The Warlock threat group continues to target unpatched Microsoft SharePoint servers, shifting its focus toward stealthier and more resilient post-compromise activity. This evolution includes the use of a new bring-your-own-vulnerable-driver (BYOVD) technique alongside a refined set of remote access tools.
Also tracked as Water Manaul, the group maintained a consistent initial access methodology during the second half of last year. During this period, the group primarily impacted the technology, manufacturing, and government sectors in the United States, Germany, and Russia, according to researchers at Trend Micro. In activity observed earlier this year, the group expanded its network operations once inside an affected environment.
Trend Micro threat analysts reported that the group has refined its attack chain, developing improved methods for persistence, lateral movement, and evasion. These methods include leveraging the Nsec driver for BYOVD operations, as well as using the remote-access tool TightVNC and the reverse-proxy tool Yuze to conceal unauthorized activity as it spreads across networks.
These tactics build upon previous post-compromise tools utilized by the group. Earlier campaigns relied on the Velociraptor digital forensics and incident response (DFIR) tool as a primary command-and-control (C2) framework, a single Cloudflare tunnel for remote access, and Rclone disguised as TrendSecurity.exe for data exfiltration. Researchers noted that the expanded toolset provides the group with multiple redundant C2 channels that blend with legitimate network traffic, indicating a deliberate investment in operational resilience and detection evasion.
Rapid evolution of a recent threat group
Warlock emerged relatively recently but has adapted its methodology quickly. The group made its public debut last June on the Russian cybercrime forum RAMP. It subsequently claimed responsibility for over a dozen security incidents involving government agencies across multiple countries and private sector organizations.
Trend Micro researchers analyzed an intrusion in early January where the threat actors spent 15 days inside an affected organization's network before executing the ransomware. The investigation tracked the earliest observed unauthorized activity to the SharePoint worker process (w3wp.exe) on the compromised server. This confirms the group is continuing to target unpatched Microsoft SharePoint vulnerabilities on internet-facing servers to gain initial access.
Last year, analysts observed Warlock leveraging a specific set of flaws affecting on-premises SharePoint servers. These include a spoofing vulnerability (CVE-2025-49706), a remote code execution vulnerability (CVE-2025-49704), and related vulnerabilities CVE-2025-53770 and CVE-2025-53771. While Warlock's post-compromise tradecraft is evolving, its initial access approach remains unchanged. This reinforces the necessity of timely patch management for public-facing enterprise applications.
Post-compromise methodology enhancements
In the January incident, the threat actors deviated from earlier techniques to improve persistence, lateral movement, and defense evasion. Key changes include silently deploying TightVNC as a Windows service via PsExec to establish persistent GUI-based remote access.
Later in the intrusion lifecycle, the group deployed Yuze, a lightweight C-based open-source reverse proxy tool. They used Yuze to establish SOCKS5 connections over ports 80, 443, and 53, blending unauthorized traffic with normal network activity to evade detection.
The group also utilized the BYOVD technique by targeting a vulnerability in the NSecKrnl.sys driver to terminate security products at the kernel level. This replaces the googleApiUtil64.sys driver used in earlier campaigns, representing a more advanced iteration of driver abuse. These additions complement existing tactics like Cloudflare tunnels and Rclone, forming a layered, redundant attack chain designed to survive defensive disruptions.
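The host-side behaviours described above (the SharePoint worker w3wp.exe as the earliest point of unauthorized activity, TightVNC installed as a service through PsExec, and the NSecKrnl.sys driver load) can each be expressed as a detection rule over endpoint telemetry. The following is an added example, not code from the article or from Trend Micro: the event shape is a Sysmon-like simplification, the sample records are constructed, and the binary names psexesvc.exe and tvnserver.exe (PsExec's service stub and the TightVNC server) are assumptions rather than names the article gives.

```python
"""Host-log detection rules for the post-compromise behaviours in the article.
Added example: Sysmon-like event shape, constructed sample records; the PsExec
and TightVNC binary names are assumptions, not indicators from the article."""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Event:
    kind: str            # "process" (process create), "service" (service install), "driver" (driver load)
    host: str
    data: dict = field(default_factory=dict)


# Indicators named in the article.
SHAREPOINT_WORKER = "w3wp.exe"
ABUSED_DRIVERS = {"nseckrnl.sys", "googleapiutil64.sys"}
# Assumed binary names (not from the article): PsExec's service stub, TightVNC's server.
PSEXEC_SERVICE_BINARY = "psexesvc.exe"
REMOTE_ACCESS_BINARIES = {"tvnserver.exe"}
SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "rundll32.exe", "certutil.exe"}
DRIVER_DIR = "\\windows\\system32\\drivers\\"


def basename(path: str) -> str:
    """Lower-cased file name from a Windows path, dropping quotes and trailing arguments."""
    leaf = path.lower().replace("/", "\\").rsplit("\\", 1)[-1]
    return leaf.split()[0].strip('"') if leaf else ""


def detect(events):
    """Return (host, rule, detail) findings in event order."""
    findings = []
    for ev in events:
        d = ev.data
        if ev.kind == "process":
            parent = basename(d.get("parent_image", ""))
            child = basename(d.get("image", ""))
            # A web worker process has no business launching an interactive shell.
            if parent == SHAREPOINT_WORKER and child in SHELL_CHILDREN:
                findings.append((ev.host, "sharepoint-worker-spawned-shell", child))
        elif ev.kind == "service":
            binary = basename(d.get("image_path", ""))
            if binary == PSEXEC_SERVICE_BINARY:
                findings.append((ev.host, "psexec-service-installed", binary))
            elif binary in REMOTE_ACCESS_BINARIES:
                findings.append((ev.host, "remote-access-service-installed", binary))
        elif ev.kind == "driver":
            path = d.get("image", "").lower().replace("/", "\\")
            name = basename(path)
            if name in ABUSED_DRIVERS:
                findings.append((ev.host, "known-abused-driver-loaded", name))
            elif DRIVER_DIR not in path:
                # Legitimate drivers live under System32\drivers; a load from Temp or a
                # user profile is the generic BYOVD signal once the name list goes stale.
                findings.append((ev.host, "driver-loaded-outside-drivers-dir", name))
    return findings


def hosts_to_escalate(findings, min_rules=2):
    """Hosts where at least `min_rules` distinct rules fired: one hit may be admin
    noise, several together match the layered chain the article describes."""
    rules_by_host = defaultdict(set)
    for host, rule, _ in findings:
        rules_by_host[host].add(rule)
    return sorted(h for h, rules in rules_by_host.items() if len(rules) >= min_rules)


SAMPLE_EVENTS = [  # constructed, not from any real incident
    Event("process", "sp01", {"parent_image": r"C:\Windows\System32\inetsrv\w3wp.exe",
                              "image": r"C:\Windows\System32\cmd.exe"}),
    Event("process", "sp01", {"parent_image": r"C:\Windows\explorer.exe",
                              "image": r"C:\Windows\System32\cmd.exe"}),
    Event("service", "fs02", {"service_name": "PSEXESVC",
                              "image_path": r"C:\Windows\PSEXESVC.exe"}),
    Event("service", "fs02", {"service_name": "tvnserver",
                              "image_path": r'"C:\Program Files\TightVNC\tvnserver.exe" -service'}),
    Event("driver", "fs02", {"image": r"C:\Windows\Temp\NSecKrnl.sys"}),
    Event("driver", "fs02", {"image": r"C:\Windows\System32\drivers\tcpip.sys"}),
    Event("driver", "ws03", {"image": r"C:\Users\Public\updater.sys"}),
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(*finding)
    print("escalate:", hosts_to_escalate(detect(SAMPLE_EVENTS)))
```

The driver rule matches on file name first and falls back to load location, because a name blocklist is only as current as the last report; the escalation step groups rules per host so that a single PsExec service install in an admin-heavy environment does not page anyone on its own.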
Defending against Warlock operations
Given the rapid operational progress of groups like Warlock, defenders should proactively address these specific techniques. Security researchers emphasize the need to immediately apply updates for public-facing vulnerabilities, particularly in widely used enterprise server technology such as SharePoint. Securing these assets and the credentials they hold prevents initial access and impedes subsequent activities, such as privilege escalation and domain dominance.
Security teams can further protect SharePoint and other internet-facing assets by removing direct RDP or administrative interface exposure to the internet. Enforcing multifactor authentication (MFA) on all external access points, especially VPNs and email systems, adds a critical layer of defense.
Finally, organizations should actively monitor for the abuse of legitimate administrative and remote access tools. Setting up detections for anomalous driver activity and kernel-level tampering, while maintaining consistent visibility into lateral movement and proxy-based C2 channels, will help teams defend against the specific methodologies observed in recent Warlock operations.
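The proxy-based C2 channel mentioned above, and the Yuze SOCKS5 connections over ports 80, 443, and 53 described earlier, share one network-visible property: the destination port promises HTTP, TLS, or DNS, but the first bytes the client sends are a SOCKS5 greeting. The following added example (not code from the article or from the Yuze project) checks for that protocol mismatch over constructed flow records; the flow fields and the sample payloads are assumptions built for the demonstration.

```python
"""Protocol-mismatch check for proxy traffic hiding on well-known ports.
Added example: flows and their first client payload bytes are constructed
here; nothing below comes from a real capture or from the Yuze project."""
from dataclasses import dataclass


@dataclass
class Flow:
    src: str
    dst: str
    dst_port: int
    first_client_bytes: bytes   # first TCP payload the client sent


WATCHED_PORTS = {80, 443, 53}   # the ports the article says the SOCKS5 proxy used
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ",
                b"OPTIONS ", b"CONNECT ", b"PATCH ")
# RFC 1928 method numbers: 0x00 no auth, 0x01 GSSAPI, 0x02 user/pass, 0x80-0xFE private.
SOCKS5_METHODS = {0x00, 0x01, 0x02} | set(range(0x80, 0xFF))


def looks_like_socks5_greeting(payload: bytes) -> bool:
    """RFC 1928 client greeting: VER=0x05, NMETHODS, then NMETHODS method bytes.
    Requiring exactly one well-formed greeting with plausible methods keeps a
    DNS-over-TCP length prefix that happens to start with 0x05 from matching."""
    if len(payload) < 3 or payload[0] != 0x05:
        return False
    nmethods = payload[1]
    if nmethods == 0 or nmethods > 8 or len(payload) != 2 + nmethods:
        return False
    return all(m in SOCKS5_METHODS for m in payload[2:])


def classify(payload: bytes) -> str:
    """Coarse first-bytes classification of a client's opening segment."""
    if len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03:
        return "tls"        # TLS record header: handshake type, major version 3
    if payload.startswith(HTTP_METHODS):
        return "http"
    if looks_like_socks5_greeting(payload):
        return "socks5"
    return "other"


def find_proxy_on_standard_ports(flows):
    """Flows whose port says HTTP/TLS/DNS but whose first bytes are a SOCKS5 greeting."""
    return [(f.src, f.dst, f.dst_port) for f in flows
            if f.dst_port in WATCHED_PORTS and classify(f.first_client_bytes) == "socks5"]


SAMPLE_FLOWS = [  # constructed
    Flow("10.0.0.5", "203.0.113.10", 443, bytes.fromhex("160301020001000001fc0303")),  # TLS ClientHello start
    Flow("10.0.0.5", "203.0.113.10", 80, b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    Flow("10.0.0.8", "192.0.2.53", 53, bytes.fromhex("001d") + bytes.fromhex("abcd01000001000000000000")),  # DNS/TCP
    Flow("10.0.0.7", "198.51.100.20", 443, bytes([0x05, 0x01, 0x00])),        # SOCKS5 greeting, no-auth
    Flow("10.0.0.7", "198.51.100.20", 53, bytes([0x05, 0x02, 0x00, 0x02])),   # SOCKS5 greeting, no-auth or user/pass
    Flow("10.0.0.7", "198.51.100.20", 8080, bytes([0x05, 0x01, 0x00])),       # SOCKS5 on an unwatched port
]

if __name__ == "__main__":
    for src, dst, port in find_proxy_on_standard_ports(SAMPLE_FLOWS):
        print(f"socks5 greeting on port {port}: {src} -> {dst}")
```

This only sees plaintext SOCKS5 negotiation; a proxy wrapped in TLS on 443 is invisible to it, which is why the host-side service and driver telemetry has to carry the other half of the coverage. The 8080 flow is deliberately left alone: a SOCKS proxy on its own port is a policy question, while the same bytes on 53 or 443 are a protocol mismatch worth an alert.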