ToolShell Exploitation is being driven by financially motivated groups with one prominent member in the mix.
Security researchers at Palo Alto Networks Unit 42 have identified a financially motivated threat cluster tracked as CL-CRI-1040. The cluster has been linked to the exploitation of recent Microsoft SharePoint vulnerabilities via the ToolShell exploit chain, operates ransomware activities including the AK47 ransomware, and has affiliations with the LockBit 3.0 ransomware group.
The cluster has been active since at least March 2025. It overlaps with the activity group Microsoft calls Storm-2603, which has exploited the SharePoint vulnerabilities CVE-2025-49704, CVE-2025-49706, CVE-2025-53770, and CVE-2025-53771 through the ToolShell exploit chain.
The AK47 ransomware strain, also known as X2ANYLOCK, is a sophisticated malware family that uses a backdoor called AK47 C2. The backdoor supports multiple communication protocols (DNS and HTTP) and allows arbitrary command execution. The ransomware is designed to terminate processes, encrypt files with layered AES and RSA encryption, and perform network enumeration. It employs evasion techniques such as DLL side-loading.
CL-CRI-1040 formerly had operational ties to a LockBit 3.0 affiliate. Although an exact overlap between AK47 ransomware and Warlock ransomware has not been conclusively established, these connections indicate that CL-CRI-1040 operates within or alongside notable ransomware ecosystems.
The leak site operated by CL-CRI-1040, Warlock Client Leaked Data Show, is part of a double-extortion scheme in which victim data is exfiltrated and the threat of publishing it is used to pressure ransom payment.
While Microsoft has linked Storm-2603 to a China-based threat actor with potential espionage motives, Unit 42 assesses CL-CRI-1040 as financially motivated given its ransomware and leak site operations. However, some cooperation or overlap with nation-state actors cannot be ruled out.
The SharePoint vulnerabilities exploited by this cluster have impacted numerous high-profile targets, including several U.S. federal agencies. The campaign has been described as a serious threat to information security globally.
The earliest version of the ransomware associated with this threat cluster, known as AK47 or X2ANYLOCK, dates back to April. Several U.S. federal agencies, including the Department of Energy, the Department of Homeland Security, and the Department of Health and Human Services, were impacted by the hacking campaign. The ransomware has been linked to the AK47 C2 backdoor.
In summary, CL-CRI-1040 is a financially motivated cybercriminal cluster that exploits SharePoint vulnerabilities using ToolShell, deploys the AK47 ransomware, maintains links to LockBit 3.0 affiliates, and runs the Warlock data leakage site, with possible overlap between espionage and criminal activities. The threat activity targeting SharePoint is among the most serious threat activities facing the United States in recent years.
- CL-CRI-1040 is a financially motivated cybercriminal cluster that operates ransomware activities, such as the AK47 ransomware, and maintains links to the LockBit 3.0 ransomware group.
- The cluster deploying AK47 ransomware, also known as X2ANYLOCK, exploits vulnerabilities in Microsoft SharePoint via the ToolShell exploit chain, posing a serious threat to organizations globally.
- Microsoft's Storm-2603 activity group, which overlaps with CL-CRI-1040, has been suggested to have ties to China-based threat actors with espionage motives, although CL-CRI-1040's primary focus appears to be financial.
- Technically, the AK47 ransomware uses a backdoor called AK47 C2, employs evasion techniques such as DLL side-loading, and is part of a double-extortion scheme involving the Warlock Client Leaked Data Show leak site.