Chinese State-Sponsored Hackers Exploit SharePoint Vulnerabilities to Deploy Advanced Malware Toolset

In a recent cybersecurity development, Chinese state-sponsored hacking groups have been actively exploiting critical vulnerabilities in Microsoft SharePoint servers to deploy a sophisticated malware suite known as Project AK47. This campaign, operational since at least March 2025, underscores a significant escalation in cyberattacks targeting enterprise SharePoint environments through the ToolShell exploit chain.

Exploitation of SharePoint Vulnerabilities

The threat actors, identified as Storm-2603 by Microsoft and tracked as CL-CRI-1040 by Palo Alto Networks, have been leveraging multiple SharePoint vulnerabilities, including:

– CVE-2025-49704
– CVE-2025-49706
– CVE-2025-53770
– CVE-2025-53771

These vulnerabilities allow unauthenticated access to SharePoint servers, which the attackers use to deploy malicious payloads. The campaign highlights the blurring line between state-sponsored espionage and cybercrime, combining advanced persistent threat tradecraft with financially motivated ransomware operations.

Project AK47: A Comprehensive Malware Suite

Project AK47 represents a multifaceted attack framework comprising several interconnected components designed for various phases of the attack lifecycle:

– AK47C2 Backdoor: This backdoor supports multiple communication protocols, including DNS and HTTP variants, facilitating robust command and control capabilities.

– Custom AK47 Ransomware (X2ANYLOCK): A tailored ransomware variant used to encrypt victim data, demanding ransom payments for decryption keys.

– Loaders Utilizing DLL Side-Loading Techniques: These loaders abuse legitimate, trusted executables to load and run malicious DLLs, helping the malware evade detection mechanisms.

Multi-Protocol Communication Infrastructure

The AK47C2 backdoor exhibits sophisticated command and control functionalities through its dual-protocol architecture:

– DNS Client Component: Communicates with command and control servers by XOR-encoding JSON data with a hardcoded key. The malware transmits the encoded data as subdomain labels of the C2 domain, fragmenting it across multiple DNS queries when it does not fit in a single name.

– HTTP Client Variant: Utilizes POST requests with encoded data in the HTTP body, sharing functionality with the DNS variant, including configurable sleep durations and arbitrary command execution capabilities.
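The DNS channel described above leaves a distinctive footprint in resolver logs: bursts of long, encoded-looking subdomains under one parent domain from a single host. The following detection heuristic is an added example written for this article, not code from the original report or from any vendor; the log format, the placeholder C2 domain and the assumption that encoded fragments appear as long hex-like labels are all constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample resolver log (not from the article): "timestamp client qname"
SAMPLE_LOG = """\
2025-07-20T10:00:01Z 10.0.0.12 www.example.com
2025-07-20T10:00:02Z 10.0.0.12 cdn.example.com
2025-07-20T10:00:03Z 10.0.0.12 5a7b3c9d1e2f4a6b8c0d1e2f3a4b5c6d.7e8f9a0b1c2d3e4f.c2-placeholder.example
2025-07-20T10:00:04Z 10.0.0.12 1f2e3d4c5b6a79880011223344556677.8899aabbccddeeff.c2-placeholder.example
2025-07-20T10:00:05Z 10.0.0.12 aabbccddeeff00112233445566778899.0123456789abcdef.c2-placeholder.example
2025-07-20T10:00:06Z 10.0.0.12 ffeeddccbbaa99887766554433221100.fedcba9876543210.c2-placeholder.example
2025-07-20T10:00:07Z 10.0.0.12 mail.example.com
"""

# Assumption: encoded fragments show up as labels of 16+ hex characters
HEX_LABEL = re.compile(r"^[0-9a-f]{16,}$")

def registered_domain(qname):
    # Assumption: the last two labels approximate the registered domain (no PSL lookup)
    return ".".join(qname.lower().rstrip(".").split(".")[-2:])

def parse_log(text):
    """Parse 'timestamp client qname' lines; malformed lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        rows.append((parts[0], parts[1], parts[2].lower().rstrip(".")))
    return rows

def suspicious_query(qname):
    """True if any subdomain label (below the registered domain) looks like an encoded fragment."""
    labels = qname.split(".")[:-2]
    return any(HEX_LABEL.match(label) for label in labels)

def find_tunnel_candidates(text, min_queries=3):
    """Group suspicious queries by (client, registered domain) and flag groups with
    at least min_queries distinct names, i.e. data fragmented across several lookups."""
    buckets = defaultdict(set)
    for _, client, qname in parse_log(text):
        if suspicious_query(qname):
            buckets[(client, registered_domain(qname))].add(qname)
    return {key: len(names) for key, names in buckets.items() if len(names) >= min_queries}

if __name__ == "__main__":
    for (client, domain), count in find_tunnel_candidates(SAMPLE_LOG).items():
        print(f"{client} -> {domain}: {count} distinct encoded-looking subdomains")
```

Tune the label regex and threshold to the real encoding and query volume observed in your environment; legitimate CDN and telemetry domains can also produce long labels, so treat hits as leads for triage rather than verdicts.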

Implications and Recommendations

The exploitation of these SharePoint vulnerabilities by Chinese state-sponsored actors poses significant risks to organizations worldwide. The deployment of Project AK47 indicates a strategic shift towards more sophisticated and persistent cyber threats.

Recommendations for Organizations:

1. Immediate Patching: Apply the latest security updates provided by Microsoft to address the identified vulnerabilities.

2. Enable Antimalware Scan Interface (AMSI): Configure AMSI in full mode to detect and prevent malicious activities.

3. Rotate ASP.NET Machine Keys: Regularly update machine keys to prevent unauthorized access.

4. Restart Internet Information Services (IIS): Ensure IIS is restarted to apply configuration changes effectively.

5. Deploy Endpoint Detection and Response (EDR) Solutions: Utilize tools like Microsoft Defender for Endpoint to monitor and respond to threats.

By implementing these measures, organizations can enhance their security posture and mitigate the risks associated with these advanced cyber threats.