A hacking group named Storm-2603 has recently been found exploiting security weaknesses in Microsoft SharePoint servers. Their goal is to break into organizations and deploy ransomware. What’s really concerning is that they’re using a new kind of backdoor that works through DNS, which helps them control infected systems secretly over the internet.
These attacks are made possible by abusing two SharePoint vulnerabilities called CVE-2025-49706 and CVE-2025-49704. Together, these are being called the ToolShell vulnerabilities. Once Storm-2603 finds a vulnerable SharePoint server, they install a file named spinstall0.aspx. This gives them remote access to the system using a web shell, which acts like a hidden doorway into the server.
After breaking in, the attackers steal ASP.NET machine keys to stay in control of the system even if someone tries to kick them out. They also turn off Microsoft Defender protections by changing registry settings and setting up scheduled tasks. This helps their malware avoid being detected by regular security software.
One of the most advanced parts of their operation is a custom tool called dnsclient.exe. This tool is actually a backdoor that uses DNS tunneling to talk to a server controlled by the attackers. It connects to a lookalike domain that imitates a Microsoft site, update.updatemicfosoft[.]com. This allows the hackers to quietly send and receive information without triggering alarms.
Storm-2603 also uses popular hacker tools like Mimikatz to steal usernames and passwords from memory. After that, they move deeper into the victim’s network using tools such as PsExec, Impacket, and WMI. Once they’ve spread far enough inside, they use Group Policy Objects to deploy ransomware to many systems at once.
Interestingly, this group doesn’t rely on just one ransomware family. They have been seen using both Warlock (also known as X2anylock) and LockBit Black. It’s rare to see one group use two types of ransomware in the same attack, which suggests they might be helping other criminal groups or combining multiple campaigns.
These attacks aren’t limited to one part of the world. Organizations in Latin America and the Asia-Pacific region have already been affected. In just five days, between July 17 and July 21, 2025, more than 400 companies were hit. These include businesses in sectors like finance, telecom, education, infrastructure, and even government.
Microsoft has confirmed that Storm-2603 is actively using these vulnerabilities. They’ve urged all organizations to install the July 2025 SharePoint security updates immediately. These updates are listed as KB5002768, KB5002754, and KB5002753. Patching these flaws is the first and most important step to staying protected.
Along with patching, Microsoft recommends rotating machine keys, restarting IIS services, and checking logs for unusual behavior. It’s also important to look out for suspicious DNS traffic, unknown PowerShell scripts, and files like dnsclient.exe. These can all be signs that the backdoor or ransomware has been deployed.
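One way to act on the DNS-side advice above, as an added example that is not code from the report or from Microsoft: it scores resolver log lines for the lookalike domain named in the article and for tunneling-style query patterns (many distinct, encoded-looking subdomains under one domain). The log lines, thresholds and helper names are constructed for the demo.

```python
import math
from collections import defaultdict

# Lookalike C2 domain named in the report (written defanged on the page as updatemicfosoft[.]com).
WATCHLIST = {"updatemicfosoft.com"}

# Constructed sample resolver log: "<timestamp> <client> <qname> <qtype>". Not real telemetry.
SAMPLE_LOG = """\
2025-07-18T10:00:01Z 10.0.0.5 www.microsoft.com A
2025-07-18T10:00:02Z 10.0.0.5 login.microsoftonline.com A
2025-07-18T10:00:03Z 10.0.0.7 a9f3c1e0b7d2.update.updatemicfosoft.com TXT
2025-07-18T10:00:04Z 10.0.0.7 4e1d99ab03fc.update.updatemicfosoft.com TXT
2025-07-18T10:00:05Z 10.0.0.7 c7b02d5e1af4.update.updatemicfosoft.com TXT
2025-07-18T10:00:06Z 10.0.0.9 cdn.example.net A
"""

def shannon_entropy(s: str) -> float:
    """Bits per character of s; hex/base32 chunks score well above ordinary hostnames."""
    if not s:
        return 0.0
    return -sum((s.count(ch) / len(s)) * math.log2(s.count(ch) / len(s)) for ch in set(s))

def registered_domain(qname: str) -> str:
    """Crude last-two-label split (no public-suffix list); adequate for this demo."""
    return ".".join(qname.rstrip(".").lower().split(".")[-2:])

def analyse(log: str, min_distinct: int = 3, min_entropy: float = 3.0) -> dict:
    """Return {"watchlist": {client: [qname, ...]}, "tunneling": [(client, domain), ...]}.
    A (client, domain) pair is a tunneling suspect when the client queried at least
    min_distinct different names whose leftmost label looks encoded (mean entropy >= min_entropy)."""
    watchlist_hits = defaultdict(list)
    groups = defaultdict(set)
    for line in log.splitlines():
        if not line.strip():
            continue
        _ts, client, qname, _qtype = line.split()
        dom = registered_domain(qname)
        if dom in WATCHLIST:
            watchlist_hits[client].append(qname)
        groups[(client, dom)].add(qname.lower())
    tunneling = []
    for (client, dom), names in groups.items():
        if len(names) < min_distinct:
            continue
        mean_ent = sum(shannon_entropy(n.split(".")[0]) for n in names) / len(names)
        if mean_ent >= min_entropy:
            tunneling.append((client, dom))
    return {"watchlist": dict(watchlist_hits), "tunneling": tunneling}
```

Run `analyse(SAMPLE_LOG)` to see client 10.0.0.7 flagged on both counts; in practice, feed it your resolver or Sysmon DNS events and tune the thresholds against your baseline.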
These events show that today’s cyberattacks are getting more complex. Storm-2603 is using smart and stealthy techniques to avoid detection, spread quickly, and cause maximum damage. Their mix of DNS-based backdoors, remote access tools, and ransomware delivery proves that even basic-looking vulnerabilities can lead to major security risks if left unpatched.
Stay alert, and keep your security measures updated!
Source: Follow cybersecurity88 on X and LinkedIn for the latest cybersecurity news