
August 1, 2025

Storm-2603 activity linked to earlier ransomware campaigns


Researchers are reporting that Storm-2603 - a recently identified threat actor associated with the ToolShell campaign - previously conducted ransomware operations in Latin America and Asia-Pacific using LockBit Black and Warlock (also known as X2anylock) variants. These earlier campaigns date back to at least March 2025.

Storm-2603 is a newly designated actor under Microsoft’s “Storm” taxonomy, used for emerging threat clusters. While not yet formally reclassified, the group shares infrastructure and tooling patterns with known Chinese advanced persistent threat (APT) groups, such as Violet Typhoon (APT31). While some vendors have also referred to Storm-2603 as a Violet Typhoon derivative or clone, Microsoft has yet to link the two actors formally. Attribution remains ongoing, and while overlaps exist, Storm-2603 is currently tracked as a distinct entity.

The group’s tactics, techniques, and procedures (TTPs) suggest a hybrid model: combining elements of APT behavior with financially motivated ransomware deployment.

The group uses a custom command-and-control framework (AK47 C2) and defense evasion techniques such as DLL sideloading and Bring Your Own Vulnerable Driver (BYOVD). The actor's payloads were often deployed together via DLL sideloading techniques, suggesting a layered approach to disruption. Targeting patterns suggest a focus on unpatched enterprise systems, particularly on-premises SharePoint servers.


Analyst insight

The group’s exploitation of unpatched SharePoint servers using custom malware and defense evasion techniques highlights the need for proactive patch management and layered detection strategies across all environments. The threat actor's hybrid approach and its deployment of multiple ransomware variants increase the complexity of attribution efforts. For organizations with on-premises SharePoint infrastructure, the activity underscores the importance of maintaining patch hygiene, as well as the need for real-time detection, active response, and expert-led monitoring across endpoints, networks, and cloud services.