By using this site, you agree to the Privacy Policy and Terms of Use.
Accept
World of SoftwareWorld of SoftwareWorld of Software
  • News
  • Software
  • Mobile
  • Computing
  • Gaming
  • Videos
  • More
    • Gadget
    • Web Stories
    • Trending
    • Press Release
Search
  • Privacy
  • Terms
  • Advertise
  • Contact
Copyright © All Rights Reserved. World of Software.
Reading: Hackers Turn Velociraptor DFIR Tool Into Weapon in LockBit Ransomware Attacks
Share
Sign In
Notification Show More
Font ResizerAa
World of SoftwareWorld of Software
Font ResizerAa
  • Software
  • Mobile
  • Computing
  • Gadget
  • Gaming
  • Videos
Search
  • News
  • Software
  • Mobile
  • Computing
  • Gaming
  • Videos
  • More
    • Gadget
    • Web Stories
    • Trending
    • Press Release
Have an existing account? Sign In
Follow US
  • Privacy
  • Terms
  • Advertise
  • Contact
Copyright © All Rights Reserved. World of Software.
World of Software > Computing > Hackers Turn Velociraptor DFIR Tool Into Weapon in LockBit Ransomware Attacks
Computing

Hackers Turn Velociraptor DFIR Tool Into Weapon in LockBit Ransomware Attacks

News Room
Last updated: 2025/10/11 at 9:18 AM
News Room Published 11 October 2025
Share
SHARE

Oct 11, 2025Ravie LakshmananNetwork Security / Vulnerability

Threat actors are abusing Velociraptor, an open-source digital forensics and incident response (DFIR) tool, in connection with ransomware attacks likely orchestrated by Storm-2603 (aka CL-CRI-1040 or Gold Salem), which is known for deploying the Warlock and LockBit ransomware.

The threat actor’s use of the security utility was documented by Sophos last month. It’s assessed that the attackers weaponized the on-premises SharePoint vulnerabilities known as ToolShell to obtain initial access and deliver an outdated version of Velociraptor (version 0.73.4.0) that’s susceptible to a privilege escalation vulnerability (CVE-2025-6264) to enable arbitrary command execution and endpoint takeover, per Cisco Talos.

In the attack in mid-August 2025, the threat actors are said to have made attempts to escalate privileges by creating domain admin accounts and moving laterally within the compromised environment, as well as leveraging the access to run tools like Smbexec to remotely launch programs using the SMB protocol.

Prior to data exfiltration and dropping Warlock, LockBit, and Babuk, the adversary has been found to modify Active Directory (AD) Group Policy Objects (GPOs), turn off real-time protection to tamper with system defenses, and evade detection. The findings mark the first time Storm-2603 has been linked to the deployment of Babuk ransomware.

DFIR Retainer Services

Rapid7, which maintains Velociraptor after acquiring it in 2021, previously told The Hacker News that it’s aware of the misuse of the tool, and that it can also be abused when in the wrong hands, just like other security and administrative tools.

“This behavior reflects a misuse pattern rather than a software flaw: adversaries simply repurpose legitimate collection and orchestration capabilities,” Christiaan Beek, Rapid7’s senior director of threat analytics, said in response to the latest reported attacks.

According to Halcyon, Storm-2603 is believed to share some connections to Chinese nation-state actors owing to its early access to the ToolShell exploit and the emergence of new samples that exhibit professional-grade development practices consistent with sophisticated hacking groups.

The ransomware crew, which first emerged in June 2025, has since used LockBit as both an operational tool and a development foundation. It’s worth noting that Warlock was the final affiliate registered with the LockBit scheme under the name “wlteaml” before LockBit suffered a data leak a month before.

“Warlock planned from the beginning to deploy multiple ransomware families to confuse attribution, evade detection, and accelerate impact,” the company said. “Warlock demonstrates the discipline, resources, and access characteristic of nation-state–aligned threat actors, not opportunistic ransomware crews.”

Halcyon also pointed out the threat actor’s 48-hour development cycles for feature additions, reflective of structured team workflows. This centralized, organized project structure suggests a team with dedicated infrastructure and tooling, it added.

Other notable aspects that suggest ties to Chinese state-sponsored actors include –

  • Use of operational security (OPSEC) measures, such as stripped timestamps and intentionally corrupted expiration mechanisms
  • The compilation of ransomware payloads at 22:58-22:59 China Standard Time and packaging them into a malicious installer at 01:55 the next morning
  • Consistent contact information and shared, misspelled domains across Warlock, LockBit, and Babuk deployments, suggesting cohesive command-and-control (C2) operations and not opportunistic infrastructure reuse
CIS Build Kits

A deeper examination of Storm-2603’s development timeline has uncovered that the threat actor established the infrastructure for AK47 C2 framework in March 2025, and then created the first prototype of the tool the next month. In April, it also pivoted from LockBit-only deployment to dual LockBit/Warlock deployment within a span of 48 hours.

While it subsequently registered as a LockBit affiliate, work continued on its own ransomware until it was formally launched under the Warlock branding in June. Weeks later, the threat actor was observed leveraging the ToolShell exploit as a zero-day while also deploying Babuk ransomware starting July 21, 2025.

“The group’s rapid evolution in April from the LockBit 3.0-only deployment to a multi-ransomware deployment 48 hours later, followed by Babuk deployment in July, shows operational flexibility, detection evasion capabilities, attribution confusion tactics, and sophisticated builder expertise using leaked and open-source ransomware frameworks,” Halcyon said.

Sign Up For Daily Newsletter

Be keep up! Get the latest breaking news delivered straight to your inbox.
By signing up, you agree to our Terms of Use and acknowledge the data practices in our Privacy Policy. You may unsubscribe at any time.
Share This Article
Facebook Twitter Email Print
Share
What do you think?
Love0
Sad0
Happy0
Sleepy0
Angry0
Dead0
Wink0
Previous Article I’ve been looking for a killer email app, and this might be it
Next Article How Scientists Rediscovered This Rare And Elusive Bird That We Thought Was Extinct For 100 Years – BGR
Leave a comment

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Stay Connected

248.1k Like
69.1k Follow
134k Pin
54.3k Follow

Latest News

Hey Google, why do I need an iPhone to use my favorite Google Photos feature?
News
Alipay ramps up efforts to monetize huge user base amid fierce competition with WeChat · TechNode
Computing
Keycap Shape Matters More To Your Keyboard Than You Think
News
'The Chair Company': Release Schedule and How to Watch
News

You Might also Like

Computing

Alipay ramps up efforts to monetize huge user base amid fierce competition with WeChat · TechNode

3 Min Read
Computing

NIO battery swap stations facilitate peak-off-peak load shifting in Denmark · TechNode

1 Min Read
Computing

5 free apps I always install first on new iPhone

7 Min Read
Computing

Luckin Coffee sees profit margin drop 10% in Q4 despite revenue surpassing Starbucks by $260 million · TechNode

1 Min Read
//

World of Software is your one-stop website for the latest tech news and updates, follow us now to get the news that matters to you.

Quick Link

  • Privacy Policy
  • Terms of use
  • Advertise
  • Contact

Topics

  • Computing
  • Software
  • Press Release
  • Trending

Sign Up for Our Newsletter

Subscribe to our newsletter to get our newest articles instantly!

World of SoftwareWorld of Software
Follow US
Copyright © All Rights Reserved. World of Software.
Welcome Back!

Sign in to your account

Lost your password?