Security Articles

Project AK47: Uncovering a Link to the SharePoint Vulnerability Attacks

Released on 2025-08-06 @ 08:15:17 AM

Unit 42 has identified significant overlaps between Microsoft's reported ToolShell activity and a threat cluster they track as CL-CRI-1040. This cluster utilizes a tool set called Project AK47, which includes a multi-protocol backdoor, custom ransomware, and loaders. The activity is linked to the exploitation of recent SharePoint vulnerabilities and is believed to be financially motivated. CL-CRI-1040 was previously associated with LockBit 3.0 and is now connected to a double-extortion site called Warlock Client. The analysis reveals a complex threat landscape with potential ties to both cybercriminal and nation-state actors.