A recent analysis by Check Point Research has identified a threat actor tracked as Storm-2603 exploiting critical vulnerabilities in Microsoft SharePoint Server. The group, believed to be based in China, uses a command-and-control (C2) framework called AK47 C2. The framework has both HTTP- and DNS-based clients, and the group has used it to orchestrate attacks that include deploying the Warlock and LockBit Black ransomware families.
Storm-2603 has exploited CVE-2025-49706 and CVE-2025-49704, two SharePoint Server flaws whose exploitation Microsoft has confirmed. Researchers assess that the group has been active since at least March 2025, primarily targeting organizations in Latin America and the Asia-Pacific region.
Alongside legitimate tools such as masscan (network scanning) and PsExec (remote execution), Storm-2603 deploys custom backdoors, including an executable named dnsclient.exe that carries its command-and-control traffic over DNS. DNS-based C2 is harder to spot than HTTP beacons: the queries typically leave the network through the organization's own recursive resolvers rather than as direct outbound connections, so egress filtering tuned to HTTP does not stop them, and without DNS query logging there is little to inspect. The initial access vector used in these attacks has not been fully disclosed, which leaves potential victims without a clear entry point to hunt for.
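One way to hunt for DNS-carried C2 of the kind described above, as an added example that is not part of the Check Point analysis and makes no assumption about how dnsclient.exe itself encodes its traffic: score each client/domain pair in resolver query logs on signals that DNS tunnels tend to produce regardless of the malware (oversized labels, high-entropy subdomains, many distinct subdomains per domain, and a query mix dominated by TXT records). The log lines, the tunnel-example.net domain and the thresholds are constructed for the example.

```python
"""Heuristic detection of DNS-based C2 in resolver query logs.

Added example, not Check Point's or Storm-2603's code. The signals are
generic tunnel traits: payload has to fit into QNAME labels (long labels),
encoded data looks random (high entropy), each beacon needs an uncached
name (many unique subdomains), and answers need room for data (TXT-heavy).
"""
import math
from collections import defaultdict

# Constructed sample in "client_ip qname qtype" form; not real telemetry.
# tunnel-example.net stands in for an attacker-controlled domain.
SAMPLE_LOG = """\
10.0.0.5 www.microsoft.com A
10.0.0.5 update.microsoft.com A
10.0.0.5 sharepoint.corp.example A
10.0.0.5 mfzxi4rgnbswy3dpnzuw4zzbnrqxa2drgy3dpeb2g.tunnel-example.net TXT
10.0.0.5 nbswy3dpeb2gqzlsmuqhk3tjnfxa2drgy3dpebzw.tunnel-example.net TXT
10.0.0.5 onsw4zdjnzsws5dimvxgkidcn5tgk4tfoqmfzxi4rg.tunnel-example.net TXT
10.0.0.5 krugkidifbsxgzltebrgc3tsn5sgkzlxebxw64tlnb.tunnel-example.net TXT
10.0.0.5 ozswyzdpor4hgidnmfvwkidbebsgc3tsn5sgkzlxe.tunnel-example.net TXT
10.0.0.5 mfzxi4rgnbswy3dpnzuw4zzbnrqxa2drgy3dpeb2h.tunnel-example.net TXT
10.0.0.7 mail.google.com A
10.0.0.7 a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6.tunnel-example.net TXT
10.0.0.7 files.corp.example A
"""


def shannon_entropy(s: str) -> float:
    """Bits per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def split_qname(qname: str):
    """Split a query name into (subdomain, registrable domain).

    Assumption for the example: the registrable domain is the last two
    labels. A real deployment should use the Public Suffix List, otherwise
    everything under e.g. co.uk collapses into one bucket.
    """
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= 2:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def parse_log(text: str):
    """Yield (client, qname, qtype) from 'client qname qtype' lines; skip malformed ones."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        yield parts[0], parts[1].lower(), parts[2].upper()


def analyze(text: str, max_label_len=30, entropy_threshold=3.5,
            min_unique=5, txt_share=0.8, min_signals=2):
    """Return {(client, domain): stats}; 'flagged' is set when >= min_signals fire.

    Requiring two independent signals keeps a single long CDN hash or one
    high-entropy hostname from raising an alert on its own.
    """
    buckets = defaultdict(lambda: {"queries": 0, "subdomains": set(),
                                   "long_label_queries": 0, "entropy_sum": 0.0, "txt": 0})
    for client, qname, qtype in parse_log(text):
        sub, dom = split_qname(qname)
        b = buckets[(client, dom)]
        b["queries"] += 1
        if sub:
            b["subdomains"].add(sub)
            b["entropy_sum"] += shannon_entropy(sub.replace(".", ""))
            if any(len(label) > max_label_len for label in sub.split(".")):
                b["long_label_queries"] += 1
        if qtype == "TXT":
            b["txt"] += 1

    findings = {}
    for key, b in buckets.items():
        n = b["queries"]
        avg_entropy = b["entropy_sum"] / n
        signals = []
        if b["long_label_queries"]:
            signals.append("long_labels")
        if avg_entropy >= entropy_threshold:
            signals.append("high_entropy")
        if len(b["subdomains"]) >= min_unique:
            signals.append("many_unique_subdomains")
        if b["txt"] / n >= txt_share:
            signals.append("txt_heavy")
        findings[key] = {"queries": n, "unique_subdomains": len(b["subdomains"]),
                         "avg_entropy": avg_entropy, "signals": signals,
                         "flagged": len(signals) >= min_signals}
    return findings


def flagged_pairs(text: str):
    """Sorted (client, domain) pairs that trip the detector."""
    return sorted(k for k, v in analyze(text).items() if v["flagged"])


if __name__ == "__main__":
    for (client, dom), v in sorted(analyze(SAMPLE_LOG).items()):
        mark = "ALERT" if v["flagged"] else "ok   "
        print(f"{mark} {client:10} {dom:22} q={v['queries']:2} uniq={v['unique_subdomains']:2} "
              f"H={v['avg_entropy']:.2f} signals={','.join(v['signals']) or '-'}")
```

Run against real resolver logs, the per-domain baseline matters more than the absolute thresholds: legitimate high-entropy names (CDN hashes, anti-virus signature lookups, DNSBL queries) are common, so tune `min_unique` and `entropy_threshold` against a week of known-good traffic and allow-list the services that trip them before alerting.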
Check Point also found that the infection chain includes, among other things, a DLL hijacking technique and a custom-built executable that terminates security software. This fits a troubling trend in which the line between state-sponsored and criminal activity is increasingly blurred: a group with espionage-style tradecraft is deploying commodity ransomware. As the threat landscape evolves, further investigation will be needed to understand the intent behind Storm-2603's operations.