Storm-2603

Storm-2603 is a threat actor also tracked as GOLD SALEM, CL-CRI-1040, and in some reporting as Warlock Group. Microsoft assesses it with moderate confidence to be a China-based threat actor, though Sophos CTU stated it had insufficient evidence to corroborate that attribution. The actor has been associated with financially motivated ransomware activity and has deployed Warlock ransomware, with reporting also linking it to LockBit and Babuk deployments. Storm-2603 has been observed exploiting multiple on-premises Microsoft SharePoint vulnerabilities, including the 2025 ToolShell exploit chain involving CVE-2025-49704, CVE-2025-49706, CVE-2025-53770, and CVE-2025-53771, against internet-facing SharePoint servers. Microsoft reported the actor used these exploits to deploy web shells such as spinstall0.aspx and variants, steal ASP.NET MachineKey material, execute commands via w3wp.exe, run discovery commands, disable security services through registry modifications, establish persistence through web shells, scheduled tasks, and IIS component manipulation, dump credentials from LSASS with Mimikatz, move laterally with PsExec, Impacket, and WMI, and distribute Warlock ransomware via Group Policy Objects. Reporting also states Storm-2603 attempted to steal MachineKeys from SharePoint servers and installed web shells on exposed systems. The actor has also been linked to exploitation of SmarterMail, specifically CVE-2026-23760, to deploy Warlock ransomware. ReliaQuest reported Storm-2603 exploited the authentication bypass to take over servers, reset administrator passwords, and abuse SmarterMail’s built-in Volume Mount feature for high-privilege command execution. In these intrusions, the actor was reported to deploy Velociraptor for persistence and ransomware staging. Additional reporting noted probing related to CVE-2026-24423. Sophos reported GOLD SALEM had compromised networks and deployed Warlock ransomware since March 2025, with victims across North America, Europe, and South America, including small commercial entities, government entities, and large multinational corporations. Insikt Group reported Storm-2603/Gold Salem deployed Warlock, LockBit, and Babuk ransomware against agriculture, government, energy and natural resources, and telecommunications sectors in Latin America and the Caribbean and Asia-Pacific. Mentioned victim sectors also include government, energy, natural resources, telecommunications, and agriculture. Observed tradecraft includes use of ASPX web shells, Golang-based WebSockets backdoors, BYOVD to disable EDR using a vulnerable Baidu Antivirus driver, abuse of Velociraptor to establish a Visual Studio Code network tunnel, and use of legitimate tools for persistence and post-compromise operations. Reporting also links Storm-2603 to active exploitation of SharePoint and SmarterMail infrastructure and describes it as a ransomware-deploying actor distinct from Linen Typhoon and Violet Typhoon.