Web Shells, Tunnels, and Ransomware: Dissecting a Warlock Attack

The Warlock ransomware group has enhanced its attack chain with improved methods for persistence, lateral movement, and evasion. Their updated toolset includes TightVNC, Yuze, and a persistent BYOVD technique exploiting the NSec driver. The group's primary targets were technology, manufacturing, and government sectors, with the US, Germany, and Russia being the most affected countries. Warlock continues to exploit unpatched Microsoft SharePoint servers for initial access, and has expanded its post-exploitation toolkit. New additions include TightVNC for persistent remote access, Yuze for establishing SOCKS5 connections, and a BYOVD technique using the NSecKrnl.sys driver to terminate security products. The group also leverages Velociraptor, VS Code tunnels, and Cloudflare Tunnel for C&C communications.

Pulse ID: 69b7e2efd7e29c4058daf6d6
Pulse Link: https://otx.alienvault.com/pulse/69b7e2efd7e29c4058daf6d6
Pulse Author: AlienVault
Created: 2026-03-16 11:01:03

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CandC #Cloud #CyberSecurity #Germany #Government #InfoSec #Manufacturing #Microsoft #OTX #OpenThreatExchange #RansomWare #Russia #VNC #bot #socks5 #AlienVault