
Storm-2603 Using Custom Malware That Leverages BYOVD to Tamper with Endpoint Protections

Threat Score: 71 · 6 articles · 100.0% similarity · 1 day ago

Activity Timeline

Six articles, published between Jul 29 and Aug 02 (Jul 29, Jul 31, Aug 01, Aug 01, Aug 01, Aug 02).

Key Insights

  1. Storm-2603 has exploited multiple critical Microsoft SharePoint vulnerabilities, including CVE-2025-49704 and CVE-2025-49706, to deploy ransomware, affecting approximately 145 organizations globally.
  2. The threat actor uses a bespoke command-and-control framework named AK47 C2, comprising HTTP- and DNS-based clients, to maintain persistent access and execute commands.
  3. Analysis indicates that Storm-2603 has targeted organizations primarily in Latin America and the Asia-Pacific region, pointing to a broad geographical scope of operations.
  4. Storm-2603 employs advanced techniques such as Bring Your Own Vulnerable Driver (BYOVD) to disable endpoint protections, and DLL hijacking to deploy ransomware families such as Warlock and LockBit.
  5. The group's activities have been tracked since at least March 2025, with a notable increase in ransomware deployment that blurs the line between advanced persistent threat (APT) and criminal ransomware operations.
  6. Check Point Research emphasizes the sophistication of Storm-2603, citing its use of legitimate tools alongside custom backdoor malware to evade detection and increase the effectiveness of its attacks.

Threat Overview

The newly identified threat actor Storm-2603 has been linked to a series of ransomware attacks exploiting multiple vulnerabilities in Microsoft SharePoint Server, collectively referred to as 'ToolShell.' These attacks have reportedly affected around 145 organizations globally, particularly in Latin America and the Asia-Pacific region. According to Check Point Research (CPR), the group has been operational since at least March 2025, using advanced techniques to bypass endpoint defenses and deploy several ransomware strains.

The vulnerabilities exploited by Storm-2603 include CVE-2025-49704 and CVE-2025-49706, among others. 'Based on VirusTotal data, Storm-2603 likely targeted some organizations in Latin America throughout the first half of 2025,' Check Point stated. The threat actor has utilized a custom command-and-control (C2) framework known as AK47 C2, which consists of both HTTP and DNS-based clients. This framework allows for persistent access and command execution, facilitating the deployment of ransomware like Warlock and LockBit.

The exploitation process involves leveraging critical vulnerabilities in SharePoint, enabling the threat actor to gain unauthorized access to systems. Storm-2603 employs Bring Your Own Vulnerable Driver (BYOVD) techniques to disable endpoint protections and uses DLL hijacking to execute ransomware. The group has also been observed using legitimate open-source tools, such as PsExec and masscan, to enhance their operational capabilities. 'Storm-2603 blurs the lines between APT and criminal ransomware operations,' noted CPR, highlighting the group's sophisticated approach.

In response to the ongoing threat, Microsoft has issued advisories regarding the vulnerabilities and urged organizations to implement necessary patches. Security teams across various sectors are on high alert, evaluating their defenses against potential intrusions. 'We are actively monitoring the situation and implementing countermeasures to safeguard our systems,' stated a CISO from a major organization affected by the attacks.

Organizations are advised to prioritize patching of the affected SharePoint versions and to implement robust security measures to mitigate the risk of ransomware infection. 'Immediate deployment of patches is crucial to protect against these exploits,' emphasized Check Point Research. The evolving tactics of Storm-2603 underline the need for continued vigilance against emerging threats.

Tactics, Techniques & Procedures (TTPs)

  • T1190 Exploit Public-Facing Application: exploitation of SharePoint vulnerabilities CVE-2025-49704 and CVE-2025-49706 enables unauthorized access [1][4]
  • T1562.001 Impair Defenses: use of BYOVD techniques to disable endpoint protections [2][5]
  • T1055 Process Injection: use of DLL hijacking to deploy ransomware [2][5]
  • T1071.001 Application Layer Protocol: Web Protocols: communication through DNS-based command-and-control [1][2]
  • T1069 Permission Groups Discovery: scanning for vulnerable systems using tools like masscan [2][5]
  • T1046 Network Service Scanning: use of WinPcap for network reconnaissance [2][5]
  • T1059.001 Command and Scripting Interpreter: PowerShell: deployment of custom backdoor malware [3][5]

Timeline of Events

  • 2025-03: Evidence suggests Storm-2603 began operations, deploying ransomware against various targets [2]
  • 2025-06: Microsoft discloses vulnerabilities in SharePoint Server as 'ToolShell' [3]
  • 2025-07: Active exploitation of the vulnerabilities detected, leading to ransomware deployments [6]
  • 2025-08-01: Check Point Research publishes findings on Storm-2603's tactics and the impact of its operations [1][2]

Source Citations

  • Expert quotes: CISO statements (Article 5); Check Point Research (Articles 1, 4)
  • Primary findings: Details on Storm-2603 operations (Articles 2, 5); Vulnerability exploitation and impact (Articles 1, 4, 6)
  • Technical details: C2 framework details (Articles 2, 4); Attack methods and tools (Articles 1, 2, 5)

Powered by ThreatCluster AI. Generated 8 hours ago. AI analysis may contain inaccuracies.

