CyberSecurityBoardThreat Intel · CVEs · Products
Attack Groups

Storm-2603: Threat Actor Deploying Warlock Ransomware via SharePoint Exploits

July 2, 2026

A threat actor known for deploying Warlock ransomware by exploiting vulnerabilities in on-premises SharePoint servers since mid-2025. Uses tools like Velociraptor, Cloudflare tunneling, Zoho Assist, and SSH via Visual Studio Code. Creates local and domain admin accounts and uses vulnerable driver NSecKrnl.sys to disable endpoint security.