Chinese Hackers Exploit SharePoint Flaws in ‘Project AK47’ Campaign

Posted on September 3, 2025 (updated September 26, 2025) by Finstein.ai

Researchers from Palo Alto Networks Unit 42 have uncovered a state-sponsored Chinese threat actor, tracked as Storm-2603 by Microsoft and CL-CRI-1040 by Unit 42, exploiting four critical Microsoft SharePoint vulnerabilities (CVE-2025-49704, CVE-2025-49706, CVE-2025-53770, CVE-2025-53771) to deliver a custom malware suite dubbed Project AK47.

Active since March 2025, the campaign uses the ToolShell exploit chain to gain unauthorized SharePoint access, blending APT tactics with financially motivated ransomware operations. Unit 42 found overlaps with LockBit 3.0 affiliates and the “Warlock Client Leaked Data Show” ransomware group.

Project AK47 includes:

  • AK47C2 backdoor with DNS and HTTP communication variants, supporting encoded JSON commands (XOR key: VHBD@H) and fragmentation for large DNS queries.
  • X2ANYLOCK ransomware, adding .x2anylock extensions and featuring a kill switch disabling it after June 6, 2026.
  • Custom loaders using DLL side-loading to evade detection.

The DNS variant transmits encoded commands as subdomains, with C2 replies via DNS TXT records. The HTTP variant uses POST requests. Both enable arbitrary command execution and sleep control.
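The DNS channel described above (commands carried in subdomain labels, fragmented across several queries, with replies in TXT records) leaves a measurable footprint in resolver logs. The following detector is an added example written for this post, not tooling from Unit 42 or from the campaign: it parses a constructed, hypothetical resolver log format (timestamp, client, query name, query type), scores each query on generic DNS-tunnelling heuristics (TXT query type, long and high-entropy subdomain payload, many labels), and then counts how many distinct suspicious names each client sent to one parent domain, which is how a fragmented payload shows up. The sample log lines, the domain names and the thresholds are all constructed for illustration.

```python
import math
import re
from collections import defaultdict

# Constructed sample resolver log (hypothetical format: ts client qname qtype).
# The names below are made up for this example and are not campaign indicators.
SAMPLE_LOG = """\
2025-09-03T10:00:01Z 10.0.0.5 www.example.com A
2025-09-03T10:00:02Z 10.0.0.5 mail.example.com MX
2025-09-03T10:00:03Z 10.0.0.7 1a2f9c.sess01.frag1.kq7zx9p2m4n8v5b3w6y1t0r.c2-example.test TXT
2025-09-03T10:00:03Z 10.0.0.7 1a2f9c.sess01.frag2.zp3m8q1v7n2k9x4b6w0y5t1r.c2-example.test TXT
2025-09-03T10:00:04Z 10.0.0.7 1a2f9c.sess01.frag3.m4n8v5b3w6y1t0rkq7zx9p2.c2-example.test TXT
2025-09-03T10:00:05Z 10.0.0.9 cdn.example.com AAAA
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def shannon_entropy(s):
    """Bits of entropy per character; random-looking payloads score high."""
    if not s:
        return 0.0
    freq = defaultdict(int)
    for ch in s:
        freq[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in freq.values())


def parse_line(line):
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, client, qname, qtype = m.groups()
    return {"ts": ts, "client": client,
            "qname": qname.lower().rstrip("."), "qtype": qtype.upper()}


def registrable_domain(qname):
    # Assumption for the example: the parent domain is the last two labels.
    # A production detector would consult the public suffix list instead.
    return ".".join(qname.split(".")[-2:])


def score_query(rec):
    """Return the list of heuristic reasons this query looks like tunnelled C2."""
    sub_labels = rec["qname"].split(".")[:-2]
    payload = "".join(sub_labels)
    reasons = []
    if rec["qtype"] == "TXT":           # replies carried in TXT records
        reasons.append("txt_query")
    if len(payload) >= 40:               # far longer than a normal hostname
        reasons.append("long_subdomain")
    if len(sub_labels) >= 4:             # session/fragment/payload style labels
        reasons.append("many_labels")
    if shannon_entropy(payload) >= 3.5:  # encoded data, not a word-like name
        reasons.append("high_entropy")
    return reasons


def analyze(log_text, min_reasons=3):
    """Flag queries meeting min_reasons heuristics and count distinct suspicious
    names per (parent domain) to surface fragmented payloads."""
    suspects = []
    names_per_domain = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = score_query(rec)
        if len(reasons) >= min_reasons:
            suspects.append((rec["client"], rec["qname"], reasons))
            names_per_domain[registrable_domain(rec["qname"])].add(rec["qname"])
    fragmented = {d: len(n) for d, n in names_per_domain.items() if len(n) >= 3}
    return suspects, fragmented


if __name__ == "__main__":
    hits, frag = analyze(SAMPLE_LOG)
    for client, qname, reasons in hits:
        print(f"{client} -> {qname}: {', '.join(reasons)}")
    print("possible fragmented payloads:", frag)
```

The per-domain count matters more than any single query: one long TXT lookup can be a legitimate SPF or DKIM check, but a burst of distinct high-entropy names under the same newly seen parent domain from one host is the shape of a fragmented command channel. In practice the parent-domain allow-list, the thresholds and the suffix handling need tuning against the organisation's own baseline traffic.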

Version 202504 of AK47C2 introduced simplified JSON structures and session key verification for better operational security, evidence of a well-funded, actively developed toolkit targeting enterprise environments.

The Storm-2603 campaign illustrates how state-aligned cyber actors are increasingly blending espionage-grade tactics with financially motivated operations like ransomware. By chaining multiple SharePoint zero-days into a stealthy malware ecosystem, Project AK47 demonstrates both technical sophistication and sustained development, making it a serious enterprise-level threat. Its hybrid use of DNS and HTTP C2, coupled with evasive loaders and an evolving ransomware component, underscores the need for organizations to treat collaboration platforms as critical attack surfaces. Proactive patching, DNS monitoring, and layered detection capabilities are essential to countering such well-resourced adversaries.

#CyberSecurity #Storm2603 #ProjectAK47 #SharePointVulnerabilities #CVE202549704 #CVE202549706 #CVE202553770 #CVE202553771 #StateSponsoredAttacks #WarlockRansomware #LockBit3 #ThreatIntelligence #APT #Ransomware #DNSC2 #HTTPMalware #Unit42 #MicrosoftSecurity

Source link — https://www.tomshardware.com/tech-industry/cyber-security/microsoft-says-china-based-hackers-exploiting-critical-sharepoint-vulnerabilities-to-deploy-warlock-ransomware-three-china-affiliated-threat-actors-seen-taking-advantage
