Storm-2603 Exploits Velociraptor DFIR Tool in Sophisticated Ransomware Attacks Involving Warlock, LockBit

Threat actor Storm-2603, also tracked as Gold Salem, is weaponizing the open-source Velociraptor DFIR tool in targeted ransomware attacks that gain entry through the SharePoint vulnerabilities collectively known as ToolShell. According to Cisco Talos and Sophos, the attackers deployed an outdated, vulnerable Velociraptor build (v0.73.4.0) to escalate privileges and move laterally before delivering Warlock, LockBit and, for the first time, Babuk ransomware. The campaign also involves Active Directory tampering and defense-evasion tactics, and its operational discipline, more typical of nation-state tradecraft than of commodity ransomware crews, has fueled suspicions of links to Chinese APT groups.

Cisco Talos reports that attackers exploited on-premises SharePoint vulnerabilities, collectively tracked as ToolShell, to gain initial access and deploy an outdated version of Velociraptor (v0.73.4.0). This version contains a known privilege escalation flaw (CVE-2025-6264), enabling arbitrary command execution and full endpoint takeover.

During the mid-August 2025 attack, the threat actors attempted to escalate privileges by creating domain administrator accounts and then moved laterally across the compromised network, using tools such as Smbexec to execute programs remotely over the SMB protocol and deepen their foothold in the environment.

Cisco Talos pointed to detection guidance from Rapid7, Velociraptor's maintainer, which notes that while the tool produces "easy to detect" indicators of compromise when it is misused, attackers can modify the open-source code to suppress or alter those signals. Rapid7 warned that such modified builds will typically be unsigned or signed by an unknown entity, and that either anomaly should be flagged during threat hunting or incident response.
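The following script is an added example, not code from the article or from Rapid7, showing how the three hunting signals above (the affected v0.73.4.0 build, a missing signature, an unexpected signer) can be applied to process-creation telemetry. The `ProcessEvent` record, the sample events and the `EXPECTED_SIGNERS` value are all constructed assumptions; the signer set should be filled from the Authenticode subject of a release you obtained directly from the vendor, and the affected-version threshold taken from the vendor advisory rather than from the single version named here.

```python
"""Hunt for suspicious Velociraptor executions in process-creation telemetry.

Added example; the record layout and sample data below are constructed.
"""
import ntpath
from dataclasses import dataclass
from typing import List, Tuple

# Version named in the article as carrying CVE-2025-6264. Everything at or
# below it is treated as affected here; confirm the first fixed release from
# the vendor advisory rather than relying on this constant.
AFFECTED_MAX_VERSION: Tuple[int, ...] = (0, 73, 4, 0)

# Assumed placeholder. Populate from the signer of a known-good release you
# downloaded yourself; any other signer, or no signature, is a hunting lead.
EXPECTED_SIGNERS = {"Rapid7 LLC"}


@dataclass
class ProcessEvent:
    """Minimal process-creation record as an EDR or Sysmon pipeline might emit."""
    host: str
    image: str          # full path of the executed file
    product: str        # Product field from the PE version resource
    file_version: str   # FileVersion field from the PE version resource
    signed: bool        # Authenticode signature present and valid
    signer: str = ""    # subject name of the signing certificate, if any


def parse_version(text: str) -> Tuple[int, ...]:
    """'v0.73.4.0' -> (0, 73, 4, 0); pads to four components, ignores junk."""
    parts = []
    for piece in text.lower().lstrip("v").split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple((parts + [0, 0, 0, 0])[:4])


def is_velociraptor(ev: ProcessEvent) -> bool:
    """Match on the PE product name so a renamed binary is still caught."""
    name = ntpath.basename(ev.image).lower()
    return ev.product.lower() == "velociraptor" or name.startswith("velociraptor")


def assess(ev: ProcessEvent) -> List[str]:
    """Return the reasons this Velociraptor execution deserves a closer look."""
    findings = []
    if not ev.signed:
        findings.append("unsigned binary")
    elif ev.signer not in EXPECTED_SIGNERS:
        findings.append(f"signed by unexpected publisher: {ev.signer}")
    if parse_version(ev.file_version) <= AFFECTED_MAX_VERSION:
        findings.append(f"affected version {ev.file_version} (CVE-2025-6264)")
    name = ntpath.basename(ev.image).lower()
    if "velociraptor" not in name:
        findings.append(f"renamed binary: {name}")
    return findings


def hunt(events: List[ProcessEvent]):
    """Return (host, image, findings) for every Velociraptor run that raised a flag."""
    hits = []
    for ev in events:
        if not is_velociraptor(ev):
            continue
        findings = assess(ev)
        if findings:
            hits.append((ev.host, ev.image, findings))
    return hits


# Constructed sample telemetry, not real data from the incident.
SAMPLE_EVENTS = [
    ProcessEvent("ws-01", r"C:\Windows\notepad.exe", "Microsoft Windows",
                 "10.0.19041.1", True, "Microsoft Windows"),
    ProcessEvent("dc-01", r"C:\Program Files\Velociraptor\velociraptor.exe",
                 "Velociraptor", "0.74.5.0", True, "Rapid7 LLC"),
    ProcessEvent("sp-01", r"C:\Windows\Temp\v.exe", "Velociraptor",
                 "0.73.4.0", False),
    ProcessEvent("fs-02", r"C:\ProgramData\velociraptor.exe", "Velociraptor",
                 "v0.73.4.0", True, "Contoso Software Ltd"),
]

if __name__ == "__main__":
    for host, image, findings in hunt(SAMPLE_EVENTS):
        print(f"{host}: {image}")
        for reason in findings:
            print(f"    - {reason}")
```

Only the legitimately signed, current build on dc-01 passes silently; the unsigned, renamed v0.73.4.0 copy dropped in a temp directory and the copy signed by an unknown publisher both surface, which is exactly the pattern Rapid7's guidance describes. In a real hunt the same three checks map directly onto EDR fields or Sysmon event 1/7 data, and the signer check should be run against the actual certificate chain rather than a display name.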