In a newly published report, Unit 42 has exposed a financially motivated cyber threat actor cluster, dubbed CL-CRI-1040, with dangerous ties to known ransomware operations and links to the Storm-2603 actor previously highlighted by Microsoft. The group’s powerful toolset, ominously named Project AK47, has been wreaking havoc since at least March 2025, exploiting critical Microsoft SharePoint vulnerabilities to plant custom backdoors and ransomware in victim systems.
At the core of Unit 42’s analysis lies the recognition that CL-CRI-1040 is likely the same group Microsoft tracked as Storm-2603, a suspected China-based threat actor. “Based on our analysis of host and network-based artifacts, we assess with high confidence that Storm-2603 is identical to the activity cluster that we track as CL-CRI-1040,” the report states.
The cluster’s campaign has exploited a series of SharePoint vulnerabilities. Using an exploit chain dubbed ToolShell, the threat actors deployed malware that combines stealth, persistence, and encryption in a trifecta of destructive capability.
Project AK47 isn’t your average malware toolkit. It’s a sophisticated ecosystem of components designed for command-and-control (C2), data theft, and encryption extortion. The package includes:
- AK47C2: A multi-protocol backdoor with DNS and HTTP variants (dnsclient and httpclient)
- X2ANYLOCK Ransomware: Also known as AK47 ransomware, capable of encrypting files and evading detection with time-stamped kill switches
- DLL Side-loaders: Malware loaders designed to hijack legitimate executables like 7z.exe and launch malicious DLLs
“Project AK47 is a collection of malware used in CL-CRI-1040 that has likely been under development since at least March 2025,” Unit 42 noted.
The backdoor variants are particularly insidious. For example, dnsclient communicates with its C2 server by encoding JSON commands into DNS queries, cleverly sidestepping traditional network detection systems. Meanwhile, httpclient uses POST requests with encoded payloads, abusing CURL for seamless communication.
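The DNS-encoded command channel described above is exactly the kind of traffic that network defenders can hunt for with per-query heuristics on resolver logs. The Python below is an added illustrative example for this article, not code from Unit 42 or from the Project AK47 report: it scores a constructed DNS query log on four independent signals (label length, character entropy, an encoded-looking character set, and how many distinct subdomains one client asks for under a single parent domain) and flags a query only when several signals agree. The log lines, the `c2-placeholder.invalid` and `cdn-placeholder.invalid` domains, the hex-encoded JSON beacons and all thresholds are constructed assumptions; the page says only that dnsclient encodes JSON commands into DNS queries, so the exact encoding used by the real backdoor is not reproduced here.

```python
"""Heuristic detection of DNS queries that may carry encoded C2 payloads.

Added illustrative example; not code from Unit 42 or from the Project AK47
report. All log lines, domain names, beacon encodings and thresholds below
are constructed assumptions.
"""
import json
import math
from collections import defaultdict

# Constructed beacons: small JSON documents hex-encoded into the left-most
# DNS label, mimicking the "JSON commands in DNS queries" pattern described.
_BEACONS = [
    json.dumps({"id": n, "type": "beacon"}, separators=(",", ":")).encode().hex()
    for n in (1, 2, 3)
]

# Constructed DNS query log: "<timestamp> <client-ip> <qname> <qtype>".
SAMPLE_DNS_LOG = "\n".join(
    [
        "2025-03-14T10:00:01Z 10.0.0.5 www.example.com A",
        "2025-03-14T10:00:02Z 10.0.0.5 mail.example.com MX",
        f"2025-03-14T10:00:03Z 10.0.0.7 {_BEACONS[0]}.c2-placeholder.invalid TXT",
        "2025-03-14T10:00:04Z 10.0.0.5 a1b2c3d4e5f6.cdn-placeholder.invalid A",
        f"2025-03-14T10:00:05Z 10.0.0.7 {_BEACONS[1]}.c2-placeholder.invalid TXT",
        f"2025-03-14T10:00:06Z 10.0.0.7 {_BEACONS[2]}.c2-placeholder.invalid TXT",
        "2025-03-14T10:00:07Z 10.0.0.5 cdn.example.com A",
    ]
)

HEX_ALPHABET = set("0123456789abcdef")
BASE32_ALPHABET = set("abcdefghijklmnopqrstuvwxyz234567")


def shannon_entropy(text: str) -> float:
    """Bits per character; encoded payloads score higher than dictionary words."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_log(log_text: str):
    """Yield (client, qname, qtype) tuples from the constructed log format."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines instead of aborting the whole scan
        _ts, client, qname, qtype = parts
        yield client, qname.lower().rstrip("."), qtype


def split_name(qname: str):
    """Return (left-most label, parent domain).

    Treating the last two labels as the parent is a simplification; a
    production detector would consult the public suffix list so that names
    such as example.co.uk are handled correctly."""
    labels = qname.split(".")
    if len(labels) < 3:
        return "", qname
    return labels[0], ".".join(labels[-2:])


def score_queries(log_text: str, min_signals: int = 3):
    """Score every query on four signals; return those with >= min_signals."""
    records = list(parse_log(log_text))
    # Signal 4 needs the number of distinct subdomains per (client, parent).
    distinct_subs = defaultdict(set)
    for client, qname, _ in records:
        label, parent = split_name(qname)
        if label:
            distinct_subs[(client, parent)].add(label)

    flagged = []
    for client, qname, qtype in records:
        label, parent = split_name(qname)
        if not label:
            continue
        chars = set(label)
        digit_ratio = sum(ch.isdigit() for ch in label) / len(label)
        signals = {
            "long_label": len(label) >= 24,
            "high_entropy": shannon_entropy(label) >= 3.0,
            # hex/base32 alphabets with many digits look like encoded data,
            # not like a hostname somebody typed
            "encoded_charset": (chars <= HEX_ALPHABET or chars <= BASE32_ALPHABET)
            and digit_ratio >= 0.3,
            "many_subdomains": len(distinct_subs[(client, parent)]) >= 3,
        }
        score = sum(signals.values())
        if score >= min_signals:
            flagged.append(
                {"client": client, "qname": qname, "qtype": qtype, "score": score,
                 "signals": sorted(k for k, v in signals.items() if v)}
            )
    return flagged


if __name__ == "__main__":
    for hit in score_queries(SAMPLE_DNS_LOG):
        print(f"{hit['client']} {hit['qtype']:4} score={hit['score']} "
              f"{','.join(hit['signals'])} {hit['qname']}")
```

Run as a script, it prints only the three beacon queries from client 10.0.0.7. The short hash-like CDN label in the sample trips the entropy and character-set checks but nothing else, so it scores 2 and stays quiet; that is the reason for requiring several signals rather than any one of them, and the thresholds should be tuned against a baseline of the organisation's own resolver traffic before being used for alerting.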
The AK47 ransomware encrypts files using AES and RSA algorithms, targeting drives and shares while skipping select directories. It then drops classic ransom notes containing a Tox ID for victim communication. But what’s more interesting is that this Tox ID overlaps with Warlock Client, a ransomware group operating a dark web leak site known as the “Warlock Client Leaked Data Show.”
Although Microsoft previously connected Storm-2603 to Warlock ransomware, Unit 42 warns:
“We cannot conclusively determine the relationship between these two ransomware families.”
Yet, one detail emerged: the Tox ID found in AK47 ransomware matches the ID listed in leaked LockBit 3.0 affiliate databases. The user wlteaml, tied to that ID, was registered just days before a LockBit ransomware sample surfaced on VirusTotal—raising suspicions of shared infrastructure or personnel.
Unit 42’s forensic investigation uncovered a RAR archive named Evidencia.rar, potentially taken from a victim’s system. It contained:
- AK47 ransomware components
- Hacking tools like PyPyKatz, Masscan, and SharpHostInfo
- LockBit 3.0 dropper files, including bbb.msi, capable of DLL hollowing
“The inclusion of the LockBit 3.0 instance in the same archive as Project AK47 components does not seem to be a mere coincidence,” analysts concluded.
Despite Microsoft asserting Storm-2603’s Chinese origin, Unit 42 cautiously stops short of state attribution. “We do not have enough direct evidence to confidently attribute CL-CRI-1040 to any nation-state,” the report clarifies. However, the use of backdoors popular among Chinese-speaking threat actors hints at possible overlaps or shared tooling.
More concretely, the cluster is financially driven. “Our investigation of CL-CRI-1040 attacks revealed evidence of previous ransomware activities, including LockBit 3.0 and Warlock Client ransomware,” Unit 42 added.