A Routine Ransomware Investigation Turns Into a Cybersecurity Nightmare
What began as a seemingly straightforward ransomware response evolved into one of the more revealing incident investigations of the year. Microsoft’s Detection and Response Team (DART) initially believed it was dealing with a familiar ransomware operation run by the threat group tracked as Storm-2603. As investigators dug deeper into the compromised environment, they found something more alarming.
Instead of a single threat actor carrying out a conventional ransomware campaign, the affected networks had become a battlefield for multiple attackers operating simultaneously. The finding exposes a rapidly evolving reality in modern cybercrime: organizations are no longer facing isolated attacks. Increasingly, networks are becoming targets for several unrelated adversaries at the same time, each pursuing different objectives while unknowingly concealing one another’s activities.
This incident serves as a warning that modern breaches are becoming layered, sophisticated, and significantly harder to detect than traditional cyberattacks.
The Discovery That Changed the Entire Investigation
The investigation initially focused on Storm-2603, a ransomware group already known to security researchers for deploying aggressive extortion tactics. During forensic analysis, responders traced suspicious lateral movement from the originally compromised network into a second organization.
After contacting the second victim, investigators confirmed that Storm-2603 had successfully infiltrated and infected both environments. At first glance, the attack appeared to follow the ransomware group’s established methods.
Yet several forensic indicators failed to align with Storm-2603’s known behavior. Security analysts noticed unusual malware artifacts, custom persistence techniques, and stealth mechanisms that did not fit the ransomware operator’s historical profile.
These anomalies ultimately revealed the presence of a completely separate threat actor operating inside the same network at the same time.
Storm-2603’s Initial Entry Point
The ransomware campaign began with the exploitation of CVE-2025-11371, an unauthenticated Local File Inclusion (LFI) vulnerability. An LFI on its own only lets an attacker read files from the server; the attackers chained it into remote code execution and a foothold on the host.
Exploiting internet-facing vulnerabilities remains one of the most effective attack vectors because organizations often delay critical security updates. Once Storm-2603 gained access, the attackers established a foothold and began moving throughout the environment.
Rather than deploying obvious malware immediately, the group relied heavily on “Living Off the Land” techniques. These methods abuse legitimate tools already present within a network, making malicious activity appear normal and reducing detection rates.
The attackers deployed Velociraptor, a legitimate digital forensics platform, with SYSTEM-level privileges to map the environment and gather intelligence on internal systems.
Legitimate Tools Became Weapons
One of the most dangerous aspects of this intrusion was the attackers’ extensive use of trusted software.
Storm-2603 used Cloudflare Tunnel (the cloudflared client) to create outbound, encrypted command channels that require no inbound firewall rule. They also installed Zoho Assist for remote administration and used Visual Studio Code’s remote tunnel feature (code tunnel), which likewise opens an outbound tunnel to Microsoft’s dev tunnels service and hands the operator a remote shell into the compromised host.
To traditional security solutions, these applications often appear entirely legitimate because organizations use them every day for administration and development purposes.
This highlights a growing cybersecurity challenge: distinguishing malicious activity from legitimate business operations.
As attackers continue abusing trusted software, security teams can no longer rely solely on signature-based detection methods.
The BYOVD Technique That Disabled Security Defenses
After establishing persistence, Storm-2603 consolidated control of the domain by creating new domain administrator accounts, an action that itself requires privileges the group had already obtained during lateral movement.
The group then executed a Bring Your Own Vulnerable Driver (BYOVD) attack, a technique that has become increasingly popular among advanced threat actors.
Using the vulnerable NSecKrnl.sys driver, the attackers obtained kernel-level code execution capable of reading and writing arbitrary memory and disabling security protections.
BYOVD attacks are dangerous because the driver carries a valid code signature: Windows Driver Signature Enforcement checks the signature, not the driver’s behaviour, so a signed-but-vulnerable driver loads normally, and its flaws are then used to blind or terminate endpoint protection from the kernel. The practical countermeasures are to enforce Microsoft’s vulnerable driver blocklist (through HVCI/WDAC or the attack surface reduction rule “Block abuse of exploited vulnerable signed drivers”) and to alert on driver loads from user-writable paths such as Temp directories.
The success of this tactic demonstrates how attackers continue finding ways around modern endpoint protection platforms.
A Second Threat Actor Was Quietly Hiding in Plain Sight
While Storm-2603 was conducting its ransomware operations, another threat actor was pursuing an entirely different objective.
Unlike the ransomware operators, the second attacker focused on stealth, persistence, and credential theft.
Investigators discovered that this actor had obtained the NTDS.DIT database, the Active Directory data store and one of the most valuable assets in a Windows domain.
The file holds every account and its password hashes. Combined with the boot key from the SYSTEM registry hive, which is normally taken at the same time, it yields the NTLM hashes of every user, including the krbtgt account.
With those hashes the actor can authenticate as any user and forge Kerberos tickets, so access survives even if individual systems are cleaned or restored. Recovering requires a domain-wide credential reset, including resetting the krbtgt password twice, not just rebuilding the affected hosts.
Perhaps even more concerning, their activity unintentionally masked Storm-2603’s actions, creating confusion during forensic investigations.
Advanced DLL Sideloading Techniques Enhanced Stealth
Microsoft researchers observed extensive DLL sideloading activity associated with the second threat actor.
DLL sideloading occurs when an attacker plants a malicious DLL where a trusted, signed executable will find it first in its search order (typically the executable’s own directory), so the legitimate program loads attacker code under its own name and signature.
In this campaign, the attackers used the legitimate Windows replace.exe to load a malicious ulib.dll that proxied calls through to the real library so the host program kept working, and also deployed unsigned srvcli.dll payloads to maintain persistence.
Because trusted applications loaded these malicious components, security products were less likely to flag the activity as suspicious.
This approach enabled the attackers to remain hidden inside the network while continuing credential theft and maintaining command-and-control capabilities.
The discovery demonstrates how modern cybercriminals increasingly favor stealth over immediate disruption.
Why Multi-Actor Intrusions Are Becoming More Common
The emergence of multiple independent threat actors inside the same environment reflects a broader shift in the cybercrime ecosystem.
Today’s attackers frequently purchase access from initial access brokers rather than compromising targets themselves. As a result, several unrelated groups may gain entry to the same organization through shared vulnerabilities or stolen credentials.
Ransomware operators, espionage actors, credential thieves, and data brokers can all coexist within a compromised environment without initially realizing others are present.
This convergence creates highly complex incidents where investigators must separate overlapping attack chains and determine which artifacts belong to which threat actor.
Organizations can no longer assume a breach involves only one adversary.
Microsoft’s Recommended Defensive Strategy
Microsoft emphasizes that organizations must adopt a layered defense model to combat increasingly sophisticated attacks.
Critical internet-facing infrastructure should be patched immediately to prevent exploitation of vulnerabilities such as CVE-2025-11371.
High-privilege accounts should be treated as primary attack surfaces and protected through conditional access policies, privileged access management, and continuous monitoring.
Security teams should centralize logs and telemetry through Security Information and Event Management (SIEM) platforms to reconstruct attack timelines more effectively.
Remote administration tools, developer platforms, and tunneling software should be tightly controlled, monitored, and audited.
Finally, organizations should regularly test incident response procedures to ensure rapid containment when breaches occur.
Deep Analysis: Linux, Windows, and Threat Hunting Commands
Modern investigations increasingly depend on deep forensic analysis and threat hunting. Security teams should be familiar with commands that reveal attacker activity before ransomware deployment begins.
Linux Investigation Commands
last                                   # recent logins
lastlog                                # last login per account
who
w
ss -tulpn                              # listening sockets and owning processes
netstat -antp                          # all TCP connections with PIDs
ps aux
top
journalctl -xe
journalctl --since "24 hours ago"
find / -perm -4000 2>/dev/null         # setuid binaries
find /tmp -type f                      # dropped files in world-writable temp
crontab -l
systemctl list-units --type=service
Windows Investigation Commands
Get-LocalUser
Get-LocalGroupMember Administrators
Get-WinEvent -LogName Security
Get-Process
Get-Service
net user
net localgroup administrators
tasklist
netstat -ano
quser
Active Directory Threat Hunting
Get-ADUser -Filter * -Properties whenCreated    # whenCreated exposes recently added accounts
Get-ADGroupMember "Domain Admins"
Get-ADComputer -Filter *
Get-ADDomain
Get-ADForest
Indicators Security Teams Should Watch
Sudden creation of Domain Admin accounts.
Unexpected installation of remote management tools.
Cloudflare tunnel deployments without authorization.
Visual Studio Code running SSH tunnels on servers.
Unsigned DLL files loaded by trusted applications.
NTDS.DIT access attempts.
Driver loading events involving known vulnerable drivers.
Privilege escalation activities outside normal maintenance windows.
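As an added example (not code from Microsoft’s report, from cyberpress.org, or from this page), the following Python hunt applies the indicators above, together with the unsigned-DLL sideloading pattern from the earlier section, to a handful of constructed Windows Security and Sysmon events. The event contents, timestamps, account names, and the driver and DLL watchlists are assumptions made for the example; in a real deployment the events come from your SIEM and the driver list from Microsoft’s vulnerable driver blocklist or the LOLDrivers project.

```python
"""Hunt for the indicators listed above across Windows Security and Sysmon events.

All events and watchlists below are constructed for this example (assumed values,
not data from the incident); field names follow the Security audit log and Sysmon.
"""
import re
from datetime import datetime, timedelta

# Constructed watchlists.  In production feed VULN_DRIVERS from Microsoft's vulnerable
# driver blocklist or LOLDrivers, and SYSTEM_DLLS from your inventory of DLLs that
# must only ever load from the Windows system directories.
VULN_DRIVERS = {"nseckrnl.sys"}            # driver name taken from the page, matched case-insensitively
SYSTEM_DLLS = {"ulib.dll", "srvcli.dll"}
PRIV_GROUPS = {"domain admins", "enterprise admins", "administrators"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Constructed telemetry: "src"/"id" select the log and event ID, "t" is an ISO timestamp.
SAMPLE_EVENTS = [
    {"src": "Security", "id": 4720, "t": "2025-11-02T03:12:00", "TargetUserName": "svc_bkp2"},
    {"src": "Security", "id": 4728, "t": "2025-11-02T03:13:10", "TargetUserName": "Domain Admins",
     "MemberName": "CN=svc_bkp2,CN=Users,DC=corp,DC=local"},
    {"src": "Sysmon", "id": 1, "t": "2025-11-02T03:20:00", "Image": r"C:\Windows\System32\ntdsutil.exe",
     "CommandLine": 'ntdsutil "ac i ntds" "ifm" "create full C:\\Temp\\x" q q'},
    {"src": "Sysmon", "id": 1, "t": "2025-11-02T03:25:00", "Image": r"C:\Users\Public\cloudflared.exe",
     "CommandLine": "cloudflared.exe tunnel run --token <redacted>"},
    {"src": "Sysmon", "id": 1, "t": "2025-11-02T03:26:00", "Image": r"C:\Program Files\Microsoft VS Code\Code.exe",
     "CommandLine": "Code.exe tunnel --accept-server-license-terms"},
    {"src": "Sysmon", "id": 6, "t": "2025-11-02T03:30:00", "ImageLoaded": r"C:\Windows\Temp\NSecKrnl.sys",
     "Signed": "true"},
    {"src": "Sysmon", "id": 7, "t": "2025-11-02T03:40:00", "Image": r"C:\Users\Public\replace.exe",
     "ImageLoaded": r"C:\Users\Public\ulib.dll", "Signed": "false"},
    {"src": "Sysmon", "id": 7, "t": "2025-11-02T03:41:00", "Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\srvcli.dll", "Signed": "true"},  # benign control
]

# ntdsutil IFM dumps, direct ntds.dit references and shadow-copy creation all precede NTDS.DIT theft.
NTDS_RE = re.compile(r"ntdsutil.*\bifm\b|ntds\.dit|vssadmin\s+create\s+shadow", re.I)
# cloudflared and VS Code tunnels are outbound reverse channels that need no inbound firewall rule.
TUNNEL_RE = re.compile(r"\bcloudflared\b.*\btunnel\b|\bcode\.exe\s+tunnel\b", re.I)


def _base(path):
    return path.rsplit("\\", 1)[-1].lower()


def _in_system_dir(path):
    return path.lower().startswith(SYSTEM_DIRS)


def hunt(events, window=timedelta(minutes=30)):
    """Return (rule, severity, event) findings, processing events in time order."""
    findings = []
    created = {}  # account name -> creation time, for the 4720 -> 4728 correlation
    for e in sorted(events, key=lambda ev: ev["t"]):
        t = datetime.fromisoformat(e["t"])
        if e["src"] == "Security" and e["id"] == 4720:
            created[e["TargetUserName"].lower()] = t
        elif e["src"] == "Security" and e["id"] in (4728, 4732, 4756):  # global / local / universal group
            if e["TargetUserName"].lower() in PRIV_GROUPS:
                member = e["MemberName"].split(",")[0].removeprefix("CN=").lower()
                # An account created minutes before it lands in Domain Admins is the first indicator above.
                recent = member in created and t - created[member] <= window
                findings.append(("privileged_group_change", "high" if recent else "medium", e))
        elif e["src"] == "Sysmon" and e["id"] == 1:
            cmd = e.get("CommandLine", "")
            if NTDS_RE.search(cmd):
                findings.append(("ntds_dit_access", "high", e))
            if TUNNEL_RE.search(cmd):
                findings.append(("unauthorized_tunnel", "high", e))
        elif e["src"] == "Sysmon" and e["id"] == 6:
            if _base(e["ImageLoaded"]) in VULN_DRIVERS:
                findings.append(("vulnerable_driver_load", "high", e))
            elif not _in_system_dir(e["ImageLoaded"]):
                findings.append(("driver_from_nonstandard_path", "medium", e))
        elif e["src"] == "Sysmon" and e["id"] == 7:
            path = e["ImageLoaded"]
            unsigned = e.get("Signed", "").lower() != "true"
            # A system DLL name loaded from outside the system directories, or unsigned, is the sideload pattern.
            if _base(path) in SYSTEM_DLLS and (not _in_system_dir(path) or unsigned):
                findings.append(("dll_sideload", "high", e))
    return findings


def summarize(findings):
    """Count findings per rule so an analyst sees which tactics appear in the window."""
    counts = {}
    for rule, _sev, _e in findings:
        counts[rule] = counts.get(rule, 0) + 1
    return counts


if __name__ == "__main__":
    for rule, sev, e in hunt(SAMPLE_EVENTS):
        detail = e.get("CommandLine") or e.get("ImageLoaded") or e.get("MemberName")
        print(f"[{sev}] {rule}: {detail}")
    print(summarize(hunt(SAMPLE_EVENTS)))
```

The 4720 to 4728 correlation is the part worth copying into a real SIEM rule: a lone group change is routine, a brand-new account joining Domain Admins within half an hour of its creation is the pattern described above. Expect noise from the driver-path and DLL-path rules on hosts with third-party software that ships its own drivers or private copies of system DLLs; tune the watchlists to your inventory rather than suppressing the rules. None of this works unless command-line logging for process creation, image-load and driver-load events, and account-management auditing are enabled and forwarded before the intrusion.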
Used together, these commands and indicators shorten attacker dwell time and improve visibility into multi-stage intrusions, but only if the relevant logging (process creation with command lines, image and driver loads, account-management auditing) is enabled and centralized before the intrusion begins.
What Undercode Say:
The Microsoft investigation reveals a major evolution in how cyberattacks unfold across enterprise environments.
For years, incident response teams typically assumed that a breach belonged to a single threat actor executing a unified campaign.
That assumption is becoming increasingly dangerous.
The discovery of multiple adversaries operating simultaneously demonstrates how interconnected the cybercrime ecosystem has become.
Initial access brokers are now effectively acting as wholesalers of compromised access.
Once a vulnerability is exploited, access may be sold, shared, or reused by numerous criminal groups.
This creates a situation where defenders are not fighting one enemy but an entire ecosystem of attackers.
The most concerning aspect is the use of legitimate tools.
Velociraptor, Cloudflare services, Zoho Assist, and Visual Studio Code are trusted applications.
Blocking them outright is often impossible.
Threat actors understand this challenge and are exploiting the trust relationship organizations have with common software.
The BYOVD attack also highlights a growing weakness in endpoint security architecture.
Many organizations continue focusing on malware detection while ignoring vulnerable drivers already present on systems.
Attackers increasingly target these trusted components because they provide direct access to kernel-level functionality.
Another critical lesson is the importance of identity security.
The theft of Active Directory credentials remains one of the fastest ways to compromise an enterprise environment.
Once domain-level access is achieved, traditional endpoint protection becomes significantly less effective.
Organizations should view identities as their most valuable assets.
Continuous authentication monitoring is no longer optional.
Security telemetry centralization is equally important.
Without comprehensive logging, investigators may never discover that multiple threat actors were present simultaneously.
The overlap between ransomware operations and stealth persistence campaigns suggests attackers are becoming more opportunistic.
Some actors focus on monetization through extortion.
Others prioritize persistence and future access.
The coexistence of these objectives increases risk dramatically.
Security teams should also recognize that successful ransomware deployment is often the final stage of a much longer intrusion.
By the time encryption occurs, attackers may have already stolen credentials, extracted sensitive data, and established persistence mechanisms.
This incident reinforces the need for proactive threat hunting.
Waiting for alerts is insufficient.
Organizations must actively search for anomalies, unusual authentication patterns, suspicious DLL loading behavior, and unauthorized tunneling services.
The future of cybersecurity will increasingly revolve around visibility, identity protection, behavioral analytics, and rapid response.
Companies that continue relying solely on perimeter defenses will find themselves increasingly vulnerable.
Microsoft’s findings are not simply about one ransomware group.
They reveal a broader transformation occurring throughout the threat landscape.
Cyberattacks are becoming collaborative, layered, and far more difficult to attribute.
Defenders must evolve just as rapidly as attackers.
Prediction
(+1) Security Platforms Will Become More Identity-Centric 🔐
Organizations will increasingly invest in identity protection, privileged access management, and continuous authentication monitoring. Future security architectures will focus more on protecting credentials than simply detecting malware.
(+1) AI-Powered Threat Correlation Will Improve Detection 🤖
Security vendors will deploy advanced AI systems capable of distinguishing overlapping attack chains and identifying multiple threat actors operating simultaneously within the same environment.
(-1) Multi-Actor Breaches Will Increase 📉
As access brokers continue selling compromised network access, organizations will experience more incidents involving several unrelated threat groups sharing the same foothold.
(-1) Trusted Software Abuse Will Continue Growing ⚠️
Attackers will increasingly exploit legitimate tools, remote administration software, and cloud-based services because they blend naturally into enterprise environments and evade traditional detection systems.
✅ Microsoft’s investigation identified evidence suggesting that multiple threat actors were operating within the same compromised environment, highlighting the growing complexity of modern cyber incidents.
✅ Storm-2603 reportedly exploited CVE-2025-11371 and utilized living-off-the-land techniques, remote administration tools, and vulnerable drivers to expand access and evade defenses.
✅ The recommendation to prioritize patch management, identity security, SIEM visibility, and incident response readiness aligns with widely accepted cybersecurity best practices and reflects current defensive strategies used across enterprise environments.
References:
Reported By: cyberpress.org