Two adverts by fashion brand Zara have been banned for featuring models who appeared “unhealthily thin”.
The Advertising Standards Authority (ASA) said shadows and a slick back bun hairstyle made one model appear “gaunt” while the pose and low cut design of a shirt in another image showed the model’s “protruding” collarbones.
The watchdog ruled that the “irresponsible” adverts must not appear again in their current form and that Zara must ensure all its images were “prepared responsibly.”
Zara has removed the adverts and said that both models in question had medical certification proving they were in good health when the pictures were taken.
The two banned adverts previously appeared on the retailer’s app and website in a carousel of images showing clothes on and off models.
One advert was for a short dress, and the ASA felt shadows were used to make the model’s legs look “noticeably thin”.
It also said the positioning of her upper arms and elbow joints made her look “out of proportion.”
‘Protruding collarbones’
The other banned advert was for a shirt and the model was said to be in a position that made “protruding” collarbones a “focal feature” of the advert.
The ASA investigated two other Zara adverts but neither were banned.
Zara chose to remove all the images flagged and said it had not received any direct complaints.
The retailer told the ASA that none of the images had been modified beyond “very minor lighting and colouring edits”.
It added that it followed recommendations of a report called Fashioning a Healthy Future, which was published in 2007 by the UK Model Health Inquiry.
Zara said it specifically complied with recommendation three of that report which said models “should provide a medical certificate attesting their good health from doctors with expertise in recognising eating disorders.”
It comes after adverts by other retailers were banned earlier this year for models being too thin.
In July, an advert by Marks & Spencer was banned because the model appeared to be “unhealthily thin”.
The ASA said the pose of the model and the choice of clothing – including “large pointed shoes” which emphasised “the slenderness of her legs” – made the advert “irresponsible”.
Earlier this year, fellow retailer Next also had an advert for blue skinny jeans banned.
The ASA said the advert emphasised the thinness of the model’s legs using camera angles, and deemed it “irresponsible”.
Next said it disagreed with the advertising watchdog’s decision and said the model, while slim, had a “healthy and toned physique”.
The Next advert ban left BBC readers asking why adverts showing models who appear unhealthily overweight are not banned.
The Royal Foundation is proud to support the launch of a new film series from the Centre for Early Childhood, designed to illustrate the science behind early social and emotional development.
Based on the Shaping Us Framework, the series explores how experiences from pregnancy to age five shape wellbeing, and how loving, responsive relationships lay the foundation for the social and emotional skills that help us in adulthood.
Created for professionals and volunteers working with families, the animations come with supporting resources to help enable meaningful conversations with parents and carers. They are also available in Welsh and British Sign Language, with hand-drawn linework and papercraft animation to make key concepts feel accessible and engaging.
Her Royal Highness, The Princess of Wales, worked closely with early years practitioners and illustrators from around the world throughout the development of the series, which is now being used by over 20 organisations to support their work with children and families.
Together, these tools aim to deepen public understanding of early childhood and support a healthier, happier society for future generations.
Research shows that up to 20 percent of Americans deal with chronic constipation. If you’re part of that no-sign-up-required club, you’ve probably tried some of the buzzier remedies—drinking coffee, eating prunes, taking a probiotic supplement—in the pursuit of regularity. But if you’re still chasing that perfect “ghost poop,” don’t give up just yet: There are plenty of other doctor-backed tools to try.
We asked gastroenterologists about the habits they recommend for better BMs, and they delivered. Browse easy switches for a happier, healthier gut below.
Our top picks
Owala FreeSip Insulated Stainless Steel Water Bottle, $40
Squatty Potty Simple Bathroom Toilet Stool, $23
Tushy Classic 3.0 Bidet, $129 (on sale for $99)
Hatch Restore 3 Sunrise Alarm Clock, $170
WalkingPad C2 Mini Foldable Walking Treadmill, $499 (on sale for $449)
Lululemon The Mat, $94
1. A trusty water bottle
Owala FreeSip Insulated Stainless Steel Water Bottle
Start by drinking more water (it really is that good for you). “Sound digestion relies heavily on fluid intake,” Carlton Thomas, MD, a board-certified gastroenterologist and host of the Butt Honestly podcast, tells SELF. Staying hydrated helps your mouth make enough saliva—and your body needs saliva to break down the food you eat for better digestion, he says.
“Adequate hydration is also important for stimulating peristaltic waves, which are the muscle contractions that move food along the digestive tract,” Shawn Khodadadian, MD, a gastroenterologist with Manhattan Gastroenterology in New York, tells SELF. Plus, water helps dissolve nutrients that are essential to digestion, like fiber. Turns out, if you’re not drinking enough fluids, fiber can’t do its job—which means you’re more likely to feel constipated and bloated, he says.
Keeping a water bottle close by can make it easier to stay hydrated all day long, says Dr. Thomas. This Owala one has a wide-mouth opening for taking big swigs and a straw spout for sipping—and almost the entire SELF team can vouch for it.
We’re also fans of this bottle’s insulation, which can keep H2O at your perfect temperature for hours. Pro tip: Warm and room-temperature water is usually best for encouraging bowel movements because it relaxes your digestive muscles, while cold water can cause them to contract, according to Dr. Thomas. (But the best water is the kind you’ll actually drink.)
2. A simple (but smart) stool
Squatty Potty Simple Bathroom Toilet Stool
If you have to strain every time you sit, Dr. Khodadadian suggests this iconic stool. Designed to prop up your feet while you poop, the Squatty Potty puts you into alignment for a smoother BM. “The squat position straightens the angle of the anal canal, which creates a more direct pathway for stool to pass through and reduces straining,” he says.
The Simple Squatty Potty, which rings up at around $20, will get the job done. But if you’re not into white plastic, check out the brand’s (slightly pricier) foldable bamboo option.
3. A handy bidet
Put the wipes down. “Butt wipes disrupt the local bacterial flora in your butt—a.k.a. the butt microbiome—and create inflammation,” Dr. Thomas says. Over time, that combo can make it more difficult to go.
To the rescue? A good bidet, which uses a stream of water for a gentle (but thorough) clean. That means less wiping with toilet paper, which can be a game changer—especially if you’re dealing with hemorrhoids or sensitivity down there, he says.
The Tushy Classic 3.0 is a favorite among SELF staffers for its price point, easy-to-install design, and deep cleansing effect. (It even won a SELF Healthy Home Award last year.) Also nice is its intuitive dial control, which allows you to tweak the water pressure as needed.
4. A soothing—not scary—alarm clock
Hatch Restore 3 Sunrise Alarm Clock
“Maintaining consistent waking and sleeping times supports your gut clocks, which will improve overall gut function, reduce digestive symptoms, and harmonize your digestive patterns,” says David Clarke, MD, a board-certified gastroenterologist and internal medicine specialist who’s also the president of the Association for the Treatment of Neuroplastic Symptoms (ATNS), a nonprofit organization that’s dedicated to ending chronic pain. TL;DR: Adjusting your sleep schedule can train your body to poop more predictably.
Waking up at the same time every day and getting some sunlight first thing in the A.M. is ideal because it supports your circadian rhythms, but that’s not always realistic, says Dr. Clarke. An alarm clock—especially one placed across the room from your bed, so you can’t hit snooze—can help you stick to a routine, he says.
During the past 20 years, the world economy suffered two major crises – the global financial crisis of 2008-2009 (GFC hereafter) and the pandemic crisis of 2019-2020 (COVID-19 hereafter). The drivers of the two crises are fundamentally different since one was a financial crisis while the other was a public health crisis. The GFC, also known as the Great Recession, was ultimately the result of lax financial supervision, which failed to keep up with questionable financial engineering that sought to maximise yield in a low-interest rate environment. In contrast, COVID-19 generated a pandemic recession (Diebold 2020). Fatás et al. (2020) noted that past recessions have left permanent scars on long-term growth, known as hysteresis, and that proper policies should be put in place to minimise the long-term effects.
A common denominator between the two crises is that both impacted the entire world rather than just one region or one group of countries. In a recent paper (Aizenman et al. 2025), we analyse the patterns of recessions and recoveries of 101 advanced and developing economies, identifying the turning points of recessions and expansions between 1990 and 2022, and perform cross-country analysis of domestic and external drivers of economic recovery. In addition to the standard independent variables, we include institutional development, political stability, the extent of democracy, and trade restrictions indexes, and explore their roles in explaining recessions and recovery patterns.
Two distinct models of economic recessions can be identified. The first, a Hamiltonian recession, is derived from the pioneering work of James Hamilton (Hamilton 1989) and foresees recessions that prevent economies from returning to their pre-crisis growth trajectory (Cerra and Saxena 2008). This type of recession typically leads to a permanent reduction in an economy’s productive capacity and income level. The second model of recession, conceptualised in modern economic discourse by Milton Friedman (Friedman 1964, 1993), assumes dynamics known as a Friedman-like recession akin to the response of a stretched guitar string. The further the economy is pushed downward, the more forcefully it rebounds.
Productive capacity remains largely intact and the economy does not suffer a permanent loss of income. The supply side remains resilient, in contrast to the Hamiltonian scenario. Countercyclical monetary and fiscal policies may yield very different results in the two models.
To identify economic recessions and recoveries, we use the Bry–Boschan algorithm, which automates the cycle-dating procedure in line with the NBER tradition (Bry and Boschan 1971). Using it, we identify 419 recessions in our sample of 101 countries over the period 1990-2022. We found that 59 recessions began in 2009 (i.e. the GFC) and 94 in 2020 (i.e. the COVID-19 crisis). Notably, the number of recessions during the COVID-19 crisis is close to twice as high as during the GFC, illustrating the significant impact of the pandemic. Although many emerging market economies (EMEs) experienced financial crises in the late 1990s and early 2000s, the number of recessions was not as high, suggesting that the crises in emerging market economies were regionally contained.
Figures 1 and 2 illustrate the different recovery patterns between industrial economies in Figure 1 and EMEs (Figure 2) in the context of comparing the recovery from the GFC and COVID-19 crises.
In Figure 1, the GFC seems to have had a longer lasting impact on this group, with recovery mostly sluggish. For instance, Switzerland and Canada only managed to reach their pre-crisis real output level in the first quarter of 2010. Meanwhile, the peripheral euro-area countries were subsequently hit hard by the euro crisis. In contrast, the impact of COVID-19 was much bigger than that of the GFC, with Japan and Spain suffering real GDP losses of 20%. However, the recovery was also much faster and stronger than during the GFC – the downturn lasted less than two quarters in most cases. For instance, the US and Switzerland managed to recover their pre-crisis real output in the second quarter of 2020. Once again, the recovery was more sluggish for peripheral euro area countries.
Figure 1 Comparing two recoveries: The GFC versus COVID-19 in industrialised economies
In Figure 2, we compare the two recoveries for a selective group of EMEs. In the left panels, we observe that recoveries after the GFC were faster and stronger in EMEs than in industrialised countries (IDCs), since the GFC primarily affected the financial systems and real economies of financially well-developed advanced economies. For the COVID-19 recovery, also shown in Figure 2, we observe that the pattern was similar for the broader group of EMEs and IDCs.
Figure 2 Comparing two recoveries: The GFC versus COVID-19 in emerging market economies
Regression results
We investigate the determinants of the variables related to recessions and recovery. Candidate variables include macroeconomic and institutional variables that are observed at the annual frequency. In addition to the macroeconomic variables identified as important in Eichengreen et al. (2024), we include institutional variables, based on the principal components (PCs) of political risk ratings in the ICRG database. The first PC is legal development, based on the ratings for bureaucratic quality, anti-corruption measures, and the respect of ‘law and order’. The second PC is a political stability index based on ICRG ratings for government stability, the lack of military in politics, and the lack of external and internal conflicts, religious tensions, and ethnic tensions. We also include aggregate trade restrictions (Estefania-Flores et al. 2024). With the return of trade tensions and restrictions at the global level since 2018 (Bown and Kolb 2022), we expect that trade restrictions may influence the extent of the recoveries after the most recent recession episodes.
First, we use panel logit models to estimate the probability of an economy entering a recession.
We find that a higher government debt level or budget deficit, excessive credit creation, being a fuel importer, and greater exchange rate market pressure all raise the probability of a recession.
The estimation results of the depth of recession suggest that tighter trade restrictions are associated with shallower recessions during the GFC and among industrialised countries. One possible explanation is that trade restrictions may help mitigate the impacts of external shocks and help stabilise the economy.
Given the heterogeneity of our sample economies, we obtain insightful results when we apply a panel logit estimation augmented with interaction terms. Worsening fiscal space (i.e. a higher budget deficit or government debt), being a major fuel importer, and excessive bank credit availability are associated with a higher likelihood of recession, while a higher level of political stability can help reduce the probability of a recession. When the level of political stability is sufficiently high, holding a higher amount of international reserves as a percentage of GDP reduces the probability of recession.
Higher levels of international reserve holdings reduce the probability of a recession, but only for low levels of trade restrictions (i.e. freer trade). This result echoes the finding of Aizenman et al. (2023) on the complementarity between the holding of international reserves and capital account restrictions in the context of terms-of-trade shocks. The buffer effect of international reserves is only observed when the economy is sufficiently open to trade. When the level of trade restriction is too high, the holding of international reserves is no longer associated with a reduction of the probability of a recession. When trade restrictions are too high, the buffer effect of macroeconomic variables disappears.
Next, we examine whether Hamilton’s model or Friedman’s model better depicts the recovery path in the aftermath of a recession. The results suggest that in a stable political environment, recessions during which GDP decreases by an additional 1% induce a stronger output recovery of around 0.9% after four quarters, and the length of the recession has no significant effects on the extent of the recovery four quarters later. When the number of trade restrictions is very low, recessions during which GDP decreases by an additional 1% induce a stronger output recovery of around 0.8% after four quarters, and the length of the recession has no significant effects on the extent of the recovery four quarters later.
This can be explained by the buffer effect of international reserves holding explored in Aizenman and Riera-Crichton (2008). For the whole sample, we find that deeper recessions are followed by stronger recoveries, in line with Friedman’s ‘plucking model’ of the business cycle. However, the impact becomes weaker if institutional development is limited and trade restrictions are tight. We show that recessions with political instability or trade tensions differ sharply from those without, which is highly relevant to the current global climate of heightened trade tensions and geopolitical uncertainty.
Summary
We analyse a large sample of industrialised and emerging countries between 1990 and 2022, a period of unprecedented trade and financial globalisation. We perform an in-depth analysis of the drivers of different patterns of recessions and recoveries, with a focus on the impact of political stability and institutional development. In addition, we empirically explore the role of trade restrictions in economic recovery. We also empirically test the validity of Friedman’s plucking model of the business cycle (Friedman, 1964, 1993). Notably, we provide global empirical evidence that Friedman’s plucking model is less relevant in describing an economy’s recovery path in the presence of political instability, weak institutions, and extensive trade restrictions.
Relative to industrial economies, EMEs tend to have weaker institutions and more restrictive trade barriers. Our empirical findings suggest that when policymakers seek to mitigate global shocks through countercyclical monetary or fiscal policy, these are more effective when the economy benefits from more political stability and fewer trade restrictions.
References
Aizenman, J, S H Ho, L D T Huynh, J Saadaoui and G S Uddin (2023), “Real exchange rate and international reserves in the era of financial integration”, VoxEU.org, 6 November.
Aizenman, J, H Ito, D Park, J Saadaoui and G S Uddin (2025), “Global Shocks, Institutional Development, and Trade Restrictions: What Can We Learn from Crises and Recoveries Between 1990 and 2022?”, NBER Working Paper No 33757.
Aizenman, J and D Riera-Crichton (2008), “Real exchange rate and international reserves in an era of growing financial and trade integration”, The Review of Economics and Statistics 90(4): 812-815.
Bown, C P and M Kolb (2022), “Trump’s trade war timeline: An up-to-date guide”, PIIE blog.
Bry, G and C Boschan (1971), “Programmed selection of cyclical turning points”, in Cyclical analysis of time series: Selected procedures and computer programs, NBER.
Cerra, V, A Fatás and S C Saxena (2020), “The persistence of a COVID-induced global recession”, VoxEU.org, 14 May.
Cerra, V and S C Saxena (2008), “Growth dynamics: the myth of economic recovery”, American Economic Review 98(1): 439-457.
Diebold, F X (2020), “Real-time real economic activity: Exiting the great recession and entering the pandemic recession”, NBER Working Paper No. 27482.
Dominguez, K M (2010), “International reserves and underdeveloped capital markets”, in NBER International Seminar on Macroeconomics, Vol. 6, No. 1, pp. 193-221.
Eichengreen, B, D Park and K Shin (2024), “Economic resilience: Why some countries recover more robustly than others from shocks”, Economic Modelling 136, 106748.
Estefania-Flores, J, D Furceri, S A Hannan, J D Ostry and A K Rose (2024), “A measurement of aggregate trade restrictions and their economic effects”, The World Bank Economic Review, lhae033.
Fatás, A (2019), “The 2020 (US) recession”, VoxEU.org, 14 March.
Fatás, A (2021), “The short-lived high-pressure economy”, VoxEU.org, 27 October.
Friedman, M (1964), “Monetary studies of the National Bureau”, The National Bureau Enters Its 45th Year 44: 7-25.
Friedman, M (1993), “The ‘plucking model’ of business fluctuations revisited”, Economic Inquiry 31(2): 171-177.
Hamilton, J D (1989), “A new approach to the economic analysis of nonstationary time series and the business cycle”, Econometrica: Journal of the Econometric Society, 357-384.
Kohlscheen, E, R Moessner and D M Rees (2024), “The shape of business cycles: A cross‐country analysis of Friedman’s plucking theory”, Kyklos 77(2): 351-370.
Fashion giant Zara published “socially irresponsible” photos of models who appeared to be unhealthily thin, the advertising watchdog has ruled.
The two product listings on the Zara website in May featured an image of a model wearing an oversize pocket shirt and another of a model wearing a voluminous combined short dress.
The Advertising Standards Authority (ASA) received one complaint that the ads were irresponsible because the models appeared to be unhealthily thin.
Zara said the models had worked for well-known and reputable fashion brands and confirmed that both models had medical certification which proved they were in good health.
It said that none of the images had been modified, beyond very minor lighting and colouring edits.
Zara confirmed that it had amended the product listings after receiving the complaint and removed the specific images.
The ASA said the low-cut design of the shirt in the first ad drew attention to the model’s upper chest area, creating a focal point around her collarbone, which was protruding.
In addition, the positioning of her arms, while wearing a baggy shirt, created the impression that her arms, shoulders and chest were very slim.
The ASA said: “Overall, we considered that the pose of the model and the choice of clothing in the ad created the impression that the model was unhealthily thin.”
The watchdog said the styling and lighting of the second image and the choice of clothing meant the ad created the impression that the model was unhealthily thin.
The ASA said: “For the above reasons, we concluded that the models… appeared unhealthily thin and that the ads were irresponsible.”
A Zara UK spokesman said: “We note the ASA’s decision following an individual complaint regarding two images on our website which we removed when the ASA made us aware.
“We are committed to responsible content and follow stringent guidelines and controls in the selection and photographing of models, as well as in the selection of images.”
The association also claims the governance of snooker “should factor in more of the views of the players”.
It has vowed to foster a “collaborative relationship” with the sport’s authorities, including the World Professional Billiards and Snooker Association (WPBSA), the existing WPBSA Players’ Board, and World Snooker Tour “to enhance the sport’s future, while safeguarding player welfare and commercial interests”.
The PSPA says it has established a players board comprising Judd Trump, Kyren Wilson, Mark Selby, Barry Hawkins, Shaun Murphy, Ali Carter, Gary Wilson, Stuart Bingham, Jack Lisowski, Stephen Maguire, Mark Allen, Ryan Day and Joe Perry. Another player – Matthew Selt – has been appointed a director, alongside lawyers Ben Rees and Mark Kenkre.
The association also claims that seven-time world champion Ronnie O’Sullivan has agreed to become a member, along with Chinese stars Ding Junhui and Xiao Guodong.
“I’ve had lots of discussions with Ronnie,” said Higgins. “He’s really excited about it, so it’s full steam ahead.”
The fact so many of the top players are behind the new body suggests some feel they do not have enough say in the running of the World Snooker Tour (WST), particularly the commercial side.
During the 2024 World Championship, the headlines at the Crucible were dominated by talk of a potential breakaway tour. This came after the game’s top players were approached to play in lucrative events in China and North America as part of a potential breakaway circuit.
Professional players sign a contract which does not allow them to compete in any outside events while WST tournaments are being played, unless they are events sanctioned by the WST, although players have recently negotiated more flexibility.
However, the WST has been increasing the amount of prize money in the game, and is preparing to stage the sport’s “fourth major” in Saudi Arabia with a prize pot of more than £2m. The second Saudi Arabia Snooker Masters will take place later this week in Jeddah.
The WPBSA’s own players’ body was formed in 2020, and the governing body says it has “a specific mandate to act in the collective best interest of members in relation to welfare and issues affecting the professional game.”
It says that it “acts as a channel for member concerns and provides a platform whereby issues surrounding their wellbeing can be raised at the highest levels by the WPBSA Players Board.”
The PSPA says it has been formed with expert guidance from leading sports law professionals, and that its key objectives include legal and commercial support to protect players’ rights in sponsorship, broadcasting, and contractual matters.
Unit 42 observed notable overlaps between Microsoft’s reporting on ToolShell activity (an exploit chain affecting SharePoint vulnerabilities) and activity that we have been separately tracking. The activity, which we track as CL-CRI-1040, caught our attention by deploying a tool set that we call Project AK47, which includes a backdoor, ransomware and loaders.
Microsoft’s report named a suspected China-based threat actor, Storm-2603. Based on our analysis of host- and network-based artifacts, we assess with high confidence that Storm-2603 is related to the activity cluster that we track as CL-CRI-1040. We initially noted this in our threat brief covering exploitation of recent SharePoint vulnerabilities, and here further expand on our observations. (See Table 1 in the body of this article for clarification of the connection.)
Our key findings are:
CL-CRI-1040 is a cluster of financially motivated activity involving the ToolShell exploit chain
CL-CRI-1040 involves a custom tool set called Project AK47
Project AK47 includes:
A backdoor nicknamed AK47C2 that supports multiple protocols
Ransomware nicknamed AK47/X2ANYLOCK
Loaders abusing DLL side-loading
CL-CRI-1040 was formerly identified as activity from a LockBit 3.0 affiliate and has recently been linked to a double-extortion site operating under the name Warlock Client
This threat research article includes both findings we can confidently attribute to CL-CRI-1040 and observations that remain at lower levels of certainty.
Palo Alto Networks customers are better protected from the threats discussed in this article through:
For more information about protection against the ToolShell exploit chain, please see our threat brief on active exploitation of recent SharePoint vulnerabilities.
If you think you might have been compromised or have an urgent matter, contact the Unit 42 Incident Response team.
CL-CRI-1040
CL-CRI-1040 has been active since at least March 2025. Based on overlaps in host- and network-based artifacts from the Microsoft report, we have high confidence that the CL-CRI-1040 activity cluster represents the same threat actor nicknamed Storm-2603, that Microsoft observed exploiting recent vulnerabilities in SharePoint through the ToolShell exploit chain. The recent SharePoint vulnerabilities are designated CVE-2025-49704, CVE-2025-49706, CVE-2025-53770 and CVE-2025-53771.
Microsoft assessed Storm-2603 as a China-based threat actor, as of late July, but we do not have enough direct evidence to confidently attribute CL-CRI-1040 to any nation-state or cybercriminal entity. Prior to the SharePoint ToolShell exploitation campaign, however, we had already observed malicious activity from this cluster using a tool set we call Project AK47.
We have also observed CL-CRI-1040 deploying an IIS backdoor that is commonly misused within Chinese-speaking communities, which might point to a Chinese nexus.
Retrospective investigation of CL-CRI-1040 revealed several pieces of evidence to support our assessment of this activity cluster as financially motivated. We confirmed that CL-CRI-1040 was formerly associated with a LockBit 3.0-affiliate and has recently been operating a double-extortion data leak site known as Warlock Client Leaked Data Show. However, considering that CL-CRI-1040 activity appeared alongside espionage-motivated actors in Microsoft’s report, we cannot entirely rule out the possibility of nation-state motivation or cooperation between threat actors.
While we further describe the connections throughout this article, Figure 1 below illustrates an overview of the overlaps between Storm-2603 and CL-CRI-1040. Table 1 details how this discussion relates to the Microsoft report.
Figure 1. An overview of indicators of compromise (IoC) overlaps between Storm-2603 and CL-CRI-1040.
Research origin: Unit 42
Cluster/group: CL-CRI-1040
Activity: Financially motivated activity involving the ToolShell exploit chain
Tools: Project AK47: backdoor, ransomware, loaders
Significance: Based on our analysis of host- and network-based artifacts, we assess with high confidence that Storm-2603 is identical to the activity cluster that we track as CL-CRI-1040.

Research origin: Microsoft
Cluster/group: Storm-2603
Activity: Exploiting SharePoint vulnerabilities to deploy ransomware
Tools: Microsoft “has observed this threat actor deploying Warlock and Lockbit ransomware in the past”

Table 1. Microsoft’s report covers the activity of several threat actors. In this article, we detail our observations of CL-CRI-1040, which we assess with high confidence represents the activity of the same threat actor as Storm-2603.
Project AK47
Project AK47 is a collection of malware used in CL-CRI-1040 that has likely been under development since at least March 2025. Project AK47 consists of several sub-projects, including the following:
A multi-protocol supporting backdoor named AK47C2
Custom ransomware named AK47 ransomware (also known as X2ANYLOCK)
A set of other supporting tools
We named this tool set based on its common PDB (Program Database) filepath names, as shown below in Figure 2.
Figure 2. Examples of PDB filepaths of Project AK47.
According to the PDB filepath, Project AK47 can be divided into two main sub-projects:
AK47C2
This sub-project contains tools named dnsclient and httpclient
AK47
This sub-project contains tools named writenull, encrypt, 7zdllhijacked and dll_hijacked, shown in Figure 3 below
Figure 3. The structure of Project AK47.
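Pivoting on PDB paths, which is how Project AK47 got its name above, can be automated for a sample set. The following is an added Python example, not Unit 42’s tooling or anything from the article: it scans a binary for CodeView RSDS records, pulls out the embedded .pdb path, and groups samples by the directory sitting above the tool directory. The sample blob is constructed for the example; its paths are not the real Project AK47 paths (those are in Figure 2) and only reuse the sub-project names the article lists.

```python
import re
from collections import defaultdict

# Build-output directories that sit between a project directory and its .pdb in
# typical Visual Studio layouts; they are skipped when naming the project.
BUILD_DIRS = {"release", "debug", "x64", "x86", "win32", "bin", "obj"}
RSDS_HEADER = 4 + 16 + 4   # "RSDS" signature, 16-byte GUID, 4-byte age


def extract_pdb_paths(blob: bytes) -> list:
    """Triage heuristic: scan for CodeView RSDS records and return the NUL-terminated
    .pdb paths that follow them. A full parser would walk the PE debug directory;
    a raw scan can hit stray "RSDS" byte runs, so non-ASCII or non-.pdb hits are dropped."""
    paths = []
    for m in re.finditer(rb"RSDS", blob):
        start = m.start() + RSDS_HEADER
        end = blob.find(b"\x00", start)
        if end == -1:
            continue
        try:
            text = blob[start:end].decode("ascii")
        except UnicodeDecodeError:
            continue
        if text.lower().endswith(".pdb") and 0 < len(text) < 260:
            paths.append(text)
    return paths


def split_path(path: str) -> list:
    return [c for c in re.split(r"[\\/]+", path) if c]


def classify(path: str) -> tuple:
    """(family, tool, pdb_stem): the tool is the nearest non-build directory above the
    .pdb, the family the directory above that, mirroring the AK47 / AK47C2 split."""
    comps = split_path(path)
    stem = re.sub(r"\.pdb$", "", comps[-1], flags=re.I)
    dirs = [c for c in comps[:-1] if c.lower() not in BUILD_DIRS]
    tool = dirs[-1].lower() if dirs else None
    family = dirs[-2].lower() if len(dirs) > 1 else None
    return family, tool, stem.lower()


def group_by_family(paths) -> dict:
    groups = defaultdict(list)
    for p in paths:
        groups[classify(p)[0]].append(p)
    return dict(groups)


def common_root(paths) -> str:
    """Longest shared directory prefix (case-insensitive), the pivot a hunt would key on."""
    parts = [split_path(p.lower()) for p in paths]
    root = []
    for comps in zip(*parts):
        if len(set(comps)) != 1:
            break
        root.append(comps[0])
    return "\\".join(root)


def _rsds(path: str) -> bytes:
    """Synthesise one RSDS record (zero GUID, age 1) for the constructed sample below."""
    return b"RSDS" + bytes(16) + (1).to_bytes(4, "little") + path.encode("ascii") + b"\x00"


# Constructed sample: NOT real Project AK47 PDB paths (those are in the article's Figure 2);
# the directory names only mirror the sub-project names the article lists.
SAMPLE_BLOB = (
    b"MZ" + b"\x90" * 32
    + _rsds(r"C:\lab\ak47c2\dnsclient\x64\Release\dnsclient.pdb") + b"\x00" * 8
    + _rsds(r"C:\lab\ak47c2\httpclient\x64\Release\httpclient.pdb") + b"\x00" * 8
    + _rsds(r"C:\lab\ak47\writenull\x64\Release\writenull.pdb") + b"\x00" * 8
    + b"RSDS" + b"\xff" * 40 + b"\x00"            # stray signature, not a CodeView record
    + _rsds(r"D:\src\unrelated\tool\Debug\tool.pdb")
)

if __name__ == "__main__":
    found = extract_pdb_paths(SAMPLE_BLOB)
    for family, members in group_by_family(found).items():
        print(family, "->", [classify(p)[1] for p in members], "root:", common_root(members))
```

On real files, feed the example the bytes of each sample (or the output of `strings`) and compare the family roots across the set; a shared developer-side directory like the one the article describes is a stronger clustering signal than any single tool name, because it survives renaming of the final binary.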
AK47C2
AK47C2 is designed as a multi-protocol supporting backdoor. The protocols supported include DNS and HTTP, referred to as dnsclient and httpclient respectively, based on their PDBs. These two backdoor instances share the following functionality:
Commands
Command and control (C2) communication request and response format
Encryption algorithm
XOR key
The capability of these backdoors is straightforward, supporting the following features:
Setting sleep duration
Executing an arbitrary command
According to IoCs shared by Microsoft, attackers deployed both the dnsclient and httpclient components of AK47C2 as payloads for the ToolShell exploits.
Dnsclient
The dnsclient has been under development since at least early March 2025. The current variant uses DNS to communicate with the C2 server, as its PDB name indicates.
The method of C2 communication varies depending on the date of the sample. An early stage of dnsclient that we have called version 202503 was packed using UPX. Version 202503 was likely a test build because it contains several verbose error messages and uses a private IP address as its DNS server, as noted in the code snippet shown below in Figure 4.
Figure 4. Code snippet from version 202503 of dnsclient showing a private IP address of 10.7.66[.]10 as its DNS server.
Version 202503 of dnsclient communicates with the C2 server by XOR-encoding JSON data, converting it into a hexadecimal string and then sending it as a subdomain of the hard-coded server at update.updatemicfosoft[.]com. The XOR key (VHBD@H) is hard-coded in the binary and is shared among other AK47C2 samples.
Figure 5 below illustrates the encoding algorithm to generate subdomains on the initial C2 check-in to receive a backdoor command.
Figure 5. The encoding algorithm of the dnsclient version 202503.
The response of the C2 server is contained in a DNS TXT record encoded by the same algorithm. The decoded response uses the following format in JSON:
Version 202503 of dnsclient supports executing multiple arbitrary commands but does not support sleep duration management. The command execution result is sent in the following JSON format, encoded with the same algorithm:
However, this implementation might generate a subdomain longer than the maximum length of a DNS name (255 bytes). To avoid this, dnsclient fragments the request data and sends it in multiple queries. It prepends the character s to the domain name in the DNS query to indicate that the query carries fragmented data.
In early April 2025, the developer updated the protocol of the dnsclient to simplify it and improve reliability; we have named this version 202504. In this version, the initial request to receive a backdoor command during C2 check-in generates a slightly different DNS subdomain, as shown below in Figure 6. The notable changes are that it no longer uses JSON and that it prepends 1 to a random five-character session key to tell the C2 server that the message is a task request.
Figure 6. The encoding algorithm of dnsclient version 202504.
The TXT record in the DNS response is also encoded by the same algorithm, but the decoded data differs from the version 202503 of dnsclient as follows:
<COMMAND_TO_EXECUTE>::<SESSION_KEY>
Version 202504 of dnsclient verifies the session key on the client side and performs a backdoor routine based on the received command. When sending the response, version 202504 behaves like version 202503 in that it fragments the execution results if the encoded data is too long and prepends s to the random session key. To finalize the message, it prepends 2 to the session key of the first fragment and a to the session key of the second fragment.
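The encoding primitive shared by both dnsclient versions (and by httpclient's POST bodies) is simple enough to reverse in a resolver- or passive-DNS-log triage script. The following decoder is an added example written for this article, not Unit 42's or the malware's code: it strips the C2 domain, handles the s fragment marker, hex-decodes the remaining labels and XORs them with the hard-coded key VHBD@H, then classifies the plaintext against the message shapes described above. The sample queries are constructed with the same algorithm (they are not captured traffic), and it assumes the s marker is a literal prefix outside the hex payload while the 202504 1 marker and the :: separator sit inside the plaintext before encoding.

```python
# Added example (not Unit 42's or the malware's code): decode the AK47C2
# dnsclient subdomain encoding (XOR with key VHBD@H, then hex) to recover the
# plaintext from resolver or passive-DNS logs. Sample queries are constructed
# with the same algorithm. Assumptions: the 's' fragment marker is a literal
# prefix outside the hex payload; the 202504 '1' marker and the '::' separator
# sit inside the plaintext before encoding.
import binascii
import json
import re

XOR_KEY = b"VHBD@H"  # hard-coded key shared across AK47C2 samples
C2_DOMAIN = "update.updatemicfosoft.com"  # defanged in the report text
HEX_ONLY = re.compile(r"^[0-9a-f]+$")


def xor_bytes(data: bytes, key: bytes = XOR_KEY) -> bytes:
    """XOR data against a repeating key; symmetric, so it also decodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def encode_subdomain(plaintext: str) -> str:
    """Replicate the client-side encoding, used here to build test input."""
    return xor_bytes(plaintext.encode()).hex()


def classify(plain: str) -> str:
    """Map decoded text onto the message shapes the report describes."""
    try:
        json.loads(plain)
        return "v202503-json"
    except ValueError:
        pass
    if len(plain) == 6 and plain[0] == "1":
        return "v202504-task-request"  # '1' + five-char session key
    if "::" in plain:
        return "v202504-command-response"  # <COMMAND>::<SESSION_KEY>
    return "unknown"


def decode_query(qname: str, c2_domain: str = C2_DOMAIN) -> dict:
    """Recover the AK47C2 plaintext from one DNS query name."""
    name = qname.rstrip(".").lower()
    suffix = "." + c2_domain
    if not name.endswith(suffix):
        raise ValueError("query is not under the C2 domain")
    prefix = name[: -len(suffix)]
    fragment = prefix.startswith("s")  # 's' marks fragmented request data
    if fragment:
        prefix = prefix[1:]
    hexdata = prefix.replace(".", "")  # long payloads may span labels
    if not HEX_ONLY.match(hexdata) or len(hexdata) % 2:
        raise ValueError("payload is not an even-length hex string")
    plain = xor_bytes(binascii.unhexlify(hexdata)).decode("utf-8", "replace")
    return {"fragment": fragment, "plaintext": plain, "kind": classify(plain)}


SAMPLE_QUERIES = [  # constructed, encoded with the same algorithm
    encode_subdomain('{"cmd":"checkin"}') + "." + C2_DOMAIN,
    encode_subdomain("1abcde") + "." + C2_DOMAIN,
    "s" + encode_subdomain("whoami::abcde") + "." + C2_DOMAIN,
]

if __name__ == "__main__":
    for q in SAMPLE_QUERIES:
        print(decode_query(q))
```

The same xor_bytes and hex decoding apply to the httpclient POST body, minus the domain handling.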
Httpclient
The httpclient has been under development since at least late March 2025 and supports HTTP communication with the C2 server, as its PDB name indicates.
The encoding algorithm and XOR key are the same as those used in dnsclient version 202503, and, as in that version, httpclient uses JSON to send and receive messages. The original message of the C2 check-in appears as follows:
The encoded hexadecimal string is stored in the HTTP body and sent to the C2 server using the POST method. The httpclient uses curl for network communication, as noted in the curl options (CURLOPT) shown in the code snippet in Figure 7 below.
Figure 7. Code snippet of httpclient indicating the use of curl to communicate over HTTP.
AK47 Ransomware (Aka X2ANYLOCK Ransomware)
While analyzing AK47C2, we found an interesting PDB, indicating possible ransomware as a sub-project of Project AK47:
The use of encrypt in the PDB filepath name was not a coincidence, and our investigation revealed a ransomware written in C++ that we dubbed AK47 ransomware. However, due to the .x2anylock file extension added to encrypted files, this malware is publicly referred to as X2ANYLOCK ransomware. Although we found several reports of victims and auto-generated pages related to this ransomware, at the time of writing we had seen no technical analysis on AK47/X2ANYLOCK ransomware.
The earliest version of AK47 ransomware was observed in early April 2025, which has a slightly different PDB, using writenull instead of encrypt in the file path name:
The sample with this PDB did not implement file encryption, only ransom note creation. It was likely a prototype of AK47 ransomware.
Based on its compilation time, a sample of the fully implemented AK47 ransomware might have been compiled a few days after the likely prototype. The capabilities of this ransomware are typical of other ransomware families. AK47 ransomware can perform the following actions:
Terminating several applications
Enumerating all possible logical drives and network shares
Encrypting specific types of files using a combination of AES and RSA, while excluding specified directories and files
Dropping ransom notes (How to decrypt my data.txt or How to decrypt my data.log)
To potentially evade detection, the ransomware checks the Data Modified timestamp of specific objects. If the timestamp is on or after June 6, 2026, the ransomware terminates itself, as the code snippet in Figure 8 below shows.
Figure 8. Code snippet of AK47 ransomware showing the timestamp check routine.
The ransom note is embedded in the AK47 ransomware binary without encryption or encoding. Figure 9 below shows an example of the ransom note. The decrypt ID differs with each binary, but the Tox ID to communicate with the threat actor is the same across all AK47 ransomware variants.
Figure 9. Example of a ransom note generated by AK47 ransomware.
Is This Warlock Ransomware?
According to the Microsoft report, Storm-2603 has previously deployed ransomware named Warlock. However, since we have not found any common indicators between AK47/X2ANYLOCK ransomware from CL-CRI-1040 and Warlock ransomware from Microsoft’s article, we cannot conclusively determine the relationship between these two ransomware families.
Loaders
In addition to the AK47C2 backdoor and AK47/X2ANYLOCK ransomware, we found other sub-projects that support executing the payload via DLL side-loading, as the following PDB shows.
These loaders are designed to be loaded via a legitimate executable (7z.exe in this case) and invoke the entrypoint of the AK47 ransomware DLL, as shown below in Figure 10.
Figure 10. Entrypoint of AK47 ransomware.
Other Tools
During our investigation, we encountered a RAR archive named Evidencia.rar containing the following:
A copy of the AK47C2 dnsclient
AK47 ransomware
Several hacking tools
While the source is unknown, the directory structure (Evidencia.rarDirectorio_Public) and included files indicate this RAR archive is possibly a package of the Public directory from a victim machine. If so, the hacking tools in this archive may be part of the arsenal for CL-CRI-1040. Table 2 below shows notable files from Evidencia.rar.
Table 2. Notable files from the Evidencia.rar archive.
Of note, the LockBit 3.0 ransomware files in Table 2 are important evidence for our attribution.
Retrospective Investigation
Our investigation of CL-CRI-1040 attacks revealed evidence of previous ransomware activities, including LockBit 3.0 and Warlock Client ransomware. This evidence led us to assess with high confidence that CL-CRI-1040 is financially motivated. Figure 11 provides an overview of the activities we’ve attributed to CL-CRI-1040.
Figure 11. An overview of the activities we attribute to CL-CRI-1040.
Alleged LockBit 3.0 Affiliate
During our investigation on the Tox ID (3DCE1C43491FC92EA7010322040B254FDD2731001C2DDC2B9E819F0C946BDC3CD251FA3B694A) from the AK47 ransomware note, we discovered a database dump file associated with LockBit 3.0 ransomware.
In May 2025, an unknown actor compromised LockBit 3.0 infrastructure and leaked a database dump of the ransomware’s operations. This leaked dump file contains:
Negotiation messages
Bitcoin wallet addresses
Affiliated user information
Operational details
In this LockBit 3.0 dump file, a user named wlteaml has the same Tox ID as the one used in the AK47 ransomware note. The username wlteaml was registered as a LockBit 3.0 user on April 22, 2025, as shown in Figure 12.
Figure 12. Same Tox ID in the LockBit dumped database.
The database indicates that wlteaml is the last user registered as a LockBit 3.0 affiliate before the data leak. We believe the letters in the username wlteaml might stand for warlock team LockBit and indicate a tie to Warlock Client ransomware.
Let’s revisit the LockBit 3.0 ransomware files contained in the above-mentioned RAR archive (Evidencia.rar).
Bbb.msi is a malicious installer that works as a dropper of LockBit 3.0 ransomware loader. This MSI file drops two components:
clink_x86.exe – This is a legitimate application misused to sideload the latter malicious DLL.
clink_dll_x86.dll – This DLL is completely different from any other sub-projects of Project AK47. It performs several known anti-analysis and anti-debugging techniques, decrypts a shellcode and runs it within a legitimate DLL (d3dl1.dll) by using the DLL hollowing technique.
The final payload executed by the in-memory shellcode is explicitly LockBit 3.0. Figure 13 shows the disassembled code of a unique entrypoint from the Lockbit 3.0 ransomware sample. This code invokes ransomware behavior, associated functions and meaningless Windows API calls, as an analysis report on LockBit 3.0 previously described.
Figure 13. Disassembled code snippet from the LockBit 3.0 ransomware sample entrypoint.
The timeline for this sample is unusual, because the first submission date of this sample to VirusTotal was April 16, 2025, but the associated wlteaml user registration on the LockBit 3.0 portal was April 22, 2025. While we cannot yet explain this timeline gap, the inclusion of the LockBit 3.0 instance in the same archive as Project AK47 components does not seem to be a mere coincidence.
Warlock Client Leaked Data Show
The AK47 ransomware Tox ID shows another link to the Warlock ransomware group, which emerged in June 2025. The ransomware’s leak site on the dark web is named Warlock Client Leaked Data Show, and it displays the same Tox ID as AK47 ransomware for negotiation with its victims.
While the website is inaccessible as of late July, we confirmed the same Tox ID from a publicly available screenshot. However, we haven’t yet observed any actual ransomware used by the threat actor behind this leak site. Therefore, we lack any evidence to determine whether the AK47 ransomware has been used by the Warlock ransomware group.
On the other hand, Microsoft mentioned that Storm-2603 has previously deployed Warlock ransomware. However, since the report shares no indicators of Warlock ransomware binaries, we cannot confirm if the Warlock mentioned by Microsoft is identical to that used by the Warlock Client Leaked Data Show.
Conclusion
Our analysis reveals overlaps between recent ToolShell exploit activity and the activity of a cluster that we track as CL-CRI-1040. This article also covers the Project AK47 tool set in detail and describes the considerations behind our attribution. This information reveals a continuously evolving threat and a complex situation behind the attacks.
Palo Alto Networks Protection and Mitigation
Palo Alto Networks customers are better protected from the threats discussed above through the following products:
The Advanced WildFire machine-learning models and analysis techniques have been reviewed and updated in light of the indicators shared in this research.
Advanced URL Filtering and Advanced DNS Security identify known domains and URLs associated with this activity as malicious.
Cortex XDR and XSIAM combine several layers of protection to prevent both known and unknown malware from causing harm to endpoints, including those mentioned in this article.
For more information about protection against the ToolShell exploit chain, please see our threat brief on active exploitation of recent SharePoint vulnerabilities.
If you think you may have been compromised or have an urgent matter, get in touch with the Unit 42 Incident Response team or call:
North America: Toll Free: +1 (866) 486-4842 (866.4.UNIT42)
UK: +44.20.3743.3660
Europe and Middle East: +31.20.299.3130
Asia: +65.6983.8730
Japan: +81.50.1790.0200
Australia: +61.2.4062.7950
India: 00080005045107
Palo Alto Networks has shared these findings with our fellow Cyber Threat Alliance (CTA) members. CTA members use this intelligence to rapidly deploy protections to their customers and to systematically disrupt malicious cyber actors. Learn more about the Cyber Threat Alliance.