TechTarget and Informa Tech’s Digital Business Combine. TechTarget and Informa TechTarget and Informa Tech’s Digital Business Combine. Together, we power an unparalleled network of 220+ online properties covering 10,000+ granular topics, serving an audience of 50+ million professionals with original, objective content from trusted sources. We help you gain critical insights and make more informed decisions across your business priorities. Dark Reading Resource Library Black Hat News Omdia Cybersecurity Advertise Newsletter Sign-Up Newsletter Sign-Up Cybersecurity Topics Related Topics Application Security Cybersecurity Careers Cloud Security Cyber Risk Cyberattacks & Data Breaches Cybersecurity Analytics Cybersecurity Operations Data Privacy Endpoint Security ICS/OT Security Identity & Access Mgmt Security Insider Threats IoT Mobile Security Perimeter Physical Security Remote Workforce Threat Intelligence Vulnerabilities & Threats Recent in Cybersecurity Topics Application Security GlassWorm Malware Evolves to Hide in Dependencies GlassWorm Malware Evolves to Hide in Dependencies by Alexander Culafi Mar 16, 2026 4 Min Read Application Security Real-Time Banking Trojan Strikes Brazil's Pix Users Real-Time Banking Trojan Strikes Brazil's Pix Users by Alexander Culafi Mar 13, 2026 4 Min Read World Related Topics DR Global Middle East & Africa Asia Pacific Latin America Recent in World See All Application Security Real-Time Banking Trojan Strikes Brazil's Pix Users Real-Time Banking Trojan Strikes Brazil's Pix Users by Alexander Culafi Mar 13, 2026 4 Min Read Threat Intelligence Iran's Cyber-Kinetic War Doctrine Takes Shape Iran's Cyber-Kinetic War Doctrine Takes Shape by Alexander Culafi Mar 6, 2026 4 Min Read The Edge DR Technology Events Related Topics Upcoming Events Podcasts Webinars SEE ALL Resources Related Topics Resource Library Newsletters Podcasts Reports Videos Webinars White Papers Partner Perspectives Dark Reading Resource Library Threat Intelligence Cyberattacks & Data Breaches Vulnerabilities & Threats Cyber Risk News Warlock Ransomware Group Augments Post-Exploitation Activities In a recent attack, the group showcased stealthier cross-network activity, thanks to its use of a new BYOVD technique and other tools. Elizabeth Montalbano , Contributing Writer March 17, 2026 4 Min Read Source: Tithi Luadthong via Alamy Stock Photo The Warlock ransomware group continues to exploit unpatched Microsoft SharePoint servers with a new focus on stealthier, more resilient post-exploitation activity, thanks to its use of a new bring your own vulnerable driver (BYOVD) technique and other strategic tools. Warlock, also tracked as Water Manaul, has maintained a consistency in its initial access method in attacks during the second half of last year, during which it primarily targeted the technology, manufacturing , and government sectors in the US, Germany, and Russia, according to researchers at Trend Micro. In activity observed earlier this year, the group pivoted to expanding its malicious activities once inside a targeted environment, according to a report published this week. "Our recent monitoring revealed that the Warlock ransomware group has enhanced its attack chain, including improved methods for persistence, lateral movement, and evasion," Trend Micro threat analysts wrote in the report. Related: China-Nexus Hackers Skulk in Southeast Asian Military Orgs for Years These methods include exploiting the Nsec driver with a new BYOVD technique as well as using the remote-access tool TightVNC and the reverse-proxy tool Yuze to conceal its malicious activity as it spreads across networks, the researchers said. These tactics are in addition to previous post-exploit tools and techniques used by the group, which included the Velociraptor digital forensics and incident response (DFIR) tool as its primary command-and-control (C2) framework, a single Cloudflare tunnel for remote access, and Rclone disguised as TrendSecurity.exe for exfiltration. The researchers noted that the expanded toolset "gives Warlock multiple redundant [C2] channels that blend with legitimate network traffic, demonstrating deliberate investment in operational resilience and detection evasion." Rapid Evolution of a Nascent Group Warlock hasn't been around very long on the ransomware scene but seems to be evolving rapidly in a short time frame, according to Trend Micro. The group made its public debut last June on the Russian cybercrime forum RAMP . It quickly took credit for more than a dozen attacks, snagging victims such as government agencies across multiple countries, as well as private sector organizations. Trend Micro researchers observed a Warlock attack in early January during which the threat actors spent 15 days inside a