Exploring Storm-2603's Previous Ransomware Operations

Aug. 1, 2025, 12:59 p.m.

Description

A focused analysis of Storm-2603, a threat actor linked to recent ToolShell exploitations alongside other Chinese APT groups, reveals their use of a custom malware C2 framework called 'ak47c2'. This framework includes both HTTP-based and DNS-based clients. The group likely targeted organizations in Latin America and APAC in early 2025, employing tactics similar to those of other ransomware groups. They utilize open-source tools together with a custom tool that leverages the BYOVD (Bring Your Own Vulnerable Driver) technique to disable endpoint protections. Storm-2603 attacks involve multiple ransomware families, often deployed together through DLL hijacking. The analysis uncovers their use of LockBit Black and Warlock ransomware, as well as a custom Antivirus Terminator tool that abuses a legitimate driver to kill processes.

Date

  • Created: Aug. 1, 2025, 12:29 p.m.
  • Published: Aug. 1, 2025, 12:29 p.m.
  • Modified: Aug. 1, 2025, 12:59 p.m.

Indicators

  • f06fe1c3e882092a23002bed3e170da7b64e6b4475acdedea1433a874b10afdf
  • f711b14efb7792033b7ac954ebcfaec8141eb0abafef9c17e769ff96e8fecdf3
  • f01675f9ca00da067bdb1812bf829f09ccf5658b87d3326d6fddd773df352574
  • eaec6b1b23c4450d1d0a7d409d3f21e8a4a171a9e9b82bb8ef2c05a2f7435e9c
  • dbf5ee8d232ebce4cd25c0574d3a1ab3aa7c9caf9709047a6790e94d810377de
  • d6da885c90a5d1fb88d0a3f0b5d9817a82d5772d5510a0773c80ca581ce2486d
  • ceec1a2df81905f68c7ebe986e378fec0805aebdc13de09a4033be48ba66da8b
  • c27b725ff66fdfb11dd6487a3815d1d1eba89d61b0e919e4d06ed3ac6a74fe94
  • b5a78616f709859a0d9f830d28ff2f9dbbb2387df1753739407917e96dadf6b0
  • aca888bbb300f75d69dd56bc22f87d0ed4e0f6b8ed5421ef26fc3523980b64ad
  • abb0fa128d3a75e69b59fe0391c1158eb84a799ddb0abc55d2d6be3511ef0ea1
  • aa25646ea17ae33285203c225386304de1fe4155be44bb86deb154b87b47e3fb
  • 8f58da414ec4cdad2f6ac86c19e0a806886c63cfdf1fbbb5a0713dce8a0164c5
  • 7c31d43b30bda3a891f0332ee5b1cf610cdc9ecf772cea9b073ac905d886990d
  • 55a246576af6f6212c26ef78be5dd8f83e78dd45aea97bb505d8cee1aeef6f17
  • 3b013d5aec75bf8aab2423d0f56605c3860a8fbd4f343089a9a8813b15ecc550
  • 257fed1516ae5fe1b63eae55389e8464f47172154297496e6f4ef13c19a26505
  • 1eb914c09c873f0a7bcf81475ab0f6bdfaccc6b63bf7e5f2dbf19295106af192
  • 035998b724044d20d583fffa393907c7fef11ad8b93b4d423ad8cb8e53f248b7
  • 0f4b0d65468fe3e5c8fb4bb07ed75d4762e722a60136e377bdad7ef06d9d7c22
  • 24480dbe306597da1ba393b6e30d542673066f98826cc07ac4b9033137f37dbf
  • update.updatemicfosoft.com
  • update.micfosoft.com
  • updatemicfosoft.com
  • microsfot.org

Attack Patterns

Linked vulnerabilities