
Velociraptor DFIR Tool Hijacked by Hackers in LockBit Ransomware Assault


Hackers Exploit Velociraptor DFIR Tool in Ransomware Attacks

Cybercriminals have been found exploiting Velociraptor, an open-source digital forensics and incident response (DFIR) tool, in ransomware attacks associated with Storm-2603. This threat actor is known for using the Warlock and LockBit ransomware variants.

Recent research by Sophos found that the attackers deployed an outdated build of Velociraptor (version 0.73.4.0) and abused a privilege escalation vulnerability in it (CVE-2025-6264). According to Cisco Talos, initial access came from exploiting on-premises SharePoint vulnerabilities, specifically ToolShell, which let the threat actors execute arbitrary commands and compromise endpoints.

During an August 2025 attack, the threat actors attempted to escalate privileges by creating domain administrator accounts, moved laterally within the compromised network, and used tools such as Smbexec to execute programs remotely over SMB.

Before deploying ransomware (Warlock, LockBit, and Babuk), the attackers modified Active Directory Group Policy Objects (GPOs) and disabled real-time protection to evade detection. Notably, this incident marks the first time Storm-2603 has been observed distributing Babuk ransomware.
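The chain described above (an outdated Velociraptor build dropped on an endpoint, domain admin accounts created, GPOs modified, real-time protection disabled) maps onto a handful of Windows event types a defender can watch for. The following is an added example written for this page, not code from the article, Sophos, Rapid7 or the Velociraptor project. The event IDs are the standard Security log and Defender Operational log IDs; the record field names, host names, deployment inventory and sample events are constructed for the example.

```python
"""
Detection sketch (added example, not from the article or the Velociraptor
code base) for the post-compromise behaviours the article describes: an
unapproved Velociraptor client appearing on an endpoint, a newly created
account being added to Domain Admins, Group Policy objects being modified,
and Defender real-time protection being turned off.  Input records model
already-parsed Windows event log entries; every record and inventory value
below is constructed.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set

# Windows event IDs the rules key on (Security log unless noted).
EVT_USER_CREATED = 4720           # A user account was created
EVT_GLOBAL_GROUP_ADD = 4728       # A member was added to a security-enabled global group
EVT_DS_OBJECT_MODIFIED = 5136     # A directory service object was modified
EVT_DEFENDER_RTP_DISABLED = 5001  # Windows Defender/Operational: real-time protection disabled

PRIVILEGED_GROUPS: Set[str] = {"Domain Admins", "Enterprise Admins"}

# Your own deployment inventory: host -> Velociraptor client build you installed.
# Constructed placeholder; populate from real deployment records.
APPROVED_VELOCIRAPTOR: Dict[str, str] = {"srv-dfir-01": "APPROVED-BUILD"}


@dataclass
class Alert:
    rule: str
    host: str
    detail: str


def _velociraptor_rule(ev: dict) -> Optional[Alert]:
    """Flag a Velociraptor binary on a host where you did not deploy it, or a
    build that differs from the one you deployed (an attacker-supplied copy)."""
    if ev.get("source") != "process" or "velociraptor" not in ev.get("image", "").lower():
        return None
    expected = APPROVED_VELOCIRAPTOR.get(ev["host"])
    detail = f"image={ev['image']} version={ev.get('version')}"
    if expected is None:
        return Alert("velociraptor_unapproved_host", ev["host"], detail)
    if ev.get("version") != expected:
        return Alert("velociraptor_unexpected_version", ev["host"], detail)
    return None


def detect(events: Iterable[dict]) -> List[Alert]:
    """Run every rule over the event stream in order and return the alerts raised."""
    alerts: List[Alert] = []
    created_accounts: Set[str] = set()  # accounts created earlier in this batch (4720)
    for ev in events:
        hit = _velociraptor_rule(ev)
        if hit:
            alerts.append(hit)
            continue
        eid = ev.get("event_id")
        if eid == EVT_USER_CREATED:
            created_accounts.add(ev["target_account"].lower())
        elif eid == EVT_GLOBAL_GROUP_ADD and ev.get("group") in PRIVILEGED_GROUPS:
            member = ev["member"]
            note = " (newly created account)" if member.lower() in created_accounts else ""
            alerts.append(Alert("privileged_group_add", ev["host"],
                                f"{member} added to {ev['group']}{note}"))
        elif eid == EVT_DS_OBJECT_MODIFIED and ev.get("object_class") == "groupPolicyContainer":
            alerts.append(Alert("gpo_modified", ev["host"],
                                f"GPO {ev.get('object_dn')} changed by {ev.get('subject')}"))
        elif eid == EVT_DEFENDER_RTP_DISABLED and ev.get("source") == "defender":
            alerts.append(Alert("defender_rtp_disabled", ev["host"],
                                "real-time protection turned off"))
    return alerts


# Constructed sample stream: one approved Velociraptor client, one unapproved
# copy, an account created and promoted, a GPO edit, and Defender switched off.
SAMPLE_EVENTS: List[dict] = [
    {"source": "process", "host": "srv-dfir-01",
     "image": r"C:\Program Files\Velociraptor\Velociraptor.exe", "version": "APPROVED-BUILD"},
    {"source": "process", "host": "ws-finance-07",
     "image": r"C:\ProgramData\velociraptor.exe", "version": "0.73.4.0"},
    {"source": "security", "host": "dc01", "event_id": 4720,
     "target_account": "svc_backup2", "subject": "CORP\\helpdesk3"},
    {"source": "security", "host": "dc01", "event_id": 4728,
     "group": "Domain Admins", "member": "svc_backup2", "subject": "CORP\\helpdesk3"},
    {"source": "security", "host": "dc01", "event_id": 4728,
     "group": "Sales", "member": "jdoe", "subject": "CORP\\hr_admin"},
    {"source": "security", "host": "dc01", "event_id": 5136, "object_class": "groupPolicyContainer",
     "object_dn": "CN={CONSTRUCTED-GUID},CN=Policies,CN=System,DC=corp,DC=example",
     "subject": "CORP\\svc_backup2"},
    {"source": "security", "host": "dc01", "event_id": 5136, "object_class": "user",
     "object_dn": "CN=jdoe,OU=Users,DC=corp,DC=example", "subject": "CORP\\hr_admin"},
    {"source": "defender", "host": "ws-finance-07", "event_id": 5001},
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a.rule}] {a.host}: {a.detail}")
```

Two caveats for anyone adapting this: event 5136 is only logged when Directory Service Changes auditing is enabled on the domain controllers, and the inventory rule is only as good as the deployment record behind it. The underlying point is that a forensics agent you did not install is itself the indicator, regardless of which version the attacker brought.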


Rapid7, which has maintained Velociraptor since acquiring it in 2021, acknowledged the misuse of the tool. Christiaan Beek, Rapid7’s senior director of threat analytics, said that adversaries routinely repurpose legitimate tools for malicious activity, characterizing the incident as a pattern of misuse rather than a software vulnerability.

Halcyon’s analysis suggests that Storm-2603 may have ties to Chinese state-sponsored actors, based on its early access to exploits, professional development practices, and operational tactics. The ransomware crew, which emerged in June 2025, has used LockBit both as an operational tool and as a foundation for further development.


Notably, Warlock, the most recent addition to the LockBit operation before that group suffered a data breach, appears designed to confuse attribution, evade detection, and maximize impact. Halcyon’s findings also highlight the threat actor’s structured team workflows, rapid development cycles, and centralized infrastructure, indicating a sophisticated and well-resourced group.

Additional indicators of Storm-2603’s affiliation with Chinese state-sponsored actors include strict operational security measures, specific timing of ransomware payload compilation, and consistent contact information across deployments. These factors suggest a cohesive command-and-control structure and professional-grade operations.


Further investigation into Storm-2603’s development timeline reveals a rapid evolution in operational tactics, including the establishment of AK47 C2 framework infrastructure and the transition to dual LockBit/Warlock deployment within 48 hours. The group’s agility, detection evasion capabilities, and expertise with ransomware builders point to a mature, well-practiced operation.

As Storm-2603 continues to evolve and expand its ransomware operations, the cybersecurity community remains vigilant in monitoring its activities and implementing appropriate defense measures to mitigate the impact of such attacks.
