Ethical Hacking News
The Storm-2603 APT group has been identified by Check Point as a sophisticated threat actor linked to the China-based APT groups APT27 and APT31. The group has deployed various forms of malware, including the ransomware variants Warlock and LockBit Black. Its use of a custom C2 framework and evasion techniques has raised concerns among cybersecurity experts.
Key points:
- Storm-2603 is linked to the China-based groups APT27 and APT31.
- Exploits vulnerabilities in Microsoft SharePoint for initial access.
- Uses the custom AK47 C2 framework, which has HTTP-based and DNS-based clients.
- Relies on XOR encryption, DLL sideloading and an antivirus killer tool to evade detection.
- Tactics resemble those used by nation-state actors.
- Linked to attacks targeting the Latin America and APAC regions in 2025.
- Adapts and evolves its tactics, including the use of a BYOVD technique.
Cybersecurity experts at Check Point have recently shed light on the activities of a new, sophisticated threat actor known as Storm-2603. This Advanced Persistent Threat (APT) group has been identified as being linked to China-based APT groups APT27 and APT31, and is believed to have been responsible for deploying various forms of malware in recent attacks.
The Storm-2603 group's modus operandi involves exploiting vulnerabilities in Microsoft SharePoint to gain initial access to targeted organizations. It also uses a custom Command-and-Control (C2) framework dubbed AK47 C2, which features two types of clients: an HTTP-based client (AK47HTTP) and a DNS-based client (AK47DNS).
The AK47 C2 framework is notable for its use of XOR encryption to encode data, and for being sideloaded as a DLL through legitimate applications such as 7-Zip and clink.exe. From that foothold the group deploys ransomware variants such as Warlock and LockBit Black with relative ease.
One of the most striking aspects of the Storm-2603 group's tactics is their use of a custom antivirus killer tool, which abuses ServiceMouse.sys, a signed driver from Chinese vendor Antiy Labs, to disable security tools. This allows them to maintain a high level of stealth and evade detection.
The group has been linked to attacks targeting organizations in Latin America and APAC regions, with the first half of 2025 seeing notable activity. In some cases, they have also employed DNS tunneling and HTTP-based backdoors to communicate with their C2 servers.
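The DNS tunneling mentioned above is one of the more detectable parts of such a toolchain, because a client that smuggles data through DNS must encode it into query names that look nothing like ordinary hostnames. The script below is an added example written for this article, not code from Check Point or from the AK47DNS client: it applies generic tunneling heuristics (long labels, high per-label entropy, payload-carrying record types, many distinct subdomains per domain) to a constructed DNS query log. The log format, the thresholds and the domains in the sample are assumptions chosen for illustration; nothing here describes the real AK47DNS protocol.

```python
"""Heuristic triage of DNS query logs for tunnelling-style C2 traffic.

Added example: not code from the Check Point report or the AK47DNS client.
The log format, thresholds and sample domains below are assumptions.
"""
import math
from collections import Counter, defaultdict

# Constructed sample log: "<timestamp> <client_ip> <qtype> <qname>" (not real traffic).
SAMPLE_DNS_LOG = """\
2025-04-12T09:00:01Z 10.0.0.15 A www.example.com
2025-04-12T09:00:02Z 10.0.0.15 A mail.example.com
2025-04-12T09:00:03Z 10.0.0.22 TXT 5a6b3c2d1e0f9a8b7c6d5e4f3a2b1c0d.9f8e7d6c5b4a39281706f5e4d3c2b1a0.cmd-relay.test
2025-04-12T09:00:04Z 10.0.0.22 TXT 0a1b2c3d4e5f60718293a4b5c6d7e8f9.f0e1d2c3b4a5968778695a4b3c2d1e0f.cmd-relay.test
2025-04-12T09:00:05Z 10.0.0.22 TXT 7f6e5d4c3b2a19080f1e2d3c4b5a6978.1a2b3c4d5e6f708192a3b4c5d6e7f809.cmd-relay.test
2025-04-12T09:00:06Z 10.0.0.15 A cdn.example.com
"""

# Assumed thresholds: legitimate hostnames are rarely this long or this random.
LONG_LABEL = 24                         # characters in a single DNS label
HIGH_ENTROPY = 3.0                      # bits/char; hex-encoded data lands near 3.5-4.0
DATA_QTYPES = {"TXT", "NULL", "CNAME"}  # record types that comfortably carry payloads
MIN_FLAGGED_QUERIES = 2                 # flagged queries per (client, domain) to alert


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; 0.0 for an empty or single-symbol string."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def registered_domain(qname: str) -> str:
    """Naive registrable domain: the last two labels. Production code should
    consult the Public Suffix List so 'example.co.uk' is not cut to 'co.uk'."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def query_signals(qtype: str, qname: str) -> list:
    """Return the tunnelling indicators present in a single query."""
    subdomain_labels = qname.rstrip(".").split(".")[:-2]
    signals = []
    if any(len(lbl) >= LONG_LABEL for lbl in subdomain_labels):
        signals.append("long_label")
    if any(shannon_entropy(lbl) >= HIGH_ENTROPY for lbl in subdomain_labels):
        signals.append("high_entropy_label")
    if qtype.upper() in DATA_QTYPES:
        signals.append("data_qtype")
    return signals


def analyze(log_text: str) -> dict:
    """Aggregate flagged queries per (client, registrable domain): count,
    distinct subdomains observed and the union of signals seen."""
    channels = defaultdict(lambda: {"flagged": 0, "subdomains": set(), "signals": set()})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than crash the triage run
        _ts, client, qtype, qname = parts
        signals = query_signals(qtype, qname)
        if not signals:
            continue
        domain = registered_domain(qname)
        entry = channels[(client, domain)]
        entry["flagged"] += 1
        entry["subdomains"].add(qname.rstrip(".")[: -len(domain) - 1])
        entry["signals"].update(signals)
    return dict(channels)


def suspicious_channels(channels: dict) -> list:
    """(client, domain) pairs with enough flagged queries carrying distinct
    subdomains, i.e. each query appears to move new data."""
    return sorted(
        key for key, e in channels.items()
        if e["flagged"] >= MIN_FLAGGED_QUERIES
        and len(e["subdomains"]) >= MIN_FLAGGED_QUERIES
    )


if __name__ == "__main__":
    found = analyze(SAMPLE_DNS_LOG)
    for client, domain in suspicious_channels(found):
        e = found[(client, domain)]
        print(f"{client} -> {domain}: {e['flagged']} flagged queries, "
              f"signals={sorted(e['signals'])}")
```

Run against a day of resolver logs, the same aggregation is what separates a tunnel from the occasional long CDN hostname: a single odd label is noise, but dozens of distinct high-entropy subdomains under one registrable domain from one client is a channel worth pulling the packet capture for.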
It is worth noting that while the Storm-2603 group's goals remain unclear, their tactics are reminiscent of those used by other nation-state actors. The use of similar infrastructure and tools, including DNS tunneling and HTTP-based backdoors, has helped researchers connect this actor to earlier campaigns involving LockBit Black and Warlock/X2anylock ransomware.
In April 2025, Check Point found an uploaded MSI installer that deployed Warlock and LockBit ransomware and dropped VMToolsEng.exe, a custom antivirus killer that uses a BYOVD (Bring Your Own Vulnerable Driver) technique. This highlights the group's ability to adapt and evolve its tactics in response to a changing security landscape.
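BYOVD tooling like the antivirus killer described here (the ServiceMouse.sys abuse above and VMToolsEng.exe in this paragraph) leaves a characteristic footprint: a kernel driver that is validly signed but by an unexpected vendor, loaded from a path where drivers do not normally live, followed shortly by security-product processes dying on the same host. The script below is an added example for this article, not Check Point's detection logic or anything from the actor's tooling. It correlates constructed driver-load and process-termination events modelled loosely on Sysmon's DriverLoad (Event ID 6) and ProcessTerminate (Event ID 5) records; the field layout, the signer allowlist, the driver directory, the protected process names and the 60-second window are all assumptions to adjust for your own fleet. ServiceMouse.sys is the only abused-driver name taken from the article; in practice the list would be populated from a maintained source such as the LOLDrivers project.

```python
"""Triage of driver-load telemetry for BYOVD-style antivirus killers.

Added example: not Check Point's detection logic or the VMToolsEng.exe tool.
The event format, allowlists, paths and process names are assumptions.
"""
from datetime import datetime, timedelta

# Constructed telemetry (not real events), one flat dict per event, modelled
# loosely on Sysmon DriverLoad (ID 6) and ProcessTerminate (ID 5) fields.
SAMPLE_EVENTS = [
    {"time": "2025-04-12T10:00:00Z", "host": "ws-01", "type": "DriverLoad",
     "image": "C:\\Windows\\System32\\drivers\\ndis.sys",
     "signer": "Microsoft Windows", "status": "Valid"},
    {"time": "2025-04-12T10:05:00Z", "host": "ws-07", "type": "DriverLoad",
     "image": "C:\\ProgramData\\VMTools\\ServiceMouse.sys",   # constructed path
     "signer": "Antiy Labs", "status": "Valid"},
    {"time": "2025-04-12T10:05:03Z", "host": "ws-07", "type": "ProcessTerminate",
     "image": "C:\\Program Files\\SecVendor\\edr-agent.exe"},
    {"time": "2025-04-12T10:05:04Z", "host": "ws-07", "type": "ProcessTerminate",
     "image": "C:\\Program Files\\SecVendor\\av-scanner.exe"},
    {"time": "2025-04-12T10:20:00Z", "host": "ws-03", "type": "ProcessTerminate",
     "image": "C:\\Program Files\\SecVendor\\edr-agent.exe"},
]

# Driver file names known to be abused. ServiceMouse.sys comes from the report;
# feed the rest from a maintained list (e.g. LOLDrivers) rather than by hand.
KNOWN_ABUSED_DRIVERS = {"servicemouse.sys"}
# Signers this organisation expects to see loading kernel drivers (assumption).
EXPECTED_SIGNERS = {"Microsoft Windows",
                    "Microsoft Windows Hardware Compatibility Publisher"}
# Directories where legitimately installed drivers live (assumption).
DRIVER_DIRS = ("c:\\windows\\system32\\drivers\\",)
# Security-product binaries whose termination is unexpected (constructed names).
PROTECTED_PROCESSES = {"edr-agent.exe", "av-scanner.exe"}
# How soon after the driver load a kill must happen to be tied to it.
CORRELATION_WINDOW = timedelta(seconds=60)


def parse_time(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def driver_signals(ev: dict) -> list:
    """Indicators that a driver load is worth a second look. Note that a
    'Valid' signature status is not reassuring here: BYOVD relies on it."""
    signals = []
    if basename(ev["image"]) in KNOWN_ABUSED_DRIVERS:
        signals.append("known_abused_driver")
    if not ev["image"].lower().startswith(DRIVER_DIRS):
        signals.append("unusual_path")
    if ev["signer"] not in EXPECTED_SIGNERS:
        signals.append("unexpected_signer")
    return signals


def correlate(events: list) -> list:
    """One alert per suspicious driver load, listing the protected processes
    that terminated on the same host within CORRELATION_WINDOW afterwards."""
    loads = [e for e in events if e["type"] == "DriverLoad"]
    terms = [e for e in events if e["type"] == "ProcessTerminate"]
    alerts = []
    for load in loads:
        signals = driver_signals(load)
        if not signals:
            continue
        t0 = parse_time(load["time"])
        killed = sorted({
            basename(t["image"]) for t in terms
            if t["host"] == load["host"]
            and basename(t["image"]) in PROTECTED_PROCESSES
            and t0 <= parse_time(t["time"]) <= t0 + CORRELATION_WINDOW
        })
        alerts.append({
            "host": load["host"], "driver": load["image"], "signals": signals,
            "killed": killed, "severity": "high" if killed else "medium",
        })
    return alerts


if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS):
        print(f"[{a['severity']}] {a['host']}: {a['driver']} "
              f"signals={a['signals']} killed={a['killed']}")
```

The unusual-path and unexpected-signer checks catch a vulnerable driver before it appears on any blocklist; the process-termination correlation is what turns a medium-severity "odd driver" event into a high-severity "security tooling is being killed" alert. The stray termination on ws-03 in the sample deliberately produces nothing, since this rule only speaks when a suspicious driver load precedes the kills; a separate rule on protected-process terminations would cover that case.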
The revelation of the Storm-2603 APT group adds another layer of complexity to the global cybersecurity landscape, as threat actors continue to push the boundaries of what is possible with malware and C2 frameworks. Researchers and security professionals must stay vigilant and adapt their defenses in response to emerging threats like this one.
Related Information:
https://www.ethicalhackingnews.com/articles/The-Storm-2603-APT-Group-Unpacking-the-Tools-and-Tactics-of-a-Sophisticated-Chinese-Threat-Actor-ehn.shtml
https://securityaffairs.com/180657/apt/toolshell-under-siege-check-point-analyzes-chinese-apt-storm-2603.html
Published: Fri Aug 1 07:08:16 2025 by llama3.2 3B Q4_K_M