Warlock Ransomware Exploits SharePoint ToolShell Zero-Day in New Attack Campaign

Chinese-linked threat actors behind the Warlock ransomware operation have emerged as a significant cybersecurity concern following their exploitation of a critical Microsoft SharePoint vulnerability.

The group’s sophisticated attack infrastructure, combined with evidence of historical espionage activities dating back to 2019, reveals a complex threat landscape where cybercriminal and state-sponsored operations increasingly converge.

Warlock first surfaced in June 2025, but the ransomware operation gained widespread attention in July when security researchers discovered attackers deploying it after exploiting the ToolShell zero-day vulnerability in Microsoft SharePoint (CVE-2025-53770).

The vulnerability was actively exploited beginning July 19, 2025, by multiple Chinese-based threat actors before Microsoft released patches.

Unlike typical ransomware operations headquartered in Russia or Commonwealth of Independent States countries, Warlock appears to originate from China, marking a notable shift in the threat landscape.

The ToolShell vulnerability attracted attention from three distinct Chinese-linked threat groups simultaneously. Microsoft identified Budworm (also known as Linen Typhoon or APT27), Sheathminer (Violet Typhoon or APT31), and Storm-2603 as active exploiters of the zero-day.

Among these actors, Storm-2603 stood out by leveraging the vulnerability to deploy both Warlock and LockBit ransomware payloads. Significantly, the new Warlock operation appears completely unrelated to an older ransomware threat previously named Warlock Dark Army.

Detailed research published by Check Point in late July revealed that Storm-2603 employed multiple ransomware payloads, frequently bundling them together during attacks.

The group demonstrated technical sophistication through its use of DLL sideloading, a favored tactic among Chinese threat actors, and deployed a custom command and control framework internally referred to as ak47c2.

Security researchers from Palo Alto Networks Unit 42 identified the Project AK47 toolkit used by Storm-2603 (designated CL-CRI-1040), which includes a backdoor, DLL sideloading loaders, and the AK47/Anylock ransomware payload.

The group’s operational tradecraft involved leveraging the legitimate 7zip application to sideload a malicious 7z.dll loader—a technique observed across multiple attack campaigns.

Trend Micro’s analysis suggested that Warlock may represent a rebrand of the older Anylock ransomware, evidenced by the .x2anylock file extension appended to encrypted files.

Additionally, Trend researchers observed that the analyzed Warlock variant appeared to be a modified version of LockBit 3.0, indicating potential code sharing or acquisition between threat groups.

The security firm also identified possible connections to the retired Black Basta ransomware operation through similar tactics, negotiation styles, and victim selection patterns.

Perhaps most concerning are the connections to earlier espionage-focused activities. Both Symantec and Carbon Black investigations uncovered defense evasion tools signed with a stolen digital certificate from “coolschool” (Serial: 4deb2644a5ad1488f98f6a8d6bca1fab).

This certificate had been in use since at least 2022, linked to earlier Cobalt Strike deployments and vulnerable driver exploitation.
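The article names three concrete, defender-usable indicators: a 7-Zip executable sideloading a malicious 7z.dll, encrypted files carrying the .x2anylock extension, and binaries signed with the stolen "coolschool" certificate serial. The following is an added example (not code from the article or from any of the vendors it cites) that runs those three checks over a few constructed, Sysmon-style JSON events. The event field names, the 7-Zip binary names and the assumed default 7-Zip install directories are assumptions to adapt to your own telemetry.

```python
"""Toy detection pass for the Warlock / Storm-2603 indicators named in the article.

Added example, not vendor code. Flags three things the article describes:
  1. 7z.dll loaded by a 7-Zip executable from a directory other than the
     expected install path (possible DLL sideloading),
  2. files written with the .x2anylock extension (Anylock/Warlock encryption),
  3. binaries carrying the stolen "coolschool" certificate serial.
Field names and the 7-Zip path convention are assumptions.
"""
import json
from pathlib import PureWindowsPath

# Serial quoted in the article; normalised to lowercase hex without separators.
COOLSCHOOL_SERIAL = "4deb2644a5ad1488f98f6a8d6bca1fab"
# Assumed default install directories for 7-Zip (adjust to your environment).
TRUSTED_7ZIP_DIRS = {r"c:\program files\7-zip", r"c:\program files (x86)\7-zip"}
# Assumed legitimate 7-Zip executables that load 7z.dll.
SEVENZIP_BINARIES = {"7z.exe", "7zg.exe", "7zfm.exe"}
RANSOM_EXT = ".x2anylock"


def _norm_serial(s):
    """Keep only hex digits, lowercase, so '4D:EB:...' and '4deb...' compare equal."""
    return "".join(ch for ch in s.lower() if ch in "0123456789abcdef")


def _dir_of(path):
    return str(PureWindowsPath(path).parent).lower()


def _name_of(path):
    return PureWindowsPath(path).name.lower()


def check_event(ev):
    """Return a list of (rule_id, detail) findings for one parsed event."""
    findings = []
    kind = ev.get("event")
    image = ev.get("image", "")
    if kind == "ImageLoad":
        loaded = ev.get("image_loaded", "")
        # Rule 1: 7z.dll resolved from somewhere other than the 7-Zip install dir.
        if (_name_of(loaded) == "7z.dll"
                and _name_of(image) in SEVENZIP_BINARIES
                and _dir_of(loaded) not in TRUSTED_7ZIP_DIRS):
            findings.append(("sideload-7z.dll", f"{image} loaded {loaded}"))
    if kind == "FileCreate":
        target = ev.get("target", "")
        # Rule 2: encrypted-file extension the article attributes to Anylock/Warlock.
        if target.lower().endswith(RANSOM_EXT):
            findings.append(("x2anylock-ext", f"{image} wrote {target}"))
    serial = ev.get("signature_serial")
    # Rule 3: any event whose signed object carries the stolen certificate serial.
    if serial and _norm_serial(serial) == COOLSCHOOL_SERIAL:
        subject = ev.get("image_loaded") or image
        findings.append(("coolschool-cert", f"{subject} signed with serial {serial}"))
    return findings


def scan_events(lines):
    """Parse newline-delimited JSON events and collect findings across all of them."""
    out = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines rather than abort the sweep
        out.extend(check_event(ev))
    return out


# Constructed sample events (not real telemetry): one benign 7-Zip load, one
# sideload from a user-writable directory, one driver signed with the stolen
# certificate, one encrypted file, one benign file write.
SAMPLE_EVENTS = [json.dumps(e) for e in [
    {"event": "ImageLoad", "image": r"C:\Program Files\7-Zip\7z.exe",
     "image_loaded": r"C:\Program Files\7-Zip\7z.dll", "signature_serial": "0f1e2d3c"},
    {"event": "ImageLoad", "image": r"C:\Users\Public\7z.exe",
     "image_loaded": r"C:\Users\Public\7z.dll"},
    {"event": "ImageLoad", "image": r"C:\Windows\System32\svchost.exe",
     "image_loaded": r"C:\Windows\Temp\drv.sys",
     "signature_serial": "4D:EB:26:44:A5:AD:14:88:F9:8F:6A:8D:6B:CA:1F:AB"},
    {"event": "FileCreate", "image": r"C:\Users\Public\7z.exe",
     "target": r"C:\Users\alice\Documents\report.docx.x2anylock"},
    {"event": "FileCreate", "image": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "target": r"C:\Users\alice\Documents\report.docx"},
]]

if __name__ == "__main__":
    for rule, detail in scan_events(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

The sideloading rule keys on the loaded DLL's directory rather than its hash, because the article describes the legitimate 7-Zip binary being abused; a hash of the malicious 7z.dll changes per campaign, while "7z.dll outside the install directory" does not. The serial comparison strips separators and case so the value can be matched regardless of how a given tool renders certificate serials.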

TeamT5 researchers previously connected the coolschool certificate to CamoFei, a Chinese APT group active since 2019 conducting espionage operations globally.

SentinelOne, which refers to the group as ChamelGang, documented attacks against critical infrastructure in the United States, Brazil, India, Russia, Taiwan, and Japan, including strikes against the Presidency of Brazil and India’s All-India Institute of Medical Sciences.

The Warlock operation represents an emerging China-based cybercrime nexus where espionage and ransomware activities intertwine.

Evidence suggests actors may operate as contractors supporting state-sponsored espionage while simultaneously conducting profitable ransomware campaigns—a hybrid model that complicates attribution and demonstrates how cybercriminal activities can effectively obscure or facilitate intelligence gathering operations.
