Storm-2603 AK47 C2 framework buildout and rapid prototype development
Technical Analysis
Summary
A rapid March-July 2025 buildout of AK47 C2 and repeated ransomware pivots strengthened Storm-2603's intrusion capability and attribution-evasion posture, increasing risk across compromised enterprise environments. The technical findings show how the group moved from infrastructure setup to prototype development, then to fast operational shifts across LockBit, Warlock, and Babuk. The analysis also surfaces OPSEC patterns that help defenders spot the actor’s tooling and packaging workflow. These details matter because they reveal how the group scaled and adapted its offensive infrastructure in weeks rather than months.
Related Happenings
MuddyWater broad cyber-espionage campaign across sectors and countries
Campaign
First: 14.05.2026 00:59
Last: 14.05.2026 00:59
Sources 1
About this happening:
**MuddyWater** was tied to a **2026 espionage campaign** affecting **at least nine organizations** across **nine countries** on **four continents**, with victims in **industrial a...
China-nexus agentic tools attack campaign targeting Japanese technology and East Asian cybersecurity organizations
Campaign
First: 11.05.2026 16:00
Last: 11.05.2026 16:00
Sources 1
About this happening:
A **China-nexus actor** used **agentic tools** in a targeted attack against a **Japanese technology firm** and an **East Asian cybersecurity platform**, showing how AI-driven orch...
Storm-1175 high-velocity exploit campaign
Campaign
First: 06.04.2026 19:56
Last: 06.04.2026 19:56
Sources 1
About this happening:
**Storm-1175** is running a **high-velocity exploit campaign** that rapidly turns access into **Medusa ransomware** deployment, creating risk of **data exfiltration** and encrypte...
Storm-2603 Velociraptor-abuse ransomware campaign
Campaign
First: 09.10.2025 22:31
Last: 09.10.2025 22:31
Sources 1
How related:
Threat actors are abusing Velociraptor, an open-source digital forensics and incident response (DFIR) tool, in connection with ransomware attacks likely orchestrated by Storm-2603 (aka CL-CRI-1040 or Gold Salem), which is known for deploying the Warlock and LockBit ransomware.
About this happening:
The **Storm-2603** campaign abuses **Velociraptor** as an intrusion enabler during **ransomware attacks**, using an outdated **Velociraptor 0.73.4.0** instance vulnerable to **CVE...
Velociraptor DFIR abuse for ransomware persistence
Malware Activity
First: 09.10.2025 22:31
Last: 09.10.2025 22:31
Sources 1
How related:
It's assessed that the attackers weaponized the on-premises SharePoint vulnerabilities known as ToolShell to obtain initial access and deliver an outdated version of Velociraptor (version 0.73.4.0) that's susceptible to a privilege escalation vulnerability (CVE-2025-6264) to enable arbitrary command execution and endpoint takeover, per Cisco Talos.
About this happening:
The **Velociraptor** DFIR tool is being abused in **ransomware attacks** tied to **Storm-2603** (aka **CL-CRI-1040**/**Gold Salem**), with **ToolShell** used for initial access to...
Timeline
11.10.2025 16:04 · 2 articles
Storm-2603 AK47 C2 framework buildout and rapid prototype development
Initial Disclosure: In **March 2025**, **Storm-2603** stood up **AK47 C2** infrastructure and built a first prototype the following month. That early timeline shows the actor moving quickly from setup into working tooling before later ransomware pivots.
Sources
- Hackers Turn Velociraptor DFIR Tool Into Weapon in LockBit Ransomware Attacks — thehackernews.com — 11.10.2025 16:04