In July 2025, the cybersecurity landscape faced a significant disruption as Warlock ransomware actors began exploiting a critical zero-day vulnerability in Microsoft SharePoint. Identified on July 19, 2025, and tracked as CVE-2025-53770, this vulnerability became a key vector for deploying the Warlock ransomware globally.
This marked a pivotal escalation in cyber threats, combining established exploitation techniques with new malware strategies. Warlock, which first appeared in June 2025, gained prominence with the ToolShell zero-day attacks, distinguishing itself with a China-based operational framework, diverging from the usual Russian-centric ransomware operations.
Initially a localized threat, Warlock quickly evolved into a coordinated campaign, targeting diverse sectors from Middle Eastern engineering firms to U.S. financial institutions. Analysts from Symantec and Carbon Black uncovered a sophisticated operational structure behind Warlock, identified as Storm-2603 by Microsoft threat intelligence. The group used Warlock alongside other ransomware like LockBit 3.0, demonstrating a flexible and extensive cyber-attack arsenal.
Warlock’s infection mechanism shows a high degree of technical sophistication, primarily using DLL sideloading through the legitimate 7-Zip application to execute malicious payloads. This method, frequently used by Chinese threat actors, evades conventional security controls by running malicious code inside a trusted process. Once active, Warlock aggressively encrypts files, marking them with the .x2anylock extension.
Researchers noted that Warlock appears to be a rebranded version of the older Anylock payload, incorporating elements from LockBit 3.0. The ransomware uses a custom command-and-control (C2) framework, ak47c2, for persistent communication with infected systems. Additionally, it employs custom defense evasion tools, signed with a stolen certificate, and uses Bring Your Own Vulnerable Driver (BYOVD) techniques to disable security measures and establish control over systems.
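The two behaviours described above (a DLL loaded by 7-Zip from an unusual location, and a burst of files renamed to .x2anylock) are both visible in ordinary endpoint telemetry. The following is an added detection example written for this page; it is not code from the article or from any vendor named in it. It assumes a simplified, constructed log format of the form `<timestamp> <event> host=<h> proc=<image> path=<file>`, and it treats `7z.exe`, `7zG.exe` and `7zFM.exe` as the 7-Zip executables and `C:\Program Files` paths as the trusted install locations; both of those lists are assumptions, not facts from the page.

```python
"""Heuristic detections for the Warlock behaviours described in the article.

Two checks run over constructed sample telemetry:
  1. A DLL loaded by a 7-Zip process from the process's own, non-install
     directory (a common DLL sideloading pattern).
  2. A burst of file rename/create events producing the .x2anylock extension
     on one host inside a short time window.
"""
import ntpath
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real telemetry). Format assumed here:
#   <ISO timestamp> <event> host=<hostname> proc=<process image> path=<file path>
SAMPLE_LOG = """\
2025-07-19T10:00:01Z ImageLoad host=ws01 proc=C:\\Users\\bob\\AppData\\Local\\Temp\\7z.exe path=C:\\Users\\bob\\AppData\\Local\\Temp\\7z.dll
2025-07-19T10:00:02Z ImageLoad host=ws02 proc=C:\\Program Files\\7-Zip\\7z.exe path=C:\\Program Files\\7-Zip\\7z.dll
2025-07-19T10:00:03Z ImageLoad host=ws02 proc=C:\\Program Files\\7-Zip\\7z.exe path=C:\\Windows\\System32\\kernel32.dll
2025-07-19T10:01:00Z FileRename host=ws01 proc=C:\\Users\\bob\\AppData\\Local\\Temp\\7z.exe path=C:\\Shares\\finance\\q1.xlsx.x2anylock
2025-07-19T10:01:01Z FileRename host=ws01 proc=C:\\Users\\bob\\AppData\\Local\\Temp\\7z.exe path=C:\\Shares\\finance\\q2.xlsx.x2anylock
2025-07-19T10:01:02Z FileRename host=ws01 proc=C:\\Users\\bob\\AppData\\Local\\Temp\\7z.exe path=C:\\Shares\\finance\\q3.xlsx.x2anylock
2025-07-19T10:01:03Z FileRename host=ws01 proc=C:\\Users\\bob\\AppData\\Local\\Temp\\7z.exe path=C:\\Shares\\finance\\q4.xlsx.x2anylock
2025-07-19T10:01:04Z FileRename host=ws01 proc=C:\\Users\\bob\\AppData\\Local\\Temp\\7z.exe path=C:\\Shares\\finance\\budget.docx.x2anylock
2025-07-19T10:01:05Z FileRename host=ws01 proc=C:\\Users\\bob\\AppData\\Local\\Temp\\7z.exe path=C:\\Shares\\finance\\payroll.csv.x2anylock
2025-07-19T10:05:00Z FileRename host=ws03 proc=C:\\Windows\\explorer.exe path=C:\\Users\\amy\\notes.txt.x2anylock
"""

LINE_RE = re.compile(r"^(\S+) (\S+) host=(\S+) proc=(.*?) path=(.*)$")

# Assumed 7-Zip binary names and trusted install prefixes (lower-cased for comparison).
SEVEN_ZIP_IMAGES = {"7z.exe", "7zg.exe", "7zfm.exe"}
TRUSTED_PREFIXES = ("c:\\program files\\", "c:\\program files (x86)\\")


def parse_log(text):
    """Turn the log text into a list of event dicts with parsed timestamps."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        ts, event, host, proc, path = m.groups()
        events.append({
            "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "event": event, "host": host, "proc": proc, "path": path,
        })
    return events


def find_sideload_candidates(events):
    """Flag DLLs loaded by a 7-Zip process from its own, non-install directory."""
    hits = []
    for ev in events:
        if ev["event"] != "ImageLoad" or not ev["path"].lower().endswith(".dll"):
            continue
        if ntpath.basename(ev["proc"]).lower() not in SEVEN_ZIP_IMAGES:
            continue
        proc_dir = ntpath.dirname(ev["proc"]).lower()
        dll_dir = ntpath.dirname(ev["path"]).lower()
        # A DLL resolved from the executable's directory is only suspicious
        # when that directory is not a trusted install location.
        if dll_dir == proc_dir and not proc_dir.startswith(TRUSTED_PREFIXES):
            hits.append(ev)
    return hits


def find_encryption_bursts(events, ext=".x2anylock", threshold=5,
                           window=timedelta(seconds=60)):
    """Return {host: peak count} for hosts with >= threshold renames/creates
    producing `ext` inside any sliding window of the given length."""
    per_host = defaultdict(list)
    for ev in events:
        if ev["event"] in ("FileRename", "FileCreate") and ev["path"].lower().endswith(ext):
            per_host[ev["host"]].append(ev["ts"])
    alerts = {}
    for host, times in per_host.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1  # slide the window forward
            count = end - start + 1
            if count >= threshold:
                alerts[host] = max(alerts.get(host, 0), count)
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for hit in find_sideload_candidates(evs):
        print(f"sideload candidate on {hit['host']}: {hit['proc']} loaded {hit['path']}")
    for host, n in find_encryption_bursts(evs).items():
        print(f"encryption burst on {host}: {n} .x2anylock renames within 60s")
```

On the constructed sample, the sideloading check fires only for the 7-Zip copy running out of a Temp directory, and the burst check fires only for the host that renames six files in a few seconds; the single .x2anylock rename on the third host stays below the threshold, which is the kind of noise floor a real deployment would tune against its own baseline.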

