
Exploring Storm-2603's Previous Ransomware Operations

NetmanageIT OpenCTI - opencti.netmanageit.com

SUMMARY:

A focused analysis of Storm-2603, a threat actor linked, alongside other China-based APT groups, to the recent ToolShell exploitation activity against SharePoint, reveals its use of a custom malware C2 framework called 'ak47c2'. The framework includes both HTTP-based and DNS-based clients. The group likely targeted organizations in Latin America and APAC in early 2025, using tradecraft similar to that of other ransomware operators: open-source tooling (including PsExec) for lateral movement and execution, and a custom tool that applies the bring-your-own-vulnerable-driver (BYOVD) technique to disable endpoint protection. Storm-2603 intrusions involve multiple ransomware families, often deployed together and loaded through DLL hijacking. The analysis documents the use of LockBit Black and Warlock ransomware, as well as a custom "Antivirus Terminator" tool that abuses a legitimate signed driver to kill security processes.
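Two of the techniques named above leave distinctive endpoint telemetry: a BYOVD driver must carry a valid signature (the kernel would refuse it otherwise), so the signal is where it was loaded from, not whether it is signed; and a DLL hijack typically shows a signed host binary loading an unsigned DLL from its own, user-writable directory. The following is an added detection example written for this page, not code from the report or from the threat actor. The records are constructed in the shape of Sysmon Event ID 6 (driver loaded) and Event ID 7 (image loaded); every file name and path in them is hypothetical and is not an indicator from this page.

```python
"""Heuristics for BYOVD driver loads and DLL side-loading over constructed
Sysmon-style records. Added example; paths and names are hypothetical."""
from pathlib import PureWindowsPath
from typing import Optional

# Directories owned by Windows or trusted installers. A driver or DLL loaded
# from anywhere else is the interesting case for both heuristics.
TRUSTED_ROOTS = (
    r"C:\Windows\System32",
    r"C:\Windows\SysWOW64",
    r"C:\Windows\WinSxS",
    r"C:\Program Files",
    r"C:\Program Files (x86)",
)
DRIVER_DIR = r"C:\Windows\System32\drivers"


def _under(path: str, root: str) -> bool:
    """True if path is root or lies beneath root (case-insensitive)."""
    p = PureWindowsPath(path.lower())
    r = PureWindowsPath(root.lower())
    return p == r or r in p.parents


def _in_trusted_root(path: str) -> bool:
    return any(_under(path, root) for root in TRUSTED_ROOTS)


def check_driver_load(ev: dict) -> Optional[str]:
    """Sysmon EID 6. A BYOVD driver is validly signed, so flag on location:
    a signed driver loaded from outside the drivers directory."""
    img = ev["ImageLoaded"]
    if ev.get("SignatureStatus") != "Valid":
        return f"driver with non-valid signature loaded: {img}"
    if not _under(img, DRIVER_DIR):
        return f"signed driver loaded from non-standard path: {img}"
    return None


def check_image_load(ev: dict) -> Optional[str]:
    """Sysmon EID 7. Side-loading pattern: the DLL sits next to the host
    process, outside any trusted root, and is not validly signed."""
    proc, dll = ev["Image"], ev["ImageLoaded"]
    if _in_trusted_root(dll):
        return None
    same_dir = (PureWindowsPath(proc.lower()).parent
                == PureWindowsPath(dll.lower()).parent)
    if same_dir and ev.get("SignatureStatus") != "Valid":
        return f"unsigned DLL side-loaded by {proc}: {dll}"
    return None


def scan(events: list) -> list:
    """Run both checks over a list of event dicts; return finding strings."""
    findings = []
    for ev in events:
        hit = None
        if ev["EventID"] == 6:
            hit = check_driver_load(ev)
        elif ev["EventID"] == 7:
            hit = check_image_load(ev)
        if hit:
            findings.append(hit)
    return findings


# Constructed sample telemetry (hypothetical names and paths, not IOCs).
SAMPLE_EVENTS = [
    {"EventID": 6, "ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys",
     "SignatureStatus": "Valid"},                       # benign
    {"EventID": 6, "ImageLoaded": r"C:\Users\Public\drv\vendor_io.sys",
     "SignatureStatus": "Valid"},                       # BYOVD pattern
    {"EventID": 7, "Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "SignatureStatus": "Valid"},                       # benign
    {"EventID": 7, "Image": r"C:\ProgramData\upd\signed_host.exe",
     "ImageLoaded": r"C:\ProgramData\upd\version.dll",
     "SignatureStatus": "Unsigned"},                    # side-load pattern
    {"EventID": 7, "Image": r"C:\ProgramData\upd\signed_host.exe",
     "ImageLoaded": r"C:\ProgramData\upd\helper.dll",
     "SignatureStatus": "Valid"},                       # signed, not flagged
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

The path-based BYOVD check is deliberately conservative: many legitimate installers stage a driver under Program Files before the service is registered, which is why that root is trusted here, and a production rule would pair it with an allow-list of known driver hashes and a block-list of abused drivers. The side-load check keys on the DLL being unsigned; a hijack that drops a signed DLL would need the additional comparison of the loaded DLL's signer against the host binary's signer.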

OPENCTI LABELS:

ransomware,windows,lockbit,psexec,lockbit black,microsoft,april,virustotal,sharepoint,iocs,toolshell,storm2603,io control,dllhijacking,warlock
