Warlock emerged in June–July 2025 after being deployed via exploitation of the ToolShell Microsoft SharePoint zero-day (CVE-2025-53770) by a China-linked actor tracked as Storm-2603, which also used LockBit and DLL sideloading (7z.exe/7z.dll). Investigations tie Warlock to earlier tooling and a reused stolen certificate (coolschool) linked to long-running Chinese-affiliated groups (CamoFei/ChamelGang) and show overlaps with Anylock, LockBit 3.0, and possibly Black Basta; indicators include multiple file hashes and a vulnerable Baidu driver. #ToolShell #Storm-2603
Keypoints
- Warlock ransomware was first observed in June 2025 and was widely deployed after exploitation of the ToolShell SharePoint zero-day (CVE-2025-53770) in July 2025.
- Microsoft attributed exploitation of ToolShell to three China-linked actors (Budworm/APT27, Sheathminer/APT31, and Storm-2603), with Storm-2603 deploying Warlock and LockBit payloads.
- Storm-2603 used DLL sideloading (notably 7z.exe with 7z.dll) to load loaders and ransomware, and employed a custom C2 framework referred to as ak47c2/Project AK47.
- Multiple vendors (Check Point, Palo Alto Unit 42, Symantec, Carbon Black, Trend Micro) observed overlaps between Warlock, Anylock/AK47, and modified LockBit 3.0 payloads; Trend Micro noted the .x2anylock file extension.
- The attackers used a stolen digital certificate (coolschool) to sign a defense-evasion tool and deployed a vulnerable Baidu AV driver (renamed googleapiutil64.sys) for BYOVD-based security disabling.
- Telemetry links the coolschool-signed tooling back to 2022 and to groups labelled CamoFei / ChamelGang, indicating activity potentially dating to 2019 and blending espionage with ransomware operations.
- IOCs published include multiple file hashes for loaders, defense-evasion tools, Warlock/LockBit payloads, and the vulnerable driver; Symantec Endpoint products detect and block known malicious files.
MITRE Techniques
- [T1218] Signed Binary Proxy Execution – Attackers used the legitimate 7zip executable (7z.exe) to sideload a malicious loader (7z.dll) via DLL sideloading (“7zip (7z.exe) to sideload a loader named 7z.dll”).
- [T1574] Hijack Execution Flow – DLL sideloading with 7z.exe/7z.dll was used to load malicious loaders and ransomware (“the group used the legitimate application 7zip (7z.exe) to sideload a loader named 7z.dll”).
- [T1204] User Execution – Malicious components were launched through the normal execution path of a legitimate application (7z.exe), so execution depended on that application being run (“used the legitimate application 7zip (7z.exe) to sideload a loader named 7z.dll”).
- [T1078] Valid Accounts / Signed Code – Use of a stolen digital certificate (coolschool) to sign defense evasion tools and other malware (“signed with a stolen digital certificate … coolschool”).
- [T1215] Kernel Modules and Extensions – Deployment of a vulnerable Baidu anti-virus driver (renamed googleapiutil64.sys) to disable security software via the Bring Your Own Vulnerable Driver (BYOVD) technique (“leveraged a vulnerable driver … to try and disable security software on infected systems using the Bring Your Own Vulnerable Driver (BYOVD) technique”).
- [T1588] Obtain Capabilities – Use of multiple ransomware payloads and custom C2 (ak47c2/Project AK47) to deliver and manage offensive capabilities (“custom command and control (C&C) framework … called ak47c2” and “Project AK47 toolkit … included a backdoor, loaders … and a ransomware payload”).
- [T1486] Data Encrypted for Impact – Ransomware payloads (Warlock, LockBit 3.0, Anylock variants) encrypted files and appended extensions such as .x2anylock (“observed Warlock appending encrypted files with the extension .x2anylock”).
Indicators of Compromise
- [File Hashes] Loaders and ransomware – 9d52af33c05ea80f9bc47404b02ace4e16203dd81aef9021924885a6bff1d3c1 (7z.dll loader), 15649e4d246fe6d03dc75ecb4cabe5d1f8723519ed8dd3176e1a97325e827daf (7z.dll loader).
- [File Hashes] Backdoors and tools – 24480dbe306597da1ba393b6e30d542673066f98826cc07ac4b9033137f37dbf (Curl Backdoor), and two more defense-evasion tool hashes (e23d5cb3…, 9f2434d5…).
- [File Hashes] Vulnerable driver – f6ee01303cf1d68015eee49f7dc7f26151a04ae642a47e49c70806931ce652d3 – Baidu AV driver renamed googleapiutil64.sys (used for BYOVD to disable security software).
- [File Hashes] Ransomware payloads – ca2c02f592d72cafc218f4edd1ea771f8d1458cb95c2c76c3e384e63cefd1fb6 (Warlock), 24480dbe… (LockBit 3.0), and additional Warlock hashes (6feb5361…, 2c9f0f32…).
- [Digital Certificate] Stolen signing certificate – coolschool (Serial: 4deb2644a5ad1488f98f6a8d6bca1fab) – used to sign defense evasion tools and older malware linked to CamoFei/ChamelGang.
Read more: https://www.security.com/threat-intelligence/warlock-ransomware-origins