The Velociraptor digital forensics and incident response (DFIR) tool, an open-source utility maintained by Rapid7, has been repurposed by threat actors in a new wave of ransomware campaigns. Security researchers have confirmed that Storm-2603, also tracked as Gold Salem, is abusing outdated versions of Velociraptor alongside exploits for Microsoft SharePoint vulnerabilities to gain initial access, escalate privileges, and deploy ransomware families including LockBit, Warlock, and Babuk.
The attacks highlight a growing trend of cybercriminals weaponizing legitimate security tools against enterprise environments. By exploiting weaknesses in both public-facing applications and outdated software, adversaries have been able to create domain admin accounts, modify Active Directory Group Policy Objects (GPOs), disable security defenses, and move laterally across compromised networks. These findings mark the first documented case of Storm-2603 deploying Babuk ransomware, further expanding the threat group’s operational scope.
Researchers warn that the combination of SharePoint exploits, Velociraptor misuse, and multi-family ransomware deployment underscores the speed at which advanced groups adapt open-source tools for malicious purposes. With evidence pointing to ties between Storm-2603 and Chinese nation-state actors, the campaign demonstrates both the sophistication and global risk posed by organized ransomware operations in 2025.
Table of Contents
- Overview of the Velociraptor Exploitation
- Initial Access Through SharePoint Vulnerabilities
- How Attackers Weaponized Velociraptor
- Ransomware Deployment: LockBit, Warlock, and Babuk
- Attribution and Suspected Links to Nation-State Actors
- Industry Response and Security Warnings
- Key Takeaways
Overview of the Velociraptor Exploitation
Velociraptor is a widely used open-source digital forensics and incident response (DFIR) tool developed to help organizations investigate intrusions, collect forensic data, and manage incident response workflows. Since Rapid7 acquired the project in 2021, it has gained popularity across the security community for its flexibility and transparency. However, like many legitimate utilities, Velociraptor can also be misused when placed in the wrong hands.
In recent incidents, security researchers have uncovered evidence that threat actors associated with Storm-2603, also known as Gold Salem, have repurposed Velociraptor for malicious campaigns. Instead of using the tool for defense and investigation, adversaries deployed an outdated version (0.73.4.0) vulnerable to CVE-2025-6264, a privilege escalation flaw. By weaponizing this weakness, attackers were able to execute arbitrary commands and gain elevated control over targeted endpoints.
This marks a troubling shift in attacker methodology. Rather than relying solely on custom malware, groups like Storm-2603 are increasingly adopting trusted, open-source tools to blend in with legitimate activity. By doing so, they make detection and attribution more difficult for defenders while gaining access to powerful collection and orchestration features that were originally designed to help incident responders.
The exploitation of Velociraptor is part of a broader campaign that also leverages unpatched Microsoft SharePoint vulnerabilities. Together, these techniques allow adversaries to break into enterprise networks, escalate privileges, disable defenses, and pave the way for ransomware deployment. The findings demonstrate how quickly attackers adapt both vulnerabilities and security software for offensive use, raising new challenges for defenders in 2025.
Initial Access Through SharePoint Vulnerabilities
Attackers in this campaign have repeatedly targeted internet-facing Microsoft SharePoint servers to gain an initial foothold. The exploit chain known as ToolShell — which bundles multiple on-premise SharePoint flaws — has been abused to upload web shells and achieve remote code execution. Once a web shell is in place, adversaries can run arbitrary commands, drop further tooling, and establish persistent access without interactive user logins.
Reported incidents show the threat actors used targeted HTTP POST requests to place ASPX web shells on vulnerable SharePoint instances. From there, they downloaded additional utilities, including a Golang-based WebSockets server, to maintain access even if the web shell were removed. This approach gives attackers a robust, low-noise method to stage follow-on activity while avoiding straightforward detection.
The window for exploitation was amplified by delayed patching across affected organizations. Public-facing services that are not patched quickly become high-value targets because a single exploited SharePoint server can allow lateral movement into sensitive parts of the network. Security teams should treat exposed SharePoint servers as a critical attack surface and prioritize vulnerability scanning and patching for these systems.
Indicators tied to the ToolShell exploitation include unusual POST requests to SharePoint endpoints, unexpected creation of ASPX files in web directories, the presence of renamed utilities such as cloudflared or other remote-access binaries, and downloads originating from untrusted repositories. Monitoring for these signs can help defenders detect early compromise and interrupt the attacker kill chain before privilege escalation and ransomware deployment occur.
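The indicators above can be checked mechanically. The following is an added example, not code from the article or from any vendor advisory, that runs three of those checks over constructed sample data: anonymous or external POSTs to SharePoint system endpoints in IIS W3C log lines, `.aspx` files created under a web root, and utilities whose on-disk name differs from the PE `OriginalFileName` (the field Sysmon and most EDRs record on process start). The endpoint prefixes, internal address ranges, web-root paths and the event dictionary layout are assumptions to adapt to a real deployment.

```python
"""Detection sketch for ToolShell-style web-shell indicators.

Added example, not code from the article. All log lines and events below
are constructed for the demo. HTTP lines mimic the IIS W3C field order:
date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip
cs(User-Agent) cs(Referer) sc-status. File and process events are
hypothetical dicts in the shape an EDR or Sysmon forwarder might emit.
"""
from __future__ import annotations

import ipaddress
import ntpath

# Assumption: SharePoint system endpoints where unexpected POSTs deserve a look.
SHAREPOINT_SYSTEM_PREFIXES = ("/_layouts/", "/_vti_bin/")
# Assumption: constructed internal ranges for the demo environment.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
# Assumption: typical on-disk web roots for IIS and SharePoint (lower-case for matching).
WEB_ROOTS = (r"c:\inetpub\wwwroot", r"c:\program files\common files\microsoft shared\web server extensions")
# Tools the article reports being dropped under other names.
KNOWN_TOOL_ORIGINAL_NAMES = {"cloudflared.exe", "rclone.exe"}


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_iis_line(line: str) -> dict | None:
    """Split one W3C log line into a dict; comments and short lines give None."""
    if not line or line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) < 12:
        return None
    keys = ["date", "time", "s_ip", "method", "uri_stem", "uri_query",
            "port", "user", "c_ip", "ua", "referer", "status"]
    return dict(zip(keys, parts))


def suspicious_http(rec: dict) -> str | None:
    """Flag POSTs to SharePoint system endpoints that look unlike browser traffic."""
    if rec["method"] != "POST":
        return None
    if not rec["uri_stem"].lower().startswith(SHAREPOINT_SYSTEM_PREFIXES):
        return None
    reasons = []
    if not is_internal(rec["c_ip"]):
        reasons.append("external source")
    if rec["referer"] == "-":
        reasons.append("no referer")
    if rec["user"] == "-":
        reasons.append("unauthenticated")
    if reasons:
        return f"POST {rec['uri_stem']} from {rec['c_ip']} ({', '.join(reasons)})"
    return None


def suspicious_file_create(ev: dict) -> str | None:
    """An .aspx written under a web root is the classic web-shell drop pattern."""
    path = ev["path"].lower()
    if path.endswith(".aspx") and path.startswith(WEB_ROOTS):
        return f"ASPX created under web root by {ev['process']}: {ev['path']}"
    return None


def suspicious_process(ev: dict) -> str | None:
    """Renamed utility: PE OriginalFileName does not match the on-disk file name."""
    on_disk = ntpath.basename(ev["image"]).lower()   # ntpath handles Windows paths on any OS
    original = ev.get("original_filename", "").lower()
    if original in KNOWN_TOOL_ORIGINAL_NAMES and original != on_disk:
        return f"renamed tool: {ev['image']} has OriginalFileName {original}"
    return None


def scan(http_lines, file_events, process_events) -> list[str]:
    findings = []
    for line in http_lines:
        rec = parse_iis_line(line)
        if rec and (why := suspicious_http(rec)):
            findings.append(why)
    for ev in file_events:
        if why := suspicious_file_create(ev):
            findings.append(why)
    for ev in process_events:
        if why := suspicious_process(ev):
            findings.append(why)
    return findings


# Constructed sample data: one hit of each kind plus benign entries.
SAMPLE_HTTP = [
    "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status",
    "2025-07-20 03:14:02 10.0.0.5 POST /_layouts/15/somepage.aspx - 443 - 203.0.113.7 Mozilla/5.0+(Windows) - 200",
    r"2025-07-20 09:30:11 10.0.0.5 POST /_layouts/15/somepage.aspx - 443 CORP\jdoe 10.0.4.22 Mozilla/5.0+(Windows) https://sp.corp.example/sites/hr 200",
    r"2025-07-20 09:31:00 10.0.0.5 GET /sites/hr/default.aspx - 443 CORP\jdoe 10.0.4.22 Mozilla/5.0+(Windows) - 200",
]
SAMPLE_FILES = [
    {"process": "w3wp.exe", "path": r"C:\inetpub\wwwroot\wss\VirtualDirectories\80\evil.aspx"},
    {"process": "msiexec.exe", "path": r"C:\Windows\Temp\setup.log"},
]
SAMPLE_PROCS = [
    {"image": r"C:\Windows\Temp\update.exe", "original_filename": "cloudflared.exe"},
    {"image": r"C:\Program Files\cloudflared\cloudflared.exe", "original_filename": "cloudflared.exe"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_HTTP, SAMPLE_FILES, SAMPLE_PROCS):
        print(finding)
```

Each check is deliberately narrow so it can be tuned against a site's own baseline; in practice the POST rule should be compared with the normal authenticated traffic to `/_layouts/` rather than fired on every anonymous request.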
How Attackers Weaponized Velociraptor
Once attackers established initial access through vulnerable SharePoint servers, they deployed an outdated version of Velociraptor (0.73.4.0). This release contained a privilege escalation flaw tracked as CVE-2025-6264, which allowed adversaries to execute arbitrary commands and gain full control over endpoints. By exploiting a tool originally designed to help security teams investigate incidents, attackers inverted its purpose to orchestrate and scale their intrusions.
Sophos and Cisco Talos researchers noted that Storm-2603 used Velociraptor not only for command execution but also for collection and lateral movement. The tool’s native ability to gather forensic data and interact with multiple systems made it a powerful weapon once repurposed. With elevated privileges, attackers were able to create new domain administrator accounts, map networks, and pivot deeper into compromised environments.
This misuse reflects a broader trend in which legitimate IT and security tools are co-opted for malicious operations. The practice, sometimes called “living off the land,” helps adversaries hide in plain sight by blending malicious actions with normal administrative activity. In the Velociraptor case, defenders may overlook abnormal use because the tool itself is trusted and widely deployed in enterprise environments.
Security experts emphasize that this was not a vulnerability in Velociraptor’s intended functionality but rather a case of adversaries exploiting both an outdated version and its legitimate capabilities. Rapid7, which maintains the project, has reiterated that any powerful administrative tool can be abused when organizations fail to patch or monitor its use. For defenders, the key lesson is to treat security utilities with the same vigilance as any other high-risk software.
Ransomware Deployment: LockBit, Warlock, and Babuk
Following privilege escalation and network reconnaissance, Storm-2603 proceeded with ransomware deployment inside compromised environments. Researchers observed the group leveraging Velociraptor alongside other utilities such as Smbexec to execute programs remotely across Windows systems. This enabled them to disable defenses, expand access, and prepare systems for mass encryption.
Evidence shows that the attackers deployed multiple ransomware families in a single campaign. LockBit was used as both an operational tool and a foundation for further development, while Warlock ransomware emerged as the group’s custom strain. In some cases, investigators also confirmed the use of Babuk ransomware, marking the first time Storm-2603 has been directly tied to that variant. By launching more than one ransomware family, the actors aimed to confuse attribution, evade detection, and maximize disruption.
The Warlock ransomware campaign in particular was notable for its use of modified Active Directory Group Policy Objects (GPOs) to spread malware and tamper with security settings across the domain. Attackers disabled real-time protection, altered group policies, and exploited built-in Windows functionality to propagate their payload. Files encrypted by Warlock were appended with the “.x2anylock” extension, while ransom notes were dropped in affected directories.
Researchers also identified a strategy of deploying ransomware in multiple stages. Prior to encrypting files, the threat actors engaged in data exfiltration, stealing sensitive information for double-extortion pressure. This aligns with the tactics of many modern ransomware groups, where data theft is leveraged alongside file encryption to increase the likelihood of ransom payment.
The deployment of LockBit, Warlock, and Babuk in rapid succession illustrates the operational flexibility of Storm-2603. It also demonstrates the dangers of leaked ransomware builders and open-source frameworks, which enable actors to spin up new variants quickly. For defenders, these findings highlight the importance of layered defense, strict monitoring of privileged accounts, and immediate incident response once early indicators of compromise are detected.
Attribution and Suspected Links to Nation-State Actors
Attribution of ransomware activity is always complex, but multiple indicators suggest that Storm-2603 — also tracked as Gold Salem — may be operating with ties to Chinese state-sponsored actors. Several factors contribute to this assessment, including early access to zero-day vulnerabilities, professional development practices, and technical patterns observed during attacks.
Researchers have highlighted that Storm-2603 was among the first groups to weaponize the ToolShell exploit chain targeting Microsoft SharePoint servers. The ability to use a zero-day before it became widely known strongly suggests access to resources or partnerships beyond those of typical criminal affiliates. This early access is often associated with groups aligned to nation-state intelligence operations.
Operational analysis also points to professional-grade development workflows. Reports describe 48-hour development cycles for new ransomware features, consistent use of centralized infrastructure, and organized project management practices. Such efficiency and structure are uncommon in opportunistic cybercrime groups, but typical of advanced teams with dedicated staff and tooling.
Technical indicators add further weight to suspicions of Chinese involvement. Ransomware payloads linked to Storm-2603 have been compiled during late evening hours in China Standard Time, with packaging into installers occurring the following morning. The group has also taken careful operational security measures, such as stripping file timestamps and corrupting expiration metadata to complicate forensic analysis.
Although Storm-2603 has targeted victims globally, the group has largely avoided entities located in China and Russia. This selective targeting pattern is common among threat actors operating from within jurisdictions that discourage local attacks while tolerating or ignoring international campaigns. Combined with shared infrastructure across LockBit, Warlock, and Babuk deployments, analysts believe the group is more than an independent cybercriminal outfit — it represents a sophisticated adversary with potential nation-state backing.
Industry Response and Security Warnings
Security vendors and incident response teams have reacted swiftly to the discovery of Velociraptor misuse in ransomware campaigns. Sophos, Cisco Talos, and Rapid7 each released advisories stressing that the attacks represent a misuse of legitimate administrative tools rather than a flaw in Velociraptor itself. Rapid7 noted that while the utility remains a valuable tool for defenders, outdated versions containing vulnerabilities must be patched or replaced immediately to prevent abuse.
Researchers warn that this campaign highlights a larger problem: adversaries are increasingly “living off the land” by exploiting trusted utilities to mask their operations. By abusing security and administrative tools such as Velociraptor, attackers can blend into normal IT activity and evade detection. This makes continuous monitoring, anomaly detection, and detailed logging essential for organizations seeking to spot unusual use of legitimate software.
Defenders are urged to take several key steps in response to these findings:
- Audit and patch any outdated versions of Velociraptor or other DFIR tools within enterprise environments.
- Apply all available security updates for Microsoft SharePoint servers and other public-facing applications targeted by ToolShell exploits.
- Enable multi-factor authentication (MFA) for administrative accounts and enforce least-privilege principles.
- Increase monitoring for indicators of compromise such as unauthorized domain admin creation, GPO modification, and data exfiltration tools like RClone.
- Consider deploying endpoint detection and response (EDR) solutions capable of identifying misuse of legitimate utilities.
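Two of the monitoring items above, unauthorized domain admin creation and GPO modification, can be correlated from the Windows Security log. The following is an added example, not code from the article or from any vendor, that works over constructed event dictionaries whose keys mirror the XML field names of Security events 4720 (user account created), 4728 (member added to a security-enabled global group) and 5136 (directory service object modified). The one-hour window, the allow-list of accounts expected to edit group policy, and the sample events themselves are assumptions.

```python
"""Correlation sketch for Active Directory abuse indicators.

Added example, not code from the article. Events are constructed dicts;
keys follow the Windows Security event XML field names so the logic maps
directly onto a SIEM query. Domain Admins is matched by its well-known
RID 512, which is stable across domains.
"""
from __future__ import annotations

from datetime import datetime, timedelta

DOMAIN_ADMINS_RID = "-512"
NEW_ACCOUNT_WINDOW = timedelta(hours=1)      # assumption: tune to local change process
GPO_CHANGE_ALLOWLIST = {"svc-gpo-pipeline"}  # assumption: accounts expected to edit GPOs


def _ts(ev: dict) -> datetime:
    return datetime.fromisoformat(ev["TimeCreated"])


def new_accounts_promoted(events, window: timedelta = NEW_ACCOUNT_WINDOW) -> list[dict]:
    """Accounts created (4720) and then added to Domain Admins (4728) within the window.

    Matching is done on SIDs: 4720 carries TargetSid for the new account and
    4728 carries MemberSid for the account being added.
    """
    created = {ev["TargetSid"]: (ev["TargetUserName"], _ts(ev))
               for ev in events if ev["EventID"] == 4720}
    hits = []
    for ev in events:
        if ev["EventID"] != 4728 or not ev["TargetSid"].endswith(DOMAIN_ADMINS_RID):
            continue
        if ev["MemberSid"] not in created:
            continue
        name, created_at = created[ev["MemberSid"]]
        if timedelta(0) <= _ts(ev) - created_at <= window:
            hits.append({"account": name, "created": created_at,
                         "promoted": _ts(ev), "by": ev["SubjectUserName"]})
    return hits


def gpo_modifications(events, allowlist=GPO_CHANGE_ALLOWLIST) -> list[dict]:
    """5136 events on groupPolicyContainer objects by accounts outside the allow-list."""
    hits = []
    for ev in events:
        if ev["EventID"] != 5136 or ev.get("ObjectClass") != "groupPolicyContainer":
            continue
        if ev["SubjectUserName"].lower() in allowlist:
            continue
        hits.append({"gpo": ev["ObjectDN"], "attribute": ev["AttributeLDAPDisplayName"],
                     "by": ev["SubjectUserName"], "at": _ts(ev)})
    return hits


# Constructed sample: a new account promoted minutes after creation that then
# edits the Default Domain Policy, alongside benign helpdesk and pipeline activity.
DOM = "S-1-5-21-1111-2222-3333"
DEFAULT_DOMAIN_POLICY = "CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=corp,DC=example"
SAMPLE_EVENTS = [
    {"EventID": 4720, "TimeCreated": "2025-07-20T02:10:00", "TargetUserName": "backupadm",
     "TargetSid": f"{DOM}-1105", "SubjectUserName": "svc-sp-farm"},
    {"EventID": 4728, "TimeCreated": "2025-07-20T02:12:30", "MemberSid": f"{DOM}-1105",
     "TargetUserName": "Domain Admins", "TargetSid": f"{DOM}-512", "SubjectUserName": "svc-sp-farm"},
    {"EventID": 5136, "TimeCreated": "2025-07-20T02:20:00", "ObjectClass": "groupPolicyContainer",
     "ObjectDN": DEFAULT_DOMAIN_POLICY, "AttributeLDAPDisplayName": "versionNumber",
     "SubjectUserName": "backupadm"},
    {"EventID": 4720, "TimeCreated": "2025-07-20T09:00:00", "TargetUserName": "jdoe",
     "TargetSid": f"{DOM}-1106", "SubjectUserName": "helpdesk1"},
    {"EventID": 4728, "TimeCreated": "2025-07-20T09:01:00", "MemberSid": f"{DOM}-1106",
     "TargetUserName": "Sales Users", "TargetSid": f"{DOM}-1107", "SubjectUserName": "helpdesk1"},
    {"EventID": 5136, "TimeCreated": "2025-07-20T11:00:00", "ObjectClass": "groupPolicyContainer",
     "ObjectDN": DEFAULT_DOMAIN_POLICY, "AttributeLDAPDisplayName": "versionNumber",
     "SubjectUserName": "svc-gpo-pipeline"},
    {"EventID": 5136, "TimeCreated": "2025-07-20T11:05:00", "ObjectClass": "user",
     "ObjectDN": "CN=jdoe,CN=Users,DC=corp,DC=example", "AttributeLDAPDisplayName": "description",
     "SubjectUserName": "helpdesk1"},
]

if __name__ == "__main__":
    for hit in new_accounts_promoted(SAMPLE_EVENTS):
        print("new account promoted to Domain Admins:", hit)
    for hit in gpo_modifications(SAMPLE_EVENTS):
        print("GPO modified outside allow-list:", hit)
```

Both checks need the matching audit subcategories enabled (Account Management for 4720/4728, Directory Service Changes for 5136) and the events forwarded from every domain controller; a single missing DC leaves a blind spot exactly where an attacker who has already created a privileged account would operate.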
Industry experts emphasize that prevention depends on a layered defense. Patch management, account security, and logging are critical, but so is the ability to respond rapidly when an intrusion is detected. Organizations are also advised to prepare incident response playbooks that account for attackers repurposing legitimate tools, as this tactic is becoming more common in ransomware operations worldwide.
Key Takeaways
The misuse of Velociraptor in recent LockBit, Warlock, and Babuk campaigns shows how quickly legitimate tools can be turned against the organizations that use them. By exploiting unpatched Microsoft SharePoint servers and deploying an outdated version of Velociraptor, Storm-2603 gained privileged access, created new administrator accounts, disabled security controls, and spread ransomware across networks.
Researchers point to evidence that Storm-2603 operates with resources and structure more advanced than typical criminal groups. Development timelines, organized workflows, and selective targeting patterns indicate a highly capable adversary, possibly with nation-state support. The campaign demonstrates how attackers now combine exploits, open-source utilities, and leaked ransomware builders to accelerate their operations.
For organizations, the lessons are clear. Keep defensive tools updated, patch internet-facing systems quickly, and monitor for unusual use of administrative software. Enforce multi-factor authentication on privileged accounts, limit access rights wherever possible, and prepare incident response plans that account for the misuse of trusted security utilities.
The Velociraptor attacks are a reminder that every tool in the environment, even one built to improve security, can become a weapon if it falls into the wrong hands. Vigilance, layered defenses, and proactive monitoring remain the strongest protection against these evolving ransomware threats.