Storm-2603
Description
Storm-2603 is a threat actor, possibly China-based, that attracted attention for its sophisticated and financially motivated cyberattacks. The group is best known for its use of ToolShell, an exploit chain that leverages multiple vulnerabilities (CVE-2025-49704, CVE-2025-49706, CVE-2025-53770, and CVE-2025-53771) to gain unauthorized access to on-premises Microsoft SharePoint servers, as seen in July 2025.
The group’s tactics blend state-sponsored espionage techniques with cybercrime methods: it uses DLL sideloading, DLL hijacking, the AK47 C2 framework, and BYOVD (Bring Your Own Vulnerable Driver) techniques to evade detection. Storm-2603 is also known to deploy ransomware, including Warlock, LockBit Black (LockBit 3.0), and AK47 ransomware (also known as X2ANYLOCK ransomware), for financial gain.
Aliases
- CL-CRI-1040
- Storm-2603
Common Vulnerabilities and Exposures
- CVE-2025-49704
- CVE-2025-49706
- CVE-2025-53770
- CVE-2025-53771
Targeted Industries
- Critical infrastructure
- Education
- Government
- Telecommunications
Objectives
Financial Gain
Known Tools Used
- AK47 Ransomware (X2ANYLOCK Ransomware)
- AK47HTTP backdoor
- Ak47c2
- Antivirus Terminator
- IIS backdoor
- LockBit Black ransomware (LockBit 3.0)
- masscan
- nxc
- PsExec
- PyPyKatz
- SharpHostInfo
- Warlock ransomware
- WinPcap
Known Infection Vectors
- Zero-Day
- Known Exploited Vulnerabilities
References
Inside The ToolShell Campaign (Fortinet)
https://www.fortinet.com/blog/threat-research/inside-the-toolshell-campaign
Microsoft SharePoint Zero-day Attack (Fortinet)
https://www.fortiguard.com/outbreak-alert/microsoft-sharepoint-zero-day