Storm-2603 Exploits SharePoint Flaws to Deliver Dual Ransomware via DNS-Controlled Backdoor

A sophisticated and likely China-based threat actor, tracked as Storm-2603, has emerged at the forefront of recent cyberattacks exploiting critical Microsoft SharePoint Server vulnerabilities. Leveraging flaws identified as CVE-2025-49706 and CVE-2025-49704 (collectively known as the ToolShell exploits), Storm-2603 has orchestrated a wave of attacks deploying both Warlock (a.k.a. X2anylock) and LockBit Black ransomware.

Innovative Command and Control Infrastructure

Central to these campaigns is a custom command-and-control (C2) framework dubbed AK47 C2. This platform leverages two primary client types:

  • AK47HTTP: Facilitates C2 communications over HTTP.
  • AK47DNS: Uses DNS tunneling (via a component named dnsclient.exe) to discreetly communicate with domains such as update.updatemicfosoft[.]com.
    This DNS-based method provides enhanced stealth, enabling the actor to bypass conventional network security controls.
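As an added illustration (not part of the original report), the following Python script shows how a defender can surface DNS-tunneling traffic of the kind described above from resolver logs. The log format, the thresholds and the sample queries are constructed assumptions; the only value taken from the report is the domain updatemicfosoft[.]com, written undefanged so it matches. A single TXT lookup is not flagged on its own, since legitimate SPF and DKIM lookups use TXT records; a query is reported only when it hits a known C2 domain or at least two heuristics at once.

```python
import math
from collections import Counter, defaultdict

# Constructed resolver log in a simplified "timestamp client qtype qname" format
# (hypothetical; real resolver log formats vary).
SAMPLE_DNS_LOG = """\
2025-06-01T10:00:01Z 10.0.0.5 A www.example.com
2025-06-01T10:00:02Z 10.0.0.5 A mail.example.com
2025-06-01T10:00:03Z 10.0.0.7 TXT 6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d.update.updatemicfosoft.com
2025-06-01T10:00:04Z 10.0.0.7 TXT 3f9e8d7c6b5a4f3e2d1c0b9a8f7e6d5c.update.updatemicfosoft.com
2025-06-01T10:00:05Z 10.0.0.7 TXT 9c8b7a6f5e4d3c2b1a0f9e8d7c6b5a4f.update.updatemicfosoft.com
2025-06-01T10:00:06Z 10.0.0.7 A cdn.example.com
2025-06-01T10:00:07Z 10.0.0.5 TXT example.com
"""

KNOWN_C2_DOMAINS = {"updatemicfosoft.com"}   # domain named in the report (defanged there)
BULK_RECORD_TYPES = {"TXT", "NULL"}          # record types that can carry arbitrary payload bytes
MAX_LABEL_LEN = 30                           # assumption: tune for your environment
MIN_LABEL_ENTROPY = 3.5                      # bits per character; assumption, tune as above


def shannon_entropy(s):
    """Bits of entropy per character; encoded payload labels score far higher than words."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def registered_domain(qname):
    """Last two labels of the name (simplification; use a public-suffix list in production)."""
    return ".".join(qname.rstrip(".").split(".")[-2:])


def parse_line(line):
    """Parse one constructed log line into a record, or None if it does not fit the format."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, client, qtype, qname = parts
    return {"ts": ts, "client": client, "qtype": qtype.upper(), "qname": qname.lower()}


def score_query(rec):
    """Return the list of tunneling indicators a single query matches."""
    reasons = []
    leftmost = rec["qname"].rstrip(".").split(".")[0]
    if len(leftmost) > MAX_LABEL_LEN:
        reasons.append("long_label")
    if shannon_entropy(leftmost) > MIN_LABEL_ENTROPY:
        reasons.append("high_entropy_label")
    if rec["qtype"] in BULK_RECORD_TYPES:
        reasons.append("bulk_record_type")
    if registered_domain(rec["qname"]) in KNOWN_C2_DOMAINS:
        reasons.append("known_c2_domain")
    return reasons


def analyze(log_text, min_suspicious=3):
    """Return (flagged queries, (client, domain) pairs with >= min_suspicious flagged queries)."""
    flagged = []
    per_pair = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = score_query(rec)
        # A known C2 domain is enough on its own; otherwise require two heuristics
        # so a lone TXT lookup (SPF, DKIM) does not page anyone.
        if "known_c2_domain" in reasons or len(reasons) >= 2:
            flagged.append((rec, reasons))
            per_pair[(rec["client"], registered_domain(rec["qname"]))] += 1
    suspects = {pair: n for pair, n in per_pair.items() if n >= min_suspicious}
    return flagged, suspects


if __name__ == "__main__":
    flagged, suspects = analyze(SAMPLE_DNS_LOG)
    for rec, reasons in flagged:
        print(rec["ts"], rec["client"], rec["qname"], ",".join(reasons))
    for (client, domain), n in suspects.items():
        print(f"possible DNS tunnel: {client} -> {domain} ({n} suspicious queries)")
```

On the constructed sample this reports the three TXT queries from 10.0.0.7 and rolls them up into one suspect pair, while the plain `example.com` TXT lookup stays quiet. Because the hex labels in real tunnels change with every query, per-client volume to a single registered domain is the signal that survives once the actor rotates domains; the known-domain match is only a convenience for the indicator the report already published.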

Sophisticated Arsenal and Attack Chain

Storm-2603 employs a hybrid toolkit, seamlessly blending open-source and native Windows utilities with custom-developed malware. Key tools observed include:

  • masscan (network scanning)
  • WinPcap (packet capture)
  • SharpHostInfo (host reconnaissance)
  • nxc (custom reconnaissance)
  • PsExec (lateral movement)

A notable tactic involves DLL hijacking and sideloading. Attackers drop legitimate executables (such as 7z.exe and related dynamic link libraries) and use maliciously crafted DLLs to load ransomware payloads. For LockBit Black deployment, a malicious MSI installer (bbb.msi) orchestrates the sideloading process, ensuring stealthy delivery.

The group also utilizes a “bring your own vulnerable driver” (BYOVD) approach. By leveraging a legitimate but vulnerable driver (ServiceMouse.sys from Antiy Labs) through a custom executable (VMToolsEng.exe), Storm-2603 terminates endpoint security solutions, clearing the way for ransomware execution.
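As an added example (not code from the report or from any vendor), the script below triages simplified endpoint telemetry for the two techniques just described: an unsigned DLL loaded by a signed executable from the same user-writable directory (the 7z.exe sideload pattern) and a known vulnerable driver loaded from outside the system directories (the ServiceMouse.sys BYOVD step). The event shape is modelled loosely on Sysmon event IDs 7 and 6 but uses simplified field names, the sample events are constructed, the driver hash is a placeholder, and the trusted-directory list is an assumption to extend per environment.

```python
import json
from pathlib import PureWindowsPath

# Driver name the report ties to the BYOVD step. A production list should also carry
# file hashes from a maintained vulnerable-driver blocklist (placeholder below).
VULNERABLE_DRIVER_NAMES = {"servicemouse.sys"}
VULNERABLE_DRIVER_HASHES = {"<sha256 placeholder from your blocklist>"}

# Directories where DLLs and drivers are expected to live. Anything else is typically
# user-writable and deserves a second look (assumption; extend for your environment).
SYSTEM_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Constructed, simplified telemetry: event_id 7 = image (DLL) loaded by a process,
# event_id 6 = kernel driver loaded. Not Sysmon's exact schema.
SAMPLE_EVENTS = r"""
{"event_id": 7, "image": "C:\\Windows\\System32\\notepad.exe", "image_signed": true, "image_loaded": "C:\\Windows\\System32\\kernel32.dll", "loaded_signed": true}
{"event_id": 7, "image": "C:\\Users\\Public\\tools\\7z.exe", "image_signed": true, "image_loaded": "C:\\Users\\Public\\tools\\7z.dll", "loaded_signed": false}
{"event_id": 6, "image_loaded": "C:\\Users\\Public\\tools\\ServiceMouse.sys", "loaded_signed": true, "sha256": "0000"}
{"event_id": 6, "image_loaded": "C:\\Windows\\System32\\drivers\\tcpip.sys", "loaded_signed": true, "sha256": "1111"}
{"event_id": 7, "image": "C:\\Program Files\\7-Zip\\7z.exe", "image_signed": true, "image_loaded": "C:\\Program Files\\7-Zip\\7z.dll", "loaded_signed": true}
"""


def in_system_dir(path):
    """True when the path sits under one of the expected system directories."""
    return path.lower().startswith(SYSTEM_DIRS)


def same_directory(a, b):
    """Case-insensitive comparison of the parent directories of two Windows paths."""
    return PureWindowsPath(a).parent == PureWindowsPath(b).parent


def check_event(ev):
    """Return the list of findings for one event (empty when nothing looks wrong)."""
    findings = []
    loaded = ev.get("image_loaded", "")
    if ev.get("event_id") == 7:
        host = ev.get("image", "")
        # Sideload heuristic: a signed host binary picks up an unsigned DLL that sits
        # next to it in a directory outside the system locations.
        if (ev.get("image_signed") and not ev.get("loaded_signed")
                and same_directory(host, loaded) and not in_system_dir(host)):
            findings.append("unsigned_dll_sideload")
    elif ev.get("event_id") == 6:
        name = PureWindowsPath(loaded).name.lower()
        # BYOVD heuristic: the driver is validly signed (so it loads), but it is on the
        # known-vulnerable list, or it was dropped somewhere drivers do not belong.
        if name in VULNERABLE_DRIVER_NAMES or ev.get("sha256", "").lower() in VULNERABLE_DRIVER_HASHES:
            findings.append("known_vulnerable_driver")
        if not in_system_dir(loaded):
            findings.append("driver_outside_system_dirs")
    return findings


def triage(events_jsonl):
    """Walk a JSON-lines telemetry blob and return (line number, findings) for hits."""
    results = []
    for lineno, line in enumerate(events_jsonl.strip().splitlines(), start=1):
        findings = check_event(json.loads(line))
        if findings:
            results.append((lineno, findings))
    return results


if __name__ == "__main__":
    for lineno, findings in triage(SAMPLE_EVENTS):
        print(f"event {lineno}: {', '.join(findings)}")
```

The two checks are deliberately independent: the sideload rule fires on event 2 but not on event 5, where the same 7z.exe/7z.dll pair is signed and lives under Program Files, and the driver rule fires on event 3 twice (name match plus unexpected location) while the stock tcpip.sys passes. Signature status alone is not enough for the driver case, which is the whole point of BYOVD: the driver loads precisely because its signature is valid, so the blocklist and the load path carry the detection.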

Unconventional Multi-Ransomware Deployment

Unusually, Storm-2603 deploys both Warlock and LockBit Black ransomware variants in tandem within victim environments—a tactic rarely observed among established cybercriminal syndicates. This dual deployment maximizes disruption and potential financial gain from compromised organizations.

Targeting and Impact

Analysis of recent activity indicates a focus on organizations in Latin America and the APAC region during the first half of 2025. While the precise method of initial access remains under investigation, researchers have identified the use of a web shell (spinstall0.aspx) tied to compromised SharePoint infrastructure, linking back to Storm-2603’s operations.
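As an added example for responders (not part of the original report), the following Python script parses IIS W3C-format logs from a SharePoint front end and builds a small timeline for requests to the web shell file name the report mentions: first-seen time, request count, client addresses and status-code breakdown. The log lines, client addresses and the `/_layouts/15/` paths are constructed assumptions; only the file name spinstall0.aspx comes from the report. Matching is done on the basename, case-insensitively, so the shell is caught wherever it was written.

```python
from collections import Counter
from pathlib import PurePosixPath

WEBSHELL_NAMES = {"spinstall0.aspx"}  # file name from the report; add others as they are published

# Constructed IIS W3C-style log. The #Fields: header drives the parser, so the same
# function handles any field order an IIS server is configured to emit.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) sc-status
2025-06-01 09:58:10 10.0.0.20 GET /sites/hr/default.aspx - 443 10.0.0.50 Mozilla/5.0 200
2025-06-01 09:59:05 10.0.0.20 GET /_layouts/15/spinstall0.aspx - 443 203.0.113.9 Mozilla/5.0 200
2025-06-01 10:03:44 10.0.0.20 GET /_layouts/15/SPINSTALL0.ASPX - 443 203.0.113.9 curl/8.0 200
2025-06-01 10:05:12 10.0.0.20 GET /sites/hr/spinstall0.aspx - 443 10.0.0.50 Mozilla/5.0 404
"""


def parse_iis_w3c(text):
    """Turn an IIS W3C log into a list of dicts keyed by the names in the #Fields: line."""
    fields, records = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # header may repeat after log rotation
        elif line.startswith("#") or not line.strip():
            continue                           # other directives and blank lines
        else:
            values = line.split()              # IIS encodes spaces in values as '+'
            if len(values) == len(fields):
                records.append(dict(zip(fields, values)))
    return records


def find_webshell_hits(records, names=WEBSHELL_NAMES):
    """Summarise every request whose URI basename is a known web shell name."""
    hits = {}
    for rec in records:
        name = PurePosixPath(rec["cs-uri-stem"]).name.lower()
        if name not in names:
            continue
        h = hits.setdefault(name, {"first_seen": None, "count": 0,
                                   "clients": set(), "statuses": Counter()})
        ts = f"{rec['date']} {rec['time']}"  # ISO-style strings sort chronologically
        if h["first_seen"] is None or ts < h["first_seen"]:
            h["first_seen"] = ts
        h["count"] += 1
        h["clients"].add(rec["c-ip"])
        h["statuses"][rec["sc-status"]] += 1
    return hits


if __name__ == "__main__":
    for name, h in find_webshell_hits(parse_iis_w3c(SAMPLE_IIS_LOG)).items():
        print(f"{name}: first seen {h['first_seen']}, {h['count']} requests, "
              f"clients {sorted(h['clients'])}, statuses {dict(h['statuses'])}")
```

The first-seen timestamp bounds how far back the rest of the investigation (DNS logs, driver loads, ransomware staging) needs to reach, and the status breakdown separates successful shell use (200) from requests that never found a file. Rotate through every archived log, not just the current one, since the first successful request is usually older than the day the ransom note appeared.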

Threat Actor Profile and Motivations

Storm-2603’s campaign straddles the line between advanced persistent threat (APT)-style espionage and financially motivated e-crime. Their proficient use of BYOVD, DLL sideloading, and customized C2 frameworks points to a highly skilled and well-resourced adversary. The actor’s motivations are unclear, potentially encompassing espionage, financial extortion, or a combination thereof.
