Researchers from Symantec and Carbon Black have published a detailed analysis of Warlock ransomware, a newly emerging threat that made its debut in June 2025 and rapidly gained notoriety after being deployed in attacks exploiting the ToolShell zero-day vulnerability in Microsoft SharePoint (CVE-2025-53770).
Unlike most ransomware operations traditionally traced to Russia or Eastern Europe, Warlock stands out for its strong links to Chinese threat actors and historic overlaps with espionage-focused groups such as CamoFei (aka ChamelGang).
“Warlock is an unusual threat. Unlike many ransomware operations, which are headquartered in Russia or other countries in the Commonwealth of Independent States, Warlock appears to be used by a group based in China,” Symantec noted.
Warlock first surfaced in July 2025 when Microsoft disclosed that three China-linked actors — Budworm (APT27), Sheathminer (APT31), and Storm-2603 — had been exploiting CVE-2025-53770 as a zero-day. Symantec and Carbon Black identified Storm-2603 as the group deploying Warlock and LockBit 3.0 payloads during these attacks.
“Storm-2603 was using the exploit to deploy Warlock and another ransomware payload, LockBit,” the report stated, emphasizing the unusual coexistence of Chinese espionage operators and traditional cybercrime tactics in the same campaigns.
This finding aligns with earlier reporting from Check Point and Palo Alto Unit 42, which described Storm-2603’s “Project AK47” toolkit, containing custom loaders, DLL sideloading mechanisms, and a ransomware payload dubbed Anylock/AK47 — components now seen re-emerging in Warlock operations.
Symantec and Carbon Black observed that Warlock may represent a rebrand or hybrid variant of the Anylock ransomware, with forensic overlaps in file extension patterns and payload structure.
“In an investigation into an attack against a U.S. firm in early August 2025, we found a ransomware payload attempting to encrypt files and appending the extensions .x2anylock, but the ransom note claimed the attack had been performed by Warlock,” the report explained.
This behavior matches Trend Micro’s independent findings that Warlock appends the same .x2anylock extension; Trend Micro concluded that Warlock is a rebranded variant of Anylock, possibly derived from a modified LockBit 3.0 base.
One of the most striking technical findings from the Symantec–Carbon Black investigation is Warlock’s use of a Bring Your Own Vulnerable Driver (BYOVD) tactic to disable security tools.
The attackers leveraged a stolen digital certificate issued to a fictitious developer named coolschool, which had also been used in prior Cobalt Strike and espionage-linked malware dating back to 2022.
“The attackers deployed a custom defense evasion tool, signed with a stolen digital certificate that appeared to come from a company or developer called coolschool,” the researchers wrote. The tool loaded a vulnerable Baidu antivirus driver and used it to disable security software, the Bring Your Own Vulnerable Driver technique.
The vulnerable driver, renamed googleapiutil64.sys, was originally part of Baidu’s 2016 antivirus suite and used to terminate endpoint protection services — a method previously seen in CamoFei’s (ChamelGang’s) espionage operations targeting AIIMS India and Brazilian government networks.
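As an added illustration (not code from the report or from either vendor), the following Python check runs over constructed EDR-style events for the three observables the report names: an image signed by the coolschool subject, a driver running under a file name other than its PE OriginalFilename (as with the renamed googleapiutil64.sys), and files carrying the .x2anylock extension. The event field names, the sample paths, and the Baidu driver's original file name and signer subject are assumptions or placeholders, since the report does not give them.

```python
from pathlib import PureWindowsPath

ABUSED_SIGNERS = {"coolschool"}       # signer subject named in the report
RANSOM_EXTENSIONS = {".x2anylock"}   # extension named in the report

# Constructed sample events (not from the report). Field names are an
# assumption about an EDR export; PLACEHOLDER values stand in for details
# the report does not give (Baidu driver original name / signer subject).
IMAGE_LOADS = [
    {"path": r"C:\ProgramData\EXAMPLE_evasion_tool.exe",
     "signer": "coolschool", "original_filename": "EXAMPLE_evasion_tool.exe"},
    {"path": r"C:\Windows\System32\drivers\googleapiutil64.sys",
     "signer": "PLACEHOLDER_Baidu_subject",
     "original_filename": "PLACEHOLDER_BaiduAv.sys"},
    {"path": r"C:\Windows\System32\drivers\tcpip.sys",
     "signer": "Microsoft Windows", "original_filename": "tcpip.sys"},
]
FILE_EVENTS = [
    {"op": "rename", "target": r"C:\Users\finance\Q3.xlsx.x2anylock"},
    {"op": "create", "target": r"C:\Users\finance\notes.txt"},
]


def image_findings(events):
    """Return one reason string per suspicious image load (empty if none)."""
    out = []
    for e in events:
        name = PureWindowsPath(e["path"]).name.lower()
        if e["signer"].lower() in ABUSED_SIGNERS:
            out.append(f"{name}: signed by watchlisted subject {e['signer']!r}")
        # A driver dropped under a new name (googleapiutil64.sys) keeps the
        # OriginalFilename of the original product in its version resource.
        if e["original_filename"].lower() != name:
            out.append(f"{name}: on-disk name differs from "
                       f"OriginalFilename {e['original_filename']!r}")
    return out


def file_findings(events):
    """Return targets whose extension is on the ransomware watchlist."""
    return [e["target"] for e in events
            if PureWindowsPath(e["target"]).suffix.lower() in RANSOM_EXTENSIONS]


if __name__ == "__main__":
    for finding in image_findings(IMAGE_LOADS) + file_findings(FILE_EVENTS):
        print("ALERT:", finding)
```

A signer-subject match alone is a weak signal (the certificate may be revoked or reissued), so in practice pair it with the name mismatch and the driver-load context.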
The reappearance of coolschool’s certificate in Warlock ransomware samples strongly suggests continuity between historic espionage campaigns and modern financially motivated attacks.
According to Symantec and Carbon Black, these overlaps trace back to TeamT5’s 2022 identification of CamoFei, a China-based threat actor active since 2019, whose arsenal included Cobalt Strike beacons, BYOVD tools, and a ransomware payload named CatB, also signed with the same certificate.