AK47C2
AK47C2 is a custom multi-protocol command-and-control backdoor/framework associated with Storm-2603, which Palo Alto Networks Unit 42 tracks as CL-CRI-1040. It is part of the actor’s broader “Project AK47” toolset, which also includes AK47/X2ANYLOCK ransomware and DLL side-loading loaders. Reporting describes AK47C2 as including DNS- and HTTP-based variants, referred to as ak47dns/dnsclient and ak47http/httpclient. The malware supports setting sleep duration and executing arbitrary commands.
AK47C2 has been observed in campaigns exploiting Microsoft SharePoint vulnerabilities CVE-2025-49704, CVE-2025-49706, CVE-2025-53770, and CVE-2025-53771 via the ToolShell exploit chain. Microsoft indicators showed attackers deploying both dnsclient and httpclient as payloads following exploitation. Storm-2603 has been described as financially motivated and linked to ransomware operations involving Warlock, LockBit, and AK47/Anylock/X2ANYLOCK.
The DNS variant was in development by early March 2025. An early build (version 202503) was packed with UPX and resolved through a private DNS server at 10.7.66[.]10 (an RFC 1918 address, so the resolver sat inside the victim or actor network rather than on the public internet). It XOR-encoded JSON with the hard-coded key VHBD@H, hex-encoded the result, and sent it as subdomain labels of update.updatemicfosoft[.]com. It received commands via DNS TXT records and returned execution results using the same encoding scheme. Because the XOR key is fixed and the output is plain hex, the scheme is obfuscation rather than encryption: anyone holding DNS query logs can decode the beacons. Later reporting states Storm-2603 used a DNS tunneling client called ak47dns to hide C2 traffic in DNS TXT and MG record lookups to update.micfosoft[.]com (a second, distinct look-alike domain), fragmenting larger payloads into 63-byte DNS query segments, which matches the maximum DNS label length. In early April 2025 the DNS protocol was updated (version 202504) to drop JSON in favour of a session-key-based task format.
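The following is an added example, not code from Unit 42, Microsoft, or the actor: it reimplements the DNS-variant message scheme as the text describes it for the 202503 build (JSON, XOR with VHBD@H, hex, labels of at most 63 bytes under the C2 domain) so an analyst can encode a test beacon and decode query names pulled from DNS logs. The JSON field names, the log line format, and the sample queries are constructed for illustration; the real task schema is not on the page, and the 202504 build no longer uses JSON.

```python
# Added example (not Unit 42's, Microsoft's, or Storm-2603's code): encoder/decoder for the
# AK47C2 DNS-variant beacon scheme described in the text, plus a scanner over constructed
# DNS log lines. Field names inside the JSON are assumptions, not the real task schema.
import binascii
import json
import re
from typing import List, Optional, Tuple

XOR_KEY = b"VHBD@H"                       # hard-coded key reported for the 202503 build
C2_DOMAIN = "update.updatemicfosoft.com"  # reported C2 domain (defanged in the text)
MAX_LABEL = 63                            # DNS label limit; the text reports 63-byte segments


def xor_bytes(data: bytes, key: bytes = XOR_KEY) -> bytes:
    """Repeating-key XOR; applying it twice restores the input."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def encode_beacon(message: dict, domain: str = C2_DOMAIN) -> str:
    """Build the query name an implant would send for one message:
    JSON -> XOR -> hex -> labels of at most 63 chars -> '<labels>.<domain>'.
    Assumption: one query carries one message; the text says larger payloads
    are fragmented across queries, which this example does not model."""
    plaintext = json.dumps(message, separators=(",", ":")).encode()
    hexed = binascii.hexlify(xor_bytes(plaintext)).decode()
    labels = [hexed[i:i + MAX_LABEL] for i in range(0, len(hexed), MAX_LABEL)]
    return ".".join(labels + [domain])


def decode_beacon(qname: str, domain: str = C2_DOMAIN) -> Optional[dict]:
    """Inverse of encode_beacon. Returns None for names that do not fit the scheme
    (wrong suffix, non-hex labels, odd hex length, or plaintext that is not JSON)."""
    qname = qname.rstrip(".").lower()
    suffix = "." + domain
    if not qname.endswith(suffix):
        return None
    hexed = "".join(qname[:-len(suffix)].split("."))
    if not re.fullmatch(r"[0-9a-f]+", hexed) or len(hexed) % 2:
        return None
    try:
        return json.loads(xor_bytes(binascii.unhexlify(hexed)).decode())
    except ValueError:          # covers UnicodeDecodeError and JSONDecodeError
        return None


# Constructed sample log lines (not real telemetry): "<timestamp> <client> <qtype> <qname>".
SAMPLE_LOG = [
    "2025-03-12T09:14:02Z 10.0.0.15 TXT " + encode_beacon({"sid": "0001", "type": "register"}),
    "2025-03-12T09:14:03Z 10.0.0.15 A www.microsoft.com",
    "2025-03-12T09:14:09Z 10.0.0.15 TXT " + encode_beacon({"sid": "0001", "out": "nt authority\\system"}),
    "2025-03-12T09:14:10Z 10.0.0.22 A update.updatemicfosoft.com",
]


def scan_dns_log(lines: List[str]) -> List[Tuple[str, dict]]:
    """Return (client, decoded_message) for every line whose query name decodes
    as an AK47C2-style beacon. Lines under the C2 domain that do not decode
    (such as a bare lookup of the apex) are still worth flagging, but are
    not returned here so the result only holds decoded beacons."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue
        msg = decode_beacon(parts[3])
        if msg is not None:
            hits.append((parts[1], msg))
    return hits


if __name__ == "__main__":
    for client, msg in scan_dns_log(SAMPLE_LOG):
        print(client, msg)
```

In practice the suffix match should be extended to both reported domains and the decoder run against passive DNS or resolver logs; a hit proves nothing about the key on its own, but a label set that decodes to well-formed JSON under VHBD@H is a strong indicator.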
The HTTP variant was in development by late March 2025 and uses HTTP POST requests issued through curl for command-and-control communications. Across reporting, AK47C2 is consistently described as a custom C2 framework used by Storm-2603 in ransomware intrusions, typically alongside DLL side-loading and post-exploitation activity.
Related artifacts and infrastructure directly mentioned in the content include update.updatemicfosoft[.]com, update.micfosoft[.]com, the hard-coded XOR key VHBD@H, and the private DNS server IP 10.7.66[.]10.
Groups observed using it
One distinct threat actor attributed by public researchers.
"Another feature of its attacks was the use of a custom command and control (C&C) framework that appeared to be called ak47c2 by the attackers themselves."
Recent activity
Three sources tracked across advisories, community write-ups, and news.
Custom C2 framework used by Storm-2603, supporting HTTP and DNS tunneling for command and control communications.
Custom command-and-control framework used by Storm-2603/CL-CRI-1040 in intrusions associated with Warlock/Anylock ransomware deployment; part of a broader toolkit including backdoors and loaders delivered via DLL sideloading.
Custom multi-protocol backdoor used by CL-CRI-1040/Storm-2603. Implements DNS- and HTTP-based C2 (dnsclient/httpclient), uses XOR-encoding and hex-encoding of messages, supports setting sleep duration (in later variants) and arbitrary command execution, and returns execution output to C2.