Chinese cybercriminals are taking advantage of vulnerabilities in SharePoint to launch toolsets that include backdoors, ransomware, and loaders.
A sophisticated Chinese threat actor has been exploiting critical vulnerabilities in Microsoft SharePoint to deploy an advanced malware toolset known as “Project AK47,” according to new research from Palo Alto Networks Unit 42. The campaign, active since at least March 2025, marks a significant escalation in attacks on enterprise SharePoint environments and relies on an exploit chain referred to as ToolShell. The threat actor, designated Storm-2603 by Microsoft and tracked as CL-CRI-1040 by Palo Alto Networks, has leveraged four recently disclosed SharePoint vulnerabilities: CVE-2025-49704, CVE-2025-49706, CVE-2025-53770, and CVE-2025-53771. Chained together, these vulnerabilities allow attackers to gain unauthorised access to SharePoint servers and deploy their malicious payloads. The campaign illustrates the evolving nature of state-sponsored cybercrime, merging advanced persistent threat tactics with financially motivated ransomware operations.
Palo Alto Networks analysts identified significant overlaps between Microsoft’s reporting on ToolShell activity and a threat cluster they were tracking separately, which led to the discovery of this operation. Compelling evidence links the activity to previous LockBit 3.0 affiliate operations and to a newly emerged ransomware group operating under the “Warlock Client Leaked Data Show” brand. The Project AK47 toolset is a comprehensive attack framework whose interconnected components cover the different phases of the attack lifecycle. It includes the AK47C2 backdoor, which supports multiple communication protocols, with both DNS and HTTP variants, as well as the custom AK47 ransomware, also known as X2ANYLOCK. The malware employs techniques such as DLL side-loading to evade detection, and its dual-protocol architecture gives it sophisticated command and control capabilities.