Storm-2603 Using Custom Malware That Leverages BYOVD to Tamper with Endpoint Protections
A newly identified threat actor designated Storm-2603 has emerged as a sophisticated adversary in the ransomware landscape, leveraging advanced custom malware to circumvent endpoint security protections through innovative techniques.
The group first gained attention during Microsoft’s investigation into the “ToolShell” campaign, which exploited multiple SharePoint Server vulnerabilities including CVE-2025-49704, CVE-2025-49706, CVE-2025-53770, and CVE-2025-53771.
Unlike established Chinese APT groups such as Linen Typhoon and Violet Typhoon that were also involved in these attacks, Storm-2603 represents a previously undocumented cluster with distinct operational characteristics.
The threat actor’s arsenal centers around a custom Command and Control framework internally dubbed “ak47c2,” which demonstrates remarkable technical sophistication through its dual-client architecture.
This framework incorporates both HTTP-based communication channels, designated “ak47http,” and DNS-based tunneling capabilities called “ak47dns.”
The malware’s design reflects careful consideration for operational security and persistence, allowing attackers to maintain command and control even when traditional network monitoring systems are in place.
Check Point researchers identified that Storm-2603’s operations have extended beyond the initial SharePoint exploitations, with evidence suggesting the group targeted organizations across Latin America and the Asia-Pacific region throughout the first half of 2025.
The group’s methodology involves deploying multiple ransomware families simultaneously, including LockBit Black and Warlock variants, often utilizing DLL hijacking techniques for deployment and execution.
BYOVD Implementation and Endpoint Protection Bypass
The most notable aspect of Storm-2603’s technical arsenal is their custom “Antivirus Terminator” tool, which exemplifies the Bring Your Own Vulnerable Driver (BYOVD) technique for disabling endpoint protections.
This sophisticated utility requires administrative privileges and leverages a legitimate, digitally signed driver originally developed by Antiy Labs as part of their System In-Depth Analysis Toolkit.
The tool creates a service called “ServiceMouse” that loads the vulnerable driver ServiceMouse.sys, which is actually a renamed version of AToolsKrn164.sys.
The malware communicates with this driver using specific IO control codes, particularly 0x99000050 for process termination, 0x990000D0 for file deletion, and 0x990001D0 for driver unloading operations.
```c
/* Decompiler output from the "Antivirus Terminator" tool: hDevice is the handle to the
   ServiceMouse device, 0x99000050 is the process-termination IOCTL described above, and
   v1 holds the name of the process that was targeted (names are the decompiler's). */
if (DeviceIoControl(hDevice, 0x99000050, &InBuffer, 4u, OutBuffer, 4u, BytesReturned, 0))
{
    printf_0("kill ok :%s\r\n", v1);   /* printf_0: the tool's logging wrapper around printf */
}
```
This implementation allows the malware to terminate security processes at the kernel level, effectively neutralizing endpoint protection systems before deploying ransomware payloads.
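As an added defender-side example (not code from the article or from Check Point), the block below decodes the three IOCTL codes quoted above into their CTL_CODE fields, and runs a simple check over constructed Windows System Event ID 7045 (service installation) lines to flag a kernel-mode driver service matching the ServiceMouse indicators. The watchlist names come from the article; the "driver loaded from outside System32\drivers" heuristic is an assumption added here.

```python
import re

# Layout of a Windows IOCTL code (the CTL_CODE macro):
#   bits 31..16 device type, 15..14 required access, 13..2 function, 1..0 buffering method
METHODS = {0: "METHOD_BUFFERED", 1: "METHOD_IN_DIRECT", 2: "METHOD_OUT_DIRECT", 3: "METHOD_NEITHER"}
ACCESS = {0: "FILE_ANY_ACCESS", 1: "FILE_READ_ACCESS", 2: "FILE_WRITE_ACCESS", 3: "FILE_READ_ACCESS|FILE_WRITE_ACCESS"}

def decode_ioctl(code: int) -> dict:
    """Split a 32-bit IOCTL code into its CTL_CODE fields."""
    return {
        "device_type": code >> 16,
        "access": ACCESS[(code >> 14) & 0x3],
        "function": (code >> 2) & 0xFFF,
        "method": METHODS[code & 0x3],
        # Device type values >= 0x8000 are reserved for third-party (non-Microsoft) drivers
        "third_party_device": (code >> 16) >= 0x8000,
    }

# IOCTLs the article attributes to the ServiceMouse.sys driver used by the Antivirus Terminator tool
AK47_IOCTLS = {0x99000050: "process termination", 0x990000D0: "file deletion", 0x990001D0: "driver unload"}

# Indicators taken from the article; matching is case-insensitive
SERVICE_WATCHLIST = {"servicemouse"}
DRIVER_WATCHLIST = {"servicemouse.sys", "atoolskrn164.sys"}

EVENT_7045 = re.compile(r"Service Name:\s*(?P<name>[^,]+),\s*Service File Name:\s*(?P<path>[^,]+),\s*Service Type:\s*(?P<type>[^,]+)")

def flag_service_install(line: str) -> list:
    """Return the reasons an Event ID 7045 line looks like a BYOVD driver install (empty list = clean)."""
    m = EVENT_7045.search(line)
    if not m or "kernel mode driver" not in m["type"].lower():
        return []  # only kernel-mode driver services are of interest here
    name, path = m["name"].strip().lower(), m["path"].strip().lower()
    base = path.replace("/", "\\").rsplit("\\", 1)[-1]
    reasons = []
    if name in SERVICE_WATCHLIST:
        reasons.append(f"service name '{name}' is a Storm-2603 indicator")
    if base in DRIVER_WATCHLIST:
        reasons.append(f"driver file '{base}' is a Storm-2603 indicator")
    if "\\system32\\drivers\\" not in path:  # assumption: heuristic, not from the article
        reasons.append("kernel driver installed from outside System32\\drivers")
    return reasons

# Constructed sample Event ID 7045 lines (not real telemetry)
SAMPLE_EVENTS = [
    "7045 A service was installed in the system. Service Name: ServiceMouse, Service File Name: C:\\ProgramData\\ServiceMouse.sys, Service Type: kernel mode driver, Service Start Type: demand start",
    "7045 A service was installed in the system. Service Name: WdNisDrv, Service File Name: C:\\Windows\\System32\\drivers\\WdNisDrv.sys, Service Type: kernel mode driver, Service Start Type: demand start",
    "7045 A service was installed in the system. Service Name: Updater, Service File Name: C:\\Program Files\\App\\upd.exe, Service Type: user mode service, Service Start Type: auto start",
]
```

All three codes decode to the same third-party device type 0x9900 with METHOD_BUFFERED and FILE_ANY_ACCESS, differing only in the function number (0x14, 0x34, 0x74), which is a useful pivot when hunting for other IOCTLs exposed by the same driver.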