Chinese Hackers Exploit SharePoint Flaws in ‘Project AK47’ Campaign

Posted on September 3, 2025 (updated March 9, 2026) by Finstein.ai

Researchers from Palo Alto Networks Unit 42 have uncovered a state-sponsored Chinese threat actor, tracked as Storm-2603 by Microsoft and CL-CRI-1040 by Unit 42, exploiting four critical Microsoft SharePoint vulnerabilities (CVE-2025-49704, CVE-2025-49706, CVE-2025-53770, CVE-2025-53771) to deliver a custom malware suite dubbed Project AK47.

Active since March 2025, the campaign uses the ToolShell exploit chain to gain unauthorized SharePoint access, blending APT tactics with financially motivated ransomware operations. Unit 42 found overlaps with LockBit 3.0 affiliates and the “Warlock Client Leaked Data Show” ransomware group.

Project AK47 includes:

  • AK47C2 backdoor with DNS and HTTP communication variants, supporting encoded JSON commands (XOR key: VHBD@H) and fragmentation for large DNS queries.
  • X2ANYLOCK ransomware, adding .x2anylock extensions and featuring a kill switch disabling it after June 6, 2026.
  • Custom loaders using DLL side-loading to evade detection.

The DNS variant transmits encoded commands as subdomains, with C2 replies via DNS TXT records. The HTTP variant uses POST requests. Both enable arbitrary command execution and sleep control.
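As an added illustration (not code from the Unit 42 report or from this post), the following triage helper shows how a defender could test DNS query logs for subdomain labels that, after reassembly and XOR with the key quoted above, decode into a JSON command. It assumes even-length hex-encoded labels under a single attacker-controlled apex, reassembled in label order, and a constructed sample log; the real AK47C2 encoding and fragmentation scheme is not described on this page.

```python
import json
import re

# XOR key reported for AK47C2 command encoding (from the summary above).
AK47C2_XOR_KEY = b"VHBD@H"
# Assumption (not from the page): fragments travel as even-length hex DNS labels under one apex.
HEX_LABEL = re.compile(r"^(?:[0-9a-f]{2})+$")

def xor_with_key(data, key=AK47C2_XOR_KEY):
    """XOR against a repeating key; XOR is symmetric, so this also decodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def reassemble_labels(qname, apex):
    """Strip the apex; if every remaining label is hex, join and decode them."""
    qname, apex = qname.rstrip(".").lower(), apex.rstrip(".").lower()
    if not qname.endswith("." + apex):
        return None
    labels = qname[: -len(apex) - 1].split(".")
    if not all(HEX_LABEL.match(lab) for lab in labels):
        return None
    return bytes.fromhex("".join(labels))

def decode_ak47c2_query(qname, apex):
    """Return the decoded JSON object when the query decodes cleanly, else None."""
    payload = reassemble_labels(qname, apex)
    if payload is None:
        return None
    try:
        obj = json.loads(xor_with_key(payload).decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError):
        return None
    return obj if isinstance(obj, dict) else None

def triage_dns_log(lines, apex):
    """Scan 'client qname' log lines; report clients whose queries decode to JSON."""
    hits = []
    for line in lines:
        client, qname = line.split()
        cmd = decode_ak47c2_query(qname, apex)
        if cmd is not None:
            hits.append((client, cmd))
    return hits

# Constructed sample log: one benign lookup and one two-label encoded query.
SAMPLE_LOG = [
    "10.0.0.5 www.example.com.",
    "10.0.0.7 2d6a3128252d.266a78777035.c2-example.invalid.",
]
if __name__ == "__main__":
    print(triage_dns_log(SAMPLE_LOG, "c2-example.invalid"))
```

Only queries under the suspected apex are considered, and anything that is not hex, not valid UTF-8, or not a JSON object is discarded, so benign lookups stay out of the report.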

Version 202504 of AK47C2 introduced simplified JSON structures and session-key verification for better operational security, evidence of a well-funded, actively developed toolkit targeting enterprise environments.

The Storm-2603 campaign illustrates how state-aligned cyber actors are increasingly blending espionage-grade tactics with financially motivated operations like ransomware. By chaining multiple SharePoint zero-days into a stealthy malware ecosystem, Project AK47 demonstrates both technical sophistication and sustained development, making it a serious enterprise-level threat. Its hybrid use of DNS and HTTP C2, coupled with evasive loaders and an evolving ransomware component, underscores the need for organizations to treat collaboration platforms as critical attack surfaces. Proactive patching, DNS monitoring, and layered detection capabilities are essential to countering such well-resourced adversaries.

#CyberSecurity #Storm2603 #ProjectAK47 #SharePointVulnerabilities #CVE202549704 #CVE202549706 #CVE202553770 #CVE202553771 #StateSponsoredAttacks #WarlockRansomware #LockBit3 #ThreatIntelligence #APT #Ransomware #DNSC2 #HTTPMalware #Unit42 #MicrosoftSecurity

Source link — https://www.tomshardware.com/tech-industry/cyber-security/microsoft-says-china-based-hackers-exploiting-critical-sharepoint-vulnerabilities-to-deploy-warlock-ransomware-three-china-affiliated-threat-actors-seen-taking-advantage
