Storm-2603: Hybrid Espionage and Ransomware Operations Exploiting SharePoint ToolShell Vulnerabilities

Stuck writing boring intelligence reports? Or worse, trying to make ChatGPT do it the way you, a seasoned analyst, would?
Does it take chunks out of your day? Would you like help with the research?
write a report on Storm-2603 suitable for strategic decision makers, but don’t skimp on the technical deets
This baseline report was thoughtfully researched and took 10 minutes. It's meant to be a rough draft for you to enhance with the unique insights that make you an invaluable analyst.
We just did the initial grunt work.


TL;DR
Key Points
- Storm-2603, a China-based threat actor, is actively exploiting Microsoft SharePoint ToolShell vulnerabilities (CVE-2025-49704/49706/53770/53771) to deploy LockBit Black and Warlock ransomware, targeting government, critical infrastructure, and enterprise IT sectors globally.
- Immediate patching, ASP.NET machine key rotation, and EDR deployment are critical to mitigate initial access and persistence.
- The group employs advanced TTPs, including BYOVD, DLL sideloading, custom AK47 C2 frameworks (HTTP/DNS), and open-source tools (PsExec, Impacket, masscan) for lateral movement, defense evasion, and ransomware propagation.
- Monitoring for web shells, suspicious scheduled tasks, and C2 traffic to known Storm-2603 infrastructure is essential for early detection.
- Storm-2603 demonstrates a hybrid operational model, blending espionage and financially motivated ransomware, with evolving tradecraft and targeting scope.
- Incident response plans, network segmentation, and tabletop exercises tailored to hybrid APT/ransomware scenarios are recommended for organizational resilience.
Executive Summary
Storm-2603 is a China-based threat actor, first identified in 2025, leveraging a hybrid operational model that combines espionage tactics with financially motivated ransomware deployment. The group is distinct from, but shares some infrastructure and tooling with, other Chinese APTs such as APT27 (Linen Typhoon) and APT31 (Violet Typhoon). Storm-2603 has been observed exploiting critical Microsoft SharePoint ToolShell vulnerabilities (CVE-2025-49704, CVE-2025-49706, CVE-2025-53770, CVE-2025-53771) to gain initial access to on-premises servers in government, critical infrastructure, and enterprise IT environments across Latin America, Asia-Pacific, the United States, and Europe.
Post-exploitation, Storm-2603 deploys web shells, steals credentials (using Mimikatz), and moves laterally via PsExec and Impacket. The group uses advanced defense evasion techniques, including Bring Your Own Vulnerable Driver (BYOVD) and DLL sideloading, to disable endpoint protections and deploy multiple ransomware families (LockBit Black, Warlock/X2anylock). Custom C2 frameworks (AK47HTTP, AK47DNS) and open-source tools (masscan, WinPcap, SharpHostInfo) support stealthy command and control, reconnaissance, and propagation.
Storm-2603’s campaigns have impacted government agencies (including the US Nuclear Weapons Agency), financial services, manufacturing, and other sectors. The group’s hybrid motivation profile—espionage and financial gain—complicates attribution and response, with a plausible shift toward longer-term espionage using ransomware as cover.
Strategic recommendations include urgent patching and key rotation on SharePoint servers, deployment and tuning of EDR solutions, integration of threat intelligence for IOC monitoring, and enhanced incident response planning with network segmentation. Organizations should monitor for specific TTPs (web shells, GPO modifications, C2 traffic) and prepare for both ransomware and APT-style intrusions. The threat landscape is expected to evolve, with Storm-2603 likely to refine its malware frameworks, expand targeting, and adapt TTPs in response to improved defenses.
Suggested Pivots
- What specific indicators and ... (Upgrade to find out!) ..., and how can these be detected in ongoing campaigns exploiting SharePoint vulnerabilities?
- How effective are current mitigation strategies—including ... (Upgrade to find out!) ..., and what documented case studies or incident reports highlight successes or failures?
- What are the detailed technical evolutions of Storm-2603’s custom ... (Upgrade to find out!) ... their persistence and evasion capabilities? How can detection and disruption methods be improved based on these insights?
Research & Attribution
Historical Context
Storm-2603 is a China-based threat actor first publicly identified in 2025 during investigations into the exploitation of Microsoft SharePoint Server vulnerabilities, collectively known as the ToolShell campaign. The group has been linked to ransomware operations deploying LockBit Black and Warlock (X2anylock) ransomware variants. While other Chinese APT groups such as Linen Typhoon (APT27) and Violet Typhoon (APT31) were also involved in ToolShell, Storm-2603 is tracked as a distinct actor with a hybrid operational model combining espionage and financially motivated ransomware deployment.
Timeline
- Early 2025: Storm-2603 linked to ransomware campaigns in Latin America and Asia-Pacific deploying LockBit Black and Warlock ransomware.
- March 2025: Earliest observed campaigns using DNS tunneling and HTTP backdoors.
- July 2025: Active exploitation of SharePoint vulnerabilities CVE-2025-49704, CVE-2025-49706, CVE-2025-53770, and CVE-2025-53771 (ToolShell) to gain initial access.
- July 18, 2025: Observed deployment of Warlock ransomware post-exploitation.
- July 22, 2025: Microsoft publishes detailed analysis of Storm-2603's exploitation and ransomware deployment.
Origin
Storm-2603 is assessed with moderate confidence to be a China-based threat actor. It is tracked as a distinct entity separate from other Chinese APT groups such as Linen Typhoon and Violet Typhoon, although some infrastructure and tooling overlaps exist. The group exhibits a hybrid operational model combining espionage-like tactics with financially motivated ransomware deployment.
Countries Targeted
- Latin America (LATAM) - Targeted in ransomware campaigns deploying LockBit Black and Warlock ransomware.
- Asia-Pacific (APAC) - Targeted in parallel with LATAM in ransomware campaigns.
- United States - Targeted via exploitation of SharePoint vulnerabilities; includes critical infrastructure such as the US Nuclear Weapons Agency.
- Europe - Indirectly targeted through espionage-related campaigns linked to related Chinese APT groups.
- Other global regions - Likely targeted due to the broad exploitation of SharePoint vulnerabilities.
Sectors Targeted
- Government and Critical Infrastructure - Including US nuclear weapons agency and other sensitive government entities.
- Enterprise IT - Particularly organizations running on-premises Microsoft SharePoint servers.
- Financial Services - Targeted in espionage and ransomware campaigns.
- Healthcare and Education - Indirectly targeted through related Chinese APT groups.
- Manufacturing and Strategic Planning - Targeted by related Chinese APT groups and possibly Storm-2603.
Motivation
Storm-2603 exhibits a hybrid motivation profile combining espionage and financial gain through ransomware deployment. While the group deploys the LockBit Black and Warlock ransomware families, its exact strategic objectives remain unclear; espionage and financial profit are both plausible, and the two may coexist.
Attack Types
Storm-2603 primarily exploits known vulnerabilities in internet-facing on-premises Microsoft SharePoint servers (ToolShell vulnerabilities) to gain initial access. Post-exploitation activities include web shell deployment, credential theft, lateral movement, and ransomware deployment. The group uses a combination of custom malware, open-source tools, and advanced techniques such as DLL sideloading and Bring Your Own Vulnerable Driver (BYOVD) to disable defenses and deploy multiple ransomware families.
Malware and Toolset Analysis
- Custom backdoors: AK47 C2 framework with HTTP (AK47HTTP) and DNS (AK47DNS) clients.
- Ransomware: LockBit Black and Warlock (X2anylock) deployed via DLL sideloading and MSI installers.
- Open-source tools: masscan, WinPcap, SharpHostInfo, nxc, PsExec.
- Antivirus terminator: Custom tool "VMToolsEng.exe" using BYOVD with signed driver "ServiceMouse.sys" from Antiy Labs to disable security software.
C2 Infrastructure and Indicators
- Domains: update.updatemicfosoft[.]com, msupdate.updatemicfosoft[.]com, microsfot[.]org.
- IPs: 65.38.121.198, 131.226.2.6, 134.199.202.205, 104.238.159.149, 188.130.206.168.
- File hashes: Multiple SHA-256 hashes for web shells (spinstall0.aspx variants), IIS backdoor (IIS_Server_dll.dll), and tools (SharpHostInfo.x64.exe, xd.exe).
- URLs: c34718cbb4c6.ngrok-free[.]app/file.ps1 (PowerShell delivery).
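The Key Points recommend monitoring for web shells and for C2 traffic to known Storm-2603 infrastructure, and the list above gives the indicators in defanged form. The script below is an added example (not part of the original report or of any vendor tooling) that refangs those indicators and matches them against proxy-style log lines. The log format, the sample log lines, the treatment of sibling hosts under updatemicfosoft.com as suspicious, and the assumption that "spinstall0.aspx variants" differ only in the trailing digit are all assumptions made for this example; the indicator values themselves are copied from the report.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Indicators exactly as listed in the report, still defanged with "[.]".
DEFANGED_DOMAINS = [
    "update.updatemicfosoft[.]com",
    "msupdate.updatemicfosoft[.]com",
    "microsfot[.]org",
]
DEFANGED_IPS = [
    "65.38.121.198", "131.226.2.6", "134.199.202.205",
    "104.238.159.149", "188.130.206.168",
]
DEFANGED_URLS = ["c34718cbb4c6.ngrok-free[.]app/file.ps1"]

# The report names "spinstall0.aspx variants"; the trailing digit is assumed
# (for this example) to be what varies, so any spinstall<digits>.aspx is flagged.
WEBSHELL_RE = re.compile(r"spinstall\d*\.aspx", re.IGNORECASE)


def refang(indicator: str) -> str:
    """Convert a defanged indicator ("[.]", "hxxp") into its matchable form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").lower()


DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}
# Two listed hosts share updatemicfosoft.com, so sibling hosts under the same
# registrable domain are treated as suspicious too (two-label parents assumed).
PARENT_DOMAINS = {".".join(d.split(".")[-2:]) for d in DOMAINS}
IPS = {ipaddress.ip_address(i) for i in DEFANGED_IPS}
URLS = {refang(u) for u in DEFANGED_URLS}


@dataclass
class Hit:
    line_no: int
    kind: str        # "domain", "ip", "url" or "webshell"
    indicator: str   # the indicator (or file name) that matched


# Constructed log format: "<timestamp> <src_ip> <dst_host_or_ip> <method> <path>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<method>\S+)\s+(?P<path>\S+)$"
)


def host_matches(host: str) -> Optional[str]:
    """Return the matching domain indicator for a host name, if any."""
    host = host.lower().rstrip(".")
    if host in DOMAINS:
        return host
    for parent in PARENT_DOMAINS:
        if host == parent or host.endswith("." + parent):
            return parent
    return None


def ip_matches(dst: str) -> Optional[str]:
    """Return the matching IP indicator if dst is one of the listed C2 IPs."""
    try:
        ip = ipaddress.ip_address(dst)
    except ValueError:
        return None
    return str(ip) if ip in IPS else None


def scan_line(line_no: int, line: str) -> list[Hit]:
    """Check one log line against every indicator class; lines that do not
    parse are skipped rather than treated as benign."""
    m = LOG_RE.match(line.strip())
    if not m:
        return []
    dst, path = m["dst"].lower(), m["path"].lower()
    hits: list[Hit] = []
    if (d := host_matches(dst)):
        hits.append(Hit(line_no, "domain", d))
    if (i := ip_matches(dst)):
        hits.append(Hit(line_no, "ip", i))
    if dst + path in URLS:                      # full download URL, e.g. the file.ps1 drop
        hits.append(Hit(line_no, "url", dst + path))
    if (w := WEBSHELL_RE.search(path)):         # request to a web shell on our own server
        hits.append(Hit(line_no, "webshell", w.group(0)))
    return hits


def scan_log(text: str) -> list[Hit]:
    hits: list[Hit] = []
    for n, line in enumerate(text.splitlines(), start=1):
        hits.extend(scan_line(n, line))
    return hits


# Constructed sample traffic (not real telemetry): one benign line, the rest
# touching the report's indicators in different ways.
SAMPLE_LOG = """\
2025-07-19T02:14:07Z 10.0.0.12 update.updatemicfosoft.com GET /api/check
2025-07-19T02:14:09Z 10.0.0.12 131.226.2.6 POST /beacon
2025-07-19T02:15:30Z 10.0.0.12 c34718cbb4c6.ngrok-free.app GET /file.ps1
2025-07-19T02:16:02Z 198.51.100.7 sharepoint.corp.example POST /_layouts/15/spinstall0.aspx
2025-07-19T02:16:40Z 10.0.0.12 www.microsoft.com GET /
2025-07-19T02:17:00Z 10.0.0.12 cdn.updatemicfosoft.com GET /x
"""

if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(f"line {h.line_no}: {h.kind} -> {h.indicator}")
```

The ngrok host is deliberately not in the domain set: only the full `file.ps1` URL from the report is matched, so ordinary ngrok traffic does not alert. Hits on the web-shell path are most useful when the source address is external to the SharePoint server's expected client population, which is why the sample line uses a non-RFC1918 source.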
Impact and Tradecraft Evolution
Storm-2603 has demonstrated a sophisticated hybrid approach blending espionage tactics with financially motivated ransomware deployment. The group has evolved to deploy multiple ransomware families simultaneously, use advanced defense evasion techniques like BYOVD, and leverage custom C2 frameworks. The exploitation of widely used enterprise software vulnerabilities (SharePoint) and the use of open-source tools for reconnaissance and lateral movement increase the threat's operational complexity and impact.
Recommendations, Actions, Suggested Pivots, Forecasts and Next Steps
(Subscribers Only)