Warlock ransomware may be linked to Chinese state | Computer Weekly
Briefly

"An emergent strain of ransomware known as Warlock - which was linked to multiple attacks orchestrated via vulnerabilities in on-premise Microsoft SharePoint Server instances during the summer of 2025 - has been linked to Chinese nation-state threat actors with a high degree of certainty by researchers at Halcyon's Ransomware Research Centre. The SharePoint attacks arose through a vulnerability chain dubbed ToolShell, and were quickly linked to two known Chinese advanced persistent threat (APT) groups - Linen Typhoon and Violet Typhoon - by Microsoft."
"Our new technical analysis included identifying that Warlock planned from the beginning to deploy multiple ransomware families to confuse attribution, evade detection and accelerate impact. Based on technical overlaps, Halcyon tracks Warlock as the same group as Storm-2603 - Microsoft - and Cl-CRI-1040 - Palo Alto Unit 42,"
"The Halcyon team also firmed up previously suggested links to LockBit, stating that Warlock enjoyed "the distinction" of having been the final LockBit affiliate registered prior to the May 2025 data leak and had leveraged LockBit 3.0 as an operational tool and a development foundation for its own ransomware locker."
Warlock emerged in summer 2025, leveraging a ToolShell vulnerability chain in on-premise Microsoft SharePoint Server instances. Microsoft linked ToolShell exploitation to Chinese APTs Linen Typhoon and Violet Typhoon and observed Storm-2603 activity tied to the same chain. Warlock operators claimed victims including telecoms firms Colt and Orange by late August. Halcyon's Ransomware Research Centre associates Warlock with Chinese state-backed actors based on early ToolShell access, new malware samples, and technical overlaps indicating professional-grade development. Halcyon also found operational and developmental ties between Warlock and LockBit 3.0, including Warlock's prior LockBit affiliate registration.
Read at ComputerWeekly.com