Tag: Storm-2603
-

Shadows in the Server: How the Warlock Group Weaponized a “Forgotten” VM to Breach SmarterTools
SmarterTools has published a detailed retrospective on a recent breach of its infrastructure, describing the attackers' entry vector and their subsequent movements. The intrusion began at a single, neglected virtual mail server that had gone unpatched for an extended period, an oversight that served as the primary gateway for the attack. According to corporate…
-

Ransomware Group Storm-2603 Abuses Velociraptor for Stealthy LockBit/Babuk Attacks
Attackers have begun abusing the DFIR tool Velociraptor to stage ransomware deployments of LockBit and Babuk. Cisco Talos attributes these campaigns to a cluster known as Storm-2603, believed to operate from China. Analysts report the adversaries leveraged an outdated Velociraptor build vulnerable to privilege escalation — CVE-2025-6264 (CVSS 5.5) — to obtain full control of…
-

Storm-2603 Unleashes Warlock & LockBit Ransomware with Custom AK47 C2 Framework
Attacks linked to the Storm-2603 group continue to raise serious concerns within the cybersecurity community. This relatively obscure yet well-documented group, reportedly associated with China, has been implicated in the exploitation of recently discovered vulnerabilities in Microsoft SharePoint Server — CVE-2025-49706 and CVE-2025-49704 — collectively referred to as ToolShell. The primary objective of these attacks…
-

SharePoint Under Siege: China-Linked Storm-2603 Unleashes Warlock Ransomware After Zero-Day Exploitation
The wave of attacks targeting vulnerabilities in Microsoft SharePoint continues to escalate, reaching levels of sophistication and scale not witnessed since the mass infections orchestrated by LockBit. According to Microsoft, the breaches are attributed to Storm-2603, a threat group with ties to China. Their latest tactic involves deploying the Warlock ransomware onto victim servers following…
-

Microsoft Confirms China-Backed APTs Actively Exploiting SharePoint Zero-Days (CVE-2025-53770, -53771)
Microsoft has confirmed that three China-linked threat groups were behind the recent wave of attacks targeting on-premises SharePoint Server installations. According to the company’s report, since early July, the vulnerabilities identified as CVE-2025-53770 and CVE-2025-53771 have been actively exploited by the adversarial groups known as Linen Typhoon (APT27), Violet Typhoon (APT31), and Storm-2603. All three…