Project AK47: Uncovering a Link to the SharePoint Vulnerability Attacks

Aug. 6, 2025, 9:06 a.m.

Description

Unit 42 has identified significant overlaps between Microsoft's reported ToolShell activity and a threat cluster it tracks as CL-CRI-1040. This cluster uses a tool set called Project AK47, which includes a multi-protocol backdoor, custom ransomware, and loaders. The activity is linked to the exploitation of recent SharePoint vulnerabilities and is believed to be financially motivated. CL-CRI-1040 was previously associated with LockBit 3.0 and is now connected to a double-extortion site called Warlock Client. The analysis reveals a complex threat landscape with potential ties to both cybercriminal and nation-state actors.

Date

  • Created: Aug. 6, 2025, 8:15 a.m.
  • Published: Aug. 6, 2025, 8:15 a.m.
  • Modified: Aug. 6, 2025, 9:06 a.m.

Indicators


Linked vulnerabilities