Cybersecurity researchers from Palo Alto Networks’ Unit 42 and Microsoft have linked recent attacks on Microsoft SharePoint servers to a sophisticated China-based threat actor exploiting zero-day vulnerabilities with a toolset featuring advanced backdoors, custom ransomware, and stealthy loaders.
Storm-2603 and CL-CRI-1040: A Threat Unveiled
In July 2025, Microsoft released an in-depth analysis of attacks leveraging critical vulnerabilities in SharePoint, attributed to a suspected China-based group codenamed Storm-2603.
Unit 42, which has tracked the same activity cluster as CL-CRI-1040 since March 2025, revealed substantial technical overlaps in host and network artifacts, supporting a high-confidence link between the two designations.

The exploited SharePoint vulnerabilities (CVE-2025-49704, CVE-2025-49706, CVE-2025-53770 and CVE-2025-53771) gave attackers a sophisticated exploit chain known as ToolShell.
This chain facilitates the deployment of a custom malware suite dubbed Project AK47, containing unique backdoors (AK47C2), ransomware (AK47/X2ANYLOCK), and DLL side-loading loaders.
The Project AK47 Arsenal: Technical Breakdown
Project AK47 is a modular malware framework that has been under active development since at least March 2025. Its core module, AK47C2, is a multi-protocol backdoor supporting both DNS- and HTTP-based command-and-control (C2) communication.
The DNS variant fragments and encodes C2 traffic using XOR-encrypted JSON or custom obfuscation algorithms to keep its network footprint inconspicuous. The HTTP variant sends encrypted JSON payloads in POST requests issued through the curl library.

The ransomware component, publicly referred to as X2ANYLOCK, is designed to enumerate network resources, terminate processes, and encrypt a wide range of file types using a combination of AES and RSA encryption.
Notably, the ransomware embeds unique identifiers for each victim and utilizes the encrypted communication platform Tox for negotiations, a technique observed across several recent ransomware campaigns.
For stealth and persistence, attackers deploy their payloads using DLL side-loading, leveraging legitimate executables (such as 7z.exe) to load malicious DLLs. This evasion method helps bypass signature-based defenses.
Artifacts recovered from victim machines indicate the operational overlap of CL-CRI-1040 with other cybercriminal groups, including LockBit 3.0 affiliates.
Archived evidence even revealed a shared Tox ID between Project AK47’s ransom notes and the Warlock Client double-extortion site, suggesting fluid cooperation or shared tooling within the broader criminal ecosystem.
While Microsoft’s intelligence points to espionage links, Unit 42’s analysis strongly suggests CL-CRI-1040’s primary motivation is financial, given their links to high-profile ransomware brands and the active operation of a data leak site.
Businesses running on-premises SharePoint should prioritize patching and leverage advanced detection capabilities to mitigate the risk of compromise.
Palo Alto Networks and Microsoft continue to share indicators of compromise (IoCs) and mitigation advice with the security community, underscoring the urgent need for collaborative defense against these rapidly evolving, multi-faceted threats.
Indicators of Compromise