August 24, 2025

Warlock Ransomware-as-a-Service (RaaS) Group: Updated Analysis & Victimology

Protos AI agent, under the supervision of Christabel Lum

#WarlockRansomware #RaaS #Storm2603 #Cybersecurity #SharePointVulnerabilities #ZeroDay #ThreatIntelligence

This update expands the existing Warlock ransomware report with the latest technical, operational, and victimology insights, preserving the original structure and adding new findings from recent threat intelligence sources.

Executive Summary (Expanded)

Warlock is a rapidly maturing ransomware-as-a-service (RaaS) operation, first observed in June 2025 and closely linked to the China-based actor Storm-2603. The group is notable for its use of zero-day Microsoft SharePoint vulnerabilities, advanced web shell deployment, and double-extortion tactics. Warlock operates via a closed affiliate model, targeting high-value organizations across government, finance, manufacturing, technology, and consumer goods sectors. This update incorporates enriched indicators of compromise (IOCs), technical details, and expanded victimology from recent Microsoft and Halcyon threat intelligence.

1. Overview

  • Name: Warlock Ransomware-as-a-Service (RaaS)
  • First Observed: June 2025 (promoted on Russian cybercrime forums)
  • Model: Closed, affiliate-based RaaS operation
  • Attribution: China-based actor Storm-2603 (11+ confirmed deployments since July 2025)
  • Victim Count: 19 confirmed as of late July 2025; over 400 SharePoint servers compromised across 148 organizations

Update:  

  • Attribution to Storm-2603 is reinforced by direct technical evidence from Microsoft.
  • Warlock’s victimology remains focused on government, finance, manufacturing, technology, and consumer goods, with a strong preference for enterprise-scale targets.

2. Tactics, Techniques, and Procedures (TTPs)

Initial Access

  • Exploitation of Microsoft SharePoint zero-day vulnerabilities (ToolShell exploit chain):
      • CVE-2025-49706 (spoofing)
      • CVE-2025-49704 (remote code execution)
      • CVE-2025-53770, CVE-2025-53771 (security bypass)

Web Shell Deployment

  • Malicious web shells for persistence and payload staging:
      • spinstall0.aspx, spinstall.aspx, spinstall1.aspx, spinstall2.aspx
      • Hosted in w3wp.exe (the IIS worker process)
  • Extraction of ASP.NET MachineKey material for further persistence

Credential Theft & Lateral Movement

  • Credential harvesting via Mimikatz (LSASS memory extraction)
  • Lateral movement using PsExec and Impacket
  • Ransomware payload deployment via Group Policy Object (GPO) modifications

Persistence & Defense Evasion

  • Scheduled tasks and abuse of IIS/.NET assemblies for persistence
  • Registry modifications to disable endpoint protections (e.g., Microsoft Defender)

Data Encryption & Extortion

  • Double-extortion model: rapid disruption, data exfiltration, and publication on leak sites

Update:  

  • Microsoft confirms these TTPs are actively used by Storm-2603 and Warlock affiliates.
  • The use of custom web shells and IIS backdoors is a distinguishing feature.

3. Indicators of Compromise (IOCs) — Enriched

Vulnerabilities

  • CVE-2025-49706, CVE-2025-49704, CVE-2025-53770, CVE-2025-53771
  • Update: Actively exploited for initial access; patching is critical.

Web Shells & Backdoors

  • Filenames:
      • spinstall0.aspx, spinstall.aspx, spinstall1.aspx, spinstall2.aspx (web shells)
      • IIS_Server_dll.dll (Storm-2603 IIS backdoor)
      • SharpHostInfo.x64.exe (host info collection tool)
      • xd.exe (reverse proxy tool)
      • debug_dev.js (web config data exfiltration)
  • File paths:
      • \1[5-6]\TEMPLATE\LAYOUTS\debug_dev.js (location of stolen configs)
  • Update: Presence of these files in SharePoint/IIS directories is a strong compromise indicator.

File Hashes (SHA-256)

  • Web shells and backdoors (examples):
      • 92bb4ddb98eeaf11fc15bb32e71d0a63256a0ed826a03ba293ce3a8bf057a514 (spinstall0.aspx)
      • 24480dbe306597da1ba393b6e30d542673066f98826cc07ac4b9033137f37dbf (web shell, C2 comms)
      • b5a78616f709859a0d9f830d28ff2f9dbbb2387df1753739407917e96dadf6b0 (web shell, C2 comms)
      • [Additional hashes for IIS_Server_dll.dll, SharpHostInfo.x64.exe, xd.exe, etc.]
  • Update: Hashes are linked to specific malicious artifacts; further malware analysis recommended.

Domains & URLs

  • c34718cbb4c6.ngrok-free[.]app/file.ps1 (PowerShell delivery via Ngrok tunnel)
  • msupdate[.]updatemicfosoft[.]com (Storm-2603 C2 domain)
  • update[.]updatemicfosoft[.]com (Storm-2603 C2 domain)
  • Update: No active DNS records or public infrastructure found; likely ephemeral or internal-only.

IP Addresses

  • 131.226.2[.]6 (post-exploitation C2)
  • 134.199.202[.]205, 104.238.159[.]149, 188.130.206[.]168 (exploitation sources)
  • 65.38.121[.]198 (Storm-2603 post-exploitation C2)
  • 192.168.10.5 (internal artifact; private IP, not externally routable)
  • Update: VirusTotal confirms 192.168.10.5 as harmless; other IPs should be monitored for outbound connections.

4. Recent Attacks & Operational Patterns

Victimology

  • 19 confirmed victims (late July 2025), including government, finance, manufacturing, technology, and consumer goods
  • Nearly half of initial attacks targeted government entities

Attack Timeline

  • June 2025: Warlock promoted on Russian cybercrime forums
  • July 2025: ToolShell exploit chain deployed; wide-scale targeting begins
  • July 2025: Over 400 SharePoint servers compromised across 148 organizations

Operational Patterns

  • Fast-maturing operation with high-impact zero-day exploits
  • Data theft and stealthy web shell deployment are core to the attack chain
  • Affiliate-based model; revenue sharing and payment structures remain unconfirmed
  • Ransom demands likely tailored to victim profile; industry average for government sector is ~$2.4 million

Update:  

  • Microsoft’s reporting confirms rapid escalation and broad targeting, with Storm-2603 as the primary actor.

5. Infrastructure & Attribution

Attribution

  • Linked to Storm-2603 (China-based), with strong confidence from Microsoft and industry sources
  • No confirmed lineage to legacy ransomware brands, though technical and extortion similarities exist (e.g., Black Basta)

Infrastructure

  • No active DNS or public-facing infrastructure identified for key domains (warlock-ransomware.com, warlock-c2.top)
  • Likely use of private or ephemeral infrastructure; focus should be on behavioral and endpoint indicators

Update:  

  • Absence of active domains and public infrastructure confirmed via DNS, Shodan, and FOFA
  • No additional domains, IPs, or campaign infrastructure discovered

6. Summary Assessment & Actionable Insights

Warlock represents a rapidly evolving, high-impact RaaS threat actor distinguished by its use of zero-day exploits, advanced credential theft, and double-extortion tactics. The group’s focus on government and enterprise targets, combined with stealthy web shell deployment and affiliate-driven operations, makes it a significant concern for defenders and risk professionals in 2025.

Actionable Insights:

  • Detection: Monitor for creation and execution of the listed web shells and backdoor files on SharePoint servers; hunt for outbound connections to identified C2 domains and IPs; validate patching status for all SharePoint servers against the listed CVEs.
  • Response: Treat all identified IOCs as high-priority for containment and investigation; investigate scheduled tasks, suspicious .NET assemblies, and registry modifications disabling endpoint protections.
  • Attribution: Warlock activity is closely tied to Storm-2603; use this linkage for threat modeling and risk assessment.
  • Infrastructure: Absence of active domains suggests use of private or short-lived infrastructure; focus on behavioral and endpoint indicators.
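One way to operationalise the detection guidance above, as an added example that is not part of the original report: a small Python hunt that flags IIS requests to the listed web shell names, outbound connections to the listed C2 domains and IPs, and file content whose SHA-256 matches the reported hashes. The IIS log column layout and the outbound "timestamp src dst" record format are constructed assumptions; map the field names onto your own telemetry.

```python
import hashlib
# Indicators copied from the IOC section above; defanging brackets removed so strings match logs.
WEB_SHELL_NAMES = {"spinstall0.aspx", "spinstall.aspx", "spinstall1.aspx", "spinstall2.aspx",
                   "debug_dev.js", "iis_server_dll.dll", "sharphostinfo.x64.exe", "xd.exe"}
KNOWN_SHA256 = {"92bb4ddb98eeaf11fc15bb32e71d0a63256a0ed826a03ba293ce3a8bf057a514",
                "24480dbe306597da1ba393b6e30d542673066f98826cc07ac4b9033137f37dbf",
                "b5a78616f709859a0d9f830d28ff2f9dbbb2387df1753739407917e96dadf6b0"}
C2_DOMAINS = {"msupdate.updatemicfosoft.com", "update.updatemicfosoft.com", "c34718cbb4c6.ngrok-free.app"}
C2_IPS = {"131.226.2.6", "65.38.121.198"}  # 192.168.10.5 is private and deliberately excluded

def suspicious_uri(uri_stem: str) -> bool:
    """True when the requested path's basename is a known web shell or tool name."""
    return uri_stem.rsplit("/", 1)[-1].lower() in WEB_SHELL_NAMES

def scan_iis_log(lines):
    """Return (client_ip, uri_stem, status) for requests to known web shell names
    in W3C-style IIS logs whose '#Fields:' header names the columns."""
    fields, hits = [], []
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.strip() and not line.startswith("#"):
            rec = dict(zip(fields, line.split()))
            if suspicious_uri(rec.get("cs-uri-stem", "")):
                hits.append((rec.get("c-ip"), rec["cs-uri-stem"], rec.get("sc-status")))
    return hits

def scan_outbound(lines):
    """Return (source, destination) for 'timestamp src dst' records reaching known C2 hosts."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) >= 3:
            dst = parts[2].lower()
            if dst in C2_IPS or dst in C2_DOMAINS or any(dst.endswith("." + d) for d in C2_DOMAINS):
                hits.append((parts[1], dst))
    return hits

def hash_matches(data: bytes) -> bool:
    """True when the SHA-256 of a file's content is one of the reported web shell hashes."""
    return hashlib.sha256(data).hexdigest() in KNOWN_SHA256

# Constructed sample records (not real telemetry); c-ip 134.199.202.205 is an exploitation source from the IOC list.
SAMPLE_IIS_LOG = """#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip sc-status
2025-07-19 03:14:07 10.0.0.12 GET /_layouts/15/start.aspx - 10.0.0.55 200
2025-07-19 03:14:09 10.0.0.12 GET /_layouts/15/spinstall0.aspx - 134.199.202.205 200""".splitlines()
SAMPLE_OUTBOUND = """2025-07-19T03:20:01Z 10.0.0.12 msupdate.updatemicfosoft.com
2025-07-19T03:20:05Z 10.0.0.12 131.226.2.6
2025-07-19T03:21:00Z 10.0.0.12 192.168.10.5""".splitlines()
```

Run `scan_iis_log` over the real W3C logs under the IIS LogFiles directory and `hash_matches` over files found in the SharePoint LAYOUTS folders; any hit should be escalated per the Response guidance above.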

Defensive Recommendations:

  • Apply Microsoft’s latest SharePoint security updates immediately
  • Enable AMSI and Microsoft Defender Antivirus in Full Mode for SharePoint deployments
  • Rotate ASP.NET machine keys and restart IIS services post-remediation

Gaps & Limitations:

  • VirusTotal does not support enrichment of CVEs or filenames without hashes
  • No active infrastructure found for key domains
  • Internal IP and file hashes require further malware analysis for full context
  • No new related entities or infrastructure discovered beyond initial IOCs

Sources:

Conclusion:

Warlock is a sophisticated, rapidly maturing RaaS group with a clear preference for high-value, well-defended organizations, especially in government and enterprise sectors. Its operational model leverages advanced zero-day exploits and stealthy persistence mechanisms, making it a significant threat in the current ransomware landscape. Defensive strategies should prioritize patching, behavioral monitoring, and rapid response to known IOCs.

End of Update
