CL-CRI-1040 Threat Clusters Use of Project AK47 Tool in SharePoint Vulnerability Attacks


In August 2025, Palo Alto Networks’ Unit 42 identified Project AK47, a sophisticated malware toolkit linked to the CL-CRI-1040 threat cluster. This group is exploiting multiple critical SharePoint vulnerabilities (CVE-2025-49704, CVE-2025-49706, CVE-2025-53770, CVE-2025-53771) through the ToolShell exploit chain, with strong operational overlap with the China-linked Storm-2603 actor described in Microsoft’s reporting. Project AK47’s arsenal includes multi-protocol backdoors, custom ransomware, and DLL side-loading techniques, alongside ties to LockBit 3.0 and possibly Warlock Client ransomware.

Severity Level: High

Threat Overview

  • Threat Actor
    • CL-CRI-1040, highly likely the same as Storm-2603 from Microsoft’s reporting.
    • Suspected ties to LockBit 3.0 affiliate (“wlteaml”) and Warlock Client leak site.
  • Campaign Scale
    • Active since at least March 2025.
    • Targeting organizations with exposed SharePoint servers globally.
  • Primary Motivations
    • Financial gain via double extortion ransomware attacks and potential espionage cooperation.
  • Exploitation Path
    • Exploits unpatched SharePoint flaws via ToolShell
    • Drops AK47C2 backdoor (DNS/HTTP C2) → AK47/X2ANYLOCK ransomware → Data exfiltration & extortion.
  • Key Malware Components
    • AK47C2 Backdoor – DNS (dnsclient) and HTTP (httpclient) variants, with XOR-encoded JSON communications and fragmentation to bypass DNS length limits.
    • AK47/X2ANYLOCK Ransomware – AES + RSA encryption, .x2anylock extension, embedded ransom notes with static Tox ID.
    • Loaders – DLL side-loading via legitimate executables (e.g., 7z.exe) to launch ransomware payloads.
    • Additional Tools – masscan, PsExec, PyPyKatz, SharpAdidnsdump.

Recommendations

  1. Apply Microsoft security patches for CVE-2025-49704, CVE-2025-49706, CVE-2025-53770, and CVE-2025-53771 immediately.
  2. Disable or restrict remote access to SharePoint admin interfaces.
  3. Monitor for execution of tools like masscan, SharpAdidnsdump, and PyPyKatz.
  4. Educate employees about phishing and social engineering attacks, which are often used to deliver the initial payload in exploit chains like the one observed in Project AK47.
  5. Enforce strict access controls on collaboration platforms.
  6. Monitor for dropped ransom notes (“How to decrypt my data.txt”) and .x2anylock file extensions.
  7. Block the IOCs at their respective controls.
    https://www.virustotal.com/gui/collection/5b3a5de3b3330259a486b5cf04ed111d5b4ca2a4b9431d881fb85f43872fef1f/iocs
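A small defender-side check covering recommendations 3 and 6, added here as an example and not part of the advisory or of Unit 42's tooling: it walks a directory tree for the ransom note name and the .x2anylock extension, and flags the named tools in process-creation log lines. The log line format, host names and sample paths are constructed placeholders, not a real product's format.

```python
import re
import tempfile
from pathlib import Path
# Indicators as stated in the advisory (recommendations 3 and 6); "psexec" also matches PsExec64.
RANSOM_NOTE_NAME = "how to decrypt my data.txt"
ENCRYPTED_EXT = ".x2anylock"
SUSPECT_TOOLS = ("masscan", "sharpadidnsdump", "pypykatz", "psexec")

def scan_tree(root: str) -> dict:
    """Walk a directory tree and collect ransom notes and .x2anylock files."""
    result = {"ransom_notes": [], "encrypted_files": []}
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        if path.name.lower() == RANSOM_NOTE_NAME:
            result["ransom_notes"].append(str(path))
        elif path.suffix.lower() == ENCRYPTED_EXT:
            result["encrypted_files"].append(str(path))
    return result

# Hypothetical process-creation log line format: "<ts> host=<name> image=<path>".
LOG_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) image=(?P<image>\S+)")

def flag_tool_executions(lines) -> list:
    """Return (timestamp, host, image) for lines whose image name is a suspect tool."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        image = m.group("image")
        # Basename without directory (Windows or POSIX) or extension, lower-cased.
        stem = image.replace("\\", "/").rsplit("/", 1)[-1].lower().rsplit(".", 1)[0]
        if stem.startswith(SUSPECT_TOOLS):
            hits.append((m.group("ts"), m.group("host"), image))
    return hits

# Constructed sample log lines (not from the advisory); hosts and paths are placeholders.
SAMPLE_LOGS = [
    "2025-08-01T10:00:00Z host=SP01 image=C:\\Windows\\System32\\svchost.exe",
    "2025-08-01T10:02:11Z host=SP01 image=C:\\Users\\Public\\masscan.exe",
    "2025-08-01T10:05:42Z host=SP01 image=C:\\Temp\\SharpAdidnsdump.exe",
    "2025-08-01T10:07:03Z host=WS12 image=C:\\Tools\\PsExec64.exe",
]

def build_sample_tree() -> str:
    # Throwaway directory holding constructed indicator files for a dry run.
    root = Path(tempfile.mkdtemp())
    (root / "docs").mkdir()
    (root / "docs" / "report.docx.x2anylock").touch()
    (root / "How to decrypt my data.txt").touch()
    return str(root)
```

Run scan_tree against a file share or SharePoint content path and feed flag_tool_executions with lines in your own EDR or Sysmon export format after adjusting LOG_RE; the name match is a coarse first pass and will miss renamed binaries.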

Source:

  • https://unit42.paloaltonetworks.com/ak47-activity-linked-to-sharepoint-vulnerabilities/
