Attackers Use Fake OAuth Apps with Tycoon Kit to Breach Microsoft 365 Accounts: https://t.co/WmynwPsroq by The Hacker News #infosec #cybersecurity #technology #news
Authorities seize BlackSuit ransomware gang’s servers: https://t.co/lnit5LpSxk by TechCrunch #infosec #cybersecurity #technology #news
🚨 Hackers are using fake Microsoft OAuth apps + the Tycoon phishing kit to hijack 365 accounts. They’ve spoofed 50+ brands (Adobe, DocuSign, SharePoint), bypassing MFA with adversary-in-the-middle attacks. 3,000+ users hit across 900 orgs. Details → https://t.co/KgfnnOgp6L
The Cybersecurity and Infrastructure Security Agency (CISA) has released Thorium, a free malware analysis and forensic platform designed to support cybersecurity efforts. Concurrently, Chinese-linked hackers identified as the Storm-2603 group have deployed two ransomware strains, Warlock and LockBit Black, using a custom command-and-control (C2) framework named AK47 C2. Their tactics include hijacking legitimate tools, faking Microsoft domains, disabling antivirus software via a Chinese driver, and deploying a DNS-controlled backdoor. Separately, hackers have combined fake Microsoft OAuth applications with the Tycoon phishing kit to compromise over 3,000 Microsoft 365 user accounts across 900 organizations, spoofing more than 50 brands such as Adobe, DocuSign, and SharePoint and bypassing multi-factor authentication through adversary-in-the-middle attacks. In related developments, authorities have seized servers belonging to the BlackSuit ransomware gang. Check Point has also analyzed the Chinese advanced persistent threat (APT) group Storm-2603, underscoring the ongoing threat from this actor.