Chinese Hackers Exploit SharePoint Flaws to Deploy Backdoors, Ransomware, and Loaders

Unit 42 researchers have identified significant overlaps between Microsoft’s reported ToolShell exploit chain targeting SharePoint vulnerabilities and a tracked activity cluster dubbed CL-CRI-1040.

This cluster, active since at least March 2025, deploys a custom malware suite named Project AK47, comprising multi-protocol backdoors, ransomware, and DLL side-loading loaders.

Microsoft’s analysis attributes the activity to Storm-2603, a suspected China-based threat actor, with high-confidence links established through host- and network-based artifacts.

Overlaps in Threat Activity

CL-CRI-1040’s financially motivated operations include prior associations with LockBit 3.0 affiliates and the Warlock Client double-extortion site, though espionage ties cannot be ruled out due to concurrent actor involvement.

Retrospective analysis reveals deployment of an IIS backdoor commonly misused in Chinese-speaking communities, further suggesting a potential Chinese nexus, while evidence like shared Tox IDs ties it to ransomware campaigns.

Project AK47, named after recurring PDB filepaths, encompasses sub-projects like AK47C2 a backdoor supporting DNS and HTTP protocols via dnsclient and httpclient components and AK47 ransomware, publicly known as X2ANYLOCK due to its .x2anylock file extension.

A Versatile Malware Arsenal

The dnsclient evolves across versions: early 202503 iterations use XOR-encoded JSON over subdomains like update.updatemicfosoft[.]com, fragmenting data to bypass DNS query limits, while 202504 simplifies to non-JSON formats with session keys for reliable command execution and result exfiltration.

Httpclient mirrors this with curl-based HTTP POSTs of encoded JSON payloads. The ransomware employs AES-RSA hybrid encryption, terminates processes, enumerates drives, and drops notes with a consistent Tox ID for negotiations.

According to the Unit42 report, it features evasion via timestamp checks on specific objects, self-terminating post-June 6, 2026. Loaders abuse DLL side-loading with legitimate executables like 7z.exe to invoke ransomware entrypoints.

Additional tools in archives, including PyPyKatz, SharpHostInfo, Masscan, and PsExec, indicate a broad hacking toolkit, with LockBit 3.0 droppers confirming affiliate links.

CL-CRI-1040’s shift from LockBit 3.0 to Warlock Client operations, evidenced by leaked databases and shared Tox IDs, underscores its financial motivations, though Microsoft’s Storm-2603 report notes prior Warlock ransomware deployments without direct binary overlaps.

The ToolShell chain exploits CVEs like CVE-2025-49704, CVE-2025-49706, CVE-2025-53770, and CVE-2025-53771 to deliver these payloads.

Palo Alto Networks protections, including Advanced WildFire for malware analysis, Advanced URL Filtering and DNS Security for malicious domains, and Cortex XDR/XSIAM for endpoint defense, mitigate these threats.

This evolving cluster highlights complex actor collaborations, blending cybercrime with potential state-sponsored elements.

Indicators of Compromise

The Ultimate SOC-as-a-Service Pricing Guide for 2025– Download for Free