Backdoor, Ransomware, Loaders: Project AK47 Powers CL-CRI-1040 Intrusions
A financially motivated threat cluster tracked as CL-CRI-1040 has been observed exploiting SharePoint vulnerabilities using a custom toolset named Project AK47, according to research by Unit 42. The actor has been active since at least March 2025 and was previously associated with LockBit 3.0 operations before being linked to a double-extortion leak site known as Warlock Client. Unit 42’s assessment states: “CL-CRI-1040 was formerly identified as activity from a LockBit 3.0 affiliate and has recently been linked to a double-extortion site operating under the name Warlock Client.” Based on overlaps in network and host-based artifacts, Unit 42 assesses with high confidence that this activity matches Microsoft’s Storm-2603 cluster. While Microsoft attributes Storm-2603 to China, Unit 42 has not made a definitive nation-state attribution, but it notes the use of tooling commonly found in Chinese-speaking threat communities.
The exploitation route centers on vulnerabilities in Microsoft SharePoint (CVE-2025-49704, CVE-2025-49706, CVE-2025-53770, CVE-2025-53771), which were used as part of an exploit chain referred to as ToolShell. After gaining access, CL-CRI-1040 deploys Project AK47, a modular toolset that includes a custom multi-protocol backdoor named AK47C2, ransomware identified as AK47/X2ANYLOCK, and a set of DLL sideloading loaders. The AK47C2 backdoor supports DNS and HTTP command-and-control communication via components called dnsclient and httpclient. Unit 42 observed consistent encryption techniques and hardcoded XOR keys across samples, indicating a cohesive, purpose-built toolchain. Evidence suggests the backdoors can execute arbitrary commands, manage sleep intervals, and exfiltrate data via encoded subdomains or HTTP bodies.
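The dnsclient behaviour described above, where the backdoor carries encoded data in subdomain labels, is the kind of pattern a defender can hunt for in DNS query logs. The following is an added example written for this article, not code from Unit 42 or from Project AK47; the log format (client IP and queried name per line), the thresholds, and the domain names in the sample are all constructed assumptions, not indicators from the report.

```python
import math
from collections import defaultdict

# Constructed sample DNS query log (client IP, queried name). Not real IoCs.
SAMPLE_LOG = """\
10.0.0.5 www.example.com
10.0.0.5 mail.example.com
10.0.0.7 a3f9c1e2b7d04c8e1f6a.cdn-updates.example
10.0.0.7 9e2b7d04c8e1f6a3f9c1.cdn-updates.example
10.0.0.7 7d04c8e1f6a3f9c1e2b9.cdn-updates.example
10.0.0.7 c8e1f6a3f9c1e2b7d041.cdn-updates.example
10.0.0.7 e1f6a3f9c1e2b7d04c83.cdn-updates.example
10.0.0.7 f6a3f9c1e2b7d04c8e15.cdn-updates.example
"""

def shannon_entropy(s):
    """Bits of entropy per character; encoded payloads score high."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def parent_domain(name):
    """Approximate the registrable domain as the last two labels
    (assumption: no public-suffix list is consulted)."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])

def find_dns_tunnels(log_text, min_unique=5, min_label_len=16, min_entropy=3.0):
    """Return parent domains whose leftmost labels look like encoded C2 data:
    many unique, long, high-entropy labels under one parent domain."""
    subs = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue
        labels = parts[1].lower().rstrip(".").split(".")
        if len(labels) <= 2:
            continue
        subs[parent_domain(parts[1])].add(labels[0])
    flagged = {}
    for parent, labels in subs.items():
        if len(labels) < min_unique:
            continue
        avg_len = sum(len(l) for l in labels) / len(labels)
        avg_ent = sum(shannon_entropy(l) for l in labels) / len(labels)
        if avg_len >= min_label_len and avg_ent >= min_entropy:
            flagged[parent] = {"unique_labels": len(labels),
                               "avg_len": round(avg_len, 1),
                               "avg_entropy": round(avg_ent, 2)}
    return flagged
```

Thresholds need tuning against a baseline, since CDNs and some legitimate services also generate many long, random-looking labels; the heuristic is a hunting lead, not a verdict.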
The ransomware component, AK47/X2ANYLOCK, first observed in early April 2025, includes typical ransomware functions such as terminating processes, enumerating drives, encrypting data with hybrid cryptography, and deploying ransom notes. One early version only dropped ransom notes without performing encryption, likely a prototype build. Unit 42 also identified loaders in the toolset designed to abuse DLL sideloading via legitimate executables. Notably, within an archive labeled Evidencia.rar, researchers found Project AK47 components alongside hacking tools and a dropper for LockBit 3.0 ransomware. The archive also contained indicators of overlap with LockBit infrastructure, such as a shared Tox ID that appears in LockBit’s leaked database under the username “wlteaml,” believed to reference “Warlock Team LockBit.”
While Unit 42 could not conclusively confirm a relationship between AK47 and Warlock ransomware, it noted that the same Tox ID was used for victim negotiation on the Warlock Client Leaked Data Show leak site. That site, which became inaccessible in late July, is attributed to the same actor behind CL-CRI-1040. Despite the financial motivation evidenced by the LockBit and Warlock connections, Unit 42 noted that this activity also appears in reporting alongside espionage-linked operations, leaving the broader intent of CL-CRI-1040 ambiguous. Unit 42 concludes: “Based on our analysis of host and network-based artifacts, we assess with high confidence that Storm-2603 is identical to the activity cluster that we track as CL-CRI-1040.”