Exploring Storm-2603's Previous Ransomware Operations
A focused analysis of Storm-2603, a threat actor linked to recent ToolShell exploitations alongside other Chinese APT groups, reveals their use of a custom malware C2 framework called 'ak47c2'. This framework includes both HTTP-based and DNS-based clients. The group likely targeted organizations in Latin America and APAC in early 2025, employing tactics similar to those of other ransomware groups. They use open-source tools together with a custom tool that leverages the BYOVD (Bring Your Own Vulnerable Driver) technique to disable endpoint protections. Storm-2603 attacks involve multiple ransomware families, often deployed together through DLL hijacking. The analysis uncovers their use of LockBit Black and Warlock ransomware, as well as a custom "Antivirus Terminator" tool that abuses a legitimate driver to kill processes.
Pulse ID: 688cb3406bad6853be31041c
Pulse Link: https://otx.alienvault.com/pulse/688cb3406bad6853be31041c
Pulse Author: AlienVault
Created: 2025-08-01 12:29:52
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#APAC #Chinese #CyberSecurity #DNS #Endpoint #HTTP #ICS #InfoSec #LatinAmerica #LockBit #Malware #NATO #OTX #OpenThreatExchange #RAT #RCE #RansomWare #Terminator #bot #AlienVault