active threat profile
type: nation-state (suspected)
threat_level: high
status: active
origin: China (medium confidence)
last_updated: 2025-07-22

Storm-2603

Also known as: CL-CRI-1040 (Unit 42), GOLD SALEM (Secureworks), Warlock Group

Storm-2603 is a previously undocumented threat cluster first observed in March 2025, characterized by a dual operational model that blends financially motivated ransomware deployment with espionage-aligned access tradecraft. Microsoft named it in July 2025 as one of three China-nexus actors exploiting the critical ToolShell SharePoint vulnerability chain. Within days of public disclosure more than 400 organizations worldwide had been compromised through ToolShell, and Storm-2603 used that access to deploy Warlock ransomware while also stealing ASP.NET machine keys for persistent post-patch access.

attributed origin: China (Microsoft, medium confidence)
suspected sponsor: Unknown; state-aligned or independent cybercrime (contested)
first observed: March 2025
primary motivation: Financial gain (ransomware) and/or espionage; objectives unconfirmed
primary targets: Government, Critical Infrastructure, Technology, Healthcare, Telecoms
known campaigns: ToolShell exploitation, 400+ organizations compromised (July 2025)
mitre att&ck group: Unassigned
target regions: North America, Europe, APAC, Latin America
threat level: HIGH

Overview

Storm-2603 is a previously undocumented threat cluster that emerged in public reporting in July 2025 as one of three China-associated actors exploiting the ToolShell SharePoint vulnerability chain. Unlike the two named APTs confirmed alongside it — Linen Typhoon (APT27) and Violet Typhoon (APT31) — Storm-2603 occupies an ambiguous position in the threat landscape: its China attribution is assessed by Microsoft with only medium confidence, no formal links to known Chinese APT clusters have been established, and its objectives remain contested between financially motivated ransomware operations and espionage-aligned access tradecraft.

The group's operational history traces to at least March 2025, when Check Point and Unit 42 researchers retroactively connected the actor to earlier ransomware campaigns targeting organizations in Latin America and the Asia-Pacific region. In those pre-ToolShell operations, the group deployed LockBit Black and Warlock (X2anylock) ransomware variants together — an unusual combination not typically observed in established e-crime groups — using the custom AK47 C2 framework for command-and-control. Unit 42, tracking the cluster as CL-CRI-1040, traced the actor's origins to a former LockBit 3.0 affiliate that subsequently stood up the Warlock double-extortion leak platform under its own brand.

On July 18, 2025, Storm-2603 pivoted to large-scale exploitation of the ToolShell SharePoint vulnerabilities, deploying web shells, harvesting machine keys, and rapidly escalating to Warlock ransomware deployment across enterprise environments via Group Policy Object abuse. Microsoft publicly confirmed attribution on July 22, 2025. By that date, over 400 organizations globally had been impacted, including US federal agencies. Warlock ransomware was deployed within 60–90 minutes of initial SharePoint compromise in some documented cases.

The group's infrastructure overlaps with known Chinese APT tooling — notably the ServiceMouse.sys driver used in its BYOVD-based AV killer is associated with Chinese security vendor Antiy Labs, and an IIS backdoor used by the actor is described by WithSecure as commonly misused within Chinese-speaking developer communities — but these overlaps fall short of formal attribution to any specific state-sponsored cluster. Attribution is ongoing across multiple vendor research teams as of current reporting.

Target Profile

Storm-2603's targeting in the ToolShell campaign was opportunistic against any organization running unpatched on-premises SharePoint, but concentrated impact was observed in high-value sectors consistent with both financial and espionage motivations.

  • Government and Federal Agencies: US federal agencies, including the Department of Energy's nuclear weapons agency (the National Nuclear Security Administration), were confirmed or reported affected. Government entities represent high-value targets for both extortion leverage and intelligence access.
  • Critical Infrastructure: Telecoms, energy, and utilities sectors targeted across Europe and North America. High-value data stores and operational sensitivity make these attractive for both ransomware monetization and espionage-adjacent access.
  • Technology and Managed Service Providers: Technology companies and service providers targeted both directly and as vectors to downstream customers.
  • Healthcare and Higher Education: Healthcare organizations and universities — sectors with high SharePoint adoption, sensitive data, and often weaker patch cadences — were among confirmed victim categories.
  • Latin America and APAC (pre-ToolShell): Prior to the July 2025 campaign, Storm-2603 primarily targeted organizations in Latin America and the Asia-Pacific region with ransomware, per Check Point's VirusTotal artifact analysis.

Tactics, Techniques & Procedures

Storm-2603's attack chain is well-documented from the July 2025 ToolShell campaign and retroactive analysis of earlier ransomware operations. The group follows a consistent, efficient post-exploitation sequence from initial web shell deployment to network-wide ransomware in under 90 minutes in some cases.

mitre id | technique | description
T1190 | Exploit Public-Facing Application | Unauthenticated remote code execution via the ToolShell chain: CVE-2025-49706 (authentication bypass, classed by Microsoft as spoofing) chained with CVE-2025-49704 (RCE), plus the patch bypasses CVE-2025-53770 / CVE-2025-53771. POST requests to the ToolPane.aspx handler carry serialized payloads that execute inside the SharePoint IIS worker process (w3wp.exe).
T1505.003 | Web Shell | Drops spinstall0.aspx (and variants spinstall1.aspx, spinstall2.aspx) into the SharePoint LAYOUTS directory. Despite the name, the file's purpose is to read and return the ASP.NET MachineKey configuration (ValidationKey and DecryptionKey) rather than to act as a general command shell; with those keys the actor can sign its own ViewState payloads and keep executing code after the server is patched. AsmLoader launches shellcode within the IIS worker process or a remote process. GhostWebShell, a memory-resident ASPX shell, was also observed in related activity.
T1552.001 / T1003 | Credentials In Files, OS Credential Dumping | MachineKey material read from the ASP.NET configuration for post-patch persistent access. Mimikatz dumps LSASS memory for plaintext credentials and NTLM hashes (T1003.001). SAM and SECURITY registry hives are dumped via SecretsDump or CrackMapExec for offline cracking (T1003.002 / T1003.004).
T1053.005 / T1505.004 | Scheduled Task, IIS Components | Creates scheduled tasks for persistent execution. Manipulates IIS components to load malicious .NET assemblies within the IIS worker process, so that access survives reboots and partial remediation attempts.
T1562.001 | Impair Defenses: Disable or Modify Tools (BYOVD) | Custom AV-killer executable (VMToolsEng.exe) uses the BYOVD technique, loading ServiceMouse.sys (a driver from Chinese vendor Antiy Labs) to terminate endpoint protection processes. Microsoft Defender is also disabled via Windows Registry modification through services.exe.
T1021.002 / T1047 | SMB/Windows Admin Shares, Windows Management Instrumentation | PsExec (SMB) and the Impacket toolkit (WMI-based remote execution) are used to move laterally across compromised environments with harvested domain credentials. SMB is used to copy payloads and tools between hosts.
T1484.001 | Domain Policy Modification: Group Policy Modification | Warlock ransomware is distributed network-wide by modifying GPOs, pushing the payload to all reachable domain-joined endpoints simultaneously, which enables rapid, coordinated encryption across an entire environment from a single point of control.
T1071.004 / T1572 | Application Layer Protocol: DNS, Protocol Tunneling (AK47 C2) | The custom AK47 C2 framework supports both HTTP and DNS-based channels. Commands and results are XORed with the static key "VHBD@H", hex-encoded, and carried as labels (63 characters each) prepended to the C2 domain. Results too long for one query name (255 bytes) are fragmented across multiple queries. C2 domain update.updatemicfosoft[.]com confirmed in pre-ToolShell operations.

Known Campaigns

Documented and attributed operations linked to Storm-2603 since its first observed activity in March 2025.

ToolShell SharePoint Global Campaign July 2025

Beginning July 18, 2025, Storm-2603 exploited the ToolShell SharePoint vulnerability chain at scale, deploying web shells, stealing MachineKeys, and escalating to Warlock ransomware via GPO modification. Over 400 organizations were confirmed impacted within days, including US federal agencies (Department of Energy), European government and telecom entities, healthcare providers, and universities. Ransomware was deployed within 60–90 minutes of initial access in documented cases. Microsoft confirmed attribution on July 22, 2025, with CISA adding CVE-2025-53770 to its KEV catalog and ordering immediate federal remediation.

Pre-ToolShell Ransomware — LATAM & APAC March–June 2025

Prior to the ToolShell campaign, Storm-2603 (CL-CRI-1040) conducted ransomware operations in Latin America and APAC using the AK47 C2 framework and a combination of LockBit Black and Warlock/X2anylock ransomware — sometimes both in the same attack. Check Point's analysis of a VirusTotal artifact (Evidencia.rar, April 2025) confirmed a LATAM compromise with open-source tools including PsExec, masscan, SharpHostInfo, WinPcap, and nxc recovered alongside custom backdoor payloads. The group operated as a former LockBit 3.0 affiliate before establishing the Warlock double-extortion brand.

Warlock Ransomware-as-a-Service Launch June 2025 — ongoing

By June 2025, the group began promoting Warlock as a ransomware affiliate platform, with dark web forum posts advertising the program to potential affiliates. The Warlock Client Leaked Data Show leak site was established for double-extortion operations. The group claimed responsibility for attacks previously attributed to Black Basta, including incidents at Arch-Con Corporation and Lactanet. Victim data across telecoms, technology, healthcare, and manufacturing in North America and Europe was published on the leak site.

Tools & Malware

Storm-2603 maintains a distinct custom toolkit alongside commodity open-source tools. The Project AK47 toolset is the group's signature development.

  • AK47 C2 Framework (ak47http / ak47dns): A custom multi-protocol C2 backdoor under development since at least March 2025. The HTTP client communicates via JSON-body POST requests XOR-encoded with the static key "VHBD@H". The DNS client fragments results into 63-byte chunks encoded as DNS query labels. Both variants identified via PDB filepath patterns.
  • Warlock Ransomware (X2anylock): The group's primary ransomware payload, built on the Chaos framework using AES-256 and RSA encryption. Deployed network-wide via GPO modification. Ransom notes named "How to decrypt my data.txt" or "How to decrypt my data.log" with Tox ID and ProtonMail contacts.
  • LockBit Black (LockBit 3.0): A commodity ransomware affiliate payload deployed in pre-ToolShell campaigns, sometimes bundled with Warlock in the same intrusion. Deployed via DLL hijacking using clink_x86.exe to sideload clink_dll_x86.dll.
  • spinstall0.aspx / GhostWebShell: ASPX web shells for persistent access and MachineKey harvesting. GhostWebShell is a memory-resident variant abusing SharePoint and ASP.NET internals for stealthy execution.
  • VMToolsEng.exe (AV Killer / BYOVD): Custom antivirus killer loading ServiceMouse.sys (Antiy Labs driver) to terminate endpoint protection processes. Dropped via MSI installer.
  • AsmLoader: Custom loader for executing shellcode within the IIS worker process or a remote process, enabling memory-resident execution without additional file writes.
  • Mimikatz / SecretsDump / CrackMapExec: Commodity credential harvesting for LSASS memory dumping and registry hive extraction.
  • PsExec / Impacket / masscan / nxc / SharpHostInfo / WinPcap: Open-source lateral movement, network scanning, host enumeration, and traffic capture utilities used across all documented operations.
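The DNS channel of AK47 C2 is described twice on this page (in the TTP table and under the AK47 entry above) but only in words. The following is an added worked example, written for this profile and not Storm-2603's code or any vendor's tool: it reconstructs the encoding as documented (repeating-key XOR with "VHBD@H", hex encoding, payload as leading 63-character labels under the C2 domain, long results fragmented across queries) and pairs it with a detector that can run over exported DNS query logs. The exact field order, any session or sequence identifiers the real client may add, and the sample query names are assumptions, not facts from the page.

```python
"""Reconstruction of the AK47 C2 DNS channel as the profile describes it, plus a
detector for DNS query logs.

Added example for this profile; not Storm-2603's code and not vendor tooling.
From the page: repeating-key XOR with "VHBD@H", hex encoding, payload carried as
leading labels (63 chars each) under the C2 domain, long results fragmented
across several queries. Assumed (not documented here): exact field order, any
session/sequence identifiers, and the constructed sample query names below.
"""
import string

XOR_KEY = b"VHBD@H"
C2_DOMAIN = "update.updatemicfosoft.com"   # written defanged on the page
LABEL_LEN = 63                            # RFC 1035 maximum label length
NAME_LEN = 253                            # practical maximum for a full name
HEX_DIGITS = set("0123456789abcdef")
PRINTABLE = set(string.printable.encode())


def xor_with_key(data: bytes, key: bytes = XOR_KEY) -> bytes:
    """Repeating-key XOR; symmetric, so the same call encodes and decodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def encode_query_names(payload: bytes, domain: str = C2_DOMAIN) -> list[str]:
    """Turn a command result into the DNS query names a client would send.

    The XORed payload is hex-encoded, cut into 63-char labels, and as many
    labels as fit under the name-length limit go into one query; the rest
    spill into follow-up queries (the fragmentation the profile mentions).
    """
    hex_text = xor_with_key(payload).hex()
    labels = [hex_text[i:i + LABEL_LEN] for i in range(0, len(hex_text), LABEL_LEN)]
    per_query = (NAME_LEN - len(domain) - 1) // (LABEL_LEN + 1)
    return [".".join(labels[i:i + per_query] + [domain])
            for i in range(0, len(labels), per_query)]


def leading_hex_labels(qname: str) -> list[str]:
    """Return the run of all-hex labels at the front of a query name."""
    out = []
    for label in qname.rstrip(".").lower().split("."):
        if label and set(label) <= HEX_DIGITS:
            out.append(label)
        else:
            break
    return out


def decode_query_names(qnames: list[str], domain: str = C2_DOMAIN) -> bytes:
    """Reassemble and decode the fragments of one result sent under `domain`.

    Queries not under the domain are ignored, so a raw log slice can be passed
    in; fragments of several interleaved results would need to be split first.
    """
    hex_parts = ["".join(leading_hex_labels(q)) for q in qnames
                 if q.rstrip(".").lower().endswith("." + domain)]
    return xor_with_key(bytes.fromhex("".join(hex_parts)))


def looks_like_ak47_dns(qname: str, min_bytes: int = 8) -> bool:
    """Heuristic for hunting the scheme on domains not yet in the IOC list.

    Leading labels must be pure hex and XOR-decode under VHBD@H to mostly
    printable text. Because a fragment can start mid-byte and mid-key, both
    nibble offsets and all six key phases are tried.
    """
    hex_text = "".join(leading_hex_labels(qname))
    for nibble in (0, 1):
        h = hex_text[nibble:]
        h = h[: len(h) - len(h) % 2]
        if len(h) < 2 * min_bytes:
            continue
        raw = bytes.fromhex(h)
        for phase in range(len(XOR_KEY)):
            decoded = xor_with_key(raw, XOR_KEY[phase:] + XOR_KEY[:phase])
            if sum(b in PRINTABLE for b in decoded) / len(decoded) >= 0.9:
                return True
    return False


if __name__ == "__main__":
    # Constructed sample: a 200-byte command result, long enough to fragment.
    result = b"dir C:\\ProgramData\r\n" * 10
    queries = encode_query_names(result)
    print(f"{len(queries)} queries; decoded ok: {decode_query_names(queries) == result}")
    for q in queries + ["www.example.com", "deadbeef.example.com"]:
        print("SUSPECT" if looks_like_ak47_dns(q) else "ok     ", q[:60])
```

The printable-ratio heuristic is deliberately loose (it keys on the documented static XOR key, not on the domain) so it still fires if the operators move to a new C2 domain; run it over passive DNS or resolver logs and review hits by client, since a single hex-looking CDN hostname can occasionally score above the threshold.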

Indicators of Compromise

Publicly disclosed indicators from Storm-2603 campaigns. Warning: IOCs may be stale or burned after public disclosure; cross-reference with live threat intel feeds before blocking.

type | indicator | context
domain | update.updatemicfosoft[.]com | AK47 C2 (DNS tunneling and HTTP backdoor), active from March 2025
file | spinstall0.aspx / spinstall1.aspx / spinstall2.aspx | ToolShell web shells dropped in the SharePoint LAYOUTS directory
file | VMToolsEng.exe | BYOVD AV killer; drops ServiceMouse.sys to terminate EDR/AV processes
file | ServiceMouse.sys | vulnerable driver from Antiy Labs, loaded to kill endpoint protection
file | cloudflare.bat / run.bat | staging scripts dropped to C:\ProgramData\ for chained payload execution
file | dnsclient.exe | custom DNS tunneling backdoor communicating with update.updatemicfosoft[.]com
ransom note | How to decrypt my data.txt / How to decrypt my data.log | Warlock ransom note filenames
xor key | VHBD@H | static XOR key used by AK47 C2 to encode DNS and HTTP C2 traffic
user-agent | Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0 | observed in ToolShell exploitation traffic

Mitigation & Defense

Storm-2603's attack chain moves from initial web shell to network-wide ransomware in under 90 minutes. Detection must occur early in the kill chain, before credential harvesting and lateral movement begin.

  • Patch SharePoint and Rotate Machine Keys: Apply the July 2025 SharePoint security updates (KB5002768, KB5002754, KB5002753). Patching alone does not evict the actor: any server that was reachable while unpatched must have its ASP.NET machine keys rotated (the Update-SPMachineKey PowerShell cmdlet, or the machine key rotation job in Central Administration), because stolen MachineKey material lets the actor sign its own ViewState payloads and regain code execution regardless of patch state.
  • Restart IIS After Patching: Microsoft explicitly recommends restarting IIS (iisreset.exe) on every SharePoint server after patching and key rotation to clear any in-memory malicious .NET assemblies loaded by the actor.
  • Hunt for Web Shells and Key Dumpers: Scan the SharePoint LAYOUTS directory (under ...\Web Server Extensions\16\TEMPLATE\LAYOUTS\) for unexpected ASPX files, in particular spinstall0.aspx and its variants, and treat any hit as evidence that the machine keys have already been read. Check IIS logs for POST requests to /_layouts/15/ToolPane.aspx with DisplayMode=Edit in the query string and a Referer of /_layouts/SignOut.aspx, and for GET requests to spinstall0.aspx. Query EDR telemetry for w3wp.exe spawning cmd.exe, PowerShell, or whoami.
  • Monitor for BYOVD Driver Loading: Alert on loading of ServiceMouse.sys or other third-party drivers by unexpected processes. Detection should be at the driver load event level, not the process kill event.
  • Block GPO-Based Ransomware Distribution: Monitor for unauthorized GPO modifications — particularly GPO changes referencing executable paths in network shares or ProgramData. GPO-based ransomware deployment is network-wide and extremely difficult to contain after execution begins.
  • Restrict PsExec and Impacket: Restrict PsExec to authorized administrative contexts and alert on execution outside those contexts. Block WMI-based remote execution from non-administrative workstations.
  • Enable AMSI for SharePoint: Microsoft specifically recommends enabling AMSI integration for SharePoint (in Full Mode) together with Defender Antivirus on all SharePoint servers to catch malicious script execution. Where AMSI cannot be enabled, Microsoft's guidance was to disconnect the server from the internet until it is patched; machine key rotation and an IIS restart are still required afterwards, since AMSI does not undo a key theft that has already happened.
  • Segment SharePoint from Domain Controllers: Limiting network reachability between SharePoint servers and domain controllers reduces the blast radius of credential harvesting and GPO abuse.
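The hunting advice above (IIS log review for ToolPane.aspx requests, spinstall0.aspx access, and w3wp.exe spawning shells) is easy to state and tedious to do by hand across a farm. The following added example, written for this profile and not Microsoft's or any vendor's detection content, runs that triage over IIS W3C logs and EDR-style process events. The request shape it matches is the publicly documented one; the log lines and process events are constructed, the field layout assumes the IIS W3C format with the named fields enabled, and the finding names and thresholds are this example's own choices.

```python
"""Triage of IIS W3C logs and process telemetry for the ToolShell pattern.

Added example for this profile; not Microsoft's or a vendor's detection logic.
Documented on the page: POST to ToolPane.aspx with DisplayMode=Edit and a
Referer of /_layouts/SignOut.aspx, access to spinstall0.aspx, and w3wp.exe
spawning cmd.exe / PowerShell / whoami. The sample log and events below are
constructed, not captured; finding names are this example's own.
"""
import re
from collections import Counter
from dataclasses import dataclass

TOOLPANE = re.compile(r"^/_layouts/1[56]/toolpane\.aspx$", re.I)
KEY_DUMPER = re.compile(r"^/_layouts/1[56]/spinstall\d*\.aspx$", re.I)
SUSPECT_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "whoami.exe"}


@dataclass
class Finding:
    kind: str     # short finding label
    src: str      # client IP or host name
    detail: str   # the evidence line, for the analyst


def parse_w3c(text: str):
    """Yield one dict per request using the most recent #Fields header.

    IIS writes space-separated fields and replaces spaces inside values with
    '+', so a plain split is safe; lines whose field count does not match
    the header are skipped rather than misread.
    """
    fields: list[str] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            values = line.split(" ")
            if len(values) == len(fields):
                yield dict(zip(fields, values))


def triage_iis(text: str) -> list[Finding]:
    """Flag exploit-shaped ToolPane POSTs, other ToolPane edits, and key-dumper hits."""
    findings = []
    for rec in parse_w3c(text):
        stem = rec.get("cs-uri-stem", "")
        query = rec.get("cs-uri-query", "-")
        referer = rec.get("cs(Referer)", "-")
        src = rec.get("c-ip", "?")
        if rec.get("cs-method") == "POST" and TOOLPANE.match(stem) \
                and "displaymode=edit" in query.lower():
            if "signout.aspx" in referer.lower():
                findings.append(Finding("toolshell_exploit_request", src,
                                        f"{stem}?{query} referer={referer}"))
            else:   # legitimate page edits also POST here; lower severity
                findings.append(Finding("toolpane_post_review", src, f"{stem}?{query}"))
        if KEY_DUMPER.match(stem):
            findings.append(Finding("machinekey_dumper_access", src, stem))
    return findings


def triage_processes(events: list[dict]) -> list[Finding]:
    """Flag the IIS worker process launching a shell or whoami."""
    out = []
    for ev in events:
        parent = ev["parent_image"].rsplit("\\", 1)[-1].lower()
        child = ev["image"].rsplit("\\", 1)[-1].lower()
        if parent == "w3wp.exe" and child in SUSPECT_CHILDREN:
            out.append(Finding("w3wp_spawned_shell", ev.get("host", "?"),
                               f"{child}: {ev.get('command_line', '')}"))
    return out


def summarize(findings: list[Finding]) -> dict:
    return dict(Counter(f.kind for f in findings))


# Constructed sample data (TEST-NET addresses, fictional hosts and users).
SAMPLE_IIS_LOG = r"""
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status
2025-07-19 03:12:41 10.0.0.5 GET /_layouts/15/start.aspx - 443 DOMAIN\alice 10.0.1.20 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+Chrome/126.0 - 200
2025-07-19 03:14:02 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 203.0.113.77 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:120.0)+Gecko/20100101+Firefox/120.0 /_layouts/SignOut.aspx 200
2025-07-19 03:14:09 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.77 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:120.0)+Gecko/20100101+Firefox/120.0 - 200
2025-07-19 03:20:55 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&PageView=Shared 443 DOMAIN\bob 10.0.1.21 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+Chrome/126.0 https://sp.corp.example/sites/hr/_layouts/15/ToolPane.aspx 200
"""

SAMPLE_PROCESS_EVENTS = [
    {"host": "SP01", "parent_image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\System32\cmd.exe", "command_line": "cmd.exe /c whoami"},
    {"host": "SP01", "parent_image": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\System32\svchost.exe", "command_line": "svchost.exe -k netsvcs"},
    {"host": "WS07", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe", "command_line": "cmd.exe"},
]


def run_triage() -> list[Finding]:
    return triage_iis(SAMPLE_IIS_LOG) + triage_processes(SAMPLE_PROCESS_EVENTS)


if __name__ == "__main__":
    for f in run_triage():
        print(f"{f.kind:28} {f.src:14} {f.detail}")
```

On a real server, feed the files under the IIS log folder (C:\inetpub\logs\LogFiles\W3SVC*\ by default) to triage_iis and an EDR process export to triage_processes. A toolpane_post_review hit on its own is normal editing activity; the exploit signature is the SignOut.aspx Referer, a following spinstall0.aspx request from the same client, and w3wp.exe child processes within minutes of it. Remember that the Referer check is evidence of an attempt, not of success: a patched server still logs the POST, so correlate with the key-dumper and process findings before declaring the machine keys compromised.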
Analyst Note

Storm-2603's attribution status is genuinely contested and represents an important nuance for defenders. Microsoft assesses China with only medium confidence. Unit 42 explicitly states they lack evidence to attribute the cluster to a nation-state. The BYOVD driver and IIS backdoor point to Chinese-speaking operators, but are not conclusive. What is unambiguous is the group's operational capability: a previously unknown actor stood up a functional ransomware-as-a-service operation, developed a custom C2 framework, and pivoted from targeted LATAM/APAC ransomware to a global campaign against 400+ organizations using a SharePoint zero-day — all within roughly four months of first observed activity. Regardless of who is behind it, the technical profile is precise and the threat is active.
