Full Report
Threat actors are abusing Velociraptor, an open-source digital forensics and incident response (DFIR) tool, in connection with ransomware attacks likely orchestrated by Storm-2603 (aka CL-CRI-1040 or Gold Salem), which is known for deploying the Warlock and LockBit ransomware. The threat actor's use of the security utility was documented by Sophos last month. It's assessed that the attackers
Analysis Summary
# Tool/Technique: Velociraptor (Weaponized)
## Overview
Velociraptor is an open-source Digital Forensics and Incident Response (DFIR) tool maintained by Rapid7. Attackers, specifically those associated with the LockBit ransomware operation (linked to Storm-2603), have repurposed this legitimate security utility to facilitate ransomware deployment, command execution, and lateral movement within compromised environments.
## Technical Details
- Type: Tool (Abused Legitimate Utility)
- Platform: Not stated explicitly; the observed actions (SharePoint exploitation, Smbexec, AD manipulation) imply Windows environments.
- Capabilities: Remote data collection, command execution, endpoint takeover, orchestration (when used legitimately). In this attack, it was weaponized for command execution via a known vulnerability.
- First Seen: The specific abuse related to LockBit/Storm-2603 was documented in mid-August 2025.
## MITRE ATT&CK Mapping
The actions taken with the abused Velociraptor map to several tactics, chiefly Execution and Defense Evasion, following initial vulnerability exploitation:
- **TA0002 - Execution**
- T1059 - Command and Scripting Interpreter
- **TA0005 - Defense Evasion**
- T1564.003 - Hide Artifacts: Network Share Discovery (if used for internal lateral movement/staging)
- **TA0008 - Lateral Movement**
- T1021.002 - Remote Services: Server Message Block (SMB) (via Smbexec usage)
(Note: The initial access via ToolShell and the exploitation of CVE-2025-6264 would precede the use of the weaponized Velociraptor.)
## Functionality
### Core Capabilities (Weaponized Use)
- Establishing a foothold post-initial access (via ToolShell exploitation).
- Privilege escalation using an outdated version (0.73.4.0) susceptible to CVE-2025-6264.
- Enabling arbitrary command execution on the endpoint.
- Facilitating lateral movement using tools like Smbexec for remote execution via SMB.
### Advanced Features
- Altering system defenses by turning off real-time protection to evade detection.
- Modifying Active Directory (AD) Group Policy Objects (GPOs) to maintain persistence or disable security controls across the domain.
- Used in conjunction with the deployment of Warlock, LockBit, and Babuk ransomware families.
## Indicators of Compromise
*Note: Specific IOCs for the weaponized Velociraptor binaries or C2 structure are not detailed in the context, but behavioral and associated indicators are present.*
- File Hashes: [Not specified]
- File Names: [Not specified]
- Registry Keys: [Not specified]
- Network Indicators: [Not specified for Velociraptor C2; the associated C2 infrastructure is implied to be shared (and misspelled) across ransomware deployments]
- Behavioral Indicators:
- Installation/execution of Velociraptor version 0.73.4.0 used to achieve arbitrary command execution.
- Attempts to create domain admin accounts.
- Use of Smbexec for remote program launch over SMB.
- Disabling of real-time monitoring/antivirus capabilities.
- Modification of AD GPOs.
## Associated Threat Actors
- **Storm-2603** (also known as CL-CRI-1040 or Gold Salem)
- Associated ransomware families: LockBit, Warlock, and Babuk.
- Assessed to have connections to Chinese nation-state actors due to development practices and early exploit access (ToolShell).
## Detection Methods
- **Signature-based detection:** Signature-based detection of the outdated Velociraptor binary version (0.73.4.0) is possible.
- **Behavioral detection:** Monitoring for administrative tools being used for malicious purposes, specifically:
- Privilege escalation attempts following the CVE-2025-6264 exploitation path.
- Sudden disabling of real-time protection services.
- Creation of domain administrator accounts.
- Use of file-sharing protocols (SMB) alongside remote execution utilities (like Smbexec) following initial exploitation.
- **YARA rules:** [Not specified]
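As an added example (not from the original report or the Velociraptor project), the behavioral indicators above written as detection logic and run over constructed Windows-style events; the event IDs are standard Sysmon, Security, PowerShell and Defender IDs, while the field names, the smbexec output-path pattern and the "version at or below 0.73.4.0" comparison are assumptions for this illustration.

```python
# Added example: behavioral detection for the Velociraptor-abuse indicators in this report.
# Event IDs: Sysmon 1 (process create), Security 4728 (member added to global group),
# Security 5136 (directory object modified), PowerShell 4104 (script block), Defender 5001
# (real-time protection disabled). Field names and version threshold are assumptions.
import re

VULNERABLE_VERSION = (0, 73, 4, 0)  # version named in the report; "<=" is an assumption

# Constructed sample telemetry (not real logs): one event per indicator plus one benign event.
SAMPLE_EVENTS = [
    {"src": "Sysmon", "id": 1, "image": r"C:\ProgramData\velociraptor.exe",
     "version": "0.73.4.0", "cmdline": "velociraptor.exe service install"},
    {"src": "Security", "id": 4728, "group": "Domain Admins", "member": "svc_backup2"},
    {"src": "PowerShell", "id": 4104,
     "script": "Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"src": "Sysmon", "id": 1, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /Q /c echo whoami ^> \\127.0.0.1\C$\__output > %TEMP%\execute.bat"},
    {"src": "Security", "id": 5136, "object_class": "groupPolicyContainer"},
    {"src": "Sysmon", "id": 1, "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
]

def parse_version(v):
    """'0.73.4.0' -> (0, 73, 4, 0) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))

def check_event(ev):
    """Return the names of the rules an event matches (empty list when benign)."""
    hits = []
    if ev["src"] == "Sysmon" and ev["id"] == 1:
        if "velociraptor" in ev["image"].lower() and \
                parse_version(ev.get("version", "99")) <= VULNERABLE_VERSION:
            hits.append("vulnerable_velociraptor")
        # smbexec-style remote execution redirects output to a loopback admin share (assumed pattern)
        if re.search(r"\\\\127\.0\.0\.1\\C\$\\__output", ev.get("cmdline", "")):
            hits.append("smbexec_execution")
    if ev["src"] == "Security" and ev["id"] == 4728 and ev.get("group") == "Domain Admins":
        hits.append("domain_admin_added")
    if (ev["src"] == "PowerShell" and ev["id"] == 4104
            and re.search(r"DisableRealtimeMonitoring\s+\$true", ev.get("script", ""), re.I)) \
            or (ev["src"] == "Defender" and ev["id"] == 5001):
        hits.append("realtime_protection_disabled")
    if ev["src"] == "Security" and ev["id"] == 5136 and ev.get("object_class") == "groupPolicyContainer":
        hits.append("gpo_modified")
    return hits

def scan(events):
    """Map each matching event index to the rules it triggered; benign events are omitted."""
    return {i: h for i, ev in enumerate(events) if (h := check_event(ev))}

if __name__ == "__main__":
    for idx, rules in scan(SAMPLE_EVENTS).items():
        print(f"event {idx}: {', '.join(rules)}")
```

Any single rule firing alone is noisy in a real estate; the value is in correlating several of them on one host within a short window, as the attack chain above describes.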
## Mitigation Strategies
- **Prevention measures:**
- Patching systems immediately to defend against the known privilege escalation vulnerability in older Velociraptor versions (CVE-2025-6264).
- Implementing robust endpoint detection and response (EDR) focusing on legitimate tool misuse.
- Restricting administrative tool execution via application control policies.
- **Hardening recommendations:**
- Ensure all internally deployed DFIR tools are kept up-to-date (Rapid7 maintains Velociraptor, advising users against outdated versions).
- Enforce Principle of Least Privilege (PoLP) to limit the impact of successful privilege escalation.
- Harden Active Directory and monitor GPO modification activities closely.
## Related Tools/Techniques
- **LockBit Ransomware:** The final payload deployed by the actor.
- **Warlock Ransomware:** Another ransomware used by the actor, suggesting confusion tactics.
- **Babuk Ransomware:** Also deployed by the actor in this observed campaign.
- **ToolShell:** The initial remote access mechanism targeting on-premises SharePoint vulnerabilities.
- **Smbexec:** Used for lateral movement and remote command execution.