
Threat actors are exploiting Velociraptor, an open-source digital forensics and incident response (DFIR) tool, in connection with ransomware attacks believed to be orchestrated by Storm-2603 (also known as CL-CRI-1040 or Gold Salem), known for deploying Warlock and LockBit ransomware.
The use of security utilities by threat actors was documented by Sophos last month. According to Cisco Talos, the attackers are assessed to have gained initial access by leveraging an on-premises SharePoint vulnerability known as ToolShell to deliver an older version of Velociraptor (version 0.73.4.0) that is susceptible to an elevation of privilege vulnerability (CVE-2025-6264), allowing them to execute arbitrary commands and take over endpoints.
In the mid-August 2025 attack, the attackers allegedly created a domain administrator account, attempted to escalate privileges and move laterally within the compromised environment, and used that access to run tools such as Smbexec, which launches programs on remote hosts over the SMB protocol.
Before exfiltrating data and dropping Warlock, LockBit, and Babuk, attackers have been found to modify Active Directory (AD) Group Policy Objects (GPOs) to turn off real-time protection and tamper with system defenses to evade detection. These findings are the first to link Storm-2603 to Babuk ransomware deployments.
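The attack chain above rests on two conditions a defender can check directly on an endpoint: an outdated Velociraptor client at the version the report names as vulnerable to CVE-2025-6264, and Microsoft Defender real-time protection switched off through policy, which is what a tampered GPO would produce. The following audit script is an added example written for this page; it is not Rapid7's, Velociraptor's, or Cisco Talos's tooling. It assumes the Velociraptor service is registered under the name "Velociraptor", that "velociraptor.exe version" prints a "version: x.y.z" line, that the standard Defender policy registry path applies, and that versions at or below 0.73.4.0 should be treated as vulnerable (the report names only 0.73.4.0 itself).

```powershell
# Added endpoint audit (illustrative, not vendor code). Assumptions are noted inline.

$VulnerableVersion = [version]'0.73.4.0'   # version named in the report; "<=" is an assumption

function ConvertTo-FullVersion {
    # Pad "0.73.4" to "0.73.4.0" so System.Version comparison is not skewed by a missing revision
    param([string]$Text)
    $parts = $Text.Trim() -split '\.'
    while ($parts.Count -lt 4) { $parts += '0' }
    return [version]($parts[0..3] -join '.')
}

function Get-VelociraptorBinaryPath {
    # Assumption: the client runs as a Windows service named "Velociraptor"
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='Velociraptor'" -ErrorAction SilentlyContinue
    if (-not $svc) { return $null }
    # PathName may be quoted and carry arguments such as "service run"; keep only the executable
    if ($svc.PathName -match '^"([^"]+)"') { return $Matches[1] }
    return ($svc.PathName -split '\s+')[0]
}

function Get-VelociraptorVersion {
    param([string]$Path)
    # Assumption: the "version" subcommand prints a line of the form "version: 0.73.4"
    $output = & $Path version 2>$null
    $line = $output | Where-Object { $_ -match '^\s*version:' } | Select-Object -First 1
    if ($line -and $line -match 'version:\s*(\S+)') { return ConvertTo-FullVersion $Matches[1] }
    # Fall back to the file's embedded version resource, if the binary carries one
    $fv = (Get-Item $Path).VersionInfo.FileVersion
    if ($fv) { return ConvertTo-FullVersion $fv }
    return $null
}

function Test-DefenderRealtimeDisabledByPolicy {
    # The "Turn off real-time protection" policy writes this value; 1 means disabled
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection'
    $val = Get-ItemProperty -Path $key -Name DisableRealtimeMonitoring -ErrorAction SilentlyContinue
    return ($null -ne $val -and $val.DisableRealtimeMonitoring -eq 1)
}

# --- run the audit ---
$findings = @()

$binary = Get-VelociraptorBinaryPath
if ($binary) {
    $ver = Get-VelociraptorVersion -Path $binary
    if ($ver -and $ver -le $VulnerableVersion) {
        $findings += "Velociraptor $ver at $binary is at or below the version reported vulnerable to CVE-2025-6264"
    }
}

if (Test-DefenderRealtimeDisabledByPolicy) {
    $findings += 'Defender real-time protection is disabled by policy (DisableRealtimeMonitoring = 1 under HKLM Policies)'
}

# Effective state as Defender itself reports it, independent of how it was changed
$status = Get-MpComputerStatus -ErrorAction SilentlyContinue
if ($status -and -not $status.RealTimeProtectionEnabled) {
    $findings += 'Defender reports real-time protection as not enabled'
}

if ($findings.Count -eq 0) { 'No findings.' } else { $findings | ForEach-Object { "FINDING: $_" } }
```

Run it elevated on each host (or push it through your endpoint management tooling); a policy-driven disablement that shows up on many hosts at once is the signal that a GPO, not a single machine, was changed, so the follow-up is to inspect recent Group Policy modifications in Active Directory rather than to fix the endpoint alone.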

Rapid7, which maintains Velociraptor after acquiring it in 2021, previously told The Hacker News that it is aware of the abuse of the tool and, like any security or management tool, it can be exploited in the wrong hands.
“This behavior reflects a pattern of exploitation rather than a software flaw. The attackers are simply reusing legitimate collection and orchestration capabilities,” said Christiaan Beek, senior director of threat analysis at Rapid7, in response to the recently reported attack.
According to Halcyon, Storm-2603 is believed to have some ties to Chinese nation-state attackers due to early access to the ToolShell exploit and the emergence of new samples exhibiting professional-level development techniques consistent with advanced hacking groups.
The ransomware collective, which first emerged in June 2025, has been using LockBit as both an operational tool and a development platform ever since. It is worth noting that Warlock was the last affiliate registered with the LockBit scheme under the name “wlteaml” before LockBit suffered a data breach a month ago.
“From the beginning, Warlock planned to deploy multiple ransomware families to confuse attribution, evade detection, and accelerate impact,” the company said. “Warlock demonstrates the discipline, resources, and access that are hallmarks of a nation-state-aligned threat actor rather than an opportunistic ransomware group.”
Halcyon also noted that the attackers work in 48-hour development cycles when adding functionality, reflecting a structured team workflow. The company added that this centralized and organized project structure suggests a team with dedicated infrastructure and tools.
Other notable aspects that suggest connections with Chinese state-sponsored actors include:
- The use of operational security (OPSEC) measures such as timestamp stripping and intentionally corrupted expiration mechanisms
- The ransomware payload is compiled between 22:58 and 22:59 China Standard Time and packaged into a malicious installer at 01:55 the next morning
- Consistent command and control (C2) operations rather than opportunistic infrastructure reuse

A closer look at Storm-2603's development timeline revealed that the attackers established the AK47 C2 framework infrastructure in March 2025 and created the first prototype of the tool the following month. In April, the group went from a LockBit-only deployment to a dual LockBit/Warlock deployment within 48 hours.
The group was subsequently registered as a LockBit affiliate, but continued to develop its own ransomware until officially launching under the Warlock brand in June. A few weeks later, this attacker was also observed deploying Babuk ransomware starting July 21, 2025, leveraging a ToolShell exploit in a zero-day attack.
“The group’s rapid evolution from a LockBit 3.0-only deployment in April to a multi-ransomware deployment 48 hours later, followed by the Babuk deployment in July, demonstrates the builder’s sophisticated expertise in operational flexibility, evasion capabilities, attribution confusion tactics, and leaked open source ransomware frameworks,” Halcyon said.