A threat actor known for deploying Warlock ransomware by exploiting vulnerabilities in on-premises SharePoint servers since mid-2025. Uses tools like Velociraptor, Cloudflare tunneling, Zoho Assist, and SSH via Visual Studio Code. Creates local and domain admin accounts and uses vulnerable driver NSecKrnl.sys to disable endpoint security.