Warlock Ransomware Actors Target SharePoint ToolShell Zero-Day in Latest Attack Campaign

The recently uncovered Warlock ransomware campaign showcases a troubling shift among Chinese threat actors toward direct financial and disruptive cybercrime operations.

Emerging in June 2025, Warlock gained attention after being used to exploit the ToolShell zero-day vulnerability in Microsoft SharePoint (CVE-2025-53770). Security vendors now believe that the group behind Warlock has deep roots in earlier espionage-linked activity dating as far back as 2019.

Exploiting CVE-2025-53770 and DLL Sideloading Tactics

Researchers first detected Warlock after Microsoft confirmed that three China-linked groups, Budworm (APT27), Sheathminer (APT31), and Storm-2603, were exploiting the SharePoint vulnerability to deploy payloads.

Storm-2603 stood out by using the exploit to install both Warlock and LockBit ransomware variants. Analysts concluded that Warlock was developed or repurposed by Storm-2603, an actor with a history of combining cyberespionage and financially driven campaigns.

Check Point’s July research indicated the attackers used a custom command-and-control framework called ak47c2, along with advanced DLL sideloading techniques.

The loaders were placed alongside legitimate binaries such as 7z.exe, which dynamically loaded a malicious 7z.dll module, a common tactic among Chinese APTs to evade detection.

Further analysis from Palo Alto’s Unit 42 revealed the use of a ransomware toolkit dubbed Project AK47, which included loaders, backdoors, and an encryptor previously identified as AK47/Anylock.

Trend Micro’s investigation in August 2025 found encrypted files appended with the “.x2anylock” extension, reinforcing the theory that Warlock is a rebranded version of Anylock, itself derived from LockBit 3.0 code.

Forensic examination showed structural similarities between Warlock and older ransomware families like Black Basta, suggesting code repurposing or underground affiliate collaboration.

Evidence of Long-Term Operations

Additional findings link Warlock to historical espionage campaigns. Symantec and Carbon Black tracked the use of a BYOVD (Bring Your Own Vulnerable Driver) technique, which leveraged a compromised Baidu antivirus driver signed with a stolen “coolschool” certificate (Serial: 4deb2644a5ad1488f98f6a8d6bca1fab).

This same certificate appeared in malware samples as early as 2022, connected to a Chinese APT group known as CamoFei (or ChamelGang), which previously targeted governments and healthcare sectors in Asia and South America.

These overlaps suggest that Warlock’s operators may be long-standing contractors within the Chinese cyber ecosystem, now shifting to ransomware deployment as their primary profit model.

Organizations running on-premises SharePoint servers are strongly urged to patch CVE-2025-53770 immediately and monitor for DLL sideloading activity involving legitimate executables like 7zip or MSI-based installers.
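As an added example of the monitoring the paragraph above recommends (this is not code from the article or from any vendor it cites): a Python check that reads constructed, Sysmon-style image-load records and flags a 7z.exe that loads a 7z.dll which is unsigned, sits outside an assumed install directory, or matches one of the Loader (7z.dll) hashes listed in the article's IoC section. The record format, field names, TRUSTED_DIRS and the sample records are assumptions.

```python
import ntpath
# SHA-256 hashes the article lists as the Loader (7z.dll) indicators.
KNOWN_LOADER_HASHES = {
    "9d52af33c05ea80f9bc47404b02ace4e16203dd81aef9021924885a6bff1d3c1",
    "15649e4d246fe6d03dc75ecb4cabe5d1f8723519ed8dd3176e1a97325e827daf",
}
# Assumed legitimate install roots for the host binary (assumption; adjust per estate).
TRUSTED_DIRS = (r"c:\program files\7-zip", r"c:\program files (x86)\7-zip")
# Host executable -> DLL it is expected to load (the pairing the article describes).
SIDELOAD_PAIRS = {"7z.exe": "7z.dll"}

def parse_record(line):  # constructed 'key=value|key=value' image-load record
    return dict(field.split("=", 1) for field in line.strip().split("|"))

def assess(rec):
    """Return the reasons a record looks like sideloading (empty list if clean)."""
    host = ntpath.basename(rec["Image"]).lower()
    dll_path = rec["ImageLoaded"]
    if SIDELOAD_PAIRS.get(host) != ntpath.basename(dll_path).lower():
        return []  # not a host/DLL pair we are watching
    reasons = []
    if rec.get("Hashes", "").lower() in KNOWN_LOADER_HASHES:
        reasons.append("DLL hash matches a known Warlock loader")
    if rec.get("Signed", "false").lower() != "true":
        reasons.append("DLL is unsigned")
    if not ntpath.dirname(dll_path).lower().startswith(TRUSTED_DIRS):
        reasons.append("DLL loaded from outside the trusted install directory")
    return reasons

def scan(lines):  # ProcessId -> reasons for every record that trips a check
    hits = {}
    for line in lines:
        rec = parse_record(line)
        reasons = assess(rec)
        if reasons:
            hits[rec["ProcessId"]] = reasons
    return hits

# Constructed sample telemetry: clean load, suspect 7z.exe in a user-writable folder, unrelated load.
SAMPLE_LOG = [
    r"Image=C:\Program Files\7-Zip\7z.exe|ImageLoaded=C:\Program Files\7-Zip\7z.dll"
    "|Hashes=" + "0" * 64 + "|Signed=true|ProcessId=100",
    r"Image=C:\Users\Public\7z.exe|ImageLoaded=C:\Users\Public\7z.dll|Hashes="
    "9d52af33c05ea80f9bc47404b02ace4e16203dd81aef9021924885a6bff1d3c1|Signed=false|ProcessId=200",
    r"Image=C:\Windows\notepad.exe|ImageLoaded=C:\Windows\System32\kernel32.dll|Signed=true|ProcessId=300",
]
if __name__ == "__main__":
    for pid, why in scan(SAMPLE_LOG).items():
        print(f"pid {pid}: " + "; ".join(why))
```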

The group’s hybrid approach, merging espionage-grade stealth with organized ransomware operations, highlights the growing convergence between state-sponsored and financially motivated threat actors.

Additional detection signatures and mitigations are available via the latest Symantec Protection Bulletin.

Indicators of Compromise

9d52af33c05ea80f9bc47404b02ace4e16203dd81aef9021924885a6bff1d3c1 – Loader (7z.dll)
15649e4d246fe6d03dc75ecb4cabe5d1f8723519ed8dd3176e1a97325e827daf – Loader (7z.dll)
24480dbe306597da1ba393b6e30d542673066f98826cc07ac4b9033137f37dbf – Curl Backdoor
f6ee01303cf1d68015eee49f7dc7f26151a04ae642a47e49c70806931ce652d3 – Vulnerable driver
edcf76600cd11ef7d6a5c319087041abc604e571239fe2dae4bca83688821a3a – LockBit 3.0


Priya
Priya is a Security Reporter who tracks malware campaigns, exploit kits, and ransomware operations. Her reporting highlights technical indicators and attack patterns that matter to defenders.
