Chinese Hackers Exploit SharePoint Flaws to Deploy Backdoors, Ransomware, and Loaders
Unit 42 researchers have identified significant overlaps between Microsoft’s reported ToolShell exploit chain targeting SharePoint vulnerabilities and a tracked activity cluster dubbed CL-CRI-1040.
This cluster, active since at least March 2025, deploys a custom malware suite named Project AK47, comprising multi-protocol backdoors, ransomware, and DLL side-loading loaders.
Microsoft’s analysis attributes the activity to Storm-2603, a suspected China-based threat actor, with high-confidence links established through host- and network-based artifacts.
Overlaps in Threat Activity
CL-CRI-1040’s financially motivated operations include prior associations with LockBit 3.0 affiliates and the Warlock Client double-extortion site, though espionage ties cannot be ruled out due to concurrent actor involvement.
Retrospective analysis reveals deployment of an IIS backdoor commonly misused in Chinese-speaking communities, further suggesting a potential Chinese nexus, while evidence like shared Tox IDs ties it to ransomware campaigns.

Project AK47, named after recurring PDB filepaths, encompasses sub-projects ...
Copyright of this story solely belongs to gbhackers.