Project AK47: Uncovering a Link to the SharePoint Vulnerability Attacks

    Date: 08/06/2025

    Severity: High

    Summary

    "Project AK47: Uncovering a Link to the SharePoint Vulnerability Attacks" details the connection between a threat activity cluster tracked as CL-CRI-1040 and recent exploitation of SharePoint vulnerabilities. This cluster deploys a toolset named Project AK47, which includes a backdoor, ransomware, and loaders. The activity overlaps with Microsoft’s reporting on ToolShell exploitation and is attributed to the suspected China-based threat actor Storm-2603. Analysis of host- and network-based artifacts supports a high-confidence assessment linking Storm-2603 to CL-CRI-1040.

    Indicators of Compromise (IOC) List

    Hash


    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    sha256hash IN ("c27b725ff66fdfb11dd6487a3815d1d1eba89d61b0e919e4d06ed3ac6a74fe94","1d85b18034dc6c2e9d1f7c982a39ca0d4209eb6c48ace89014924eae6532e6bc","257fed1516ae5fe1b63eae55389e8464f47172154297496e6f4ef13c19a26505","7c31d43b30bda3a891f0332ee5b1cf610cdc9ecf772cea9b073ac905d886990d","dbf5ee8d232ebce4cd25c0574d3a1ab3aa7c9caf9709047a6790e94d810377de","3b013d5aec75bf8aab2423d0f56605c3860a8fbd4f343089a9a8813b15ecc550","a919844f8f5e6655fd465be0cc0223946807dd324fcfe4ee93e9f0e6d607061e","0f4b0d65468fe3e5c8fb4bb07ed75d4762e722a60136e377bdad7ef06d9d7c22","f711b14efb7792033b7ac954ebcfaec8141eb0abafef9c17e769ff96e8fecdf3","d6da885c90a5d1fb88d0a3f0b5d9817a82d5772d5510a0773c80ca581ce2486d","ceec1a2df81905f68c7ebe986e378fec0805aebdc13de09a4033be48ba66da8b","b5a78616f709859a0d9f830d28ff2f9dbbb2387df1753739407917e96dadf6b0","55a246576af6f6212c26ef78be5dd8f83e78dd45aea97bb505d8cee1aeef6f17","078163d5c16f64caa5a14784323fd51451b8c831c73396b967b4e35e6879937b","edfae1a69522f87b12c6dac3225d930e4848832e3c551ee1e7d31736bf4525ef","1eb914c09c873f0a7bcf81475ab0f6bdfaccc6b63bf7e5f2dbf19295106af192","24480dbe306597da1ba393b6e30d542673066f98826cc07ac4b9033137f37dbf","abb0fa128d3a75e69b59fe0391c1158eb84a799ddb0abc55d2d6be3511ef0ea1","4147a1c7084357463b35071eab6f4525a94476b40336ebbf8a4e54eb9b51917f","79bef5da8af21f97e8d4e609389c28e0646ef81a6944e329330c716e19f33c73","7e9632ab1898c47c46d68b66c3a987a0e28052f3b59d51c16a8e8bb11e386ce8","5cc047a9c5bb2aa6a9581942b9d2d185815aefea06296c8195ca2f18f2680b3e","f01675f9ca00da067bdb1812bf829f09ccf5658b87d3326d6fddd773df352574","7638069eeccf3cd7026723d794a7fd181c9fe02cecc1d1a98cf79b8228132ef5","6f6db63ece791c6dc1054f1e1231b5bbcf6c051a49bad0784569271753e24619")
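The query above is a plain SHA-256 allow-list match. As an added example (not Gurucul's or Unit 42's code), the Python below parses a query of that shape into a hash set, rejects anything that is not a 64-character hex digest, and evaluates it against constructed endpoint events, treating hash case and surrounding whitespace as irrelevant and skipping events with no hash field. The event field names and the two-hash query are assumptions built from the page's query.

```python
import re
from typing import Iterable

# Shape of the page's detection query: sha256hash IN ("h1","h2",...)
_QUERY_RE = re.compile(r'^\s*sha256hash\s+IN\s*\((.*)\)\s*$', re.IGNORECASE | re.DOTALL)
_SHA256_RE = re.compile(r'^[0-9a-f]{64}$')

def parse_hash_query(query: str) -> set[str]:
    """Turn a `sha256hash IN (...)` query into a lower-cased set of SHA-256 values.
    Raises ValueError for a malformed query or a value that is not a SHA-256 hex digest."""
    m = _QUERY_RE.match(query)
    if not m:
        raise ValueError("not a sha256hash IN (...) query")
    values = [v.strip().strip('"').strip("'").lower()
              for v in m.group(1).split(",") if v.strip()]
    bad = [v for v in values if not _SHA256_RE.match(v)]
    if bad:
        raise ValueError(f"not SHA-256 hex: {bad}")
    return set(values)

def match_events(events: Iterable[dict], iocs: set[str]) -> list[dict]:
    """Return events whose sha256hash field (any case, any padding) is in the IOC set.
    Events without a string hash field are skipped rather than treated as errors."""
    hits = []
    for ev in events:
        h = ev.get("sha256hash")
        if isinstance(h, str) and h.strip().lower() in iocs:
            hits.append(ev)
    return hits

# Constructed subset of the page's query, using two of the hashes it lists.
SAMPLE_QUERY = ('sha256hash IN ("c27b725ff66fdfb11dd6487a3815d1d1eba89d61b0e919e4d06ed3ac6a74fe94",'
                '"ceec1a2df81905f68c7ebe986e378fec0805aebdc13de09a4033be48ba66da8b")')

# Constructed sample endpoint events (assumed field names, not real telemetry).
SAMPLE_EVENTS = [
    {"host": "ws01", "sha256hash": "C27B725FF66FDFB11DD6487A3815D1D1EBA89D61B0E919E4D06ED3AC6A74FE94"},
    {"host": "ws02", "sha256hash": "0000000000000000000000000000000000000000000000000000000000000000"},
    {"host": "ws03"},  # no hash field at all
    {"host": "ws04", "sha256hash": " ceec1a2df81905f68c7ebe986e378fec0805aebdc13de09a4033be48ba66da8b "},
]

def run_sample() -> list[str]:
    """Hosts whose events match the sample query."""
    return [ev["host"] for ev in match_events(SAMPLE_EVENTS, parse_hash_query(SAMPLE_QUERY))]

if __name__ == "__main__":
    print(run_sample())
```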

    Reference:

    https://unit42.paloaltonetworks.com/ak47-activity-linked-to-sharepoint-vulnerabilities/


    Tags

    Malware, Vulnerability, Threat Actor, Project AK47, Backdoor, Ransomware, Loaders, SharePoint, CL-CRI-1040, Exploit, China, Storm-2603
