Inside Storm-2603: The Ransomware Operator Behind ToolShell’s Shadow

Check Point Research investigated the ransomware operator Storm-2603, linked to the ToolShell exploitation campaign. Storm-2603, active in Latin America and APAC, uses a hybrid approach combining APT and ransomware tactics. The group employs a custom C2 framework, AK47C2, and deploys multiple ransomware strains, including LockBit Black and Warlock, often in tandem.