Storm-2603 Deploys Custom Malware Using BYOVD to Bypass Endpoint Protections

Check Point Research (CPR) has delved into the operations of Storm-2603, a recently identified threat actor linked to Chinese advanced persistent threat (APT) groups, amid widespread exploitation of Microsoft SharePoint Server vulnerabilities known as “ToolShell.”

This campaign exploits four critical CVEs, CVE-2025-49704, CVE-2025-49706, CVE-2025-53770, and CVE-2025-53771, to gain initial access, with Storm-2603 then deploying a custom command-and-control (C2) framework dubbed “ak47c2.”

Comprising HTTP-based (“ak47http”) and DNS-based (“ak47dns”) clients, this framework enables persistent access and command execution.

Unveiling a New Chinese Threat Actor

Analysis of VirusTotal uploads indicates Storm-2603 targeted Latin American organizations in early 2025, concurrent with attacks in the Asia-Pacific region, employing tactics, techniques, and procedures (TTPs) that mirror ransomware operations, including open-source tools like PsExec for remote execution and masscan for network scanning.

A hallmark of their approach is a custom tool leveraging Bring Your Own Vulnerable Driver (BYOVD) to disable endpoint protections, often paired with multiple ransomware families deployed via DLL hijacking.

MSI Multi-Ransomware Deployment.

Storm-2603’s ak47c2 framework, evidenced by PDB paths such as C:\Users\Administrator\Desktop\work\tools\ak47c2, supports sophisticated backdoors.

According to the CPR report, the ak47dns variant, a 64-bit console application named dnsclient.exe, hides its window upon launch and constructs DNS queries for C2 communication over update.updatemicfosoft[.]com.

Ransomware Tactics

It generates a random five-character session ID, XOR-encrypts payloads with the key “VHBD@H,” and uses DNS TXT or MG records for data exfiltration, fragmenting large outputs into 63-byte segments for stealth.

Similarly, the ak47http backdoor employs HTTP POST requests with JSON payloads encrypted identically, executing commands via cmd.exe and relaying results to domains like update.micfosoft[.]com.

Incidents from April 2025, including RAR archives on VirusTotal, reveal deployments involving open-source utilities like WinPcap for traffic capture, SharpHostInfo for reconnaissance, and nxc for vulnerability exploitation.

Ransomware payloads, such as LockBit Black and Warlock (using .x2anylock extensions), are bundled and triggered through MSI installers abusing DLL hijacking in legitimate files like 7z.exe or MpCmdRun.exe.

Warlock Group ransom note.

A custom “Antivirus Terminator” tool, active since late 2024, creates a service named ServiceMouse using the vulnerable Antiy Labs driver (originally AToolsKrnl64.sys) to send IOCTL codes like 0x99000050 for process termination, effectively bypassing antivirus via BYOVD.
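A BYOVD attack of the kind described above leaves a service-installation record in the Windows System log (Event ID 7045) when the driver is registered. The following is an added example, not CPR’s tooling or the actor’s code: it assesses constructed 7045-style event records against the service name and driver file name given in the article, and adds a generic heuristic (an assumption, not from the article) that a kernel-mode driver service whose binary sits outside the system drivers directory deserves review. The heuristic matters because the article notes the driver was renamed from AToolsKrnl64.sys, so a file-name match alone cannot be relied on; in practice this should be paired with a hash or signer check against Microsoft’s vulnerable driver blocklist.

```python
"""Hunt for the BYOVD service install described in the article in Windows
System-log 'service installed' events (Event ID 7045).

Added example; not from Check Point Research or Storm-2603's tooling.
Indicators (service name ServiceMouse, driver file AToolsKrnl64.sys) come
from the article; the sample events below are constructed.
"""
import ntpath

IOC_SERVICE_NAMES = {"servicemouse"}
IOC_DRIVER_FILES = {"atoolskrnl64.sys"}
TRUSTED_DRIVER_DIR = "c:\\windows\\system32\\drivers\\"


def normalize_image_path(image_path):
    """Lower-case the ImagePath and resolve the prefixes Windows commonly writes."""
    p = image_path.strip().strip('"')
    low = p.lower()
    if low.startswith("\\??\\"):                 # NT object-manager prefix
        p = p[4:]
    elif low.startswith("\\systemroot\\"):       # \SystemRoot\... form
        p = "c:\\windows\\" + p[12:]
    elif low.startswith("system32\\"):           # relative to the Windows dir
        p = "c:\\windows\\" + p
    return p.lower()


def assess_service_event(event):
    """Return the reasons a 7045 record is suspicious (empty list if none)."""
    reasons = []
    name = event.get("ServiceName", "").lower()
    path = normalize_image_path(event.get("ImagePath", ""))
    kernel_driver = event.get("ServiceType", "").lower() == "kernel mode driver"
    if name in IOC_SERVICE_NAMES:
        reasons.append("ioc-service-name")
    if ntpath.basename(path) in IOC_DRIVER_FILES:
        reasons.append("ioc-driver-file")
    # Heuristic (assumption, not from the article): a kernel driver loaded from
    # outside the drivers directory is worth a look whatever it is called.
    if kernel_driver and not path.startswith(TRUSTED_DRIVER_DIR):
        reasons.append("kernel-driver-outside-drivers-dir")
    return reasons


def hunt(events):
    """Return (ServiceName, reasons) for every 7045 event that raises a reason."""
    results = []
    for e in events:
        if e.get("EventID") != 7045:
            continue
        reasons = assess_service_event(e)
        if reasons:
            results.append((e["ServiceName"], reasons))
    return results


# Constructed sample events: the article's indicators, a legitimate driver,
# and a renamed driver that only the path heuristic would notice.
SAMPLE_EVENTS = [
    {"EventID": 7045, "ServiceName": "ServiceMouse",
     "ImagePath": "C:\\Users\\Public\\AToolsKrnl64.sys",
     "ServiceType": "kernel mode driver", "StartType": "demand start"},
    {"EventID": 7045, "ServiceName": "Tcpip",
     "ImagePath": "\\SystemRoot\\System32\\drivers\\tcpip.sys",
     "ServiceType": "kernel mode driver", "StartType": "boot start"},
    {"EventID": 7045, "ServiceName": "Updater",
     "ImagePath": "\\??\\C:\\ProgramData\\svc\\sys.sys",
     "ServiceType": "kernel mode driver", "StartType": "demand start"},
]

if __name__ == "__main__":
    for service, reasons in hunt(SAMPLE_EVENTS):
        print(service, reasons)
```

Feeding real 7045 events in is a matter of exporting them (for example with Get-WinEvent on the System log) and mapping the ServiceName, ImagePath and ServiceType fields into the dictionaries the functions expect; the path normalisation handles the \??\ and \SystemRoot\ forms that appear in exported ImagePath values.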

Antiy System In-Depth Analysis Toolkit GUI

This multi-ransomware strategy, with notes like “How to decrypt my data.txt” demanding contact via Tox or ProtonMail, aligns with rare tactics observed in reports from Huntress and Microsoft, linking Storm-2603 to earlier campaigns since March 2025.

Storm-2603 represents an evolving ransomware-affiliated actor blending APT techniques with commodity tools, exploiting SharePoint flaws for initial access and custom malware for persistence.

By correlating IOCs from Microsoft reports, CPR traced infrastructure overlaps, highlighting the group’s focus on rapid, multi-payload deployments to maximize disruption.

Indicators of Compromise (IOCs)

Type IOC Value
Domain updatemicfosoft[.]com
Domain microsfot[.]org
SHA256 f711b14efb7792033b7ac954ebcfaec8141eb0abafef9c17e769ff96e8fecdf3
SHA256 035998b724044d20d583fffa393907c7fef11ad8b93b4d423ad8cb8e53f248b7
SHA256 abb0fa128d3a75e69b59fe0391c1158eb84a799ddb0abc55d2d6be3511ef0ea1
SHA256 3b013d5aec75bf8aab2423d0f56605c3860a8fbd4f343089a9a8813b15ecc550
SHA256 dbf5ee8d232ebce4cd25c0574d3a1ab3aa7c9caf9709047a6790e94d810377de
SHA256 1eb914c09c873f0a7bcf81475ab0f6bdfaccc6b63bf7e5f2dbf19295106af192
SHA256 d6da885c90a5d1fb88d0a3f0b5d9817a82d5772d5510a0773c80ca581ce2486d
SHA256 0f4b0d65468fe3e5c8fb4bb07ed75d4762e722a60136e377bdad7ef06d9d7c22
SHA256 f01675f9ca00da067bdb1812bf829f09ccf5658b87d3326d6fddd773df352574
SHA256 8f58da414ec4cdad2f6ac86c19e0a806886c63cfdf1fbbb5a0713dce8a0164c5
SHA256 24480dbe306597da1ba393b6e30d542673066f98826cc07ac4b9033137f37dbf
SHA256 aa25646ea17ae33285203c225386304de1fe4155be44bb86deb154b87b47e3fb
SHA256 b5a78616f709859a0d9f830d28ff2f9dbbb2387df1753739407917e96dadf6b0
SHA256 c27b725ff66fdfb11dd6487a3815d1d1eba89d61b0e919e4d06ed3ac6a74fe94
SHA256 eaec6b1b23c4450d1d0a7d409d3f21e8a4a171a9e9b82bb8ef2c05a2f7435e9c
SHA256 257fed1516ae5fe1b63eae55389e8464f47172154297496e6f4ef13c19a26505
SHA256 ceec1a2df81905f68c7ebe986e378fec0805aebdc13de09a4033be48ba66da8b
SHA256 55a246576af6f6212c26ef78be5dd8f83e78dd45aea97bb505d8cee1aeef6f17
SHA256 aca888bbb300f75d69dd56bc22f87d0ed4e0f6b8ed5421ef26fc3523980b64ad
SHA256 f06fe1c3e882092a23002bed3e170da7b64e6b4475acdedea1433a874b10afdf
SHA256 7c31d43b30bda3a891f0332ee5b1cf610cdc9ecf772cea9b073ac905d886990d
