Storm-2603 Unleashes Warlock & LockBit Ransomware with Custom AK47 C2 Framework
Attacks linked to the Storm-2603 group continue to raise serious concerns within the cybersecurity community. This relatively obscure yet well-documented group, reportedly associated with China, has been implicated in the exploitation of recently discovered vulnerabilities in Microsoft SharePoint Server — CVE-2025-49706 and CVE-2025-49704 — collectively referred to as ToolShell. The primary objective of these attacks has been the deployment of the Warlock ransomware (also known as X2anylock), but the scale of the operation extends far beyond this.
According to analysts at Check Point Research, Storm-2603 leverages a proprietary command-and-control infrastructure known as AK47 C2. This modular C2 framework comprises at least two clients: the HTTP-based AK47HTTP and the DNS-based AK47DNS. Both components execute commands via the command line of an infected device, with data transmitted through HTTP responses or DNS queries.
The command delivery technique is particularly notable: on the compromised machine, “cmd.exe” is launched, and the commands it executes are parsed from an external channel (the HTTP responses or DNS queries described above). One of the identified executables — “dnsclient.exe” — functions as a custom backdoor communicating through a spoofed domain, “update.updatemicfosoft[.]com,” a misspelled imitation of a Microsoft update host. The server-side infrastructure is the same as that used to activate the web shell “spinstall0.aspx” referenced in Microsoft’s reports.
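The DNS channel described above leaves a footprint in resolver logs: queries to the lookalike domain itself, and, when data is carried in the queries, long encoded labels to the left of it. The following triage script is an added example and is not code from the article or from Check Point; the log format, every sample line, and the brand watchlist are constructed for illustration. It matches the domain named in the article exactly, catches one- or two-character misspellings of brand tokens inside any label, and flags hex-encoded or high-entropy labels that suggest data smuggled through DNS.

```python
"""Triage of DNS query logs for signs of DNS-based C2 such as AK47DNS.

Added example (not the article's or Check Point's code). The log format and
all sample lines below are constructed for illustration.
"""
import math
import re
from collections import Counter

# Domain named in the article (written there defanged as update.updatemicfosoft[.]com).
KNOWN_C2_DOMAINS = {"update.updatemicfosoft.com"}
# Brand tokens whose one- or two-character misspellings get flagged (assumption: extend per organisation).
BRAND_TOKENS = ("microsoft", "sharepoint")
# Labels made only of hex digits and at least 16 characters long look like encoded payload chunks.
HEX_LABEL = re.compile(r"^[0-9a-f]{16,}$")

# Constructed sample log: "<timestamp> <client_ip> <qname> <qtype>"
SAMPLE_LOG = """\
2025-07-20T10:01:02Z 10.0.0.15 update.updatemicfosoft.com A
2025-07-20T10:01:03Z 10.0.0.15 4a6f686e2d646f65.update.updatemicfosoft.com TXT
2025-07-20T10:01:04Z 10.0.0.22 www.microsoft.com A
2025-07-20T10:01:05Z 10.0.0.22 sharepoint.example.org A
2025-07-20T10:01:06Z 10.0.0.31 zlmqvx9k2ptr8hwn3bdy7fsc.example.net A
2025-07-20T10:01:07Z 10.0.0.31 cdn.micr0soft-updates.net A
"""


def levenshtein(a, b):
    """Classic edit distance (insert / delete / substitute), dynamic programming by rows."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def shannon_entropy(s):
    """Bits per character of the label's character distribution."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def lookalike_brand(label):
    """Return the brand a label imitates (edit distance 1-2 in some window), else None.

    An exact brand substring is treated as benign here; deciding whether a brand may
    legitimately appear in a third-party domain is left to an allow-list in the caller.
    """
    for brand in BRAND_TOKENS:
        k = len(brand)
        if k > len(label):
            continue
        dists = [levenshtein(label[i:i + k], brand) for i in range(len(label) - k + 1)]
        if 0 not in dists and min(dists) <= 2:
            return brand
    return None


def analyze_query(qname):
    """Reasons a single query name looks suspicious; an empty list means nothing matched."""
    q = qname.lower().rstrip(".")
    labels = q.split(".")
    reasons = []
    if any(q == d or q.endswith("." + d) for d in KNOWN_C2_DOMAINS):
        reasons.append("known C2 domain")
    for label in labels:
        brand = lookalike_brand(label)
        if brand:
            reasons.append(f"lookalike of '{brand}': {label}")
    # Data carried in queries shows up as long encoded labels left of the registrable domain
    # (naively taken here as the last two labels).
    for label in labels[:-2]:
        if HEX_LABEL.match(label):
            reasons.append(f"hex-encoded label: {label}")
        elif len(label) >= 20 and shannon_entropy(label) >= 3.5:
            reasons.append(f"high-entropy label: {label}")
    return reasons


def scan_log(text):
    """Return (client_ip, qname, reasons) for every log line that triggers a heuristic."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        _, client_ip, qname, _ = parts[:4]
        reasons = analyze_query(qname)
        if reasons:
            hits.append((client_ip, qname, reasons))
    return hits


if __name__ == "__main__":
    for ip, name, why in scan_log(SAMPLE_LOG):
        print(f"{ip} {name}: {'; '.join(why)}")
```

The entropy and hex heuristics are triage signals rather than verdicts: CDN hostnames and some legitimate telemetry also use long random labels, so in practice they are combined with the client's query volume to a single registrable domain before raising an alert.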
While access to targeted systems is presumed to occur via SharePoint, the exact vector of initial compromise remains unclear. What is known is that the attackers employ a diverse array of tools, combining legitimate Windows components with widely used open-source utilities. Their toolkit includes masscan, WinPcap, SharpHostInfo, nxc, and PsExec, alongside additional malicious modules disguised as benign installers.
For example, modified builds of 7-Zip, masquerading under “7z.exe” and “7z.dll,” are used to load malicious libraries and subsequently deploy Warlock. Another case involves the file “bbb.msi,” which uses “clink_x86.exe” to sideload “clink_dll_x86.dll,” triggering the activation of LockBit Black. Moreover, in April 2025, VirusTotal recorded another MSI installer combining multiple malicious functions: deploying both ransomware families and introducing a dedicated antivirus-killer utility.
This component, dubbed “VMToolsEng.exe,” employs the BYOVD (Bring Your Own Vulnerable Driver) technique, enabling attackers to load drivers with known vulnerabilities to disable security defenses. Notably, the driver “ServiceMouse.sys,” developed by the Chinese firm Antiy Labs, has been used in these attacks.
The geographic scope of Storm-2603’s operations is equally striking. Check Point’s findings indicate that during the first half of 2025, the group actively conducted campaigns not only in the Asia-Pacific region but also in Latin America. The combination of targeting strategies, as well as the simultaneous deployment of two distinct ransomware families — LockBit Black and Warlock — suggests an unconventional playbook and a hybrid motivation.
It remains uncertain whether Storm-2603 is driven primarily by financial incentives or acting on behalf of a state. However, its blend of tactics — merging techniques typical of cybercriminal enterprises with those associated with cyber-espionage — creates the impression of a hybrid threat. Increasingly, such operations defy clear categorization between APT campaigns and cybercrime, occupying a gray zone marked by high technical sophistication and ambiguous objectives.