An emergent strain of ransomware known as Warlock – which was linked to multiple attacks orchestrated via vulnerabilities in on-premise Microsoft SharePoint Server instances during the summer of 2025 – has been linked to Chinese nation-state threat actors with a high degree of certainty by researchers at Halcyon’s Ransomware Research Centre.
The SharePoint attacks arose through a vulnerability chain dubbed ToolShell, and were quickly linked to two known Chinese advanced persistent threat (APT) groups – Linen Typhoon and Violet Typhoon – by Microsoft.
At the same time, Microsoft observed an unclassified threat actor known as Storm-2603 exploiting the ToolShell vulnerabilities, and swiftly stood up a link to Warlock. By late August, Warlock’s operators had claimed a number of victims including telecoms firms Colt and Orange.
Two months on, Halcyon’s team now says that Warlock likely has ties to the Chinese APTs named by Microsoft, an assessment it has based on the gang’s early access to ToolShell, and new malware samples and technical analysis, which it claims highlights professional-grade development more consistent with well-funded state groups than criminals.
“Our new technical analysis included identifying that Warlock planned from the beginning to deploy multiple ransomware families to confuse attribution, evade detection and accelerate impact. Based on technical overlaps, Halcyon tracks Warlock as the same group as Storm-2603 – Microsoft – and Cl-CRI-1040 – Palo Alto Unit 42,” said the team.
The Halcyon team also firmed up previously suggested links to LockBit, stating that Warlock enjoyed “the distinction” of having been the final LockBit affiliate registered prior to the May 2025 data leak and had leveraged LockBit 3.0 as an operational tool and a development foundation for its own ransomware locker.
Cynthia Kaiser, senior vice-president at Halcyon’s Ransomware Research Center, said the attribution did not come out of the blue given the high-profile and widely reported nature of the Sharepoint breach.
“That said, these findings are particularly significant because it raises the concern of more ransomware attacks resulting from nation-state activity moving forward,” Kaiser told Computer Weekly. “Historically, ransomware attacks and nation-state attacks [or] espionage have had separate motivations and tactics to achieve their goals – to know that ransomware may be a runoff impact of nation-state activity puts more strain on network defenders who may not be prepared.”
In this instance, Kasier said, it was hard to pin down the precise nature of the supposed relationship – Warlock’s operators may be leveraging personal connections having worked with Chinese state cyber agents in the past, or the collaboration may be rather more directly official, possibly even directly contracted. “We would expect most of this activity had tacit, but not necessarily explicit, approval from Beijing,” she added.
New frontier
This is not necessarily the first time financially motivated Chinese cyber criminals have been allowed to operate without repercussions from the government – Kaiser cited the Hafnium attacks on Microsoft Exchange Server back in 2021 which also demonstrated a degree of overlap.
Nevertheless, Kaiser said she expected this trend to grow, and the gathering expansion of Chinese cyber espionage into adjacent areas represents a new and dangerous frontier for defenders.
“It’s important for network defenders to be cognisant of the potential for espionage campaigns to morph into ransomware attacks. Network defenders may not naturally think about ransomware when they are dealing with a nation-state attack,” said Kaiser. “What used to be binary focuses between ransomware and nation-state attacks must now be considered together. This is not just a China issue. We need to be prepared for his becoming more commonplace across the board – this is not a one-off instance.”
