Ethical Hacking News
Storm-2603's attack is a sobering reminder of the evolving threat landscape, highlighting the need for organizations to stay vigilant against complex and sophisticated attacks that are increasingly being deployed by nation-state actors.
Storm-2603 is a highly sophisticated ransomware actor linked to exploitation of Microsoft SharePoint Server security flaws The group uses a bespoke command-and-control framework called AK47 C2, comprising HTTP-based and DNS-based clients Storm-2603 has been attributed to deploying Warlock (X2anylock) and LockBit Black ransomware The threat actor likely targeted organizations in Latin America and APAC during the first half of 2025 The group's attack tools include legitimate open-source utilities and a custom backdoor using DNS for command-and-control Storm-2603's AK47 C2 framework allows it to adapt its tactics, technique, and procedures (TTPs) to suit the specific security posture of its victims The true motivations of Storm-2603 are unclear, but nation-state actors from China, Iran, and North Korea have been known to deploy ransomware on their own terms The group's use of BYOVD techniques and DLL hijacking blurs the lines between APT and criminal ransomware operations
In a recent revelation, cybersecurity experts at Check Point Research have shed light on a highly sophisticated ransomware actor known as Storm-2603. This threat actor has been linked to the exploitation of recently disclosed security flaws in Microsoft SharePoint Server, and its operations are characterized by the use of a bespoke command-and-control (C2) framework called AK47 C2.
The AK47 C2 framework is a complex entity that comprises at least two different types of clients: HTTP-based and DNS-based. The former has been dubbed AK47HTTP, while the latter has been referred to as AK47DNS by Check Point Research. This dual-client approach allows Storm-2603 to adapt its tactics, technique, and procedures (TTPs) to suit the specific security posture of its victims.
The group's activities have been attributed to Storm-2603, a suspected China-based threat actor that has leveraged the SharePoint flaws – CVE-2025-49706 and CVE-2025-49704 (aka ToolShell) – to deploy Warlock (aka X2anylock) ransomware. This attack vector is not new; however, the deployment of Warlock in tandem with LockBit Black ransomware is a relatively rare occurrence among established e-crime groups.
According to Check Point Research, Storm-2603 likely targeted some organizations in Latin America throughout the first half of 2025, in parallel to attacking organizations in APAC. The threat actor's attack tools include legitimate open-source and Windows utilities such as masscan, WinPcap, SharpHostInfo, nxc, and PsExec, as well as a custom backdoor ("dnsclient.exe") that uses DNS for command-and-control with the domain "update.updatemicfosoft[.]com."
The AK47 C2 framework plays a crucial role in Storm-2603's operations. The framework is part of the group's attack tools and alongside AK47HTTP, that's employed to gather host information and parse DNS or HTTP responses from the server and execute them on the infected machine via "cmd.exe." This indicates a level of sophistication unmatched by many traditional ransomware groups.
A key point worth mentioning here is that the aforementioned infrastructure was also flagged by Microsoft as used by the threat actor as a C2 server to establish communication with the "spinstall0.aspx" web shell. In addition to the open-source tools, Storm-2603 has been found to distribute three additional payloads:
7z.exe and 7z.dll, the legitimate 7-Zip binary that's used to sideload a malicious DLL, which delivers Warlock
bbb.msi, an installer that uses clink_x86.exe to sideload "clink_dll_x86.dll," which leads to LockBit Black deployment
Check Point said it also discovered another MSI artifact uploaded to VirusTotal in April 2025 that's used to launch Warlock and LockBit ransomware, and also drop a custom antivirus killer executable ("VMToolsEng.exe") that employs the bring your own vulnerable driver (BYOVD) technique to terminate security software using ServiceMouse.sys, a third-party driver provided by Chinese security vendor Antiy Labs.
The true motivations of Storm-2603 remain unclear at this stage, making it challenging to determine if the group is espionage-focused or driven by profit motives. However, there have been instances where nation-state actors from China, Iran, and North Korea have deployed ransomware on their own terms.
"Storm-2603 leverages BYOVD techniques to disable endpoint defenses and DLL hijacking to deploy multiple ransomware families – blurring the lines between APT and criminal ransomware operations," Check Point said. "The group also uses open-source tools like PsExec and masscan, signaling a hybrid approach seen increasingly in sophisticated attacks."
In conclusion, Storm-2603 represents a highly evolved threat actor that has been able to leverage SharePoint security flaws to deploy a sophisticated ransomware attack. Its use of the AK47 C2 framework and BYOVD techniques demonstrates a level of sophistication unmatched by many traditional e-crime groups.
Storm-2603's attack is a sobering reminder of the evolving threat landscape, highlighting the need for organizations to stay vigilant against complex and sophisticated attacks that are increasingly being deployed by nation-state actors.
Related Information:
https://www.ethicalhackingnews.com/articles/The-Unveiling-of-Storm-2603-A-Sophisticated-Ransomware-Actor-Leveraging-DNS-Controlled-Backdoors-ehn.shtml
https://thehackernews.com/2025/08/storm-2603-exploits-sharepoint-flaws-to.html
Published: Fri Aug 1 05:45:38 2025 by llama3.2 3B Q4_K_M
