In a concerning development that highlights the growing sophistication of modern cybercriminal operations, security researchers have confirmed that threat actors are weaponizing Velociraptor, a legitimate open-source digital forensics and incident response tool, to conduct ransomware attacks. This represents a troubling evolution in attack methodologies, where tools designed to protect organizations are being turned against them.
Cisco Talos researchers first identified this activity in August 2025 while responding to a multi-vector ransomware incident. The attacks have been attributed with moderate confidence to Storm-2603, a suspected China-based threat actor group also tracked as CL-CRI-1040 and Gold Salem. This group first emerged in June 2025 and has quickly established itself as a sophisticated operation known for deploying multiple ransomware variants including Warlock, LockBit, and Babuk.
The threat actors gained initial access by exploiting SharePoint vulnerabilities collectively known as ToolShell. Once inside the target environment, they deployed an outdated version of Velociraptor (version 0.73.4.0) that contains a critical privilege escalation vulnerability tracked as CVE-2025-6264. This vulnerability allows attackers to execute arbitrary commands with SYSTEM-level privileges, effectively granting them complete control over compromised endpoints.
The sophistication of this campaign becomes evident when examining the attack chain. After establishing initial access, the threat actors created multiple local administrator accounts synchronized with Azure Entra ID, providing them with persistent access across the environment. They then infiltrated VMware vSphere consoles and installed the vulnerable Velociraptor version on both Windows and VMware ESXi systems.
Using the compromised DFIR tool, the attackers executed reconnaissance commands to map the network and identify valuable targets. They manipulated scheduled tasks to maintain persistence and disabled Microsoft Defender’s real-time protection features to avoid detection. The threat actors also modified Active Directory Group Policy Objects to facilitate their lateral movement and establish control across the domain.
For remote program execution, Storm-2603 employed Impacket smbexec-style commands, leveraging the SMB protocol to launch tools and payloads across multiple systems simultaneously. This approach allowed them to move quickly through the environment while maintaining a relatively low profile compared to noisier attack methods.
Before encrypting systems, the attackers exfiltrated sensitive data to maximize the impact of their extortion attempts. They then deployed three different ransomware variants: Warlock, LockBit, and Babuk. This marks the first time Storm-2603 has been observed using Babuk ransomware, demonstrating the group’s evolving capabilities and operational flexibility.
The abuse of Velociraptor highlights a broader trend in cybersecurity where attackers increasingly leverage legitimate administrative and security tools to evade detection. These tools are commonly present in enterprise environments and their network traffic typically does not trigger security alerts, making them ideal for maintaining persistent access while blending into normal administrative activities.
Rapid7, which acquired Velociraptor in 2021 and maintains the project, acknowledged awareness of the tool’s misuse. Christiaan Beek, Rapid7’s senior director of threat analytics, characterized the situation as a misuse pattern rather than a fundamental software flaw. Adversaries are simply repurposing legitimate collection and orchestration capabilities that the tool was designed to provide to security teams.
This perspective underscores an uncomfortable reality in cybersecurity. Many powerful tools that security professionals rely on can be equally effective in the hands of attackers. The challenge lies not in eliminating these capabilities, but in implementing robust detection mechanisms that can distinguish between legitimate administrative use and malicious activity.
Analysis from multiple security firms suggests Storm-2603 may have connections to Chinese nation-state actors. Several indicators support this assessment. The group demonstrated early access to the ToolShell exploit, utilizing it as a zero-day vulnerability before it became widely known. The ransomware samples exhibit professional-grade development practices consistent with sophisticated state-aligned hacking groups rather than opportunistic criminal operations.
Halcyon researchers identified specific operational patterns that point toward state sponsorship. The group maintains 48-hour development cycles for feature additions, reflecting structured team workflows and professional project management. Timestamps from compiled ransomware payloads consistently show creation between 22:58 and 22:59 China Standard Time, with malicious installers packaged at 01:55 the following morning. This consistency suggests a disciplined operation working on a regular schedule rather than an ad-hoc criminal enterprise.
The threat actors also demonstrate advanced operational security measures. They strip timestamps from their tools, intentionally corrupt expiration mechanisms to hinder analysis, and maintain cohesive command-and-control infrastructure across multiple ransomware variants. The consistent contact information and shared domains across Warlock, LockBit, and Babuk deployments indicate centralized operations rather than opportunistic reuse of infrastructure.
Storm-2603’s development timeline reveals remarkable operational agility. The group established infrastructure for their AK47 command-and-control framework in March 2025 and created the first prototype in April. Initially, they deployed only LockBit ransomware, but within 48 hours pivoted to dual LockBit and Warlock deployment. While continuing to develop their proprietary ransomware, they registered as a LockBit affiliate. Notably, Warlock was the final affiliate registered with the LockBit operation before the scheme suffered a major data leak.
The group officially launched Warlock ransomware under its own branding in June 2025. By July, they had expanded their arsenal to include Babuk ransomware and were actively exploiting ToolShell as a zero-day vulnerability. This rapid progression from initial infrastructure establishment to multi-ransomware deployment demonstrates operational flexibility, sophisticated builder expertise, and deliberate detection evasion tactics.
This campaign presents significant challenges for security teams. Traditional security monitoring often struggles to flag activity from legitimate administrative tools, as these are expected components of enterprise environments. Defenders must develop more nuanced detection strategies that examine behavioral patterns and contextual indicators rather than relying solely on signature-based detection.
Organizations should implement rigorous controls around privileged accounts and carefully monitor for the creation of new administrative accounts, particularly those synchronized with cloud identity platforms. Anomalous use of administrative tools outside normal business hours or by accounts that do not typically perform such functions should trigger investigation. Changes to Group Policy Objects, particularly those affecting security controls, require immediate scrutiny regardless of the account making the modifications.
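The detection guidance above maps onto a handful of Windows event types. The following is an added example (not code from the original post, from Cisco Talos, or from the Velociraptor project) that runs simple behavioural rules over constructed event records: a new local account promoted to Administrators shortly after creation, an administrative tool started outside business hours or by an account not expected to use it, Windows Defender real-time protection being disabled, a Group Policy object edit, and a service installation whose command line has the shape of smbexec-style remote execution. The event IDs are standard Windows ones (4720, 4732, 4688, 5136, 7045 and Defender operational event 5001); the business-hours window, the allow-list of admin-tool users, and the sample events themselves are assumptions made for the example.

```python
"""
Behavioural detection rules over constructed Windows event records.
Added illustrative code, not part of the original post or of any vendor tool.
Event IDs: 4720 user account created, 4732 member added to a local security
group, 4688 process creation, 5136 directory service object modified (GPO
edits land here), 7045 new service installed, Defender 5001 real-time
protection disabled.
"""
from datetime import datetime

BUSINESS_HOURS = range(8, 18)                      # assumption: 08:00-17:59 local
ADMIN_TOOL_USERS = {"svc-dfir", "alice.admin"}     # assumption: expected operators
ADMIN_TOOLS = {"velociraptor.exe", "psexec.exe"}   # assumption: tools to watch
PROMOTION_WINDOW_SECONDS = 600                     # assumption: create->admin within 10 min

# Constructed sample events, not real telemetry.
EVENTS = [
    {"time": "2025-08-12T02:14:00", "id": 4720, "user": "jdoe", "target": "backupadm"},
    {"time": "2025-08-12T02:15:30", "id": 4732, "user": "jdoe", "target": "backupadm",
     "group": "Administrators"},
    {"time": "2025-08-12T02:20:11", "id": 4688, "user": "backupadm", "image": "velociraptor.exe"},
    {"time": "2025-08-12T02:31:45", "id": 5001, "user": "backupadm"},
    {"time": "2025-08-12T03:02:09", "id": 5136, "user": "backupadm",
     "object": "CN={PLACEHOLDER-GUID},CN=Policies,CN=System,DC=corp,DC=local"},
    {"time": "2025-08-12T03:10:00", "id": 7045, "user": "SYSTEM", "service": "svc-tmp",
     "image": "%COMSPEC% /Q /c echo dir ^> \\\\127.0.0.1\\C$\\out 2^>^&1 > %TEMP%\\x.bat"},
    {"time": "2025-08-12T10:00:00", "id": 4688, "user": "alice.admin", "image": "velociraptor.exe"},
]


def looks_like_smbexec(cmdline):
    """Service binary path shaped like an smbexec-style one-shot cmd wrapper."""
    c = cmdline.upper()
    return "/Q /C" in c and ("COMSPEC" in c or "CMD.EXE" in c)


def detect(events):
    """Return (rule, actor, detail, time) tuples for every rule that fires."""
    alerts = []
    created = {}  # target account -> creation time, for the promotion rule
    for ev in sorted(events, key=lambda e: e["time"]):
        t = datetime.fromisoformat(ev["time"])
        eid = ev["id"]
        if eid == 4720:
            created[ev["target"]] = t
        elif eid == 4732 and ev.get("group") == "Administrators":
            made = created.get(ev["target"])
            if made is not None and (t - made).total_seconds() <= PROMOTION_WINDOW_SECONDS:
                alerts.append(("new-local-admin", ev["user"], ev["target"], ev["time"]))
        elif eid == 4688 and ev.get("image", "").lower() in ADMIN_TOOLS:
            # Off-hours use or use by an unexpected account both warrant a look.
            if t.hour not in BUSINESS_HOURS or ev["user"] not in ADMIN_TOOL_USERS:
                alerts.append(("anomalous-admin-tool", ev["user"], ev["image"], ev["time"]))
        elif eid == 5001:
            alerts.append(("defender-rtp-disabled", ev["user"], "", ev["time"]))
        elif eid == 5136 and "CN=Policies" in ev.get("object", ""):
            # GPO edits are flagged regardless of which account made them.
            alerts.append(("gpo-modified", ev["user"], ev["object"], ev["time"]))
        elif eid == 7045 and looks_like_smbexec(ev.get("image", "")):
            alerts.append(("smbexec-style-service", ev["user"], ev["service"], ev["time"]))
    return alerts


if __name__ == "__main__":
    for a in detect(EVENTS):
        print(a)
```

The promotion rule is stateful (it remembers recent account creations), which is what lets a defender tie the 4720/4732 pair together rather than alerting on every group change; the in-hours run of velociraptor.exe by an allow-listed operator correctly produces no alert.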
Keeping all software, including security and administrative tools, updated to the latest versions is essential. The fact that Storm-2603 specifically deployed an outdated, vulnerable version of Velociraptor demonstrates how attackers actively seek out and exploit known vulnerabilities in legitimate tools. Organizations using Velociraptor or similar DFIR tools should ensure they are running current versions and monitoring for unauthorized deployments.
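One concrete way to act on the last sentence is an inventory audit: reconcile every host where a Velociraptor agent is observed against the list of hosts where it is supposed to be deployed, and compare the reported build against a minimum approved version. The block below is an added example, not Rapid7's or Velociraptor's code. The only version it treats as known-vulnerable is 0.73.4.0, the build the post names; the minimum approved version, the approved host list and the observed agents are constructed placeholders.

```python
"""
Velociraptor deployment audit: unauthorized hosts and outdated builds.
Added illustrative code, not part of the original post or of Rapid7 tooling.
"""
import re

KNOWN_VULNERABLE = "0.73.4.0"        # build named in the post (CVE-2025-6264)
MIN_APPROVED = "0.74.0.0"            # placeholder: the organisation's own floor, an assumption
APPROVED_HOSTS = {"dfir-01", "dfir-02"}   # constructed approved deployment list

# Constructed observations: (host, version string reported by the binary, platform).
OBSERVED = [
    ("dfir-01", "0.74.3.1", "windows"),
    ("esxi-07", "0.73.4.0", "esxi"),
    ("fileserver-03", "v0.73.4.0", "windows"),
    ("dfir-02", "0.73.4.0", "windows"),
]


def parse_version(s):
    """Turn '0.73.4.0' or 'v0.73.4' into a 4-part integer tuple for comparison."""
    m = re.fullmatch(r"v?(\d+(?:\.\d+)*)", s.strip())
    if not m:
        raise ValueError(f"unparseable version: {s!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


def audit(observed, approved_hosts, min_version):
    """Return (host, finding) pairs; a host can produce more than one finding."""
    findings = []
    vulnerable = parse_version(KNOWN_VULNERABLE)
    floor = parse_version(min_version)
    for host, ver, _platform in observed:
        v = parse_version(ver)
        if host not in approved_hosts:
            findings.append((host, "unauthorized-deployment"))
        if v == vulnerable:
            findings.append((host, "known-vulnerable-version"))
        elif v < floor:
            findings.append((host, "below-minimum-version"))
    return findings


if __name__ == "__main__":
    for host, finding in audit(OBSERVED, APPROVED_HOSTS, MIN_APPROVED):
        print(f"{host}: {finding}")
```

An agent on an approved host still gets flagged when its build is the vulnerable one, and an unapproved host is flagged even when the build is current, since the post's point is that both conditions matter independently.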
The weaponization of Velociraptor in ransomware attacks serves as a stark reminder that the distinction between offensive and defensive security tools often exists only in the intent of the user. As threat actors continue to evolve their tactics and leverage legitimate infrastructure to mask their activities, security teams must adapt their detection and response strategies accordingly.
The Storm-2603 campaign demonstrates the sophistication that modern ransomware operations can achieve, particularly when potentially backed by nation-state resources. The rapid development cycles, professional operational patterns, and strategic use of multiple ransomware variants reflect capabilities well beyond those of typical cybercriminal groups.
Organizations must recognize that effective security in this environment requires defense in depth. No single control or technology can provide complete protection against determined, sophisticated adversaries. Instead, security programs must layer multiple defensive measures, implement robust monitoring and detection capabilities, and maintain the ability to respond quickly when indicators of compromise are identified. The abuse of trusted tools makes this more challenging, but understanding these tactics is the first step toward developing effective countermeasures.
References:
The Hacker News: Hackers Turn Velociraptor DFIR Tool Into Weapon in LockBit Ransomware Attacks
Cisco Talos Intelligence: Velociraptor Leveraged in Ransomware Attacks
BleepingComputer: Hackers Now Use Velociraptor DFIR Tool in Ransomware Attacks
Rapid7 Blog: Identifying and Mitigating Potential Velociraptor Abuse
Halcyon: Threat Intel Report: Warlock
Copyright 2025 © Cyrion.io