
Hackers Turn Velociraptor DFIR Tool Into Weapon in LockBit Ransomware Attacks - The Hacker News

The Hacker News, archived Mar 27, 2026
Ravie Lakshmanan, Oct 11, 2025 · Network Security / Vulnerability

Threat actors are abusing Velociraptor, an open-source digital forensics and incident response (DFIR) tool, in ransomware attacks likely orchestrated by Storm-2603 (aka CL-CRI-1040 or Gold Salem), a group known for deploying the Warlock and LockBit ransomware. The threat actor's use of the security utility was documented by Sophos last month.

According to Cisco Talos, the attackers weaponized the on-premises SharePoint vulnerabilities collectively known as ToolShell to obtain initial access and deliver an outdated version of Velociraptor (0.73.4.0) that is susceptible to a privilege escalation vulnerability (CVE-2025-6264), enabling arbitrary command execution and endpoint takeover.

In the mid-August 2025 attack, the threat actors attempted to escalate privileges by creating domain admin accounts and moving laterally within the compromised environment, and used that access to run tools such as Smbexec, which launches programs on remote hosts over the SMB protocol. Before exfiltrating data and dropping Warlock, LockBit, and Babuk, the adversary modified Active Directory (AD) Group Policy Objects (GPOs) and turned off real-time protection to tamper with system defenses and evade detection. The findings mark the first time Storm-2603 has been linked to the deployment of Babuk ransomware.

Rapid7, which has maintained Velociraptor since acquiring it in 2021, previously told The Hacker News that it is aware of the misuse of the tool and that, like other security and administrative tools, it can be abused in the wrong hands.
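The chain above is a sequence of discrete, loggable actions, which makes it a candidate for correlation rather than single-event alerting. The following Python is an added example, not code from the article, from Sophos, Cisco Talos, Rapid7 or the Velociraptor project: it tags constructed Sysmon, Windows Security and Defender Operational events with the stage they evidence (a Velociraptor client running outside its expected install directory, a new Domain Admins member, a modified Group Policy container, real-time protection disabled) and reports any window in which several stages occur together. The event field names, the expected install directory, the hostnames and every sample event are assumptions for illustration, not output of a real system.

```python
"""Correlate the stages of the Velociraptor-abuse chain across Windows event logs.

Added example, not code from the article or from Velociraptor/Rapid7. The event
field names, the expected install directory and every sample event below are
constructed for illustration.
"""
from datetime import datetime, timedelta

# Directory a sanctioned Velociraptor client is expected to run from. Assumption
# for this example; tune it to the deployment you actually manage.
EXPECTED_VELOCIRAPTOR_DIR = "c:\\program files\\velociraptor\\"

# Constructed sample events. Field names loosely follow Sysmon EID 1 (process
# create), Security EIDs 4728 (member added to a global group) and 5136
# (directory object modified), and Defender Operational EID 5001 (real-time
# protection disabled).
SAMPLE_EVENTS = [
    # Sanctioned client on SP01: runs from the install directory, so not flagged.
    {"ts": "2025-08-12T09:01:00", "host": "SP01", "provider": "Microsoft-Windows-Sysmon",
     "id": 1, "image": "C:\\Program Files\\Velociraptor\\velociraptor.exe",
     "original_filename": "velociraptor.exe", "cmdline": "velociraptor.exe service run"},
    # Lone Defender event on FS01 days earlier: one stage on its own, no alert.
    {"ts": "2025-08-10T11:00:00", "host": "FS01",
     "provider": "Microsoft-Windows-Windows Defender", "id": 5001},
    # Renamed Velociraptor client dropped into a temp directory on SP02.
    {"ts": "2025-08-14T02:10:00", "host": "SP02", "provider": "Microsoft-Windows-Sysmon",
     "id": 1, "image": "C:\\Windows\\Temp\\vr.exe",
     "original_filename": "velociraptor.exe", "cmdline": "vr.exe client -c client.config.yaml"},
    # New account added to Domain Admins, logged on the domain controller.
    {"ts": "2025-08-14T02:26:00", "host": "DC01", "provider": "Security", "id": 4728,
     "group": "Domain Admins", "member": "svc_backup2"},
    # A Group Policy container modified, also logged on the domain controller.
    {"ts": "2025-08-14T03:40:00", "host": "DC01", "provider": "Security", "id": 5136,
     "object_class": "groupPolicyContainer", "attribute": "gPCFileSysPath"},
    # Real-time protection switched off on SP02.
    {"ts": "2025-08-14T03:55:00", "host": "SP02",
     "provider": "Microsoft-Windows-Windows Defender", "id": 5001},
]


def classify(ev):
    """Return the attack stage one event evidences, or None if it evidences none."""
    eid, provider = ev["id"], ev.get("provider", "Security")
    if provider == "Microsoft-Windows-Sysmon" and eid == 1:
        # Match on the PE's original file name so a renamed binary is still caught.
        if (ev.get("original_filename", "").lower() == "velociraptor.exe"
                and not ev.get("image", "").lower().startswith(EXPECTED_VELOCIRAPTOR_DIR)):
            return "velociraptor_outside_install_dir"
    elif provider == "Security" and eid == 4728 and ev.get("group", "").lower() == "domain admins":
        return "domain_admin_added"
    elif provider == "Security" and eid == 5136 and ev.get("object_class") == "groupPolicyContainer":
        return "gpo_modified"
    elif provider == "Microsoft-Windows-Windows Defender" and eid == 5001:
        return "realtime_protection_disabled"
    return None


def find_chains(events, window_hours=24, min_stages=3):
    """Report windows in which at least min_stages distinct stages occur.

    Correlation is domain-wide rather than per host: the group-membership and
    GPO events land on the domain controller, the client and Defender events
    on the endpoint, so a per-host join would never see the whole chain.
    """
    window = timedelta(hours=window_hours)
    tagged = []
    for ev in events:
        stage = classify(ev)
        if stage is not None:
            tagged.append((datetime.fromisoformat(ev["ts"]), stage, ev))
    tagged.sort(key=lambda t: t[0])

    chains, i = [], 0
    while i < len(tagged):
        start = tagged[i][0]
        j = i
        while j < len(tagged) and tagged[j][0] - start <= window:
            j += 1
        group = tagged[i:j]
        stages = {stage for _, stage, _ in group}
        if len(stages) >= min_stages:
            chains.append({
                "start": group[0][0].isoformat(),
                "end": group[-1][0].isoformat(),
                "stages": sorted(stages),
                "hosts": sorted({ev["host"] for _, _, ev in group}),
            })
            i = j  # consume the window so one campaign is reported once
        else:
            i += 1
    return chains


if __name__ == "__main__":
    for chain in find_chains(SAMPLE_EVENTS):
        print(chain)
```

Run against the sample, the sanctioned client on SP01 and the isolated Defender event on FS01 produce nothing, while the four SP02/DC01 events inside one 24-hour window are reported as a single chain. Tightening `window_hours` or raising `min_stages` trades recall for precision; the original file name check is what keeps a renamed `vr.exe` from slipping past a path-only rule.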
"This behavior reflects a misuse pattern rather than a software flaw: adversaries simply repurpose legitimate collection and orchestration capabilities," Christiaan Beek, Rapid7's senior director of threat analytics, said in response to the latest reported attacks.

According to Halcyon, Storm-2603 is believed to have some connections to Chinese nation-state actors, owing to its early access to the ToolShell exploit and the emergence of new samples that exhibit professional-grade development practices consistent with sophisticated hacking groups. The ransomware crew, which first emerged in June 2025, has since used LockBit as both an operational tool and a development foundation. It's worth noting that Warlock was the final affiliate registered with the LockBit scheme, under the name "wlteaml", before LockBit suffered a data leak the previous month.

"Warlock planned from the beginning to deploy multiple ransomware families to confuse attribution, evade detection, and accelerate impact," the company said. "Warlock demonstrates the discipline, resources, and access characteristic of nation-state–aligned threat actors, not opportunistic ransomware crews."

Halcyon also pointed out the threat actor's 48-hour development cycles for feature additions, reflective of structured team workflows. This centralized, organized project structure suggests a team with dedicated infrastructure and tooling, it added.
Other notable aspects that suggest ties to Chinese state-sponsored actors include:

- Use of operational security (OPSEC) measures, such as stripped timestamps and intentionally corrupted expiration mechanisms
- Compilation of ransomware payloads at 22:58-22:59 China Standard Time and packaging of them into a malicious installer at 01:55 the next morning
- Consistent contact information and shared, misspelled domains across Warlock, LockBit, and Babuk deployments, suggesting cohesive command-and-control (C2) operations rather than opportunistic infrastructure reuse

A deeper examination of Storm-2603's development timeline found that the threat actor established the infrastructure for its AK47 C2 framework in March 2025 and created the first prototype of the tool the following month. In April, it also pivoted from LockBit-only deployment to dual LockBit/Warlock deployment within a span of 48 hours. While it subsequently registered as a LockBit affiliate, work continued on its own ransomware until it was formally launched under the Warlock branding in June. Weeks later, the threat actor was observed leveraging the ToolShell exploit as a zero-day while also deploying Babuk ransomware, starting July 21, 2025.

"The group's rapid evolution in April from the LockBit 3.0-only deployment to a multi-ransomware deployment 48 hours later, followed by Babuk deployment in July, shows operational flexibility, detection evasion capabilities, attribution confusion tactics, and sophisticated builder expertise using leaked and open-source ransomware frameworks," Halcyon said.