Hackers Turn Velociraptor DFIR Tool Into Weapon in LockBit Ransomware Attacks

Summary

Threat actors associated with Storm-2603 (aka CL-CRI-1040 / Gold Salem) have been observed weaponising Velociraptor — an open-source DFIR tool — as part of multi-family ransomware operations that include Warlock, LockBit and, for the first time linked to this actor, Babuk. Attackers exploited on-premises SharePoint vulnerabilities (ToolShell) for initial access and deployed an outdated Velociraptor build (v0.73.4.0) vulnerable to privilege escalation (CVE-2025-6264) to execute arbitrary commands and take over endpoints.

The intrusions involved lateral movement (including Smbexec), creation of domain admin accounts, modification of Active Directory Group Policy Objects, disabling real-time protection and data exfiltration prior to dropping ransomware. Rapid7 (maintainer of Velociraptor) acknowledges the tool can be abused, and reporting from Sophos, Cisco Talos and Halcyon links the activity to a structured, fast-moving team with tactics consistent with nation-state–grade operations.

Key Points

  • Attackers used the ToolShell SharePoint exploit for initial access and delivered an outdated Velociraptor (v0.73.4.0) vulnerable to CVE-2025-6264.
  • Velociraptor’s legitimate collection and orchestration capabilities were repurposed to achieve privilege escalation and remote endpoint control.
  • Storm-2603 deployed multiple ransomware families (Warlock, LockBit and Babuk) in the same campaign to confuse attribution and increase impact.
  • Adversaries performed AD GPO modifications, created domain admin accounts, disabled endpoint protections and used Smbexec for lateral movement.
  • Indicators of a sophisticated, organised actor include rapid 48-hour development cycles, centralised tooling (AK47 C2), OPSEC measures and compilation timestamps tied to China Standard Time.
  • Rapid7 and security vendors warn that DFIR/admin tools can be turned against their owners; in many cases this is a misuse pattern rather than a flaw in the tool itself.
  • Mitigations: patch Velociraptor and SharePoint, monitor for unusual Velociraptor activity, harden AD/GPO change monitoring, enforce EDR protections and restrict SMB remote execution tools.
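As an added example (not code from the article, from Rapid7 or from the other vendors cited), the following Python triages constructed Windows event records for the behaviours the key points describe: a Velociraptor client on a host where none is authorised, the outdated build named on the page, GPO edits, new domain-admin membership, real-time protection being switched off, and service installs consistent with smbexec-style remote execution. The authorised-host set, the hostnames, the placeholder "patched" version string and the event contents are all assumptions; the event IDs used (Sysmon 1, Security 5136 and 4728, Defender Operational 5001, System 7045) are standard Windows identifiers.

```python
"""Added triage example: scan constructed Windows event records for the
tradecraft summarised above. Not the article's or Velociraptor's code."""
from dataclasses import dataclass

# From the page: the Velociraptor build the attackers dropped (CVE-2025-6264).
KNOWN_VULNERABLE_VELOCIRAPTOR = {"0.73.4.0"}
# Assumption: hosts where an authorised Velociraptor client is expected to run.
AUTHORISED_VELOCIRAPTOR_HOSTS = {"dfir-srv01"}
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins"}


@dataclass(frozen=True)
class Finding:
    host: str
    rule: str
    detail: str


def velociraptor_rules(ev):
    """Sysmon event 1 (process create): check image name and FileVersion."""
    image = ev.get("image", "").lower()
    if not image.endswith("velociraptor.exe"):
        return []
    found = []
    if ev["host"] not in AUTHORISED_VELOCIRAPTOR_HOSTS:
        found.append(Finding(ev["host"], "velociraptor_unexpected_host", image))
    if ev.get("file_version") in KNOWN_VULNERABLE_VELOCIRAPTOR:
        found.append(Finding(ev["host"], "velociraptor_vulnerable_build", ev["file_version"]))
    return found


def gpo_rules(ev):
    """Security event 5136 (directory object modified) on a GPO container."""
    if ev.get("object_class") != "groupPolicyContainer":
        return []
    return [Finding(ev["host"], "gpo_modified", ev.get("object_dn", ""))]


def group_rules(ev):
    """Security event 4728 (member added to a security-enabled global group)."""
    if ev.get("group") not in PRIVILEGED_GROUPS:
        return []
    return [Finding(ev["host"], "privileged_group_add", f'{ev["member"]} -> {ev["group"]}')]


def defender_rules(ev):
    """Defender Operational event 5001: real-time protection disabled."""
    return [Finding(ev["host"], "realtime_protection_disabled", "Defender RTP off")]


def service_rules(ev):
    """System event 7045 (service installed) whose binary is a shell one-liner,
    the shape left behind by smbexec-style remote execution."""
    path = ev.get("image_path", "").lower()
    if "cmd.exe" not in path and "%comspec%" not in path:
        return []
    return [Finding(ev["host"], "remote_service_exec", ev["image_path"])]


RULES = {1: velociraptor_rules, 5136: gpo_rules, 4728: group_rules,
         5001: defender_rules, 7045: service_rules}


def triage(events):
    """Apply the rule matching each event's ID; return all findings."""
    findings = []
    for ev in events:
        rule = RULES.get(ev.get("event_id"))
        if rule:
            findings.extend(rule(ev))
    return findings


def summarise(findings):
    """Count findings per rule name."""
    counts = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


# Constructed sample events (not real telemetry); the GPO GUID and the
# "patched-build-placeholder" version string are placeholders.
SAMPLE_EVENTS = [
    {"event_id": 1, "host": "dfir-srv01", "file_version": "patched-build-placeholder",
     "image": r"C:\Program Files\Velociraptor\velociraptor.exe"},
    {"event_id": 1, "host": "sp-web01", "file_version": "0.73.4.0",
     "image": r"C:\Windows\Temp\velociraptor.exe"},
    {"event_id": 5136, "host": "dc01", "object_class": "groupPolicyContainer",
     "object_dn": "CN={00000000-0000-0000-0000-000000000000},CN=Policies,CN=System,DC=example,DC=local"},
    {"event_id": 4728, "host": "dc01", "member": "svc-backup2", "group": "Domain Admins"},
    {"event_id": 4728, "host": "dc01", "member": "jdoe", "group": "Marketing"},
    {"event_id": 5001, "host": "sp-web01"},
    {"event_id": 7045, "host": "fs01", "image_path": r"%COMSPEC% /Q /c hostname"},
    {"event_id": 7045, "host": "fs01", "image_path": r"C:\Program Files\Backup\agent.exe"},
]


def run_sample():
    """Triage the constructed events and return per-rule counts."""
    return summarise(triage(SAMPLE_EVENTS))


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f.host:12} {f.rule:32} {f.detail}")
```

Each rule is keyed on the event ID it expects, so feeding real exported events only requires mapping the exporter's field names onto the keys used here; the Velociraptor checks are the ones most worth tuning, since a client on an unapproved host is the earliest signal this campaign gives.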

Content summary

The article outlines how a criminal group linked to Storm-2603 leveraged a SharePoint zero-day (ToolShell) to gain initial access and dropped an old Velociraptor build that allowed privilege escalation via CVE-2025-6264. Attackers then moved laterally, escalated privileges to domain admin, altered AD Group Policy Objects and turned off real-time defences to avoid detection. Before encrypting systems, they exfiltrated data and deployed multiple ransomware families — Warlock, LockBit and Babuk — as part of an operational playbook designed to muddy attribution and maximise damage.

Security vendors (Rapid7, Sophos, Cisco Talos, Halcyon) have documented the campaign and highlighted operational features suggesting a well-resourced and organised team, including rapid feature development, centralised C2 infrastructure and deliberate OPSEC behaviours. The report stresses that legitimate DFIR tools can be repurposed by attackers and underlines the need for defenders to monitor for unexpected usage of such tools and to apply timely patches.

Context and relevance

This incident sits at the intersection of vulnerability exploitation, abuse of legitimate security tooling and multi-ransomware tactics. It underscores two ongoing trends: 1) attackers increasingly weaponise open-source/admin tools, and 2) ransomware actors adopt development discipline and OPSEC usually seen in state-aligned groups. Organisations that rely on on-prem SharePoint, use Velociraptor or have permissive AD/GPO practices should treat this as a high-risk scenario and prioritise detection and patching accordingly.

Why should I read this?

If you look after Windows estates, SharePoint, AD or DFIR tooling — pay attention. This isn’t just another ransomware write-up: it’s a clear example of how attackers reuse legit security tools to pivot, escalate and hide. We’ve read the messy details so you don’t have to — patch, watch for Velociraptor activity, lock down AD/GPO changes and block unexpected SMB-based remote execution. Quick fixes now will save a lot of pain later.

Source

Source: https://thehackernews.com/2025/10/hackers-turn-velociraptor-dfir-tool.html