Add content from: Project AK47: Uncovering a Link to the SharePoint Vulnerabil...

src/network-services-pentesting/pentesting-web/microsoft-sharepoint.md

@@ -99,6 +99,57 @@ Same shell but:
 * variable names reduced to single letters
 * `Thread.Sleep(<ms>)` added for sandbox-evasion & timing-based AV bypass.
 
+### 3.4 AK47C2 multi-protocol backdoor & X2ANYLOCK ransomware (observed 2025-2026)
+
+Recent incident-response investigations (Unit42 “Project AK47”) show how attackers leverage the ToolShell chain **after initial RCE** to deploy a dual-channel C2 implant and ransomware in SharePoint environments:
+
+#### AK47C2 – `dnsclient` variant
+
+* Hard-coded DNS server: `10.7.66.10` communicating with authoritative domain `update.updatemicfosoft.com`.
+* Messages are JSON objects XOR-encrypted with the static key `VHBD@H`, hex-encoded and embedded as **sub-domain labels**.
+
+  ```json
+  {"cmd":"<COMMAND>","cmd_id":"<ID>"}
+  ```
+
+* Long queries are chunked and prefixed with `s`, then re-assembled server-side.
+* Server replies in TXT records carrying the same XOR/hex scheme:
+
+  ```json
+  {"cmd":"<COMMAND>","cmd_id":"<ID>","type":"result","fqdn":"<HOST>","result":"<OUTPUT>"}
+  ```
+* Version 202504 introduced a simplified format `<COMMAND>::<SESSION_KEY>` and chunk markers `1`, `2`, `a`.
+
+#### AK47C2 – `httpclient` variant
+
+* Re-uses the exact JSON & XOR routine but sends the hex blob in the **HTTP POST body** via `libcurl` (`CURLOPT_POSTFIELDS`, etc.).
+* Same task/result workflow allowing:
+  * Arbitrary shell command execution.
+  * Dynamic sleep interval and kill-switch instructions.
+
+#### X2ANYLOCK ransomware
+
+* 64-bit C++ payload loaded through DLL side-loading (see below).
+* Employs AES-CBC for file data + RSA-2048 to wrap the AES key, then appends the extension `.x2anylock`.
+* Recursively encrypts local drives and discovered SMB shares; skips system paths.
+* Drops clear-text note `How to decrypt my data.txt` embedding a static **Tox ID** for negotiations.
+* Contains an internal **kill-switch**:
+
+  ```c
+  if (file_mod_time >= "2026-06-06") exit(0);
+  ```
+
+#### DLL side-loading chain
+
+1. Attacker writes `dllhijacked.dll`/`My7zdllhijacked.dll` next to a legitimate `7z.exe`.
+2. SharePoint-spawned `w3wp.exe` launches `7z.exe`, which loads the malicious DLL because of Windows search order, invoking the ransomware entrypoint in memory.
+3. A separate LockBit loader observed (`bbb.msi` ➜ `clink_x86.exe` ➜ `clink_dll_x86.dll`) decrypts shell-code and performs **DLL hollowing** into `d3dl1.dll` to run LockBit 3.0.
+
+> [!INFO]
+> The same static Tox ID found in X2ANYLOCK appears in leaked LockBit databases, suggesting affiliate overlap.
+
+---
+
 ## 4. Detection ideas
 
 | Telemetry | Why it is suspicious |
@@ -134,6 +185,7 @@ proc where parent_process_name="w3wp.exe" and process_name in ("cmd.exe","powers
 - [Unit42 – Active Exploitation of Microsoft SharePoint Vulnerabilities](https://unit42.paloaltonetworks.com/microsoft-sharepoint-cve-2025-49704-cve-2025-49706-cve-2025-53770/)
 - [GitHub PoC – ToolShell exploit chain](https://github.com/real-or-not/ToolShell)
 - [Microsoft Security Advisory – CVE-2025-49704 / 49706](https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2025-49704)
+- [Unit42 – Project AK47 / SharePoint Exploitation & Ransomware Activity](https://unit42.paloaltonetworks.com/ak47-activity-linked-to-sharepoint-vulnerabilities/)
 - [Microsoft Security Advisory – CVE-2025-53770 / 53771](https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2025-53770)
 
 {{#include ../../banners/hacktricks-training.md}}