The threat actor linked to the exploitation of the recently disclosed security flaws in Microsoft SharePoint Server is using a bespoke command-and-control (C2) framework called AK47 C2 (also spelled ak47c2) in its operations.
The framework includes at least two different types of clients, HTTP-based and Domain Name System (DNS)-based, which have been dubbed AK47HTTP and AK47DNS, respectively, by Check Point Research.
The activity has been attributed to Storm-2603, which, according to Microsoft, is a suspected China-based threat actor that has leveraged the SharePoint flaws – CVE-2025-49706 and CVE-2025-49704 (aka ToolShell) – to deploy Warlock (aka X2anylock) ransomware.
A previously unreported threat cluster, evidence gathered following an analysis of VirusTotal artifacts shows that the group may have been active since at least March 2025, deploying ransomware families like LockBit Black and Warlock together – something that’s not observed commonly among established e-crime groups.
“Based on VirusTotal data, Storm-2603 likely targeted some organizations in Latin America throughout the first half of 2025, in parallel to attacking organizations in APAC,” Check Point said.
The attack tools used by the threat actor includes legitimate open-source and Windows utilities like masscan, WinPcap, SharpHostInfo, nxc, and PsExec, as well as a custom backdoor (“dnsclient.exe”) that uses DNS for command-and-control with the domain “update.updatemicfosoft[.]com.”
The backdoor is part of the AK47 C2 framework, alongside AK47HTTP, that’s employed to gather host information and parse DNS or HTTP responses from the server and execute them on the infected machine via “cmd.exe.” The initial access pathway used in these attacks are unknown.
A point worth mentioning here is that the aforementioned infrastructure was also flagged by Microsoft as used by the threat actor as a C2 server to establish communication with the “spinstall0.aspx” web shell. In addition to the open-source tools, Storm-2603 has been found to distribute three additional payloads –
- 7z.exe and 7z.dll, the legitimate 7-Zip binary that’s used to sideload a malicious DLL, which delivers Warlock
- bbb.msi, an installer that uses clink_x86.exe to sideload “clink_dll_x86.dll,” which leads to LockBit Black deployment
Check Point said it also discovered another MSI artifact uploaded to VirusTotal in April 2025 that’s used to launch Warlock and LockBit ransomware, and also drop a custom antivirus killer executable (“VMToolsEng.exe”) that employs the bring your own vulnerable driver (BYOVD) technique to terminate security software using ServiceMouse.sys, a third-party driver provided by Chinese security vendor Antiy Labs.
Ultimately, Storm-2603’s exact motivations remain unclear at this stage, making it harder to determine if it’s espionage-focused or driven by profit motives. However, it bears noting that there have been instances where nation-state actors from China, Iran, and North Korea have deployed ransomware on the side.
“Storm-2603 leverages BYOVD techniques to disable endpoint defenses and DLL hijacking to deploy multiple ransomware families – blurring the lines between APT and criminal ransomware operations,” Check Point said. “The group also uses open-source tools like PsExec and masscan, signaling a hybrid approach seen increasingly in sophisticated attacks.”