A new name surfaced in Microsoft’s analysis of the ToolShell exploitation campaign earlier this year. Storm-2603. There was no history or track record. Just a cluster of activity, loosely linked to ransomware.
Now, Check Point Research has filled in some of the blanks.
Storm-2603, it turns out, was not born with ToolShell. It had been busy long before, targeting entities in Latin America and APAC. Its methods are like the hybrid DNA of advanced persistent threats and criminal ransomware crews. It moves with precision, using open-source tools and custom malware. It doesn’t bluff.
An Unknown Name, Familiar Footsteps
ToolShell is the name given to a series of Microsoft SharePoint Server vulnerabilities exploited by China-affiliated threat actors, including APT27 (Linen Typhoon) and APT31 (Violet Typhoon). But among them, Storm-2603 stood apart, an unnamed actor with links to ransomware deployments, but no clear profile.
That’s changed.
Check Point’s investigation tied the group to infrastructure used in earlier attacks. One domain, update.updatemicfosoft[.]com, stood out. It had been used since March to deliver both LockBit Black and Warlock ransomware, via custom DNS and HTTP backdoors.
What followed was a forensic trail. Dead drops in VirusTotal, open-source tools, modified drivers, and encrypted messages sent through hollowed-out DNS records.
Two Attacks, One Playbook
In April, a RAR archive named Evidencia.rar surfaced on VirusTotal. It held evidence from a likely Storm-2603 intrusion in Latin America.
The group had used familiar tools:
- masscan, for scanning IP ranges.
- PsExec, to execute remote commands.
- WinPcap, SharpHostInfo, and nxc rounded out the kit.
Then came the payloads.
One file, dnsclient.exe, was a backdoor. It spoke to its handlers over DNS. Another, bbb.msi, side-loaded ransomware. LockBit Black and Warlock, again, deployed in tandem.
In a second case, an MSI installer loaded not one but three ransomware strains. Each was delivered using DLL hijacking. A file named VMToolsEng.exe acted as an antivirus terminator, using a vulnerable signed driver (ServiceMouse.sys) to kill defenses. The tool took no prisoners. It loaded, terminated, and cleared its tracks using IO control codes known to only a few.
The Malware Framework: AK47C2
Storm-2603’s operations are tied together by a custom command-and-control framework, dubbed AK47C2. Two versions were discovered.
The first, AK47DNS, is a 64-bit backdoor that communicates over DNS. It obfuscates payloads using XOR encryption and constructs queries with fragmented data stitched into TXT record lookups. Commands are executed silently using cmd.exe /c, and results are broken into 63-byte segments before being exfiltrated via DNS.
The second variant, AK47HTTP, trades DNS for HTTP. It uses a nearly identical encryption scheme but wraps commands in JSON, which is sent via POST requests. Both implants reference development paths on a machine labeled Administrator, deep in a folder called ak47c2.
The encryption key is the same for both: VHBD@H.
The Ransomware Arsenal
Storm-2603 doesn’t rely on one strain of ransomware. It deploys several.
- LockBit Black remains a staple, delivered via hijacked DLLs.
- x2anylock, also called Warlock, uses the extension .x2anylock.
- Ransom notes are simple, functional, and nearly identical. They offer Tox IDs and ProtonMail addresses. They appear as How to decrypt my data.log or <Ransomware ID>.README.txt.
Check Point notes that these notes (and the multi-ransomware strategy) match those described in a Huntress post from June. While this kind of layering isn’t new, it’s rare. Most ransomware groups prefer singular control, while Storm-2603 appears to believe in redundancy.
The Terminator
One of the more interesting tools in Storm-2603’s arsenal is a so-called Antivirus Terminator. It’s a command-line utility that uses a third-party, signed driver to kill processes with surgical precision.
That driver (AToolsKrnl64.sys) belongs to Antiy Labs, a Chinese security vendor. The original GUI tool allowed deep process inspection. Storm-2603 turned it into a weapon.
The Terminator sets up a fake service (ServiceMouse), loads the driver, and sends IO control codes to delete files, uninstall services, and, most importantly, terminate antivirus processes. It’s not novel, but it’s effective.
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.