www.darkreading.com 3/17/2026, 4:14:09 PM

Warlock Ransomware Group Augments Post-Exploitation Activities


The Warlock ransomware group is expanding its post-exploitation activity to be more stealthy and resilient, using a new BYOVD technique and other strategic tools after gaining access by exploiting unpatched SharePoint servers, according to Trend Micro threat analysts.

The group, also tracked as Water Manaul, has previously focused on initial access methods in the US, Germany, and Russia, but observations from early January show it pivoting to expand its activity inside compromised environments, including improved persistence, lateral movement, and evasion. Key changes include silently deploying TightVNC as a Windows service via PsExec for GUI-based remote access, and using Yuze, a lightweight reverse proxy tool, to establish SOCKS5 connections and blend its traffic with normal network activity.

It also abuses a vulnerability in the NSecKrnl[.]sys driver, loaded via BYOVD, to terminate security products at the kernel level, replacing the googleApiUtil64[.]sys driver and marking a further step in its driver-abuse evolution. The group continues to rely on Cloudflare tunnels for C2 and Rclone for exfiltration, building a layered, redundant attack chain designed to survive disruption.

Earlier campaigns exploited SharePoint vulnerabilities including CVE-2025-49706, CVE-2025-49704, CVE-2025-53770, and CVE-2025-53771, with activity dating back to last year. Trend Micro notes that the post-exploitation tradecraft continues to evolve while initial access still comes through unpatched public-facing enterprise applications.
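As an added illustration of how a defender might hunt for the post-exploitation tradecraft summarised above (this code is not from the article or from Trend Micro's report), the following Python checks constructed Windows service-installation (7045) and process-creation (4688) events for TightVNC installed as a service, the PsExec service, loads of the two drivers named in the article or of any kernel driver from outside the drivers directory, and execution of Rclone or cloudflared. The key=value rendering of the events and the field names are simplifying assumptions.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample lines in a simplified key=value rendering of Windows
# event log records (not telemetry from the campaign described in the article).
SAMPLE_EVENTS = [
    'EventID=7045 ServiceName="TightVNC Server" ImagePath="C:\\Windows\\tvnserver.exe -service" ServiceType="user mode service"',
    'EventID=7045 ServiceName="PSEXESVC" ImagePath="%SystemRoot%\\PSEXESVC.exe" ServiceType="user mode service"',
    'EventID=7045 ServiceName="nseckrnl" ImagePath="C:\\Users\\Public\\NSecKrnl.sys" ServiceType="kernel mode driver"',
    'EventID=7045 ServiceName="WaaSMedicSvc" ImagePath="C:\\Windows\\System32\\svchost.exe -k wusvcs" ServiceType="user mode service"',
    'EventID=4688 NewProcessName="C:\\ProgramData\\rclone.exe" CommandLine="rclone copy C:\\Finance remote:bucket"',
    'EventID=4688 NewProcessName="C:\\Windows\\System32\\notepad.exe" CommandLine="notepad.exe"',
]

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Driver names from the article: any load of them is worth an alert (BYOVD).
DRIVER_WATCHLIST = {"nseckrnl.sys", "googleapiutil64.sys"}
TOOL_WATCHLIST = {"rclone.exe", "cloudflared.exe"}  # exfiltration and tunnelling


def parse_event(line):
    """Turn one key=value line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def basename(path):
    # First token of the image path is the binary (assumes no spaces in the path).
    return PureWindowsPath(path.split(" ")[0]).name.lower()


def check_event(ev):
    """Return a list of (rule, detail) hits for a single parsed event."""
    hits = []
    if ev.get("EventID") == "7045":  # a new service was installed
        name, image = ev.get("ServiceName", ""), ev.get("ImagePath", "")
        if "tightvnc" in name.lower() or basename(image) == "tvnserver.exe":
            hits.append(("tightvnc_service", name))
        if name.upper() == "PSEXESVC":
            hits.append(("psexec_service", name))
        if "kernel mode driver" in ev.get("ServiceType", ""):
            drv = basename(image)
            in_drivers_dir = "\\system32\\drivers\\" in image.lower()
            if drv in DRIVER_WATCHLIST or not in_drivers_dir:
                hits.append(("suspicious_driver_load", drv))
    elif ev.get("EventID") == "4688":  # process creation
        proc = basename(ev.get("NewProcessName", ""))
        if proc in TOOL_WATCHLIST:
            hits.append(("exfil_or_tunnel_tool", proc))
    return hits


def scan(lines):
    """Run every rule over every line; returns the flat list of hits."""
    return [hit for line in lines for hit in check_event(parse_event(line))]


if __name__ == "__main__":
    for rule, detail in scan(SAMPLE_EVENTS):
        print(f"{rule}: {detail}")
```

The benign service and process lines produce no hits, while the four lines matching the article's tradecraft each produce one.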


Article by CyberSIXT