Full Report
The China-based actor behind the Warlock ransomware may not be a new player and has links to malicious activity dating as far back as 2019. The Warlock ransomware first appeared in June 2025 and made an impact weeks later, after attackers deploying it were discovered exploiting the ToolShell zero-day vulnerability in Microsoft SharePoint (CVE-2025-53770) on July 19, 2025. Warlock is an unusual threat. Unlike many ransomware operations, which are headquartered in Russia or other countries in the Commonwealth of Independent States, Warlock appears to be used by a group based in China. And, while its name is new, its origins appear to date back much further, with links to a diverse range of activity.
Analysis Summary
# Threat Actor: Storm-2603 (Associated with Warlock Ransomware)
## Attribution & Identity
* **Primary Attribution:** China-based actor.
* **Known Aliases/Associated Groups:** Linked to activity tracked as **Storm-2603** (tracked by Palo Alto Networks Unit 42 as CL-CRI-1040). Microsoft linked Storm-2603, along with Budworm (APT27/Linen Typhoon) and Sheathminer (APT31/Violet Typhoon), to the ToolShell exploitation.
* **Nature of Operation:** Appears to be a long-running group whose activity blurs the line between cybercrime and state-sponsored espionage; cybercrime is described as a core activity rather than a sideline.
## Activity Summary
The actor gained prominence in July 2025 after deploying the **Warlock ransomware** by exploiting the **ToolShell zero-day vulnerability (CVE-2025-53770)** in Microsoft SharePoint starting July 19, 2025.
* Warlock ransomware first appeared in June 2025.
* The group has operational links to malicious activity dating back to 2019.
* The group has been identified using multiple ransomware payloads, sometimes bundled.
* They were recently linked to a ransomware site named **Warlock Client**.
* The actor has been observed operating as a **LockBit 3.0 affiliate**.
* Warlock may be a rebrand of the older **Anylock** ransomware, as suggested by the extension it appends to encrypted files (.x2anylock).
* Trend Micro suggests a possible link or offshoot relationship with the **Black Basta** ransomware operation based on similarities in tactics, negotiation style, and victimology.
## Tactics, Techniques & Procedures
* **Exploitation:** Active zero-day exploitation of Microsoft SharePoint via ToolShell vulnerability (CVE-2025-53770).
* **Payload Delivery/Execution:** Extensive use of **DLL sideloading**.
* **Defense Evasion:** Use of a custom defense evasion tool signed with a stolen digital certificate from a company/developer named "coolschool" (Serial: 4deb2644a5ad1488f98f6a8d6bca1fab).
* **Defense Evasion (Kernel-level):** Employed the **Bring Your Own Vulnerable Driver (BYOVD)** technique using an old, expired Baidu anti-virus driver (SHA256: f6ee01303cf1d68015eee49f7dc7f26151a04ae642a47e49c70806931ce652d3) to disable security software.
* **Tool Usage:** Used the legitimate application **7zip (7z.exe)** to sideload a malicious loader named **7z.dll**.
* **Custom Tools:** Use of a custom Command and Control (C&C) framework allegedly called **ak47c2**. The Project AK47 toolkit included a backdoor, loaders deployed via DLL sideloading, and the **AK47/Anylock** ransomware payload.
## Targeting
* **Sectors:** Engineering (a company in the Middle East) and an unspecified **U.S. firm**.
* **Geography:** Activity indicated in the **Middle East** and the **U.S.**; attribution points to a **China-based** group.
* **Victims:** Unspecified U.S. firm and an engineering company in the Middle East (August 2025).
## Tools & Infrastructure
* **Malware Families/Payloads:**
  * Warlock Ransomware (potential rebrand of Anylock)
  * LockBit 3.0 (affiliate activity observed)
  * AK47/Anylock
  * Curl Backdoor
* **Loaders/Drivers/Utilities:**
  * `7z.dll` (sideloaded via legitimate 7z.exe)
  * Vulnerable driver (SHA256: f6ee01303cf1d68015eee49f7dc7f26151a04ae642a47e49c70806931ce652d3)
* **Infrastructure:** Custom C&C framework potentially named **ak47c2**.
## Implications
This actor represents a sophisticated threat that blends ransomware operations with characteristics observed in espionage groups. The use of tactics commonly associated with Chinese groups (such as DLL sideloading) alongside more advanced methods (such as BYOVD misuse) suggests a mature, well-resourced operation with a potential dual focus on financial gain and cyber espionage. The potential linkage to Black Basta suggests evolving behavior or a consolidation of ransomware efforts.
## Mitigations
* Immediately patch all Microsoft SharePoint installations against **CVE-2025-53770 (ToolShell)**.
* Monitor for DLL sideloading activity, especially legitimate applications such as 7zip launching scripts or loading DLLs such as `7z.dll` from unusual locations.
* Implement robust defenses against **Bring Your Own Vulnerable Driver (BYOVD)** techniques, focusing on monitoring for suspicious driver loading, especially older or expired security drivers.
* Investigate potential links to the LockBit 3.0 ecosystem if encountering Warlock encryption or related artifacts, as this suggests affiliate access or shared infrastructure/TTPs.
* Review security posture for tactics similar to Anylock/Black Basta, paying attention to negotiation patterns if encryption occurs.
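One way to operationalize the DLL-sideloading and BYOVD monitoring items above (and the `7z.dll` and vulnerable-driver TTPs listed earlier), as an added example that is not part of the original report: Python detection logic run over constructed Sysmon-style image-load (Event ID 7) and driver-load (Event ID 6) records. The expected 7-Zip install directories and the event field layout are assumptions; the driver SHA256 is the one cited in the report.

```python
import ntpath
# Directories a legitimate 7-Zip install loads 7z.dll from (assumed baseline; adjust per estate).
EXPECTED_7ZIP_DIRS = {r"c:\program files\7-zip", r"c:\program files (x86)\7-zip"}
# Vulnerable Baidu anti-virus driver hash cited in the report above.
KNOWN_VULN_DRIVER_SHA256 = {"f6ee01303cf1d68015eee49f7dc7f26151a04ae642a47e49c70806931ce652d3"}

def _sha256_from_hashes(field):
    """Pull the SHA256 out of Sysmon's 'SHA256=...,MD5=...' Hashes field."""
    for part in field.split(","):
        algo, _, digest = part.partition("=")
        if algo.strip().upper() == "SHA256":
            return digest.strip().lower()
    return ""

def check_sideload(event):
    """Sysmon EID 7 (ImageLoad): 7z.exe loading a 7z.dll that is unsigned or outside the install dir."""
    if event.get("EventID") != 7:
        return None
    image, loaded = event.get("Image", "").lower(), event.get("ImageLoaded", "").lower()
    if ntpath.basename(image) != "7z.exe" or ntpath.basename(loaded) != "7z.dll":
        return None
    if ntpath.dirname(loaded) in EXPECTED_7ZIP_DIRS and event.get("Signed", "").lower() == "true":
        return None
    return f"possible DLL sideload: {image} loaded {loaded}"

def check_byovd(event):
    """Sysmon EID 6 (DriverLoad): known vulnerable hash, or a signature status that is not 'Valid'."""
    if event.get("EventID") != 6:
        return None
    digest = _sha256_from_hashes(event.get("Hashes", ""))
    status = event.get("SignatureStatus", "")
    if digest in KNOWN_VULN_DRIVER_SHA256:
        return f"known vulnerable driver loaded: {event.get('ImageLoaded')} ({digest})"
    if status.lower() != "valid":  # expired or revoked driver signatures are a BYOVD red flag
        return f"driver with {status or 'unknown'} signature loaded: {event.get('ImageLoaded')}"
    return None

def scan(events):
    """Run both checks over a list of events and return the findings in order."""
    return [f for e in events for f in (check_sideload(e), check_byovd(e)) if f]

# Constructed sample events (not real telemetry): a benign 7-Zip load, then two suspicious events.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Program Files\7-Zip\7z.exe",
     "ImageLoaded": r"C:\Program Files\7-Zip\7z.dll", "Signed": "true"},
    {"EventID": 7, "Image": r"C:\Users\Public\Music\7z.exe",
     "ImageLoaded": r"C:\Users\Public\Music\7z.dll", "Signed": "false"},
    {"EventID": 6, "ImageLoaded": r"C:\Windows\Temp\bd.sys", "SignatureStatus": "Expired",
     "Hashes": "SHA256=F6EE01303CF1D68015EEE49F7DC7F26151A04AE642A47E49C70806931CE652D3"},
]
```

Running `scan(SAMPLE_EVENTS)` yields two findings: the 7z.dll loaded from a user-writable directory and the expired driver whose hash matches the report.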