
ToolShell exploitation linked to financially motivated group's significant involvement

Palo Alto Networks researchers expose ransomware implementation and covert entrances in a malicious campaign targeting Microsoft SharePoint users.


A financially motivated cybercriminal cluster, known as CL-CRI-1040, has been actively exploiting Microsoft SharePoint vulnerabilities since at least March 2025. This group, which has been linked to the China-based threat actor Storm-2603, operates a custom toolset called Project AK47.

The toolset includes an advanced multi-protocol backdoor (AK47 C2), ransomware (AK47 or X2ANYLOCK), and loaders using DLL side-loading. CL-CRI-1040 has been associated with LockBit 3.0 affiliates in the past and currently runs a double-extortion data leak site called Warlock Client Leaked Data Show.

Exploitation of SharePoint Vulnerabilities

CL-CRI-1040 exploits multiple critical, recently disclosed vulnerabilities in on-premises SharePoint servers, including CVE-2025-49704, CVE-2025-49706, CVE-2025-53770, and CVE-2025-53771.

Attack Techniques

The group uses a dynamic approach, shifting payload delivery methods between .NET modules and web shells to evade detection. They conduct reconnaissance on SharePoint servers and leverage stealthy command and control (C2) channels, including DNS TXT record exfiltration and HTTP POST, for data theft and payload delivery.

Financial Motivation with Possible Espionage Elements

While the core motive appears financial, given LockBit 3.0 ties and ransomware activities, CL-CRI-1040 has operated alongside espionage-focused groups, introducing ambiguity regarding potential nation-state collaboration or motivation. The cluster uses a Chinese-language IIS backdoor common in Chinese hacking communities, reinforcing a potential China nexus.

Connection to LockBit 3.0 and Warlock Ransomware

CL-CRI-1040, formerly associated with LockBit 3.0 affiliates, now operates its own leak site, "Warlock Client", but there is no conclusive evidence that Warlock ransomware and AK47 ransomware are the same strain.

Microsoft assesses Storm-2603 as China-based. However, direct attribution of CL-CRI-1040 to any nation-state remains unconfirmed. The cluster's techniques and artifacts partially overlap with espionage groups like Linen Typhoon and Violet Typhoon, though clear operational links to these nation-state groups have not been established in the current intelligence.

Impact on U.S. Organisations

Several federal agencies in the U.S., including the Department of Energy, the Department of Homeland Security, and the Department of Health and Human Services, were impacted by the hacking campaign. However, the vast majority of the targeted organisations have not disclosed any specific impacts from the campaign.

Mitigations

Recommended mitigations include patching vulnerable SharePoint servers, enforcing multi-factor authentication (MFA), minimising privileges, network monitoring for indicators of compromise, and user education on phishing and social engineering.
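The network-monitoring mitigation above, applied to the DNS TXT C2 channel described under Attack Techniques, as an added example that is not from the original article or the researchers' own tooling: it scans constructed DNS query log lines (format, hostnames and addresses are all assumed) and flags clients that repeatedly look up TXT records for a domain whose leading label looks like an encoded blob.

```python
import math
import re
from collections import defaultdict

# Constructed sample DNS query log (not real telemetry): "<epoch> <client_ip> <qtype> <qname>"
SAMPLE_LOG = """\
1753000001 10.0.0.5 A sharepoint.corp.example
1753000002 10.0.0.5 TXT 6a4f9c2e1b7d8e3f0a5c4b2d9e8f7a6b.updates.example-c2.test
1753000003 10.0.0.5 TXT 3c8d1e5f2a9b7c6d4e0f1a2b3c4d5e6f.updates.example-c2.test
1753000004 10.0.0.5 TXT 9f0e1d2c3b4a59687766554433221100.updates.example-c2.test
1753000005 10.0.0.7 TXT _dmarc.corp.example
1753000006 10.0.0.5 TXT b2c3d4e5f60718293a4b5c6d7e8f9a0b.updates.example-c2.test
1753000007 10.0.0.9 A mail.corp.example
"""

LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\S+)$")

def shannon_entropy(s: str) -> float:
    """Bits per character; hex/base32 blobs score far higher than ordinary hostnames."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def registered_domain(qname: str) -> str:
    """Crude last-two-labels approximation; a deployment would use a public-suffix list."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])

def suspicious_txt_domains(log_text: str, min_label_len=24, min_entropy=3.0, min_queries=3):
    """Return {(client, domain): count} for TXT lookups whose first label is long and
    high-entropy and that recur from one client, the shape of TXT-record C2/exfiltration."""
    hits = defaultdict(int)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # tolerate malformed lines instead of aborting the scan
        _, client, qtype, qname = m.groups()
        if qtype != "TXT":
            continue
        first = qname.split(".")[0]
        if len(first) >= min_label_len and shannon_entropy(first) >= min_entropy:
            hits[(client, registered_domain(qname))] += 1
    return {k: v for k, v in hits.items() if v >= min_queries}

if __name__ == "__main__":
    for (client, domain), n in suspicious_txt_domains(SAMPLE_LOG).items():
        print(f"{client} -> {domain}: {n} encoded TXT queries")
```

Legitimate TXT lookups such as the `_dmarc` record pass through untouched, so the thresholds can be tuned per environment without drowning analysts in email-authentication noise.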

In summary, CL-CRI-1040 is a financially motivated, sophisticated cybercriminal cluster exploiting ToolShell SharePoint vulnerabilities, closely tied to Storm-2603 and LockBit 3.0 affiliates, with potential but unconfirmed links to Chinese nation-state espionage groups like Linen Typhoon and Violet Typhoon. Security researchers have confirmed at least 300 cases of compromise worldwide due to this threat activity, making it one of the most serious threat activities facing the United States in recent years. The ransomware associated with this threat cluster, known as AK47 or X2ANYLOCK, has been in use since April and is capable of terminating several applications, encrypting specific files, and dropping ransom notes.

  1. The exploitation of SharePoint vulnerabilities by CL-CRI-1040, a financially motivated cybercriminal cluster, poses a significant threat to businesses and organisations, especially in the United States, given that several federal agencies have been impacted.
  2. The ransomware associated with CL-CRI-1040, known as AK47 or X2ANYLOCK, is advanced and capable of terminating several applications, encrypting specific files, and dropping ransom notes, highlighting the need for robust cybersecurity measures.
  3. Cybersecurity researchers have identified that CL-CRI-1040's activities demonstrate a level of sophistication, with the cluster's techniques and artifacts partially overlapping with espionage groups, raising questions about potential nation-state collaboration or motivation, despite Microsoft's assessment of Storm-2603 as China-based.
