
Project AK47: Uncovering a Link to the SharePoint Vulnerability Attacks

NetmanageIT OpenCTI - opencti.netmanageit.com




SUMMARY:

Unit 42 has identified significant overlaps between Microsoft's reported ToolShell activity and a threat cluster they track as CL-CRI-1040. This cluster utilizes a tool set called Project AK47, which includes a multi-protocol backdoor, custom ransomware, and loaders. The activity is linked to the exploitation of recent SharePoint vulnerabilities and is believed to be financially motivated. CL-CRI-1040 was previously associated with LockBit 3.0 and is now connected to a double-extortion site called Warlock Client. The analysis reveals a complex threat landscape with potential ties to both cybercriminal and nation-state actors.

OPENCTI LABELS:

backdoor, ransomware, lockbit, lockbit 3.0, sharepoint, cve-2025-53771, cve-2025-53770, toolshell, cve-2025-49704, cve-2025-49706, warlock, warlock client, ak47 ransomware, x2anylock, project ak47, ak47c2


Open in the NetmanageIT OpenCTI public instance using the link below.


NOTE: Use the public read-only username and password shown on the login page banner.


Project AK47: Uncovering a Link to the SharePoint Vulnerability Attacks