[Image: Antivirus Terminator supported arguments when run without parameters. Source: Check Point]
Check Point Research (CPR) has detailed a previously undocumented Chinese-affiliated threat actor—Storm-2603—linked to aggressive campaigns exploiting Microsoft SharePoint vulnerabilities. This group has not only weaponized multiple zero-day exploits but also introduced a bespoke command-and-control (C2) framework and a disturbing strategy of deploying multiple ransomware strains in a single attack.
Storm-2603 was first flagged during investigations into the ToolShell campaign, a wave of attacks exploiting vulnerabilities in Microsoft SharePoint servers, including CVE-2025-49704, CVE-2025-49706, CVE-2025-53770, and CVE-2025-53771. While some activity was tied to known APTs like APT27 (Linen Typhoon) and APT31 (Violet Typhoon), Storm-2603 emerged as a new, highly adaptive player.
“Microsoft linked this cluster’s activity to potential ransomware deployment, but was unable to assess the group’s objectives,” CPR noted, leading to further investigation.
One of the group’s standout tools is a custom-built malware C2 suite internally named AK47C2, which includes two distinct backdoors:
- ak47dns (DNS-based)
- ak47http (HTTP-based)
The AK47DNS variant is a stealthy backdoor that communicates using encoded DNS TXT records. The backdoor hides its console, gathers the host’s computer name, and crafts XOR-encrypted messages prefixed with unique session IDs. These messages are embedded within DNS queries to the malicious domain update.micfosoft[.]com.
“Each element… is XOR-encoded with the ASCII key ‘VHBD@H’, converted to hexadecimal, and concatenated with dots,” CPR explained.
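For defenders reviewing resolver logs, the description above is enough to write a decoder and a detection check. The following is an added example, not code from the Check Point report; it assumes that the XOR key restarts for every dot-separated element and that the encoded elements sit directly in front of the C2 domain, and the log lines and the encoded session ID and hostname are constructed for the example.

```python
import re
from typing import List, Optional, Tuple

XOR_KEY = b"VHBD@H"                   # ASCII key quoted in the CPR write-up
C2_SUFFIX = "update.micfosoft[.]com"  # defanged as on the page; un-defang before running on live logs
HEX_LABEL = re.compile(r"^(?:[0-9a-fA-F]{2})+$")


def xor_with_key(data: bytes, key: bytes = XOR_KEY) -> bytes:
    """XOR data against the repeating key. Assumption: the key restarts for every element."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decode_ak47dns_query(qname: str) -> Optional[List[str]]:
    """Decode the dot-separated hex elements in front of the C2 suffix; None if the shape does not match."""
    qname = qname.rstrip(".")
    if not qname.endswith("." + C2_SUFFIX):
        return None
    labels = qname[: -len(C2_SUFFIX) - 1].split(".")
    if not all(HEX_LABEL.match(label) for label in labels):
        return None
    return [xor_with_key(bytes.fromhex(label)).decode("latin-1") for label in labels]


def looks_like_ak47dns(qname: str) -> bool:
    """Detection heuristic: hex-only labels that turn into printable ASCII under the known key."""
    elems = decode_ak47dns_query(qname)
    return elems is not None and all(e.isascii() and e.isprintable() for e in elems)


# Constructed DNS resolver log (not from the page): timestamp, client, qtype, qname.
# The first line carries session ID "7f3a" and hostname "WS-01", hand-encoded per the CPR description.
SAMPLE_LOG = """\
2025-03-02T10:14:07Z 10.0.5.23 TXT 612e7125.011b6f7471.update.micfosoft[.]com
2025-03-02T10:14:09Z 10.0.5.40 A www.example.com
2025-03-02T10:14:11Z 10.0.5.23 TXT notencoded.update.micfosoft[.]com
"""


def scan_dns_log(log: str) -> List[Tuple[str, str, Optional[List[str]]]]:
    """Flag every query to the C2 domain (the indicator alone is enough) and decode it when possible."""
    hits = []
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        client, qname = parts[1], parts[3]
        if qname.rstrip(".").endswith(C2_SUFFIX):
            decoded = decode_ak47dns_query(qname) if looks_like_ak47dns(qname) else None
            hits.append((client, qname, decoded))
    return hits
```

A query to the C2 domain is an alert on its own; the decoded elements only add context (which host and session the beacon belongs to) for triage.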
Meanwhile, AK47HTTP communicates over plain HTTP, transmitting XOR-encrypted JSON objects with task requests and responses.
Storm-2603’s campaigns showcase a rare but lethal tactic: deploying multiple ransomware strains simultaneously. These include:
- LockBit Black
- Warlock (a.k.a. x2anylock)
- Other custom payloads

In one case, a malicious MSI package deployed three ransomware families together using DLL hijacking. This tactic—seen in only a handful of attacks globally—aims to overwhelm victims and increase the likelihood of payment.
Storm-2603 doesn’t stop at infection—it actively neutralizes defenses. CPR identified a tool dubbed Antivirus Terminator, which abuses a legitimately signed driver from the Antiy System In-Depth Analysis Toolkit.
This driver, AToolsKrnl64.sys, is used by the attackers to:
- Kill AV processes via IO control code 0x99000050
- Delete files
- Uninstall security drivers
This is a textbook example of the Bring Your Own Vulnerable Driver (BYOVD) tactic: because the driver carries a valid signature, Windows loads it, and its abusable functionality then gives the attackers kernel-level control over infected systems.
Storm-2603’s activities have been traced to campaigns across Latin America and the Asia-Pacific region in early 2025. Infrastructure such as update.updatemicfosoft[.]com was used consistently across both regions.
“The artifacts in the archive provide a look at some of the open-source tools used by the actors… including masscan, PsExec, WinPcap, and a custom DNS backdoor.”
The deployment of these tools, combined with their in-house malware, highlights Storm-2603’s hybrid approach—leveraging both open-source utilities and custom implants.
Storm-2603’s emergence signals a dangerous evolution in state-affiliated cyber warfare—one that combines sophisticated exploits, custom malware, and multi-strain ransomware strategies. Their ability to exploit Microsoft SharePoint vulnerabilities, circumvent endpoint protections, and operate covertly across continents makes them a critical threat actor to monitor in the months ahead.
Check Point Research concludes:
“This behavior, along with the overlap in techniques, helps us better understand how Storm-2603 operates.”