Velociraptor DFIR Tool is used as a Weapon by Hackers in LockBit Ransomware Attacks


The open source digital forensics and incident response (DFIR) tool Velociraptor is being misused by threat actors in connection with ransomware attacks that may have been planned by Storm-2603 (also known as CL-CRI-1040 or Gold Salem), which is responsible for distributing the LockBit and Warlock malware.

Last month, Sophos reported on how a threat actor was using the security tool. According to Cisco Talos, the attackers used an on-premises SharePoint flaw known as ToolShell to gain initial access and then deployed an outdated version of Velociraptor (0.73.4.0) that is affected by a privilege escalation vulnerability (CVE-2025-6264) allowing arbitrary command execution and takeover of the endpoint.

In the mid-August 2025 attack, the threat actors reportedly attempted to escalate privileges by creating domain administrator accounts, moved laterally within the compromised environment, and used tools such as Smbexec to execute software remotely over SMB.

The adversary was also observed altering Active Directory (AD) Group Policy Objects (GPOs), disabling real-time protection to weaken system defenses, and evading detection before exfiltrating data and dropping Warlock, LockBit, and Babuk. According to the findings, Storm-2603 had not previously been linked to Babuk ransomware deployments.
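The chain described in the three paragraphs above (an outdated Velociraptor build dropped by an intruder, followed by real-time protection being switched off on the same host) is something a defender can triage from endpoint telemetry. The script below is an added example written for this article; it is not code from the article, from Rapid7, or from the Velociraptor project. It assumes a simplified, constructed process-event feed with file version and outbound destination fields, a placeholder PATCHED_VERSION threshold that must be taken from the vendor advisory for CVE-2025-6264, a placeholder allowlist of the organisation's own Velociraptor server hosts, and an assumed 24-hour correlation window.

```python
"""Triage helper: flag unsanctioned or outdated Velociraptor clients and
defence tampering that follows them on the same host.

Added example, not from the article or the Velociraptor project. The event
format, the allowlist, the patched-version threshold and the correlation
window are assumptions chosen for this illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
import re

# Build named in the article as exposed to CVE-2025-6264.
VULNERABLE_VERSION = "0.73.4.0"
# Placeholder threshold: confirm the fixed version against the vendor advisory.
PATCHED_VERSION = (0, 74, 3)
# Placeholder allowlist: hosts of the organisation's own Velociraptor servers.
APPROVED_SERVERS = {"velociraptor.corp.example"}
# Assumed window for linking defence tampering to a prior Velociraptor start.
TAMPER_WINDOW = timedelta(hours=24)


@dataclass
class Event:
    ts: datetime
    host: str
    image: str            # full path of the executed image
    cmdline: str
    version: str = ""     # file version of the image, if the sensor reports it
    dest_host: str = ""   # remote host the process connected to, if any


def parse_version(text):
    """'0.73.4.0' -> (0, 73, 4, 0) so versions compare as tuples."""
    return tuple(int(p) for p in text.split("."))


def is_velociraptor(ev):
    name = ev.image.lower().replace("/", "\\").rsplit("\\", 1)[-1]
    return name == "velociraptor.exe"


# PowerShell invocation that turns Defender real-time monitoring off.
RTP_OFF = re.compile(r"set-mppreference\b.*-disablerealtimemonitoring\s+(\$true|1)\b", re.I)


def analyse(events):
    """Return (host, rule, detail) findings in event-time order."""
    findings = []
    first_velo = {}  # host -> time of the first Velociraptor execution seen
    for ev in sorted(events, key=lambda e: e.ts):
        if is_velociraptor(ev):
            first_velo.setdefault(ev.host, ev.ts)
            if ev.version and parse_version(ev.version) < PATCHED_VERSION:
                findings.append((ev.host, "velociraptor-outdated", ev.version))
            if ev.dest_host and ev.dest_host not in APPROVED_SERVERS:
                findings.append((ev.host, "velociraptor-unapproved-server", ev.dest_host))
        elif RTP_OFF.search(ev.cmdline):
            started = first_velo.get(ev.host)
            if started is not None and ev.ts - started <= TAMPER_WINDOW:
                findings.append((ev.host, "rtp-disabled-after-velociraptor", ev.cmdline))
            else:
                findings.append((ev.host, "rtp-disabled", ev.cmdline))
    return findings


def sample_events():
    """Constructed events: one compromised host, one sanctioned IR workstation."""
    t0 = datetime(2025, 8, 15, 9, 0)
    ps = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    return [
        Event(t0, "srv-sp01", r"C:\ProgramData\tmp\velociraptor.exe",
              "velociraptor.exe client -v", VULNERABLE_VERSION, "unlisted-relay.example"),
        Event(t0 + timedelta(minutes=40), "srv-sp01", ps,
              'powershell -c "Set-MpPreference -DisableRealtimeMonitoring $true"'),
        Event(t0 + timedelta(hours=1), "ws-ir07", r"C:\Program Files\Velociraptor\velociraptor.exe",
              "velociraptor.exe client", "0.74.3.0", "velociraptor.corp.example"),
    ]


if __name__ == "__main__":
    for host, rule, detail in analyse(sample_events()):
        print(f"{host}: {rule}: {detail}")
```

The sanctioned client on ws-ir07 produces no finding because it is current and talks to an allowlisted server; the outdated build on srv-sp01 yields three findings, and the third one is the sequence-based rule that matters most in practice, since a legitimate IR deployment does not switch real-time protection off on the hosts it is investigating.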

Rapid7, the company backing Velociraptor after purchasing it in 2021, previously told The Hacker News that it was aware of the tool’s misuse, and that, like other security and management tools, it could be abused when in the wrong hands.

“This behavior reflects a pattern of misuse rather than a software flaw: adversaries are simply reusing legitimate collection and coordination capabilities,” Christiaan Beek, senior director of threat analytics at Rapid7, said in response to the recent attacks.

Halcyon assesses that Storm-2603 shares some characteristics with Chinese nation-state hackers, citing its early access to the ToolShell exploit and new samples that show professional development practices typical of highly skilled hacking groups.

Since its initial debut in June 2025, the ransomware group has used LockBit as both a development base and an operational tool. Notably, Warlock was the last affiliate to register, under the name “wlteaml,” in the LockBit scheme before the data dump that occurred a month ago.

“Warlock planned from the beginning to deploy multiple families of ransomware to confuse attribution, avoid detection, and accelerate impact,” Halcyon said. “Warlock exhibits the discipline, resources, and access characteristics of nation-state-aligned threat actors, not opportunistic ransomware crews.”

Halcyon also drew attention to the threat actor’s 48-hour feature-addition development cycles, which point to structured team processes. The company added that this suggests a well-organized central project organization supporting a team with dedicated infrastructure and tooling.

[Image: the Velociraptor DFIR tool]

Other noteworthy features indicating ties with Chinese state-sponsored actors are as follows:

  • Use of operational security (OPSEC) techniques, such as intentionally manipulated expiration mechanisms and removed timestamps.
  • The ransomware payloads were compiled between 22:58 and 22:59 China Standard Time, and at 01:55 the next day they were compiled into a malicious installer.
  • Shared misspelled domains and consistent contact information across Warlock, LockBit, and Babuk deployments, which suggest cohesive command and control (C2) operations rather than opportunistic infrastructure reuse.

A closer look at Storm-2603’s development path reveals that the threat actor built the infrastructure for the AK47 C2 framework in March 2025 and produced the prototype of the tool the following month. Additionally, it changed its deployment strategy in April from LockBit only to dual LockBit/Warlock in less than 48 hours.

It then registered as a LockBit affiliate but continued to work on its own ransomware until June, when it was officially released under the name Warlock. A few weeks later, on July 21, 2025, the threat actor was seen exploiting the ToolShell vulnerability as a zero-day in conjunction with the Babuk ransomware.

“The group’s rapid evolution in April from deploying only LockBit 3.0 to deploying multiple ransomware 48 hours later, followed by the Babuk deployment in July, demonstrates operational agility, capabilities for detection evasion and attribution confusion tactics, and cutting-edge building expertise using leaked and open source ransomware frameworks,” Halcyon said.

About the author:

Yogesh Nagar is a content marketer specializing in the cybersecurity and B2B space. Besides writing for News4Hackers blogs, he also writes for brands including Craw Security, Bytecode Security, and NASSCOM.
