Check Point Research has uncovered sophisticated tactics employed by Storm-2603, a Chinese APT group that leverages legitimate drivers to disable endpoint protection systems while deploying multiple ransomware families simultaneously.
The threat actor, first identified during Microsoft’s investigation into ToolShell SharePoint exploitations, has been actively targeting organizations across Latin America and Asia-Pacific throughout 2025.
Custom “Antivirus Terminator” Weaponizes Legitimate Driver
Storm-2603’s most notable innovation is their “Antivirus Terminator” tool, which exploits the BYOVD (Bring Your Own Vulnerable Driver) technique to neutralize security defenses.

The tool abuses a legitimate, digitally signed driver originally from Antiy Labs’ System In-Depth Analysis Toolkit, renamed from AToolsKrnl64.sys to ServiceMouse.sys.
The malware creates a Windows service called “ServiceMouse” and communicates with the installed driver using specific IO control codes.
The primary function uses control code 0x99000050 to terminate antivirus processes, while additional codes 0x990000D0 and 0x990001D0 enable file deletion and driver uninstallation capabilities.

This approach effectively bypasses traditional endpoint protection by operating at the kernel level with legitimate, signed components that security solutions typically trust.
AK47C2 Framework Enables Persistent Access
According to the report, the threat group employs a custom command-and-control framework dubbed “ak47c2,” featuring both HTTP-based (“ak47http”) and DNS-based (“ak47dns”) communication channels.
The DNS variant uses sophisticated encoding techniques, XOR-encrypting data with the key “VHBD@H” and fragmenting larger payloads into 63-byte segments for DNS TXT record queries to domains like update.updatemicfosoft[.]com.
The HTTP variant follows similar encryption protocols but transmits JSON-formatted commands through POST requests.
Both backdoors execute commands via cmd.exe /c and maintain persistence through randomized session identifiers, making detection and attribution more challenging for security teams.
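The DNS channel described above is detectable from resolver logs without knowing the full protocol: TXT queries to a known-bad zone, labels padded out to the 63-byte DNS maximum, and many such queries from one client in a short window. The following is an added example, not Check Point's or the threat actor's code. The XOR key "VHBD@H" and the 63-byte fragment size are the values the report gives; hex encoding of the fragments, the query-name layout "<fragment>.<session>.<zone>", and the log-line format are assumptions made so that the sample data can be built and decoded offline.

```python
"""Heuristic detection of fragmented DNS TXT C2 traffic (constructed example).

Scores DNS query log lines for the traits reported for ak47dns and offers an
analyst helper that reassembles and XOR-decodes a flagged session.
"""
from collections import defaultdict

XOR_KEY = b"VHBD@H"                                   # key reported by Check Point
IOC_ZONES = ("updatemicfosoft.com", "microsfot.org")  # zones from the IOC list
MAX_LABEL = 63                                        # DNS label limit (RFC 1035)


def xor_crypt(data: bytes, key: bytes = XOR_KEY) -> bytes:
    """Repeating-key XOR; symmetric, so the same call encodes and decodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def fragment_hex(data: bytes, size: int = MAX_LABEL) -> list[str]:
    """Hex-encode and cut into labels of at most `size` characters (assumed layout)."""
    h = data.hex()
    return [h[i:i + size] for i in range(0, len(h), size)]


def zone_of(qname: str) -> str:
    """Registrable zone approximated as the last two labels."""
    return ".".join(qname.rstrip(".").split(".")[-2:])


def parse_line(line: str) -> dict:
    """Constructed log format: '<timestamp> <client_ip> <qtype> <qname>'."""
    ts, client, qtype, qname = line.split()
    return {"ts": ts, "client": client, "qtype": qtype, "qname": qname.rstrip(".")}


def score_query(q: dict) -> list[str]:
    """Per-query indicators: IOC zone, or a TXT query carrying a near-maximal label."""
    reasons = []
    labels = q["qname"].split(".")
    if zone_of(q["qname"]) in IOC_ZONES:
        reasons.append("ioc-zone")
    if q["qtype"] == "TXT" and any(len(l) >= MAX_LABEL - 3 for l in labels[:-2]):
        reasons.append("max-length-label")
    return reasons


def detect(lines, min_queries: int = 4) -> dict:
    """Group queries by (client, zone); alert on an IOC zone, or on repeated
    max-length TXT labels from one client to one zone (unknown infrastructure)."""
    sessions = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        q = parse_line(line)
        q["reasons"] = score_query(q)
        sessions[(q["client"], zone_of(q["qname"]))].append(q)
    alerts = {}
    for key, qs in sessions.items():
        reasons = {r for q in qs for r in q["reasons"]}
        if "ioc-zone" in reasons or (
            "max-length-label" in reasons and len(qs) >= min_queries
        ):
            alerts[key] = qs
    return alerts


def reassemble(queries: list[dict]) -> bytes:
    """Analyst helper: join the first label of each query in order, hex-decode,
    then XOR-decode with the reported key (assumes the layout used above)."""
    hexdata = "".join(q["qname"].split(".")[0] for q in queries)
    return xor_crypt(bytes.fromhex(hexdata))


def build_sample_log() -> list[str]:
    """Constructed resolver log: two benign queries plus one fragmented session."""
    payload = b'{"cmd":"whoami","session":"ab12cd"}'   # constructed, not a real command
    frags = fragment_hex(xor_crypt(payload))
    bad = [
        f"2025-07-21T10:00:{i:02d}Z 10.0.0.5 TXT {f}.ab12cd.updatemicfosoft.com"
        for i, f in enumerate(frags)
    ]
    benign = [
        "2025-07-21T10:00:00Z 10.0.0.7 A www.example.com",
        "2025-07-21T10:00:01Z 10.0.0.7 TXT _dmarc.example.com",
    ]
    return benign + bad


if __name__ == "__main__":
    for (client, zone), qs in detect(build_sample_log()).items():
        print(f"{client} -> {zone}: {len(qs)} queries, decoded: {reassemble(qs)!r}")
```

The IOC-zone rule is exact but brittle (the actor can register a new domain); the label-length rule is the durable one, so tune `min_queries` against a baseline of your own resolver's TXT traffic before alerting on unknown zones.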
Multi-Ransomware Deployment Strategy
Storm-2603 distinguishes itself by deploying multiple ransomware families simultaneously, including LockBit Black and Warlock/x2anylock variants.
This multi-strain approach, while uncommon among established groups, increases the likelihood of successful encryption and complicates recovery efforts.
The group leverages DLL hijacking techniques for deployment, using legitimate executables like 7z.exe and clink_x86.exe to side-load malicious libraries.
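Both the driver abuse described under “Antivirus Terminator” (a signed Antiy driver renamed to ServiceMouse.sys and installed as a service) and the DLL side-loading above leave telltales in endpoint telemetry. The following rules are an added example, not Check Point's or any vendor's detection content. The events use a simplified, made-up schema (type, image, original_filename, sha256, signed, process, service) standing in for Sysmon or EDR fields, the event values are constructed, and the two hashes come from the article's IOC table.

```python
"""Endpoint-telemetry rules for the tradecraft in the article (constructed example):
a renamed signed driver installed as a service, side-loading through known host
executables, and file-hash IOC matching.  Map real Sysmon/EDR fields onto the
simplified event schema used here before running it on live data.
"""
from pathlib import PureWindowsPath

IOC_SHA256 = {  # two of the hashes from the article's IOC table
    "f711b14efb7792033b7ac954ebcfaec8141eb0abafef9c17e769ff96e8fecdf3",
    "035998b724044d20d583fffa393907c7fef11ad8b93b4d423ad8cb8e53f248b7",
}
ABUSED_DRIVER_ORIGINAL = "atoolskrnl64.sys"   # Antiy driver the report says is renamed
SIDELOAD_HOSTS = {"7z.exe", "clink_x86.exe"}  # host executables named in the report
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def _name(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def _in_trusted_root(path: str) -> bool:
    return path.lower().startswith(TRUSTED_ROOTS)


def check_event(ev: dict) -> list[str]:
    """Return the names of the rules the event trips (empty list if benign)."""
    hits = []
    if ev.get("sha256", "").lower() in IOC_SHA256:
        hits.append("ioc-hash")
    if ev["type"] == "service_install" and _name(ev["image"]).endswith(".sys"):
        orig = ev.get("original_filename", "").lower()
        if orig and orig != _name(ev["image"]):
            hits.append("renamed-driver")        # on-disk name != PE OriginalFileName
        if orig == ABUSED_DRIVER_ORIGINAL:
            hits.append("known-abused-driver")
    if ev["type"] == "image_load" and _name(ev["process"]) in SIDELOAD_HOSTS:
        # A trusted host binary running outside an install root, or loading an
        # unsigned DLL, is the side-loading pattern the report describes.
        if not ev.get("signed", False) or not _in_trusted_root(ev["process"]):
            hits.append("dll-sideload-host")
    return hits


def scan(events: list[dict]) -> list[tuple[str, list[str]]]:
    """Return (event id, rule hits) for every event that trips at least one rule."""
    return [(ev["id"], hits) for ev in events if (hits := check_event(ev))]


# Constructed telemetry; paths, service name and the placeholder hash are made up.
SAMPLE_EVENTS = [
    {"id": "svc-1", "type": "service_install", "service": "ServiceMouse",
     "image": "C:\\Windows\\Temp\\ServiceMouse.sys",
     "original_filename": "AToolsKrnl64.sys",
     "sha256": "0" * 64},                        # placeholder, not a real IOC
    {"id": "svc-2", "type": "service_install", "service": "tcpip",
     "image": "C:\\Windows\\System32\\drivers\\tcpip.sys",
     "original_filename": "tcpip.sys"},
    {"id": "load-1", "type": "image_load", "process": "C:\\Users\\Public\\7z.exe",
     "image": "C:\\Users\\Public\\7z.dll", "signed": False},
    {"id": "load-2", "type": "image_load", "process": "C:\\Program Files\\7-Zip\\7z.exe",
     "image": "C:\\Program Files\\7-Zip\\7z.dll", "signed": True},
    {"id": "file-1", "type": "file_create", "image": "C:\\Users\\Public\\update.exe",
     "sha256": "f711b14efb7792033b7ac954ebcfaec8141eb0abafef9c17e769ff96e8fecdf3"},
]

if __name__ == "__main__":
    for event_id, hits in scan(SAMPLE_EVENTS):
        print(f"{event_id}: {', '.join(hits)}")
```

The renamed-driver rule is the most generally useful of the three: it needs no prior knowledge of the specific driver, only the PE OriginalFileName of the file being registered as a kernel service, which most EDR products already record. Pair it with Microsoft's vulnerable driver blocklist so that known-abused drivers are blocked rather than merely flagged.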
The attacks also incorporate common open-source tools including masscan for network reconnaissance, PsExec for lateral movement, and nxc for vulnerability exploitation, demonstrating a comprehensive toolkit that combines custom malware with readily available utilities.
This convergence of BYOVD techniques, sophisticated C2 infrastructure, and multi-ransomware deployment represents an evolution in APT tactics that security teams must prepare to counter through enhanced driver validation and behavioral analysis capabilities.
Indicators of Compromise (IOCs)
- updatemicfosoft[.]com
- microsfot[.]org
SHA-256 file hashes:
- f711b14efb7792033b7ac954ebcfaec8141eb0abafef9c17e769ff96e8fecdf3
- 035998b724044d20d583fffa393907c7fef11ad8b93b4d423ad8cb8e53f248b7
- abb0fa128d3a75e69b59fe0391c1158eb84a799ddb0abc55d2d6be3511ef0ea1
- 3b013d5aec75bf8aab2423d0f56605c3860a8fbd4f343089a9a8813b15ecc550
- dbf5ee8d232ebce4cd25c0574d3a1ab3aa7c9caf9709047a6790e94d810377de
- 1eb914c09c873f0a7bcf81475ab0f6bdfaccc6b63bf7e5f2dbf19295106af192
- d6da885c90a5d1fb88d0a3f0b5d9817a82d5772d5510a0773c80ca581ce2486d
- 0f4b0d65468fe3e5c8fb4bb07ed75d4762e722a60136e377bdad7ef06d9d7c22
- f01675f9ca00da067bdb1812bf829f09ccf5658b87d3326d6fddd773df352574
- 8f58da414ec4cdad2f6ac86c19e0a806886c63cfdf1fbbb5a0713dce8a0164c5
- 24480dbe306597da1ba393b6e30d542673066f98826cc07ac4b9033137f37dbf
- aa25646ea17ae33285203c225386304de1fe4155be44bb86deb154b87b47e3fb
- b5a78616f709859a0d9f830d28ff2f9dbbb2387df1753739407917e96dadf6b0
- c27b725ff66fdfb11dd6487a3815d1d1eba89d61b0e919e4d06ed3ac6a74fe94
- eaec6b1b23c4450d1d0a7d409d3f21e8a4a171a9e9b82bb8ef2c05a2f7435e9c
- 257fed1516ae5fe1b63eae55389e8464f47172154297496e6f4ef13c19a26505
- ceec1a2df81905f68c7ebe986e378fec0805aebdc13de09a4033be48ba66da8b
- 55a246576af6f6212c26ef78be5dd8f83e78dd45aea97bb505d8cee1aeef6f17
- aca888bbb300f75d69dd56bc22f87d0ed4e0f6b8ed5421ef26fc3523980b64ad
- f06fe1c3e882092a23002bed3e170da7b64e6b4475acdedea1433a874b10afdf
- 7c31d43b30bda3a891f0332ee5b1cf610cdc9ecf772cea9b073ac905d886990d