Warlock ransomware may be linked to Chinese state

Warlock, a new strain of ransomware used in numerous attacks orchestrated through vulnerabilities in on-premises instances of Microsoft SharePoint Server in summer 2025, has been linked with a high degree of confidence to Chinese nation-state threat actors by researchers at the Halcyon Ransomware Research Center.

The SharePoint attacks came through a chain of vulnerabilities dubbed ToolShell, and Microsoft quickly attributed their exploitation to two prominent Chinese advanced persistent threat (APT) groups, Linen Typhoon and Violet Typhoon.

At the same time, Microsoft observed a then-unattributed threat actor it tracks as Storm-2603 exploiting the ToolShell vulnerabilities, and references to Warlock soon followed. By the end of August, Warlock operators had claimed several victims, including the telecommunications companies Colt and Orange.

Two months later, the Halcyon team now says that Warlock is likely linked to the Chinese APTs named by Microsoft. That assessment is based on the gang's early access to ToolShell, as well as on new malware samples and technical analysis that, Halcyon says, point to professional-grade development more in line with well-funded government groups than with criminal gangs.

“Our new technical analysis included establishing that Warlock planned from the outset to deploy multiple families of ransomware to obfuscate attribution, evade detection, and accelerate impact. Based on the technical match, Halcyon tracks Warlock as the same group as Storm-2603 (Microsoft) and CL-CRI-1040 (Palo Alto Unit 42),” the team said.

The Halcyon team also corroborated previously suggested links to LockBit, saying that Warlock had a distinct history as a LockBit affiliate, having registered before the LockBit data breach in May 2025, and had used LockBit 3.0 both as an operational tool and as a base for developing its own ransomware.

Cynthia Kaiser, senior vice president of the Halcyon Ransomware Research Center, said the attribution did not come out of the blue given the high-profile and widely publicized nature of the SharePoint hacks.

“However, these findings are particularly important because they raise concerns about an increase in ransomware attacks as a result of continued nation-state activity,” Kaiser told Computer Weekly. “Historically, ransomware attacks and nation-state attacks [or] espionage have had different motives and tactics to achieve their goals – the realization that ransomware can be the result of nation-state activity puts additional strain on network defenders who may be unprepared.”

In this case, Kaiser said, it was difficult to determine the exact nature of the alleged relationship: Warlock operators may be drawing on personal connections from having worked with Chinese state cyber operators in the past, or the collaboration may be more formal, perhaps even under a direct contract. “We expect that much of this activity has received tacit, but not necessarily explicit, approval from Beijing,” she added.

New frontier

This is not the first time that financially motivated Chinese cybercriminals have been allowed to operate without government repercussions: Kaiser cited the Hafnium attacks on Microsoft Exchange Server back in 2021, which also showed some degree of overlap between espionage and criminal activity.

However, Kaiser said she expects the trend to intensify, and that the growing expansion of Chinese cyber espionage into adjacent areas represents a new and dangerous frontier for network defenders.

“It's important for network defenders to recognize that espionage campaigns can escalate into ransomware attacks. Network defenders may not naturally think about ransomware when they're dealing with a nation-state attack,” Kaiser said. “What used to be a binary focus between ransomware and nation-state attacks now needs to be looked at together. This is not just a Chinese problem. We need to be prepared for it to become more common across the board – this is not an isolated incident.”
