Chinese Hackers Exploit SharePoint Vulnerabilities to Deploy Toolset Including Backdoor, Ransomware and Loaders

A sophisticated Chinese threat actor has been exploiting critical vulnerabilities in Microsoft SharePoint to deploy an advanced malware toolset dubbed “Project AK47,” according to new research published by Palo Alto Networks Unit 42.

The campaign, which has been active since at least March 2025, represents a significant escalation in attacks targeting enterprise SharePoint environments through a technique known as the ToolShell exploit chain.

The threat actor, designated Storm-2603 by Microsoft and tracked as CL-CRI-1040 by Palo Alto Networks, has been leveraging four recently disclosed SharePoint vulnerabilities:

  • CVE-2025-49704
  • CVE-2025-49706
  • CVE-2025-53770
  • CVE-2025-53771

These vulnerabilities enable attackers to gain unauthorized access to SharePoint servers and subsequently deploy their malicious payload arsenal.

The campaign demonstrates the evolving nature of state-sponsored cybercrime, blending advanced persistent threat tactics with financially motivated ransomware operations.

Palo Alto Networks analysts identified notable overlaps between Microsoft’s reporting on ToolShell activity and their separately tracked threat cluster, leading to the discovery of this sophisticated operation.

Overlaps between Storm-2603 and CL-CRI-1040 (Source – Palo Alto Networks)

The researchers found compelling evidence linking the activity to previous LockBit 3.0 affiliate operations and a recently emerged ransomware group operating under the “Warlock Client Leaked Data Show” brand.

The Project AK47 toolset represents a comprehensive attack framework consisting of multiple interconnected components designed for different phases of the attack lifecycle.

The toolset includes the AK47C2 backdoor, which supports both DNS and HTTP command-and-control variants; a custom AK47 ransomware, also known as X2ANYLOCK; and various loaders that abuse DLL side-loading to evade detection.

Multi-Protocol Communication Infrastructure

The AK47C2 backdoor demonstrates sophisticated command and control capabilities through its dual-protocol architecture.

Structure of Project AK47 (Source – Palo Alto Networks)

The DNS client component, tracked through its Program Database (PDB) filepath “C:UsersAdministratorDesktopworktoolsak47c2dnsclinet-cdnsclientx64Releasednsclient.pdb,” communicates with command and control servers by encoding JSON data using XOR encryption with the hardcoded key “VHBD@H.”

Entrypoint of AK47 ransomware (Source – Palo Alto Networks)

The malware’s encoding mechanism XOR-encodes the JSON command data, converts the result to a hexadecimal string, and transmits that string as subdomains of the C2 domain update.updatemicfosoft[.]com.

When the encoded subdomain would exceed the DNS query length limit of 255 bytes, the malware fragments the data across multiple queries, prepending an “s” character to mark the fragmented transmissions.

The C2 server responds through DNS TXT records using the same encoding algorithm.
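As an added example (not code from the article or from Unit 42), the following Python decoder reassembles AK47C2 DNS beacons of the form described above and recovers the JSON command, plus a fixture builder that produces test queries in the same form. The C2 domain, the VHBD@H key, the hex subdomains, the 255-byte fragmentation trigger and the “s” prefix come from the article; the 63-character label split, the fragment size and the JSON field names are assumptions.

```python
import json
import re

# Values from the article; the domain is defanged there as update.updatemicfosoft[.]com
C2_DOMAIN = "update.updatemicfosoft.com"
XOR_KEY = b"VHBD@H"
MAX_NAME_LEN = 255  # name length at which, per the article, the malware fragments
LABEL_LEN = 63      # per-label limit; splitting the hex into 63-char labels is an assumption
FRAG_HEX = 120      # hex chars per fragment: an assumption chosen to stay under MAX_NAME_LEN

def xor_with_key(data: bytes, key: bytes = XOR_KEY) -> bytes:
    """Repeating-key XOR; one call both encodes and decodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def hex_labels(hexstr: str) -> str:
    """Split a hex string into dot-separated labels of at most LABEL_LEN characters."""
    return ".".join(hexstr[i:i + LABEL_LEN] for i in range(0, len(hexstr), LABEL_LEN))

def build_sample_queries(command: dict) -> list[str]:
    """Constructed fixture: JSON -> XOR -> hex -> subdomain, split into
    's'-prefixed fragments when the whole name would exceed MAX_NAME_LEN."""
    hexdata = xor_with_key(json.dumps(command).encode()).hex()
    full = f"{hex_labels(hexdata)}.{C2_DOMAIN}"
    if len(full) <= MAX_NAME_LEN:
        return [full]
    return [f"{hex_labels('s' + hexdata[i:i + FRAG_HEX])}.{C2_DOMAIN}"
            for i in range(0, len(hexdata), FRAG_HEX)]

QUERY_RE = re.compile(r"^(?P<sub>s?[0-9a-f.]+)\." + re.escape(C2_DOMAIN) + r"$")

def decode_hex_payload(hexstr: str) -> dict:
    """Hex -> XOR -> JSON; the article says TXT responses use the same scheme."""
    return json.loads(xor_with_key(bytes.fromhex(hexstr)))

def decode_queries(qnames: list[str]) -> list[dict]:
    """Recover the JSON commands carried by query names for the C2 domain, buffering 's' fragments in order."""
    commands, buffer = [], ""
    for name in qnames:
        m = QUERY_RE.match(name.lower().rstrip("."))
        if not m:
            continue  # not beacon traffic for this domain
        sub = m.group("sub").replace(".", "")
        buffer = buffer + sub[1:] if sub.startswith("s") else sub
        try:
            commands.append(decode_hex_payload(buffer))
            buffer = ""
        except ValueError:
            buffer = buffer if sub.startswith("s") else ""  # keep buffering fragments only
    return commands
```

Pointed at DNS query logs for the domain, decode_queries yields the plaintext commands; decode_hex_payload applies the same hex-and-XOR decoding to a TXT-record answer.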

Overview of the activities of CL-CRI-1040 (Source – Palo Alto Networks)

The HTTP client variant follows a similar communication pattern but utilizes POST requests with encoded data in the HTTP body. Both variants share identical functionality including sleep duration configuration and arbitrary command execution capabilities.

The malware’s developers have continuously refined the communication protocol, with version 202504 simplifying the JSON structure and implementing session key verification for enhanced operational security.

The ransomware component adds .x2anylock extensions to encrypted files and includes a timestamp-based kill switch that terminates execution if the system date is on or after June 6, 2026.

This sophisticated attack framework demonstrates the threat actor’s commitment to developing custom tools rather than relying solely on off-the-shelf malware, indicating a well-resourced operation with significant development capabilities.
