The recently disclosed threat actors related to the exploitation of security flaws used a bespoke command and control (C2) framework called AK47 C2 (also spelled AK47C2).
This framework includes at least two different types of clients, HTTP-based and Domain Name System (DNS)-based, which are called AK47HTTP and AK47DNS, respectively, by checkpoint investigation.
This activity is attributed to Storm-2603, and according to Microsoft, it will deploy China-based threat actors CVE-2025-49706 and CVE-2025-49704 (aka Toolshell) – Warlock (AKA X2Anylock) ransomware, which leverages SharePoint flaws.
Evidence collected following analysis of Virustotal Artifacts, a previously unreported threat cluster, indicates that they may have deployed ransomware families such as Lockbit Black and Warlock since at least March 2025.
“Based on Virustotal data, Storm-2603 may have targeted some Latin American organizations throughout the first half of 2025, alongside the APAC attack organization,” Check Point said.
Attack tools used by threat actors include legitimate open source and Windows utilities such as Masscan, Winpcap, Sharphostinfo, NXC, and Psexec.[.]com. “
Backdoors are part of the AK47 C2 framework, and are used alongside AK47HTTP to collect host information, parse DNS or HTTP responses from servers, and run them on infected machines via “CMD.exe”. The initial access route used in these attacks is unknown.
A worth mentioning point here is that the aforementioned infrastructure was flagged by Microsoft as it is used by threat actors as C2 servers to establish communication with the “Spinstall0.aspx” web shell. In addition to open source tools, Storm-2603 is known to distribute three additional payloads –
7z.exe and 7z.dll, a legal 7-zip binaries used to sideload malicious dlls, delivering Warlock bbb.msi.
According to checkpoint, another MSI artifact was discovered in April 2025, which was uploaded to Virustotal, with another MSI artifact used to launch Warlock and Lockbit Ransomware, and also dropped a custom viral agent killer executable (“VMToolseng.exe”) that employs its own vulnerable driver (BYOVD) technique to use security software using ServiceMouse’s security driver. Lab.
Ultimately, the exact motivation for the Storm-2603 remains unknown at this stage, making it difficult to determine whether it is focused on spying or driven by profit motives. However, this focuses on cases where people from China, Iran and North Korea deployed ransomware side by side.
“The Storm-2603 leverages the BYOVD technique to disable endpoint defenses, hijacking Hijacking to deploy multiple ransomware families. It blurs the line between APT and criminal ransomware operations,” Check Point said. “The group also uses open source tools such as Psexec and Masscan, demonstrating a hybrid approach that is increasingly seen in advanced attacks.”
Source link
