Storm-2603 group exploits SharePoint flaws and uses a custom C2 framework, AK47 C2, with HTTP- and DNS-based variants named AK47HTTP and AK47DNS.
Check Point Research is tracking a ToolShell campaign exploiting four Microsoft SharePoint flaws, linking it to China-nexus groups APT27, APT31, and a new cluster, Storm-2603. The researchers pointed out that Storm-2603’s goals remain unclear.
Storm-2603 uses the AK47 C2 framework with two custom backdoors, respectively named AK47DNS and AK47HTTP. AK47DNS uses DNS queries to communicate with a fake C2 domain (update.micfosoft[.]com), encoding data via XOR and hex. AK47HTTP uses plain HTTP POSTs, sending XOR-encrypted JSON blobs. Both implants hide their windows, gather hostnames, and execute commands using cmd.exe, sending results back to the C2.
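As an added illustration (not code from the Check Point report or from this article), a small Python triage script in the spirit of the DNS variant: it flags resolver log entries that either go to the named C2 domain or carry a long hex-encoded leading label, then brute-forces a single-byte XOR key over such a label to recover readable content. The log format, the hostnames, the single-byte key model and the 0x2a key used to build the sample are all constructed assumptions; the report states only that AK47DNS encodes data with XOR and hex.

```python
import re

# Constructed sample resolver log (hypothetical "<timestamp> <client> <qname>" format), not data from the report.
# The C2 query's leading label is "WIN-FIN01" XORed with the constructed key 0x2a, then hex-encoded.
SAMPLE_DNS_LOG = """\
2025-07-22T10:00:01Z 10.0.0.5 www.microsoft.com
2025-07-22T10:00:02Z 10.0.0.5 7d6364076c63641a1b.update.micfosoft.com
2025-07-22T10:00:03Z 10.0.0.7 mail.example.org
2025-07-22T10:00:04Z 10.0.0.9 00112233445566778899aabb.cdn.example.net
"""

# The fake C2 domain named in the report (shown there defanged as micfosoft[.]com).
C2_DOMAIN = "update.micfosoft.com"
# A long, purely hexadecimal leading label is the fingerprint of hex-encoded tunnelled data.
HEX_LABEL = re.compile(r"^[0-9a-f]{12,}$")
# Characters expected in a decoded hostname; used to score candidate XOR keys.
HOSTNAME_CHARS = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-")


def suspicious_queries(log_text):
    """Return (client, qname, reason) for queries to the C2 domain or carrying hex-encoded labels."""
    hits = []
    for line in log_text.splitlines():
        _ts, client, qname = line.split()
        labels = qname.lower().split(".")
        if qname.lower().endswith("." + C2_DOMAIN):
            hits.append((client, qname, "known AK47DNS C2 domain"))
        elif HEX_LABEL.match(labels[0]):
            hits.append((client, qname, "long hex-encoded leading label"))
    return hits


def xor_hex_decode(hex_label, key):
    """Undo the hex-then-XOR encoding for one candidate single-byte key."""
    return bytes(b ^ key for b in bytes.fromhex(hex_label))


def guess_single_byte_xor(hex_label):
    """Assumes a single-byte XOR key (an assumption; the report gives no key details).
    Tries every key and returns (key, plaintext) for the decode that looks most like a hostname."""
    def score(key):
        return sum(chr(b) in HOSTNAME_CHARS for b in xor_hex_decode(hex_label, key))
    best = max(range(256), key=score)
    return best, xor_hex_decode(hex_label, best).decode("latin-1")


if __name__ == "__main__":
    for client, qname, reason in suspicious_queries(SAMPLE_DNS_LOG):
        print(f"{client} -> {qname}: {reason}")
        key, text = guess_single_byte_xor(qname.split(".")[0])
        print(f"  best single-byte XOR key 0x{key:02x}: {text!r}")
```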
“Storm-2603 utilizes a custom malware Command and Control (C2) framework dubbed internally by the attacker as ‘ak47c2’. This framework includes at least two different types of clients: HTTP-based (dubbed by us ‘ak47http’) and DNS-based (dubbed by us ‘ak47dns’),” reads the report.
Storm-2603 deployed multiple ransomware types in recent attacks, including LockBit Black and a variant using the .x2anylock extension, linked to the Warlock group. The group employed a key tool named Antivirus Terminator, a command-line utility leveraging a signed Antiy Labs driver to kill processes. It installs a service (ServiceMouse) and uses specific IO control codes to terminate processes, delete files, or uninstall drivers, a sophisticated method to evade defenses and ensure the ransomware deployment succeeds.
Storm-2603 targeted some organizations in Latin America and APAC in the first half of 2025.
Storm-2603 uses a mix of open-source tools (masscan, WinPcap, PsExec) and custom malware like dnsclient.exe, part of the AK47 C2 framework, to gather host data and execute commands via DNS or HTTP. Microsoft linked their C2 domain to a SharePoint web shell. They also sideload DLLs through legitimate apps like 7-Zip and clink.exe to deploy Warlock and LockBit Black ransomware.

In April 2025, Check Point found an uploaded MSI that deploys Warlock and LockBit ransomware and drops VMToolsEng.exe, a custom antivirus killer using a BYOVD (bring your own vulnerable driver) tactic. It abuses ServiceMouse.sys, a signed driver from Chinese vendor Antiy Labs, to disable security tools. Storm-2603’s goals remain unclear, though similar ransomware use has been seen in past nation-state attacks.
“While some of the exploitation activity was tied to known Chinese APT groups, Storm-2603 stood out as a previously undocumented group linked to ransomware deployment. By examining infrastructure indicators shared in public reporting, we were able to connect this actor to earlier campaigns involving LockBit Black and Warlock/X2anylock ransomware, dating back to at least March 2025,” concludes the report. “These earlier attacks used similar infrastructure and tools, including DNS tunneling and HTTP-based backdoors. Interestingly, multiple ransomware variants were deployed in the same attack. This behavior, along with the overlap in techniques, helps us better understand how Storm-2603 operates.”
Pierluigi Paganini
(SecurityAffairs – hacking, Storm-2603)