Storm-2603: Targeting SharePoint Vulnerabilities and Critical Infrastructure Worldwide
The threat group Storm-2603 is exploiting Microsoft SharePoint vulnerabilities to launch attacks worldwide, targeting critical infrastructure. Its motives include espionage and financial gain through ransomware deployment. The group uses the AK47 C2 toolkit and has been linked by Microsoft and Palo Alto to China-backed threat groups. The article stresses the need to patch the SharePoint vulnerabilities immediately. 2025-9-17 13:0:0 Author: www.trustwave.com


  • The threat group Storm-2603 is actively exploiting Microsoft SharePoint vulnerabilities to gain unauthorized access to critical infrastructure worldwide.
  • Their attacks use a specialized toolkit and have a dual motive: espionage and financial gain through deploying ransomware.
  • This highlights the urgent need for organizations to apply all security patches to their SharePoint environments to protect against these severe vulnerabilities and the associated ransomware threat.

This blog is the latest in a series that delves into the deep research conducted daily by the Trustwave SpiderLabs Threat Operations team on major threat actor groups currently operating globally.

The Trustwave SpiderLabs Cyber Threat Intelligence team has developed a new detailed analysis of Storm-2603, the threat group associated with the recent exploitation of security flaws in Microsoft SharePoint Server.

This article is from a strategic threat intelligence perspective, focusing on Storm-2603’s motives, affiliations, and global targeting impact, with lighter technical detail. For those interested in a more technical analysis, please see this earlier report.

SpiderLabs’ research noted that the group, tracked as Storm-2603 by Microsoft and as CL-CRI-1040 by Palo Alto, is a new threat actor first observed in March 2025 that uses a specialized command-and-control (C2) toolkit dubbed AK47 C2 to conduct its SharePoint operation.

There is some discrepancy surrounding Storm-2603’s affiliation due to the group having some links to the Chinese-supported threat groups APT27 (aka Emissary Panda) and APT31, aka Judgement Panda.
SpiderLabs noted in an earlier blog that Storm-2603 is likely based in China, but the researchers noted there is insufficient evidence to conclude that Storm-2603 is a state-sponsored group or tied to the People’s Republic of China.

However, Microsoft has attributed Storm-2603 to China with medium confidence.

The SharePoint vulnerabilities were used to perform unauthenticated code execution, extract cryptographic keys, and deploy web shells resembling those used in past campaigns, suggesting the threat actors are reusing proven tools to maintain long-term access.

Storm-2603’s Motivating Principles and Attack Tools

SpiderLabs found that Storm-2603 appears to be driven by two motives: espionage and financial gain. The group’s espionage motivations are reflected in its targeting of critical sectors, such as government and strategic organizations.

However, it also deploys ransomware payloads, which indicates a parallel financial profit motive.

Storm-2603 has been active since at least March 2025 and was most recently observed leveraging the ToolShell exploit chain to weaponize the SharePoint vulnerabilities CVE-2025-49704, CVE-2025-49706, CVE-2025-53770, and CVE-2025-53771.

SpiderLabs’ and other researchers’ investigations into Storm-2603 uncovered the group’s prior reliance on the Project AK47 toolset, which consists of ransomware, backdoor malware, and other tools.

Analysis further indicates a financial dimension to Storm-2603’s operations, with past links to a LockBit 3.0/LockBit Black affiliate and the management of the Warlock double-extortion leak platform.

SpiderLabs’ deep dive into Storm-2603 reveals why there is some concern that it is, in fact, related to China. The group appears to operate in the same space as the espionage-focused actors Linen Typhoon and Violet Typhoon.

However, the available evidence cannot confirm whether Storm-2603 is directly state-directed or whether its blend of espionage-driven and financially motivated activity is merely a coincidence.

Target List

Storm-2603 does not limit itself to targeting specific global regions, but is a worldwide danger. It has conducted ransomware operations in the Asia-Pacific region and Latin America using LockBit Black and Warlock.

As previously noted, it has exploited SharePoint vulnerabilities in the US, going after critical infrastructure organizations such as the US Nuclear Weapons Agency.

In Europe, targeting has been less direct, with activity largely tied to espionage campaigns associated with related Chinese threat groups. Other parts of the globe are affected as well due to the severe SharePoint vulnerability exploitation.

Breaking Down the AK47 Toolkit and TTPs

The group’s Project AK47 malware collection is almost entirely Windows-based, reflecting a strong preference for Windows environments. However, limited observations of Linux variants of the Warlock ransomware in the wild suggest the group retains some capability to target non-Windows systems as well.

  • Initial Access - Storm-2603 has demonstrated a knack for exploiting on-premises Microsoft SharePoint vulnerabilities. They do this by bypassing authentication mechanisms, pulling out machine keys, and using those credentials to get full administrative control of the server.
  • Execution - The group frequently uses Base64-encoded commands to run malicious PowerShell scripts. Their toolset also includes batch scripts and cmd.exe to run PsExec, and they use Windows Management Instrumentation (WMI) for remote command execution.
  • Persistence - To keep their access, the group heavily relies on web shells. They also use backdoors in their DNS-based and HTTP-based clients as extra ways to get in. Additionally, they create scheduled tasks to automatically re-run malicious components, making sure they stay active even after a system reboot.
  • Defense Evasion - Storm-2603 utilizes legitimate tools, such as PsExec and masscan, to blend in with normal activity and employs domain masquerading to deceive defenders and avoid detection.
    The group has also been seen using reflective payload loading and BYOVD (Bring Your Own Vulnerable Driver) attacks to get around security controls. The group even deploys a custom tool to disable security solutions and has changed the Windows registry to turn off Microsoft Defender.
  • Lateral Movement - Storm-2603 moves laterally through a network using tools like PsExec and the Impacket toolkit to run commands and deploy payloads on remote systems. It has used WMI for remote execution and modified Group Policy Objects (GPOs) to help with mass ransomware deployment across compromised environments.
  • Credential Access - This threat actor gets credentials by using Mimikatz, targeting LSASS (Local Security Authority Subsystem Service) memory to pull out plaintext credentials.
  • Discovery - Storm-2603 runs basic commands, such as whoami, to determine the user context and confirm their privilege level. They also use masscan for network reconnaissance, which helps them quickly find vulnerable services for further exploitation.
  • Command and Control - Storm-2603 uses a fast reverse proxy tool for its command-and-control communications. The group also deploys custom backdoors that use HTTP and DNS protocols for stealthy data exchange with their infrastructure.
  • Impact - The group’s operations have had a major impact through the deployment of LockBit Black and Warlock ransomware. These attacks cause service disruptions, data encryption, and sometimes financial theft, indicating it is motivated by disruption and financial gain.
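As an added illustration of how a defender might hunt for the Execution, Persistence and Defense Evasion behaviours in the list above (this is example code, not Trustwave's or the original post's), the following Python detector decodes PowerShell -EncodedCommand blobs in process-creation log lines and flags Defender tampering and scheduled-task creation. The log line format, the indicator patterns and the sample lines are assumptions constructed for the example.

```python
import base64
import re
from typing import Optional

# Assumed (constructed) process-creation log format: "<ts> user=<user> cmd=<command line>"
LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) cmd=(?P<cmd>.*)$")
# Common spellings of PowerShell's -EncodedCommand switch plus its Base64 blob ("-ExecutionPolicy" never matches)
ENC_RE = re.compile(r"(?i)(?:^|\s)-e(?:c|n|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})")
# Indicators taken from the TTP list above: Defender tampering and scheduled-task persistence
INDICATORS = {
    "defender_tamper": re.compile(r"(?i)Set-MpPreference\s+-Disable|DisableAntiSpyware"),
    "scheduled_task": re.compile(r"(?i)schtasks(?:\.exe)?\s+/create|Register-ScheduledTask"),
}

def decode_encoded_command(blob: str) -> Optional[str]:
    """-EncodedCommand is Base64 over the UTF-16LE bytes of the script; undo both layers."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def analyse_line(line: str) -> Optional[dict]:
    """Return a finding dict for one log line, or None when nothing in the TTP list matches."""
    m = LINE_RE.match(line)
    if not m:
        return None
    cmd, findings, decoded = m.group("cmd"), [], None
    enc = ENC_RE.search(cmd)
    if enc:
        decoded = decode_encoded_command(enc.group(1))
        if decoded is not None:
            findings.append("encoded_powershell")
    # Check indicators against wrapper and decoded payload together: the raw line hides the payload
    haystack = cmd if decoded is None else f"{cmd} {decoded}"
    findings += [name for name, rx in INDICATORS.items() if rx.search(haystack)]
    if not findings:
        return None
    return {"ts": m.group("ts"), "user": m.group("user"), "findings": findings, "decoded": decoded}

def encode_ps(script: str) -> str:
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")  # builds sample -enc blobs

# Constructed sample log lines, not real telemetry from the campaign
SAMPLE_LINES = [
    "2025-09-17T10:01:02Z user=svc_sp cmd=powershell.exe -NoP -w hidden -enc "
    + encode_ps("Set-MpPreference -DisableRealtimeMonitoring $true"),
    r"2025-09-17T10:01:05Z user=svc_sp cmd=cmd.exe /c schtasks /create /tn Updater /tr C:\ProgramData\svc.bat /sc onstart",
    r"2025-09-17T10:02:00Z user=alice cmd=powershell.exe -ExecutionPolicy Bypass -File C:\scripts\report.ps1",
    r'2025-09-17T10:03:00Z user=svc_sp cmd=reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f',
]
```

Running `analyse_line` over `SAMPLE_LINES` flags the first, second and fourth lines and leaves the ordinary signed-script invocation alone; in production the same logic would sit over Windows 4688 or Sysmon process-creation events.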

Mitigations

SpiderLabs has a full set of mitigations listed here, which includes the specific Microsoft patches to apply. Organizations should prioritize patching all SharePoint environments, including test, development, and production servers. Customers using SharePoint Subscription Edition should apply the security update provided in KB5002768 to mitigate the vulnerability.


Source: https://www.trustwave.com/en-us/resources/blogs/trustwave-blog/storm-2603-targeting-sharepoint-vulnerabilities-and-critical-infrastructure-worldwide/