A financially motivated threat actor has been involved in a cluster of activity linked to the ToolShell vulnerability in Microsoft SharePoint, researchers at Palo Alto Networks Unit 42 said Tuesday.
The threat actor has developed a custom tool set that includes ransomware, a malicious backdoor called AK47C2, and loaders.
Microsoft in July said the financially motivated actor was the third known entity involved in the exploitation of SharePoint. The threat activity targeting SharePoint was initially linked to China-backed nation-state actors Linen Typhoon and Violet Typhoon. However, Microsoft has also been tracking the financially motivated actor under the name Storm-2603.
Unit 42 researchers say the financially motivated threat cluster, which the company tracks as CL-CRI-1040, has a prior link to a LockBit 3.0 affiliate and has recently been operating a leak site called Warlock Client Leaked Data Show.
The earliest version of the ransomware, known as AK47 or X2ANYLOCK, goes back to April. The ransomware is able to terminate several applications, encrypt specific files and drop ransom notes.
Researchers acknowledge, however, that there could be some level of cooperation between the financially motivated threat activity and the nation-state hackers.
The SharePoint exploitation has been among the most serious threat activity facing the United States in recent years.
Several federal agencies in the U.S. were impacted by the hacking campaign, including the Department of Energy, the Department of Homeland Security, and the Department of Health and Human Services.
Security researchers have confirmed at least 300 cases of compromise worldwide, though the vast majority of the targeted organizations have not disclosed any specific impacts.