SharePoint to Ransomware: ToolShell & AK47C2

Cohesity REDLab has released updates to its threat library in response to activity related to attacks on Microsoft SharePoint servers using malware like Toolshell, Warlock, AK47C2 and others. The attacks were first observed in July 2025, and we are updating the threat library with additional detection capability. Users should closely monitor the ML-based anti-ransomware backup anomalies in Security Center. It is also recommended to use the Threat Scan to scan backup data using the default threat library or custom YARA rules. Users should also run periodic file-hash scans to detect dormant malware in backup data.

Overview 

Threat actors weaponized a cluster of on-premises Microsoft SharePoint flaws (commonly called the ToolShell exploit chain including CVE-2025-49704, CVE-2025-49706 and CVE-2025-53770) to achieve unauthenticated remote code execution against exposed SharePoint servers. In observed campaigns attackers scanned internet-facing SharePoint instances, delivered crafted POST requests that triggered deserialization and spoofing RCEs, and used those RCEs to drop web shells and custom backdoors like AK47C2. From those footholds they harvested keys and credentials, moved laterally with common admin tooling, exfiltrated data, and finally deployed ransomware families like Warlock and AK47-linked ransomware, combining encryption with data extortion.

Kill Chain Working 

Reconnaissance

Attackers began by scanning the Internet for publicly reachable SharePoint services and related management interfaces, fingerprinting versions and installed components to identify servers vulnerable to the ToolShell CVE chain. They probed common SharePoint endpoints with automated tools and crafted banner grabs to gather software versions, enabled features, and reachable paths. This information guided which exploit payloads and request formats would be effective against each host.

Initial access: ToolShell exploitation using CVE chain

Using the reconnaissance results, attackers delivered specially crafted HTTP requests that abused deserialization and request-parsing flaws in SharePoint using CVE-2025-49704, CVE-2025-49706, CVE-2025-53770 chain). This triggered unauthenticated remote code execution and arbitrary file writes. Those exploit requests abused predictable parameter names and malformed payloads to bypass input validation, forcing the web application to execute attacker-supplied code in the context of the web server process.

Foothold & persistence: Web shells and AK47C2 backdoor

Once RCE was achieved the adversary dropped persistent web shells and installed multi-protocol backdoors such as components of the AK47 toolset that provided command-and-control, file staging, and remote interactive access. These implants were placed in web roots or benign-looking plugin directories and often included stealth features such as obfuscated code, randomized filenames, and multi-stage loaders.

Credential access & escalation

With a foothold established, attackers harvested sensitive secrets from the compromised host and network. They read IIS/ASP.NET machineKeys and configuration files to decrypt session tokens, scraped cached credentials from application stores and browsers, and dumped LSASS memory to extract plaintext credentials. They extracted NTLM hashes, and Kerberos tickets using Mimikatz-style techniques. The harvested artifacts were then used to escalate privileges locally and to obtain credentials for higher-privilege accounts and services across the environment.

Lateral movement & discovery

Armed with service and administrative credentials, the attackers moved laterally using built-in administration tools and protocols such as PsExec, SMB, RDP, scheduled tasks, and remote PowerShell to reach additional servers, domain controllers, and backup systems. During this phase they also performed discovery activities like enumerating shares, AD objects, running services, and backup locations to identify high-value targets for a follow-on ransomware deployment.

Exfiltration & staging

Before activating destructive payloads adversaries collected and staged sensitive data for external transfer, compressing and encrypting repositories of documents, databases, and system images. They then exfiltrating them over covert channels like HTTPS to attacker-controlled cloud storage, tunneled DNS, or encrypted C2 channels.

Ransomware deployment & extortion: Warlock / AK47 ransomware

Finally, attackers executed ransomware across discovered targets, deploying file-encryption binaries and lateral-encryption routines that rapidly encrypted shares and. Simultaneously many actors published stolen data on leak sites to pressure victims into paying extortion demands, combining encryption with public data exposure to increase leverage and the overall operational and reputational impact.

Final Remarks

Cohesity’s Anti-Ransomware module deploys inline ML-based techniques to identify new and unknown threats in backup data. The Threat Detection feature lets you scan backup data for known malware signatures, indicators of compromise (IOCs), using both built-in threat feeds and custom YARA rules. This helps ensure that the data recovered from backups is clean and avoids re-infecting production after a breach. It works by integrating curated threat intelligence and anomaly detection into Cohesity data protection platform so that customers can schedule or initiate threat scans over backups, inspect snapshots for malicious or suspicious artifacts, flag or quarantine compromised backups, and then use those evaluations to guide rapid recovery and response.

References 

• CISA: https://www.cisa.gov/news-events/alerts/2025/08/06/cisa-releases-malware-analysis-report-associated-microsoft-sharepoint-vulnerabilities
• MICROSOFT: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-49704
• PALO ALTO: https://unit42.paloaltonetworks.com/ak47-activity-linked-to-sharepoint-vulnerabilities/