
ToolShell under siege: Check Point analyzes Chinese APT Storm-2603

Storm-2603 group exploits SharePoint flaws and uses a custom C2 framework, AK47 C2, with HTTP- and DNS-based variants named AK47HTTP and AK47DNS.

Check Point Research is tracking a ToolShell campaign exploiting four Microsoft SharePoint flaws, linking it to China-nexus groups APT27, APT31, and a new cluster, Storm-2603. The researchers pointed out that Storm-2603’s goals remain unclear.

Storm-2603 uses the AK47 C2 framework with two custom backdoors, respectively named AK47DNS and AK47HTTP. AK47DNS uses DNS queries to communicate with a fake C2 domain (update.micfosoft[.]com), encoding data via XOR and hex. AK47HTTP uses plain HTTP POSTs, sending XOR-encrypted JSON blobs. Both implants hide their windows, gather hostnames, and execute commands using cmd.exe, sending results back to the C2.
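A defender-side way to use the details above: the script below, added here as an example and not code from Check Point or from the article, scans DNS query logs for the two signals the report gives for AK47DNS, queries to the update.micfosoft[.]com domain and long hex-only labels of the kind that would carry XOR-and-hex-encoded beacon data. The log format, the sample lines, the 16-character minimum label length and the entropy threshold are all assumptions made for the example.

```python
import math
import re

# Constructed sample DNS query log (not from the Check Point report).
# Format assumed here: "<timestamp> <client_ip> <qname> <qtype>", one query per line.
# update.micfosoft.com is the (defanged in the article) AK47DNS C2 domain;
# the hex labels are made-up values standing in for encoded beacon data.
SAMPLE_DNS_LOG = """\
2025-03-12T10:00:01Z 10.0.0.5 www.microsoft.com A
2025-03-12T10:00:02Z 10.0.0.5 4a6f686e2d50433b323032352d30332d3132.update.micfosoft.com TXT
2025-03-12T10:00:03Z 10.0.0.7 mail.example.org MX
2025-03-12T10:00:04Z 10.0.0.5 deadbeefcafe0123456789abcdef00112233445566778899aabbccddeeff.update.micfosoft.com TXT
2025-03-12T10:00:05Z 10.0.0.9 cdn.example.net A
2025-03-12T10:00:06Z 10.0.0.7 0000000000000000.example.org A
"""

# Known C2 domains taken from the report (refanged so the suffix check works).
KNOWN_C2_DOMAINS = ("update.micfosoft.com",)

# A label made only of hex digits and at least this long is rare in legitimate names.
HEX_LABEL = re.compile(r"^[0-9a-f]{16,}$")
MIN_LABEL_ENTROPY = 2.5  # bits per character (assumed); drops padding-like labels such as 000...0


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character of text (0.0 for empty or single-symbol strings)."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def has_hex_tunnel_label(qname: str) -> bool:
    """True if any DNS label of qname looks like hex-encoded payload data."""
    for label in qname.lower().split("."):
        if HEX_LABEL.match(label) and shannon_entropy(label) >= MIN_LABEL_ENTROPY:
            return True
    return False


def matches_known_c2(qname: str) -> bool:
    """True if qname is, or is a subdomain of, a domain from the C2 list."""
    q = qname.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in KNOWN_C2_DOMAINS)


def parse_line(line: str):
    """Split one log line into its fields; returns None for lines that do not fit the format."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, client, qname, qtype = parts
    return {"ts": ts, "client": client, "qname": qname, "qtype": qtype}


def scan_dns_log(log_text: str):
    """Return (client, qname, reasons) for each query that deserves analyst attention."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = []
        if matches_known_c2(rec["qname"]):
            reasons.append("query to known AK47DNS C2 domain")
        if has_hex_tunnel_label(rec["qname"]):
            reasons.append("long high-entropy hex label (possible encoded beacon data)")
        if reasons:
            hits.append((rec["client"], rec["qname"], reasons))
    return hits


if __name__ == "__main__":
    for client, qname, reasons in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"{client} -> {qname}: {'; '.join(reasons)}")
```

The domain match is the high-confidence signal; the hex-label heuristic is there to catch the same tunnelling technique on infrastructure that is not yet on a block list, so it should feed a triage queue rather than block on its own.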

“Storm-2603 utilizes a custom malware Command and Control (C2) framework dubbed internally by the attacker as ‘ak47c2’. This framework includes at least two different types of clients: HTTP-based (dubbed by us ‘ak47http’) and DNS-based (dubbed by us ‘ak47dns’),” reads the report.

Storm-2603 deployed multiple ransomware types in recent attacks, including LockBit Black and a variant using the .x2anylock extension, linked to the Warlock group. The group employed a key tool named Antivirus Terminator, a command-line utility leveraging a signed Antiy Labs driver to kill processes. It installs a service (ServiceMouse) and uses specific IO control codes to terminate processes, delete files, or uninstall drivers, highlighting a sophisticated method to evade defenses and ensure ransomware deployment success.

Storm-2603 targeted some organizations in Latin America and APAC in the first half of 2025.

Storm-2603 uses a mix of open-source tools (masscan, WinPcap, PsExec) and custom malware like dnsclient.exe, part of the AK47 C2 framework, to gather host data and execute commands via DNS or HTTP. Microsoft linked their C2 domain to a SharePoint web shell. They also sideload DLLs through legitimate apps like 7-Zip and clink.exe to deploy Warlock and LockBit Black ransomware.

In April 2025, Check Point found an uploaded MSI installer that deploys Warlock and LockBit ransomware and drops VMToolsEng.exe, a custom antivirus killer that uses a BYOVD (bring your own vulnerable driver) tactic. It abuses ServiceMouse.sys, a signed driver from the Chinese vendor Antiy Labs, to disable security tools. Storm-2603’s goals remain unclear, though similar ransomware use has been seen in past nation-state attacks.
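The two BYOVD paragraphs above give a defender enough to write a service-installation check. The script below is an added example, not code from Check Point or from the article: it walks Windows System log records in the shape of Service Control Manager Event ID 7045 ("A service was installed in the system") and flags a kernel driver service whose name matches the ServiceMouse service the report describes, or whose image lives outside the usual drivers directory. The event records are constructed and simplified to one dict each; the trusted-directory list and the field names are assumptions for the example.

```python
# Constructed Windows System log records in the shape of Event ID 7045, reduced to
# one dict per event. These are made-up samples, not data from the Check Point report;
# ServiceMouse / ServiceMouse.sys are the service and driver the report attributes to
# the Antivirus Terminator tool, the other entries are ordinary or merely suspicious.
SAMPLE_EVENTS = [
    {"EventID": 7045, "ServiceName": "ServiceMouse",
     "ImagePath": "C:\\Users\\Public\\ServiceMouse.sys",
     "ServiceType": "kernel mode driver", "StartType": "demand start"},
    {"EventID": 7045, "ServiceName": "Spooler",
     "ImagePath": "C:\\Windows\\System32\\spoolsv.exe",
     "ServiceType": "user mode service", "StartType": "auto start"},
    {"EventID": 7045, "ServiceName": "vmci",
     "ImagePath": "\\??\\C:\\Windows\\System32\\drivers\\vmci.sys",
     "ServiceType": "kernel mode driver", "StartType": "system start"},
    {"EventID": 7045, "ServiceName": "UpdHelper",
     "ImagePath": "C:\\ProgramData\\UpdHelper\\updhelper.sys",
     "ServiceType": "kernel mode driver", "StartType": "demand start"},
    {"EventID": 4624},  # unrelated logon event, must be ignored
]

# Driver service names the report ties to the BYOVD tool; extend from vendor driver block lists.
KNOWN_ABUSED_DRIVER_SERVICES = {"servicemouse"}
# Where a legitimately installed kernel driver is expected to live (assumed for the example).
TRUSTED_DRIVER_DIRS = ("c:\\windows\\system32\\drivers\\",)


def normalize_path(raw: str) -> str:
    """Lower-case the image path and strip quotes and the NT \\??\\ prefix that drivers often carry."""
    p = raw.strip().strip('"')
    if p.startswith("\\??\\"):
        p = p[4:]
    return p.lower()


def assess_service_install(evt: dict) -> list:
    """Return the reasons a 7045 record is suspicious (empty list if it is not)."""
    if evt.get("EventID") != 7045:
        return []
    name = (evt.get("ServiceName") or "").lower()
    path = normalize_path(evt.get("ImagePath") or "")
    file_name = path.rsplit("\\", 1)[-1]
    is_driver = ("kernel mode driver" in (evt.get("ServiceType") or "").lower()
                 or path.endswith(".sys"))
    reasons = []
    if name in KNOWN_ABUSED_DRIVER_SERVICES or file_name in {n + ".sys" for n in KNOWN_ABUSED_DRIVER_SERVICES}:
        reasons.append("service or driver name matches a known abused driver")
    if is_driver and not path.startswith(TRUSTED_DRIVER_DIRS):
        reasons.append("kernel driver installed from outside System32\\drivers")
    return reasons


def scan_events(events: list) -> list:
    """Return (ServiceName, reasons) for every event that assess_service_install flags."""
    hits = []
    for evt in events:
        reasons = assess_service_install(evt)
        if reasons:
            hits.append((evt.get("ServiceName"), reasons))
    return hits


if __name__ == "__main__":
    for name, reasons in scan_events(SAMPLE_EVENTS):
        print(f"{name}: {'; '.join(reasons)}")
```

The name match is the report-specific indicator; the directory check is the generic one, because a signed but abusable driver can be renamed, while a driver started from a user-writable path is unusual enough on most fleets to be worth a look regardless of its name.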

“While some of the exploitation activity was tied to known Chinese APT groups, Storm-2603 stood out as a previously undocumented group linked to ransomware deployment. By examining infrastructure indicators shared in public reporting, we were able to connect this actor to earlier campaigns involving LockBit Black and Warlock/X2anylock ransomware, dating back to at least March 2025,” concludes the report. “These earlier attacks used similar infrastructure and tools, including DNS tunneling and HTTP-based backdoors. Interestingly, multiple ransomware variants were deployed in the same attack. This behavior, along with the overlap in techniques, helps us better understand how Storm-2603 operates.”

Pierluigi Paganini

(SecurityAffairs – hacking, Storm-2603)