victim's network before executing the ransomware. The investigation tracked the earliest observed malicious activity of Warlock on the network to the SharePoint worker process (w3wp.exe) on the compromised server, suggesting that the group is continuing to exploit unpatched Microsoft SharePoint vulnerabilities on Internet-facing servers as its primary access point. Related: Inside Olympic Cybersecurity: Lessons From Paris 2024 to Milan Cortina 2026 Indeed, last year Trend Micro observed Warlock exploiting SharePoint vulnerabilities, including a set of flaws affecting on-premises servers — spoofing flaw CVE-2025-49706 , remote code execution bug CVE-2025-49704 , and related vulnerabilities CVE-2025-53770 and CVE-2025-53771 . While Warlock's post-compromise tradecraft is evolving, its initial access approach remains unchanged, which reinforces the ongoing risk posed when organizations delay patching of public-facing enterprise applications. Warlock's Post-Exploitation Activity Enhancements In the Warlock attack Trend Micro detected in January, the threat actors began to deviate from techniques seen in previous attacks to improve persistence, lateral movement, and defense evasion, according to Trend Micro. Key changes observed include silently deploying TightVNC as a Windows service via PsExec for persistent GUI-based remote access. Later in the attack, Warlock also deployed Yuze, a lightweight C-based open source reverse proxy tool used to establish SOCKS5 connections over ports 80, 443, and 53. This helps blend malicious traffic with normal network activity to help attackers evade detection. Related: Attackers Abuse LiveChat to Phish Credit Card, Personal Data The group also leveraged the BYOVD technique by exploiting a vulnerability in the NSecKrnl.sys driver to terminate security products at the kernel level, replacing the googleApiUtil64.sys driver used in earlier campaigns. This represents "a more advanced evolution of earlier driver abuse," the researchers noted. These additions complement existing tactics such as Cloudflare tunnels for C2 and Rclone for data exfiltration, forming a layered and redundant attack chain designed to survive disruption, according to Trend Micro. Defending Against Warlock Given the rapid progress of even fledgling groups such as Warlock, defenders should respond directly to their malicious activities, the researchers said. They emphasized once again the need to patch immediately any public vulnerabilities, particularly in widely used enterprise server technology such as SharePoint. "Protecting these assets and the credentials they hold is critical to preventing initial access and in impeding post-exploitation activities, such as privilege escalation and domain dominance," the researchers noted. In addition to patching , defenders can protect SharePoint and other Internet-facing assets by removing direct RDP or administrative interface exposure to the Internet and enforcing multifactor authentication (MFA) on all external access points, especially VPNs and email systems, they added. Trend Micro also advised organizations should actively monitor for abuse of legitimate administrative and remote access tools, set up detections for anomalous driver activity and kernel-level tampering, and practice consistent visibility into lateral movement and proxy-based C2 channels to defend specifically against the tactics observed in the recent Warlock attack. About the Author Elizabeth Montalbano Contributing Writer Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking. See more from Elizabeth Montalbano More Insights Industry Reports Frost Radar™: Non-human Identity Solutions 2026 CISO AI Risk Report Cybersecurity Forecast 2026 The ROI of AI in Security ThreatLabz 2025 Ransomware Report Access More Research Webinars Building a Robust SOC in a Post-AI World Retail Security: Protecting Customer Data and Payment Systems Rethinking SSE: When Unified SASE Delivers the Flexibility Enterprises Need Securing Remote and Hybrid Work Forecast: Beyond the VPN AI-Powered Threat Detection: Beyond Traditional Security Models More Webinars Editor's Choice Cybersecurity Operations Why Stryker's Outage Is a Disaster Recovery Wake-Up Call Why Stryker's Outage Is a Disaster Recovery Wake-Up Call by Jai Vijayan Mar 12, 2026 5 Min Read Want more Dark Reading stories in your Google search results? 2026 Security Trends & Outlooks Threat Intelligence Cybersecurity Predictions for 2026: Navigating the Future of Digital Threats Jan 2, 2026 Cyber Risk Navigating Privacy and Cybersecurity Laws in 2026 Will Prove Difficult Jan 12, 2026 | 7 Min Read Endpoint Security CISOs Face a Tighter Insurance Market in 2026 Jan 5, 2026 | 7 Min Read Threat Intelligence 2026: The Year Agentic AI Becomes the Attack-Sur