
AK47 C2 Framework

A recently uncovered threat actor, identified as Storm-2603, has been linked to the exploitation of known security vulnerabilities in Microsoft SharePoint Server. This group is suspected to operate out of China and employs a custom Command-and-Control (C2) framework dubbed AK47 C2 (also stylized as ak47c2) to orchestrate its attacks.

The AK47 C2 framework has two components, distinguished by transport: AK47HTTP, which communicates with its server over HTTP, and AK47DNS, which tunnels command delivery through DNS queries and responses.

In both cases the implant parses the HTTP or DNS response it receives from the server for a command and executes that command on the infected host through cmd.exe.

Exploiting Microsoft Flaws for Maximum Impact

Storm-2603 has weaponized the SharePoint vulnerabilities CVE-2025-49706 and CVE-2025-49704 (chained together, the pair is known as ToolShell) to breach networks and deploy malicious payloads. Chief among those payloads are the ransomware families Warlock (aka X2anylock) and LockBit Black, a combination not typically observed among mainstream e-crime operators.

A key technical indicator is dnsclient.exe, the DNS-based backdoor of the AK47 C2 suite, which beacons to the look-alike domain update.updatemicfosoft.com. The domain is a typosquat of Microsoft's name (an 'f' in place of the 'r') intended to pass as update traffic in DNS logs and so evade casual review.
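The two points above (commands arriving inside DNS responses, and a typosquatted domain chosen to blend into Microsoft update traffic) translate directly into log triage. The following is an added example for this page, not AK47 C2 code and not the analysts' tooling: it scans a DNS query log for the indicator domain named in the article, for second-level labels one edit away from "microsoft", and for long high-entropy subdomain labels of the kind DNS C2 uses to carry data upstream. The log format (one "timestamp client qname" line per query) and the sample lines are constructed; the entropy and length thresholds are starting points to tune, and the "registrable domain is the last two labels" shortcut is wrong for ccTLD second-level registries such as .co.uk.

```python
"""Flag DNS queries that look like AK47DNS beaconing.

Added example for this page; it is not AK47 C2 code and not the analysts'
tooling. Assumptions: the log is one query per line, "<timestamp> <client>
<qname>" (a constructed format), the registrable domain is the last two
labels (wrong for ccTLD second-level registries such as .co.uk), and the
tunnelling thresholds are starting points to tune, not published values.
"""
import math
from collections import Counter

# Indicator named in the article: a look-alike of microsoft.com with 'r'
# replaced by 'f'.
IOC_DOMAINS = {"updatemicfosoft.com"}
BRAND = "microsoft"

# Constructed sample log: line 3 is a hypothetical data-carrying query, not a
# captured AK47DNS transaction; line 5 is an unrelated tunnelling-style query.
SAMPLE_LOG = """\
2025-07-20T10:00:01Z 10.0.0.5 www.microsoft.com.
2025-07-20T10:00:02Z 10.0.0.5 update.updatemicfosoft.com.
2025-07-20T10:00:03Z 10.0.0.7 a3f9c1e2b7d4.7e1a0b9c.update.updatemicfosoft.com.
2025-07-20T10:00:04Z 10.0.0.9 login.microsoftonline.com.
2025-07-20T10:00:05Z 10.0.0.9 4f1c9a2b7d3e6f8a0b1c2d3e4f5a6b7c8d9e0f1a.example.net.
"""


def shannon_entropy(s: str) -> float:
    """Bits per character; hex-encoded payloads sit near 4, English words near 3."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; inputs are short labels, so O(len(a)*len(b)) is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def brand_distance(label: str) -> int:
    """Smallest edit distance between BRAND and any BRAND-length window of label,
    so 'updatemicfosoft' is compared on its 'micfosoft' slice, not as a whole."""
    if len(label) <= len(BRAND):
        return edit_distance(label, BRAND)
    w = len(BRAND)
    return min(edit_distance(label[i:i + w], BRAND) for i in range(len(label) - w + 1))


def classify(qname: str) -> list[str]:
    """Return the reasons a query is suspicious (empty list means clean)."""
    labels = qname.rstrip(".").lower().split(".")
    reasons = []
    if len(labels) < 2:
        return reasons
    sld, registrable = labels[-2], ".".join(labels[-2:])
    if registrable in IOC_DOMAINS:
        reasons.append("ioc-domain")
    # A second-level label exactly one edit from the brand, but not the brand itself.
    if brand_distance(sld) == 1:
        reasons.append(f"typosquat:{BRAND}")
    # Long, high-entropy subdomain labels are how DNS C2 carries data upstream.
    for label in labels[:-2]:
        if len(label) >= 20 and shannon_entropy(label) > 3.5:
            reasons.append("tunnel-like-label")
            break
    return reasons


def scan(log_text: str) -> list[tuple[str, str, list[str]]]:
    """Return (client, qname, reasons) for every flagged line of the log."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than abort the triage
        _ts, client, qname = parts
        reasons = classify(qname)
        if reasons:
            hits.append((client, qname.rstrip(".").lower(), reasons))
    return hits


if __name__ == "__main__":
    for client, qname, reasons in scan(SAMPLE_LOG):
        print(f"{client} {qname} -> {', '.join(reasons)}")
```

Run against the constructed log, the exact-match line and the data-carrying line under the indicator domain are both caught by the domain and typosquat checks, www.microsoft.com and login.microsoftonline.com are left alone because a window of their second-level label matches the brand exactly, and the unrelated 40-character hex label trips only the tunnelling heuristic. The windowed edit distance matters: a whole-label comparison of "updatemicfosoft" against "microsoft" would score far above 1 and miss the typosquat.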

Hybrid Arsenal: Open-Source Meets Custom Payloads

Storm-2603's toolkit demonstrates a blend of legitimate software and malicious enhancements, including:

Commonly Used Utilities:

  • masscan – Port scanning and reconnaissance.
  • WinPcap – Packet capture driver and library.
  • SharpHostInfo – Gathers host information.
  • nxc (NetExec) and PsExec – Remote command execution.

Malicious Additions:

  • 7z.exe and 7z.dll: The legitimate 7-Zip executable is abused to side-load a 7z.dll placed beside it, which delivers Warlock ransomware.
  • bbb.msi: An installer package whose clink_x86.exe side-loads clink_dll_x86.dll, ultimately deploying LockBit Black.

Alongside this DLL side-loading, the group uses BYOVD (Bring Your Own Vulnerable Driver) to disable endpoint protection from kernel mode, which further complicates detection and response.

Geographic Reach and Shadowy Objectives

Evidence suggests Storm-2603 has been active since at least March 2025, targeting entities across Latin America and the Asia-Pacific (APAC) region. The group's combination of two ransomware families and its spread across regions and sectors raise questions about its ultimate goals.

Although their motivations remain murky, parallels with other nation-state actors (notably from China, Iran, and North Korea) who have employed ransomware in geopolitical operations suggest that Storm-2603 might straddle the line between espionage and financially motivated crime.

The APT-Criminal Nexus: A Growing Concern

Storm-2603 exemplifies a rising trend of hybrid threat actors that mix traditional Advanced Persistent Threat (APT) techniques with ransomware operations. Noteworthy tactics include:

Tactical Highlights:

  • Use of DLL hijacking to deliver multiple ransomware strains.
  • BYOVD to dismantle endpoint protection tools.
  • Reliance on open-source tools for stealth and scalability.

The group hosts its web shells (such as spinstall0.aspx) and its C2 endpoints on the same infrastructure, which underlines the increasing sophistication of modern-day cyberattacks.

Storm-2603's operations reveal a dangerous evolution in cybercrime, where blurred lines between state-sponsored espionage and profit-driven malware campaigns make attribution, defense, and response significantly more complex.
