Trend Micro’s investigation into the Warlock ransomware group shows an expanded attack chain aimed at persistence, lateral movement and defence evasion, with new tools such as TightVNC and Yuze, plus a persistent BYOVD technique abusing the NSec driver. The group’s leak site data from June to December 2025 indicates that technology, manufacturing and government are heavily targeted industries, with the US, Germany, Russia and the UK among the most affected countries.
In early January 2026, operators spent 15 days inside a victim network before deploying ransomware, while initial access continued to rely on exploiting vulnerable SharePoint servers and Windows processes, including w3wp[.]exe spawning a Cobalt Strike beacon and abusing legitimate binaries to sideload malicious code.
Warlock’s C2 channels now include Velociraptor, VS Code tunnels and Cloudflare Tunnel, supplemented by a new open-source tunnelling tool called Yuze and a Supabase-hosted MSI payload to download Velociraptor. The campaign also employs a BYOVD loader that terminates security processes at the kernel level via NSecKrnl[.]sys, and uses Group Policy to distribute run[.]dll and TrendSecurity[.]exe across SYSVOL and NETLOGON, enabling rapid enterprise-wide execution and encryption.
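The observable behaviours above (the IIS worker process w3wp.exe spawning a shell, executables dropped into the SYSVOL/NETLOGON shares, and the NSecKrnl.sys driver being loaded) can be turned into a small triage check over Sysmon-style events. This is an added example, not code from Trend Micro or the report; the sample events, the corp.example domain and the LOLBin child-process list are constructed assumptions.

```python
import ntpath

# Indicators drawn from the findings summarised above (defanged in the text).
W3WP = "w3wp.exe"                       # IIS worker process
LOLBINS = {"cmd.exe", "powershell.exe", "rundll32.exe", "regsvr32.exe", "mshta.exe"}  # assumed watch-list
GPO_SHARES = ("\\sysvol\\", "\\netlogon\\")
NAMED_DROPS = {"run.dll", "trendsecurity.exe"}
BYOVD_DRIVER = "nseckrnl.sys"

# Constructed Sysmon-like events (not real telemetry). Event IDs follow Sysmon:
# 1 = process creation, 11 = file create, 6 = driver loaded.
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Windows\System32\inetsrv\w3wp.exe"},
    {"id": 1, "image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "parent": r"C:\Windows\System32\svchost.exe"},
    {"id": 11, "target": r"\\corp.example\SYSVOL\corp.example\scripts\run.dll"},
    {"id": 11, "target": r"\\corp.example\NETLOGON\TrendSecurity.exe"},
    {"id": 11, "target": r"\\corp.example\SYSVOL\corp.example\Policies\{GUID}\GPT.INI"},
    {"id": 11, "target": r"\\corp.example\SYSVOL\corp.example\scripts\helper.exe"},
    {"id": 6, "image_loaded": r"C:\Windows\Temp\NSecKrnl.sys"},
]

def basename(path):
    """Case-folded file name of a Windows path (ntpath handles '\\' on any OS)."""
    return ntpath.basename(path).lower()

def check_event(ev):
    """Return (rule_name, detail) for a suspicious event, or None."""
    eid = ev.get("id")
    if eid == 1:  # process creation: web shell / beacon spawned by the IIS worker
        parent, child = basename(ev["parent"]), basename(ev["image"])
        if parent == W3WP and child in LOLBINS:
            return ("iis_worker_spawn", f"{parent} -> {child}")
    elif eid == 11:  # file create: payloads staged for Group Policy distribution
        target = ev["target"]
        if any(share in target.lower() for share in GPO_SHARES):
            name = basename(target)
            if name in NAMED_DROPS:
                return ("gpo_share_known_payload", target)
            if name.endswith((".dll", ".exe")):   # hunt lead, not a definite hit
                return ("gpo_share_executable", target)
    elif eid == 6:  # driver load: BYOVD driver used to kill security tooling
        if basename(ev["image_loaded"]) == BYOVD_DRIVER:
            return ("byovd_driver_load", ev["image_loaded"])
    return None

def scan(events):
    """Apply check_event to every event and keep the hits in input order."""
    return [hit for hit in (check_event(e) for e in events) if hit]

if __name__ == "__main__":
    for rule, detail in scan(SAMPLE_EVENTS):
        print(f"{rule}: {detail}")
```

Executables in SYSVOL are not inherently malicious (logon scripts live there), so the `gpo_share_executable` rule is a hunting lead to review against change records, while the named-payload and driver rules are high-confidence matches.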