Edward Kiledjian's Threat Intel

Emerging Threat Actor: Warlock Ransomware

The Warlock ransomware operation emerged in June 2025 through a Russian cybercrime forum and is linked to China-based actor Storm-2603, with at least 11 confirmed incidents since mid-July. The group exploits Microsoft SharePoint zero-day vulnerabilities (CVE-2025-49706, CVE-2025-49704, CVE-2025-53770, and CVE-2025-53771) to deploy web shells, extract credentials, and move laterally before deploying ransomware via Group Policy modifications. Warlock employs double-extortion tactics, claiming responsibility for 19 victims across government, finance, manufacturing, and technology sectors within its first month. Microsoft reported that Warlock compromised over 400 SharePoint servers across 148 organizations within weeks, making it one of 2025’s most closely watched ransomware threats.