The Warlock ransomware group (also tracked as Water Manaul) has significantly sharpened its claws. A recent deep-dive investigation by Trend Micro reveals that the group has moved far beyond its traditional playbook, integrating a lethal combination of kernel-level defense evasion and legitimate remote access tools to paralyze its victims.
While the group continues to rely on unpatched Microsoft SharePoint servers for its initial foothold, their post-exploitation behavior has undergone a radical transformation. As the Trend Micro report notes:
“Warlock’s method of initial access to victim networks has remained consistent; however, it has added new techniques to enhance its persistence, lateral movement, and defense evasion”.

In a recent incident analyzed in early January 2026, Warlock operators demonstrated remarkable patience, spending 15 days inside a victim’s network before deploying their final payload. This “dwell time” allows the group to map the network, steal credentials via DCSync attacks, and ensure their presence is redundant and resilient.
To maintain control during this period, the group has expanded its Command and Control (C&C) arsenal to include:
- TightVNC: Deployed silently as a Windows service to provide GUI-based remote access independent of their primary tunnels.
- Yuze: A new, lightweight C-based reverse proxy tool used to probe firewall egress paths by rotating through ports 80, 443, and 53.
- VS Code & Cloudflare Tunnels: Legitimate services used to create “legitimate-looking connections that blend in with developer traffic”.
The most dangerous addition to Warlock’s toolkit is a persistent Bring Your Own Vulnerable Driver (BYOVD) technique. By exploiting a vulnerability in the NSecKrnl.sys driver, the group can terminate security products at the kernel level, effectively rendering them blind.
The attackers deploy a tool (disguised as TrendSecurity.exe) that targets over 30 separate processes from major security vendors, including Trend Micro, CrowdStrike, and Microsoft.
“Once the vulnerable driver is loaded, TrendSecurity.exe leveraged it to continuously terminate security product processes at the kernel level, thereby bypassing user-mode protections”.
| Vendor | Primary Targeted Processes |
| --- | --- |
| Trend Micro | Ntrtscan.exe, TmListen.exe, PccNTMon.exe |
| CrowdStrike | CSFalconService.exe, CsScan.exe |
| Microsoft | MsMpEng.exe, MpDefenderCoreService.exe |
To ensure maximum impact, Warlock weaponizes Active Directory Group Policy (GPO) for mass distribution. By staging ransomware components in the SYSVOL and NETLOGON shares, the infection occurs automatically when systems boot.
The final impact is delivered via run.dll, which executes the RunCryptor function to lock files across the enterprise. Data is exfiltrated to attacker-controlled S3 buckets using a renamed version of Rclone, disguised as TrendFileSecurityCheck.exe to blend in with legitimate backup traffic.
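As an added illustration (not code from the Trend Micro report or from the Warlock tooling), the following Python triage script replays constructed Sysmon-style JSON events and flags three of the behaviours described above: a load of the NSecKrnl.sys driver, a burst of terminations of the security-product processes listed in the table, and an executable or DLL written under a SYSVOL or NETLOGON path, as used for the GPO-based distribution. The event schema, the 60-second window and the three-process threshold are assumptions made for this example; the driver and process names come from the article.

```python
"""Added example: replay constructed Sysmon-style events and flag the
Warlock behaviours described in the article. Not the report's own code."""
from collections import defaultdict
from datetime import datetime, timedelta
import json

# Process names from the article's vendor table (compared case-insensitively).
EDR_PROCESSES = {
    "ntrtscan.exe", "tmlisten.exe", "pccntmon.exe",       # Trend Micro
    "csfalconservice.exe", "csscan.exe",                  # CrowdStrike
    "msmpeng.exe", "mpdefendercoreservice.exe",           # Microsoft
}
VULNERABLE_DRIVERS = {"nseckrnl.sys"}                     # named in the article
STAGING_SHARES = ("\\sysvol\\", "\\netlogon\\")           # assumption: path substrings
PAYLOAD_EXTENSIONS = (".exe", ".dll", ".ps1", ".bat")     # assumption
TERMINATION_THRESHOLD = 3                                 # assumption: distinct EDR processes
TERMINATION_WINDOW = timedelta(seconds=60)                # assumption

# Constructed sample events (Sysmon event IDs: 6 = driver load, 5 = process
# terminated, 11 = file created, 1 = process created). Paths use JSON escaping.
SAMPLE_LOG = r"""
{"ts": "2026-01-10T03:10:00", "host": "DC01", "event_id": 11, "image": "C:\\Windows\\System32\\cmd.exe", "target": "C:\\Windows\\SYSVOL\\sysvol\\corp.example\\scripts\\run.dll"}
{"ts": "2026-01-10T03:11:00", "host": "WS07", "event_id": 6, "image": "C:\\Windows\\Temp\\NSecKrnl.sys"}
{"ts": "2026-01-10T03:11:05", "host": "WS07", "event_id": 5, "image": "C:\\Program Files\\Trend Micro\\Ntrtscan.exe"}
{"ts": "2026-01-10T03:11:06", "host": "WS07", "event_id": 5, "image": "C:\\Program Files\\Trend Micro\\TmListen.exe"}
{"ts": "2026-01-10T03:11:07", "host": "WS07", "event_id": 5, "image": "C:\\ProgramData\\Microsoft\\Windows Defender\\MsMpEng.exe"}
{"ts": "2026-01-10T03:11:30", "host": "WS07", "event_id": 1, "image": "C:\\Windows\\System32\\notepad.exe"}
{"ts": "2026-01-10T03:12:00", "host": "WS07", "event_id": 11, "image": "C:\\Windows\\explorer.exe", "target": "C:\\Users\\bob\\report.docx"}
{"ts": "2026-01-10T03:40:00", "host": "WS09", "event_id": 5, "image": "C:\\ProgramData\\Microsoft\\Windows Defender\\MsMpEng.exe"}
"""


def parse_events(lines):
    """Parse JSON-per-line events, converting the timestamp to datetime."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def detect(lines):
    """Return a list of (rule, host, detail) findings in the order found."""
    findings = []
    terminations = defaultdict(list)  # host -> [(timestamp, process name)]
    for ev in parse_events(lines):
        host, eid = ev["host"], ev["event_id"]
        image = ev.get("image", "").lower()
        name = image.rsplit("\\", 1)[-1]
        if eid == 6 and name in VULNERABLE_DRIVERS:
            findings.append(("vulnerable_driver_load", host, ev["image"]))
        elif eid == 5 and name in EDR_PROCESSES:
            terminations[host].append((ev["ts"], name))
        elif eid == 11:
            target = ev.get("target", "").lower()
            if any(s in target for s in STAGING_SHARES) and target.endswith(PAYLOAD_EXTENSIONS):
                findings.append(("sysvol_payload_staging", host, ev["target"]))

    # A single EDR process exiting is normal (updates, reboots); several distinct
    # ones exiting within the window on one host is the signal worth raising.
    for host, items in terminations.items():
        items.sort()
        start = 0
        for end in range(len(items)):
            while items[end][0] - items[start][0] > TERMINATION_WINDOW:
                start += 1
            names = {n for _, n in items[start:end + 1]}
            if len(names) >= TERMINATION_THRESHOLD:
                findings.append(("edr_termination_burst", host, ", ".join(sorted(names))))
                break
    return findings


if __name__ == "__main__":
    for rule, host, detail in detect(SAMPLE_LOG.splitlines()):
        print(f"{rule:24} {host:6} {detail}")
```

The lone MsMpEng.exe exit on WS09 is deliberately left unflagged, since one security process stopping is routine; the script only alerts when several distinct ones stop on the same host inside the window, which is the pattern the kernel-level killer produces.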
Data from Warlock’s leak site (June–December 2025) shows a clear focus on high-value sectors. Technology, manufacturing, government, and education were the most targeted industries, with the highest victim counts located in the US, Germany, Russia, and the UK.