Velociraptor DFIR Tool is used as a Weapon by Hackers in LockBit Ransomware Attacks


The open-source digital forensics and incident response (DFIR) tool Velociraptor is being misused by threat actors in ransomware attacks likely orchestrated by Storm-2603 (also known as CL-CRI-1040 or Gold Salem), the group responsible for distributing the LockBit and Warlock malware.

Last month, Sophos reported how the threat actor used the security tool. According to Cisco Talos, the attackers used the on-premises SharePoint flaws known as ToolShell to gain initial access and distribute an out-of-date version of Velociraptor (version 0.73.4.0), which is vulnerable to a privilege escalation vulnerability (CVE-2025-6264) that allows for arbitrary command execution and endpoint takeover.

[Image: Velociraptor incident response tool abused]

In the mid-August 2025 attack, the threat actors allegedly attempted to escalate privileges by creating domain admin accounts, moved laterally within the compromised environment, and used tools such as Smbexec to launch programs remotely over SMB.

The adversary has been observed to alter Active Directory (AD) Group Policy Objects (GPOs), disable real-time protection to tamper with system defenses, and avoid detection before data exfiltration and the dropping of Warlock, LockBit, and Babuk. According to the findings, Storm-2603 has never before been connected to the spread of Babuk ransomware.

Rapid7, the company that supports Velociraptor after purchasing it in 2021, previously informed The Hacker News that it is aware of the tool’s misuse and that, like other security and administration tools, it can be misused when in the wrong hands.

“This behavior reflects a misuse pattern rather than a software flaw: adversaries simply repurpose legitimate collection and orchestration capabilities,” Rapid7’s senior director of threat analytics, Christiaan Beek, claimed in reaction to the most recent attacks.

Halcyon assesses that Storm-2603 shares some traits with Chinese nation-state hackers, because the group had early access to the ToolShell exploit and because fresh samples show professional-grade development practices typical of highly skilled hacking groups.

Since its initial appearance in June 2025, the ransomware team has used LockBit both as a development foundation and as an operational tool. Notably, Warlock was the last affiliate to register with the LockBit scheme, under the name “wlteaml”, before the data dump that occurred a month earlier.

“Warlock planned from the beginning to deploy multiple ransomware families to confuse attribution, evade detection, and accelerate impact,” the business stated. “Warlock demonstrates the discipline, resources, and access characteristic of nation-state–aligned threat actors, not opportunistic ransomware crews.”

Halcyon also drew attention to the threat actor’s 48-hour development cycles for adding features, which are indicative of organized team processes. It added that this centralized, well-organized project structure suggests a team with dedicated infrastructure and tooling.

[Image: Velociraptor DFIR tool]

Other noteworthy features that point to connections with Chinese state-sponsored actors are as follows:

  • Use of operational security (OPSEC) techniques, such as deliberately tampered expiration mechanisms and stripped timestamps.
  • At 22:58–22:59 China Standard Time, ransomware payloads were compiled, and at 01:55 the next day, they were packaged into a malicious installer.
  • Shared, misspelled domains and consistent contact information across the Warlock, LockBit, and Babuk deployments, which suggest coherent command-and-control (C2) operations rather than opportunistic infrastructure reuse.
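The stripped-timestamp and build-time indicators above are the kind of thing a triage script can surface from a sample's PE header. The following is an added example, not code from the article or from any of the vendors it cites: it reads the COFF TimeDateStamp, flags values that have been zeroed or filled with 0xFFFFFFFF, and expresses valid ones in China Standard Time (UTC+8) so build-hour clustering is visible. The PE bytes and the sample timestamp are constructed for the demo, not taken from any real Storm-2603 sample.

```python
import struct
from datetime import datetime, timezone, timedelta

CST = timezone(timedelta(hours=8))  # China Standard Time: UTC+8, no DST

def pe_timestamp(data: bytes) -> int:
    """Return the raw 32-bit COFF TimeDateStamp of a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: bad PE signature offset")
    # COFF header follows the 4-byte signature:
    # Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    return struct.unpack_from("<I", data, e_lfanew + 8)[0]

def classify_timestamp(ts: int) -> dict:
    """Flag stripped timestamps; otherwise report the build time in UTC and CST."""
    if ts in (0, 0xFFFFFFFF):
        return {"status": "stripped", "raw": ts}
    utc = datetime.fromtimestamp(ts, tz=timezone.utc)
    cst = utc.astimezone(CST)
    return {"status": "present", "raw": ts, "utc": utc.isoformat(),
            "cst": cst.isoformat(), "cst_hour": cst.hour, "cst_minute": cst.minute}

def build_sample_pe(ts: int) -> bytes:
    """Constructed minimal PE header (not a real binary) carrying the given timestamp."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew -> PE signature at 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 1, ts, 0, 0, 0, 0)
    return bytes(dos + coff)

def triage(samples: list) -> list:
    """Run the check over (label, bytes) pairs; malformed input is reported, not fatal."""
    rows = []
    for label, data in samples:
        try:
            rows.append({"sample": label, **classify_timestamp(pe_timestamp(data))})
        except ValueError as exc:
            rows.append({"sample": label, "status": "error", "detail": str(exc)})
    return rows

# Constructed sample: a build at 22:58 CST, i.e. 14:58 UTC, plus a stripped one.
SAMPLE_TS = int(datetime(2025, 7, 20, 14, 58, tzinfo=timezone.utc).timestamp())

if __name__ == "__main__":
    for row in triage([("built_2258_cst.exe", build_sample_pe(SAMPLE_TS)),
                       ("stripped.exe", build_sample_pe(0)),
                       ("junk.bin", b"not a pe")]):
        print(row)
```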

A closer look at Storm-2603’s development path reveals that the threat actor built the AK47 C2 framework infrastructure in March 2025 and produced the tool’s initial prototype the following month. Additionally, it changed its deployment strategy in April from LockBit-only to dual LockBit/Warlock in less than 48 hours.

After that, it registered as a LockBit affiliate, but it kept working on its own ransomware until June, when it was officially released under the Warlock name. A few weeks later, on July 21, 2025, the threat actor was seen using the ToolShell exploit as a zero-day in conjunction with the Babuk ransomware.

“The group’s rapid evolution in April from the LockBit 3.0-only deployment to a multi-ransomware deployment 48 hours later, followed by Babuk deployment in July, shows operational flexibility, detection evasion capabilities, attribution confusion tactics, and sophisticated builder expertise using leaked and open-source ransomware frameworks,” Halcyon stated.

About The Author:

Yogesh Naager is a content marketer who specializes in the cybersecurity and B2B space. Besides writing for the News4Hackers blogs, he also writes for brands including Craw Security, Bytecode Security, and NASSCOM.