Related Articles

1. Storm-2603 Using Custom Malware That Leverages BYOVD to Tamper with Endpoint Protections (Cybersecurity News, 12 hours ago; score 68, 100.0% similarity)

A newly identified threat actor designated Storm-2603 has emerged as a sophisticated adversary in the ransomware landscape, leveraging advanced custom malware to circumvent endpoint security protections through innovative techniques. The group first gained attention during Microsoft’s investigation into the “ToolShell” campaign, which exploited multiple SharePoint Server vulnerabilities including CVE-2025-49704, CVE-2025-49706, CVE-2025-53770, and CVE-2025-53771. Unlike established […]
2. Storm-2603 Deploys DNS-Controlled Backdoor in Warlock and LockBit Ransomware Attacks (The Hacker News, 1 day ago; score 62, 100.0% similarity)

The threat actor linked to the exploitation of the recently disclosed security flaws in Microsoft SharePoint Server is using a bespoke command-and-control (C2) framework called AK47 C2 (also spelled ak47c2) in its operations. The framework includes at least two different types of clients, HTTP-based and Domain Name System (DNS)-based, which have been dubbed AK47HTTP and AK47DNS, respectively, by Check Point Research. The activity has been attributed to Storm-2603, which, according to Microsoft, is
3. Before ToolShell: Exploring Storm-2603’s Previous Ransomware Operations (Check Point, 1 day ago; score 58, 94.0% similarity)

Key Findings. Introduction. Check Point Research (CPR) has been closely monitoring the ongoing exploitation of a group of Microsoft SharePoint Server vulnerabilities collectively referred to as “ToolShell.” These active attacks leverage four vulnerabilities, CVE-2025-49704, CVE-2025-49706, CVE-2025-53770, and CVE-2025-53771, and are attributed to multiple China-affiliated threat actors. Among the threat groups identified by Microsoft, two are known […]
4. SharePoint Zero-Days Exploited to Unleash Warlock Ransomware (Data Breach Today UK, 3 days ago; score 58, 94.0% similarity)

145 Organizations Compromised by China-Linked Ransomware Hackers and Others. Nearly 150 different organizations' on-premises SharePoint servers have been exploited by attackers targeting the zero-day vulnerabilities now tracked as ToolShell, researchers warn. Early attacks have been attributed to China-linked groups, in some cases leading to Warlock ransomware infections.
5. Storm-2603 Deploys Custom Malware Using BYOVD to Bypass Endpoint Protections (GB Hackers, 23 hours ago; score 56, 100.0% similarity)

Check Point Research (CPR) has delved into the operations of Storm-2603, a recently identified threat actor linked to Chinese advanced persistent threat (APT) groups, amid widespread exploitation of Microsoft SharePoint Server vulnerabilities known as “ToolShell.” This campaign exploits four critical CVEs, CVE-2025-49704, CVE-2025-49706, CVE-2025-53770, and CVE-2025-53771, to facilitate intrusions, with Storm-2603 deployi
6. ToolShell under siege: Check Point analyzes Chinese APT Storm-2603 (Security Affairs, 1 day ago; score 53, 100.0% similarity)

Storm-2603 group exploits SharePoint flaws and uses a custom C2 framework, AK47 C2, with HTTP- and DNS-based variants named AK47HTTP and AK47DNS. Check Point Research is tracking a ToolShell campaign exploiting four Microsoft SharePoint flaws, linking it to China-nexus groups APT27, APT31, and a new cluster, Storm-2603. The researchers pointed out that Storm-2603’s goals remain […]

Cluster Intelligence

Key entities and indicators for this cluster

  • Industries: Information Technology; Cybersecurity
  • Vulnerabilities: Privilege Escalation; Remote Code Execution; Denial of Service
  • APT groups: Storm-2603; APT27; APT31
  • Malware: AK47 C2; Warlock
  • MITRE ATT&CK: T1562.001; T1059.001; T1071.001; T1069; T1046
  • Attack types: Exploitation; Exploitation of Public-Facing Applications; Remote Code Execution; Ransomware Deployment; Ransomware
  • Domains: update.updatemicfosoft.com
  • Platforms: Microsoft SharePoint
  • Security vendors: Check Point Research; Data Breach Today UK; Check Point
  • Countries: United States; China
  • Ransomware: LockBit Black; LockBit
  • CVEs: CVE-2025-53771; CVE-2025-53770; CVE-2025-49706; CVE-2025-49704
  • Companies: Microsoft
  • Cluster information: Cluster #1534; created 1 day ago; semantic algorithm
