Web Shells, Tunnels, and Ransomware: Dissecting a Warlock Attack
The Warlock ransomware group has enhanced its attack chain with improved methods for persistence, lateral movement, and evasion. Their updated toolset includes TightVNC, Yuze, and a persistent BYOVD technique exploiting the NSec driver. The group's primary targets were technology, manufacturing, and government sectors, with the US, Germany, and Russia being the most affected countries. Warlock continues to exploit unpatched Microsoft SharePoint servers for initial access, and has expanded its post-exploitation toolkit. New additions include TightVNC for persistent remote access, Yuze for establishing SOCKS5 connections, and a BYOVD technique using the NSecKrnl.sys driver to terminate security products. The group also leverages Velociraptor, VS Code tunnels, and Cloudflare Tunnel for C&C communications.
Pulse ID: 69b7e2efd7e29c4058daf6d6
Pulse Link: https://otx.alienvault.com/pulse/69b7e2efd7e29c4058daf6d6
Pulse Author: AlienVault
Created: 2026-03-16 11:01:03
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#CandC #Cloud #CyberSecurity #Germany #Government #InfoSec #Manufacturing #Microsoft #OTX #OpenThreatExchange #RansomWare #Russia #VNC #bot #socks5 #AlienVault
Synchron
Patchday Robot
AAPL Ch.
Forum ubuntuusers
vnclotto_misentropic
Patrick
OTX Bot