Code Execution (RCE) exploit — CVE-2025-53770, known as the ToolShell zero-day — was used via SharePoint_FileStorage.dll to gain SYSTEM privileges on Colt Technology Services’ public SharePoint, enabling deployment of the WarLock toolkit and rapid lateral movement. The actor used ToolShell.exe and other LOLBins to evade EDR, staged C2 at cnkjasdfgd.xyz, and deployed WarLock ransomware across multiple internal servers. #CVE-2025-53770 #WarLock #cnkjasdfgd.xyz

Keypoints

  • An RCE in SharePoint_FileStorage.dll (CVE-2025-53770) was exploited over the RPC interface to execute arbitrary shellcode as SYSTEM on Colt’s public SharePoint instance.
  • The attacker delivered a 64-bit toolkit (ToolShell.exe) and used a PowerShell one-liner to download the WarLock loader from cnkjasdfgd.xyz.
  • Privilege escalation and lateral movement used LDAP enumeration, weak SID-based ACLs on DFS, and psexec/SMB to distribute wl.exe to multiple hosts (\\colt-internal\c$\Wl\wl.exe).
  • WarLock set persistence via registry keys (HKLMSoftwareMalwarePersistence and RegistryRunOnce) and scheduled tasks, and encrypted file shares with AES-256 affecting ~30 TB across 10+ servers.
  • Exfiltration of sensitive files (salary tables, contracts, network diagrams, emails) occurred to a public drop-site under username cnkjasdfgd before ransomware locking began; C2 used cnkjasdfgd.xyz with RSA-2048.
  • Defensive gaps included unpatched SharePoint (patch available), weak network segmentation, permissive SMB/445 access, throttled SIEM LDAP thresholds, and EDRs fooled by LOLBins and DLL injection.
  • Recommended mitigations: apply CVE-2025-53770 patch immediately, segment SharePoint admin hosts, harden EDR/SIEM rules, enforce PowerShell execution policies, and validate offline immutable backups and recovery drills.

MITRE Techniques

  • [T1203] Exploitation for Client Execution – Exploited CVE-2025-53770 in SharePoint_FileStorage.dll to execute arbitrary shellcode as SYSTEM: ‘an attacker could send a specially crafted HTTP request to the exposed SharePoint instance, causing the web-based management console to execute arbitrary shellcode with SYSTEM privileges.’
  • [T1105] Ingress Tool Transfer – Downloaded WarLock loader from external domain: ‘which then downloads the WarLock loader from an external TLD (cnkjasdfgd.xyz).’
  • [T1055] Process Injection (DLL Injection) – Loader hooks SharePoint_FileStorage.dll and writes a stub containing the decryption routine: ‘Hooking of SharePoint_FileStorage.dll – the loader writes a stub in the DLL folder that contains the decryption routine.’
  • [T1078] Valid Accounts / Use of LOLBins – Used ToolShell.exe and psexec as LOLBins to masquerade and pivot: ‘Use of in-house crafted LOLBins—toolShell.exe was added to their suite of tools.’ and ‘uses psexec as a LOLBin to pivot onto workstation services.’
  • [T1021] Remote Services (SMB/RDP) – Lateral movement via SMB/445 and RDP tunnels to copy wl.exe to internal shares: ‘The attacker establishes RDP tunnels via SMB port 445, copying the WarLock binary to \\colt-internal\c$\Wl\wl.exe across multiple hosts.’
  • [T1490] Inhibit System Recovery (Data Encrypted for Impact) – WarLock encrypted file shares and changed NTFS permissions removing read access: ‘WarLock drops a PowerShell script that locks all file shares, sets NTFS permissions to remove all read access, and begins encrypting files with a 256-bit AES cipher.’
  • [T1041] Exfiltration Over C2 Channel – Data packaged and uploaded to a public drop-site; C2 over HTTPS to cnkjasdfgd.xyz with embedded RSA-2048: ‘The script opens a reverse shell to cnkjasdfgd.xyz over HTTPS.’ and ‘The sample was uploaded to a publicly accessible drop-site under the username cnkjasdfgd.’
  • [T1547] Boot or Logon Autostart Execution (Registry Run Keys) – Persistence via registry keys and RunOnce pointing to wl.dll/powershell: ‘WarLock sets registry keys HKLMSoftwareMalwarePersistence and modifies the Windows task scheduler … RegistryRunOnce key set to C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -File C:\Windows\System32\wl.dll.’
  • [T1033] System Owner/User Discovery (LDAP Enumeration) – Enumerated domain controllers and internal DFS via LDAP to discover weak ACLs: ‘the attacker enumerates domain controllers using LDAP calls, discovers weak SID-based ACLs on the internal DFS root.’

Indicators of Compromise

  • [File names] Malicious binaries and DLLs observed – ToolShell.exe, wl.exe, wl.dll.
  • [Registry] Persistence and autorun indicators – HKLMSoftwareMalwarePersistence; HKCU\Software\Microsoft\Windows\CurrentVersion\Run; RegistryRunOnce pointing to wl.dll.
  • [Command lines / Processes] Suspicious PowerShell usage – powershell -ExecutionPolicy Bypass -File C:\Windows\Temp\payload.ps1 (observed as unexpected PowerShell processes).
  • [Domains] C2 and loader host – cnkjasdfgd.xyz, *.cnkjasdfgd.xyz (used for downloading loader and C2 over HTTPS).
  • [Network / Shares] SMB lateral movement targets – \\colt-internal\c$\Wl\wl.exe and SMB traffic from the public SharePoint front-end/internal compromised workstation to internal IPs.
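As an added example (not code from the report, Colt, or the WarLock analysis), the following Python detector turns the indicators above into rules and runs them over constructed sample telemetry: PowerShell -ExecutionPolicy Bypass -File command lines, Run/RunOnce values pointing at wl.dll or powershell, wl.exe written to a c$ admin share, and DNS lookups of cnkjasdfgd.xyz. The event format, host names and sample lines are assumptions for the demonstration.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample telemetry for this example (not from the report).
# One event per line: source|host|detail
SAMPLE_EVENTS = """\
proc|sp-web01|powershell.exe -ExecutionPolicy Bypass -File C:\\Windows\\Temp\\payload.ps1
proc|sp-web01|C:\\Windows\\system32\\notepad.exe C:\\Users\\a\\notes.txt
reg|ws-17|HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater = C:\\Windows\\System32\\wl.dll
reg|ws-17|HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive = C:\\Program Files\\OneDrive.exe
smb|sp-web01|write \\\\colt-internal\\c$\\Wl\\wl.exe
dns|ws-17|query loader.cnkjasdfgd.xyz
dns|ws-17|query login.microsoftonline.com
"""

# Each rule: (label tied to the report's technique or IoC, event source it applies to, pattern)
RULES: List[Tuple[str, str, "re.Pattern[str]"]] = [
    ("PowerShell -ExecutionPolicy Bypass -File (IoC command line)", "proc",
     re.compile(r"powershell(?:\.exe)?\b.*-ExecutionPolicy\s+Bypass\b.*-File\b", re.I)),
    ("Run/RunOnce value pointing at wl.dll or powershell (T1547)", "reg",
     re.compile(r"\\CurrentVersion\\Run(?:Once)?\\[^=]*=.*(?:wl\.dll|powershell)", re.I)),
    ("wl.exe written to a c$ admin share (T1021 lateral movement)", "smb",
     re.compile(r"\\\\[^\\]+\\c\$\\.*\\wl\.exe$", re.I)),
    ("cnkjasdfgd.xyz loader/C2 domain (T1105 / T1041)", "dns",
     re.compile(r"(?:^|\.)cnkjasdfgd\.xyz\b", re.I)),
]


def scan_events(text: str) -> List[Dict[str, str]]:
    """Return one hit per (event, rule) match; benign events produce nothing."""
    hits = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        source, host, detail = raw.split("|", 2)
        for label, want_source, pattern in RULES:
            if source == want_source and pattern.search(detail):
                hits.append({"host": host, "rule": label, "detail": detail})
    return hits


def hosts_with_multiple_rules(hits: List[Dict[str, str]]) -> Dict[str, int]:
    """Hosts that tripped more than one distinct rule: a stronger signal than a lone match."""
    per_host: Dict[str, set] = {}
    for h in hits:
        per_host.setdefault(h["host"], set()).add(h["rule"])
    return {host: len(rules) for host, rules in per_host.items() if len(rules) > 1}


if __name__ == "__main__":
    for hit in scan_events(SAMPLE_EVENTS):
        print(f"{hit['host']:9} {hit['rule']}: {hit['detail']}")
    print(hosts_with_multiple_rules(scan_events(SAMPLE_EVENTS)))
```

On the sample, both hosts trip two distinct rules each, which is the correlation a SIEM rule should escalate on rather than any single indicator.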


Read more: https://www.thehackerwire.com/warlock-hits-colt-via-cve%E2%80%912025%E2%80%9153770-sharepoint-exploit/