Threat actors are abusing Velociraptor, a legitimate open-source DFIR tool, to support ransomware operations linked to Storm-2603, a threat group deploying LockBit, Warlock, and Babuk ransomware. Their tactics include exploiting SharePoint vulnerabilities, escalating privileges, and manipulating Active Directory, indicating a highly organized cybercrime operation possibly linked to Chinese state actors. #Velociraptor #Storm2603 #LockBit #Warlock #Babuk #ToolShell
Key points
- Threat actors misuse Velociraptor to support ransomware campaigns, turning a legitimate forensics tool into part of their intrusion toolkit.
- Storm-2603 has deployed multiple ransomware families, notably LockBit, Warlock, and Babuk, with a focus on operational flexibility and evasion.
- The group exploits the SharePoint ToolShell vulnerabilities to gain initial access and then escalates privileges.
- Attackers modify Active Directory GPOs and disable security features to evade detection and maintain persistence.
- Indicators suggest Storm-2603 has links to Chinese nation-state actors, exhibiting advanced development practices and operational security measures.
Read More: https://thehackernews.com/2025/10/hackers-turn-velociraptor-dfir-tool.html