Project AK47: Uncovering a Link to the SharePoint Vulnerability…

Search IOCs, vulnerabilities, APT…

216.73.216.6

← Back to attack reports

Project AK47: Uncovering a Link to the SharePoint Vulnerability Attacks

· Published 06/08/2025 08:15 · Modified 06/08/2025 09:06

Share: LinkedIn Facebook Mastodon X

Export JSON

Essential information

Published: 06/08/2025 08:15
Modified: 06/08/2025 09:06
Tags: 2025-08-06 CVE-2025-49704 CVE-2025-49706 CVE-2025-53770 CVE-2025-53771 ak47 ransomware ak47c2 backdoor lockbit lockbit 3.0 project ak47 ransomware sharepoint toolshell warlock warlock client x2anylock
Related entities: 11 vulnerabilities (cve), 27 observables, 1 intrusion sets (apt), 19 techniques (mitre), 5 malware

Description

Unit 42 has identified significant overlaps between Microsoft's reported ToolShell activity and a threat cluster they track as CL-CRI-1040. This cluster utilizes a tool set called Project AK47, which includes a multi-protocol backdoor, custom ransomware, and loaders. The activity is linked to the exploitation of recent SharePoint vulnerabilities and is believed to be financially motivated. CL-CRI-1040 was previously associated with LockBit 3.0 and is now connected to a double-extortion site called Warlock Client. The analysis reveals a complex threat landscape with potential ties to both cybercriminal and nation-state actors.

Related entities

Vulnerabilities, IOCs, intrusion sets, MITRE techniques and other entities referenced in this report.

Vulnerabilities (CVE) (11)

CVE-2025-53771

6.5 Medium

Improper limitation of a pathname to a restricted directory ('path traversal') in Microsoft Office SharePoint allows an authorized attacker to perform spoofing …

Attack vector: NETWORK
Published: 21/07/2025
Modified: 21/12/2025

Received

CVE-2025-53770 KEV

9.8 Critical

Deserialization of untrusted data in on-premises Microsoft SharePoint Server allows an unauthorized attacker to execute code over a network. Microsoft is aware …

Attack vector: Network
Published: 20/07/2025
Modified: 21/12/2025

Analyzed

CVE-2025-49706 KEV

6.5 Medium

Microsoft SharePoint contains an improper authentication vulnerability that allows an authorized attacker to perform spoofing over a network. Successfully exploitation could allow …

Attack vector: Network
Published: 22/07/2025
Modified: 21/12/2025

CVE-2025-49704 KEV

8.8 High

Microsoft SharePoint contains a code injection vulnerability that could allow an authorized attacker to execute code over a network. This vulnerability could …

Attack vector: Network
Published: 22/07/2025
Modified: 21/12/2025

CVE-2025-31324 KEV

10.0 Critical

SAP NetWeaver Visual Composer Metadata Uploader is not protected with a proper authorization, allowing unauthenticated agent to upload potentially malicious executable binaries …

Attack vector: Network
Published: 29/04/2025
Modified: 21/12/2025

Received

CVE-2024-53870

3.3 Low

NVIDIA CUDA toolkit for all platforms contains a vulnerability in the cuobjdump binary, where a user could cause an out-of-bounds read by …

Attack vector: LOCAL
Published: 25/02/2025
Modified: 21/12/2025

Awaiting Analysis

CVE-2025-0283

7.0 High

A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure before version 22.7R1.2, and Ivanti Neurons for ZTA …

Attack vector: LOCAL
Published: 09/01/2025
Modified: 21/12/2025

Analyzed

CVE-2025-0282 KEV

9.0 Critical

A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure before version 22.7R1.2, and Ivanti Neurons for ZTA …

Attack vector: Network
Published: 08/01/2025
Modified: 21/12/2025

Analyzed

CVE-2024-8299

7.8 High

Uncontrolled Search Path Element vulnerability in Mitsubishi Electric GENESIS64 versions 10.97.3 and prior, Mitsubishi Electric ICONICS Suite versions 10.97.3 and prior, Mitsubishi …

Attack vector: LOCAL
Complexity: Low
Published: 29/11/2024
Modified: 08/04/2026

CWE-427 Awaiting Analysis

CVE-2024-7587

7.8 High

Incorrect Default Permissions vulnerability in GenBroker32, which is included in the installers for Mitsubishi Electric GENESIS64 versions 10.97.3 and prior, Mitsubishi Electric …

Attack vector: Local
Published: 23/10/2024
Modified: 09/01/2026

Analyzed

CVE-2024-1182

7.0 High

Uncontrolled Search Path Element vulnerability in Mitsubishi Electric GENESIS64 versions 10.97.3 and prior, Mitsubishi Electric ICONICS Suite versions 10.97.3 and prior, Mitsubishi …

Attack vector: LOCAL
Complexity: High
Published: 04/07/2024
Modified: 08/04/2026

CWE-427 Received

Observables (27)

update.updatemicfosoft.com
f185c91e62ca38494d7f125492058028028769a86ed169bd2fb051e43fd9fb70
e7a7cd756dfeacbdc8caa0d431f9192cb10d62da119b138fca65276ff4ab6958
a919844f8f5e6655fd465be0cc0223946807dd324fcfe4ee93e9f0e6d607061e
7e9632ab1898c47c46d68b66c3a987a0e28052f3b59d51c16a8e8bb11e386ce8
79bef5da8af21f97e8d4e609389c28e0646ef81a6944e329330c716e19f33c73
7638069eeccf3cd7026723d794a7fd181c9fe02cecc1d1a98cf79b8228132ef5
6f6db63ece791c6dc1054f1e1231b5bbcf6c051a49bad0784569271753e24619
5cc047a9c5bb2aa6a9581942b9d2d185815aefea06296c8195ca2f18f2680b3e
4147a1c7084357463b35071eab6f4525a94476b40336ebbf8a4e54eb9b51917f
1d85b18034dc6c2e9d1f7c982a39ca0d4209eb6c48ace89014924eae6532e6bc
f711b14efb7792033b7ac954ebcfaec8141eb0abafef9c17e769ff96e8fecdf3

← Previous

Page / 3

1–12 of 27

Storm-2603

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·

Techniques (MITRE) (19)

T1569.002

Service Execution MITRE
T1490

Inhibit System Recovery MITRE
T1574.002

MITRE
T1218.011

Rundll32 MITRE
T1021

Remote Services MITRE
T1573

Encrypted Channel MITRE
T1489

Service Stop MITRE
T1486

Data Encrypted for Impact MITRE
T1070

Indicator Removal MITRE
T1071

Application Layer Protocol MITRE
T1055

Process Injection MITRE
T1046

Network Service Discovery MITRE

← Previous

Page / 2

1–12 of 19

X2ANYLOCK

Family
AK47 ransomware

Family
AK47C2

Family
Warlock

Family
LockBit 3.0

Family

External references

https://unit42.paloaltonetworks.com/ak47-activity-linked-to-sharepoint-vulnerabilities/
https://otx.alienvault.com/pulse/68930f15831806a6887354c8

Contact About Legal notice Privacy policy Terms of use