Researchers at Trend Micro say that Warlock, also known as Water Manaul, kept the same initial-access approach in its attacks during the second half of last year. During that time, it mostly targeted the technology, manufacturing, and government sectors in the US, Germany, and Russia. A report released this week says that the group instead changed how it operates once inside a targeted environment, expanding its post-exploitation activity.
Trend Micro threat analysts wrote in the report, "Our recent monitoring showed that the Warlock ransomware group has improved its attack chain, including better ways to stay in place, move sideways, and avoid detection."
Among these methods are a new BYOVD technique that abuses the Nsec driver and new remote-access tooling. The researchers said that the malware used TightVNC and the reverse-proxy tool Yuze to hide its malicious behavior as it spread across networks. The group has used other post-exploitation tools and techniques before, such as the Velociraptor digital forensics and incident response (DFIR) tool as its main command-and-control (C2) framework, a single Cloudflare tunnel for remote access, and Rclone disguised as TrendSecurity.exe for exfiltration.
The researchers said that the expanded toolset "gives Warlock multiple redundant [C2] channels that blend with legitimate network traffic, showing that they are deliberately investing in operational resilience and detection evasion."

## Rapid Evolution of a New Group

Trend Micro says that Warlock, a new group on the ransomware scene, hasn't been around for very long but is growing quickly. Last June, the group made its first public appearance on the Russian cybercrime forum RAMP.
It quickly claimed responsibility for more than a dozen attacks, including ones on government agencies in many countries and private companies.
## Improvements to Warlock's Activities After Exploitation

In the Warlock attacks it analyzed, Trend Micro found that the threat actors began using different methods in January to persist longer, move laterally, and evade detection. One of the most important changes is that TightVNC is now silently installed as a Windows service through PsExec, which provides persistent GUI-based remote access.
Later in the attack, Warlock also used Yuze, a lightweight C-based open source reverse proxy tool that sets up SOCKS5 connections over ports 80, 443, and 53. Blending malicious traffic with normal network activity in this way makes the attackers harder to detect.
The group also used the BYOVD method to terminate security products at the kernel level by exploiting a flaw in the NSecKrnl.sys driver. This driver replaced the googleApiUtil64.sys driver that had been used in earlier campaigns. The researchers described this as "a more advanced evolution of earlier driver abuse."
Trend Micro says that these new techniques work alongside older ones, such as Cloudflare tunnels for C2 and Rclone for data exfiltration, to create a layered and redundant attack chain that can withstand disruption.

## How to Fight Warlock

The researchers said, "Protecting these assets and the credentials they hold is very important to stopping initial access and making it harder for attackers to do things like privilege escalation and domain dominance."
Trend Micro also said that, to protect themselves against the tactics used in the recent Warlock attacks, businesses should watch for abuse of legitimate administrative and remote-access tools, set up detections for unusual driver activity and kernel-level tampering, and maintain continuous visibility into lateral movement and proxy-based C2 channels.
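As an added illustration of the monitoring the researchers recommend (this code is not from the Trend Micro report), the following Python applies three detection rules to constructed, simplified Windows/Sysmon-style event records: a TightVNC service installed on a host shortly after a PSEXESVC service install, a load of one of the two drivers the report names, and a process whose embedded original file name is rclone.exe but whose on-disk name differs. The field names follow Windows System log and Sysmon conventions; the sample records, the time window, and the assumption that TightVNC's service binary is named tvnserver are all constructed for this example.

```python
import ntpath
from collections import defaultdict

# Constructed sample telemetry (not real logs). Field names follow the Windows
# System log (7045 = service installed) and Sysmon (1 = process create,
# 6 = driver load). Time is minutes since an arbitrary epoch.
SAMPLE_EVENTS = [
    {"Host": "WS01", "Time": 0, "EventID": 7045, "ServiceName": "PSEXESVC",
     "ImagePath": r"%SystemRoot%\PSEXESVC.exe"},
    {"Host": "WS01", "Time": 1, "EventID": 7045, "ServiceName": "tvnserver",
     "ImagePath": r"C:\ProgramData\tvnserver.exe -service"},
    {"Host": "WS01", "Time": 5, "EventID": 6,
     "ImageLoaded": r"C:\Windows\Temp\NSecKrnl.sys"},
    {"Host": "FS02", "Time": 9, "EventID": 1, "OriginalFileName": "rclone.exe",
     "Image": r"C:\Users\Public\TrendSecurity.exe"},
    {"Host": "FS02", "Time": 10, "EventID": 1, "OriginalFileName": "svchost.exe",
     "Image": r"C:\Windows\System32\svchost.exe"},
]

ABUSED_DRIVERS = {"nseckrnl.sys", "googleapiutil64.sys"}  # drivers named in the report
REMOTE_ACCESS_SERVICES = ("tvnserver", "tightvnc")         # assumed TightVNC service names
PSEXEC_WINDOW = 10  # assumed: minutes between PSEXESVC install and a follow-on service

def _base(path):
    """Lower-cased file name of the first token of a Windows path or command line."""
    return ntpath.basename(path.split(" ")[0]).lower()

def detect(events):
    """Return (rule, host, detail) tuples for events matching the described TTPs."""
    hits = []
    psexec_seen = defaultdict(list)  # host -> times a PSEXESVC service was installed
    for e in sorted(events, key=lambda x: x["Time"]):
        host, eid = e["Host"], e["EventID"]
        if eid == 7045:
            name, path = e["ServiceName"].lower(), e["ImagePath"].lower()
            if name == "psexesvc":
                psexec_seen[host].append(e["Time"])
            elif any(k in name or k in path for k in REMOTE_ACCESS_SERVICES):
                # Only flag when PsExec was used on the same host just before.
                if any(0 <= e["Time"] - t <= PSEXEC_WINDOW for t in psexec_seen[host]):
                    hits.append(("vnc_service_via_psexec", host, e["ServiceName"]))
        elif eid == 6 and _base(e["ImageLoaded"]) in ABUSED_DRIVERS:
            hits.append(("byovd_driver_load", host, e["ImageLoaded"]))
        elif eid == 1:
            orig = e.get("OriginalFileName", "").lower()
            if orig == "rclone.exe" and _base(e["Image"]) != orig:
                hits.append(("renamed_rclone", host, e["Image"]))
    return hits

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit)
```

The PsExec correlation is deliberately stateful so that a legitimately deployed VNC service installed without PsExec does not fire on its own.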
