Hackers Weaponize Velociraptor to Deploy Ransomware


399/68 Tuesday, October 14, 2025

Threat actors tracked as Storm-2603 (also known as CL-CRI-1040 and Gold Salem) have been observed weaponizing Velociraptor, an open-source digital forensics and incident response (DFIR) tool widely used by security professionals, in ransomware attacks. According to Cisco Talos, the group exploited a SharePoint vulnerability dubbed "ToolShell" to gain initial access to victim environments. They then installed an outdated version of Velociraptor affected by a known privilege escalation flaw (CVE-2025-6264), using it to obtain full administrative control of the compromised machines. That access was subsequently leveraged to deploy several ransomware families: Warlock, LockBit, and, for the first time, Babuk, making this the first confirmed instance of Storm-2603 deploying Babuk.

The group's attack chain is highly structured and systematic. After escalating privileges, they move laterally within the victim network using tools such as Smbexec to execute commands on remote hosts. They then modify Group Policy Objects (GPOs) to disable antivirus and other security defenses across the domain, reducing the chance of detection. Once defenses are neutralized, they exfiltrate sensitive data and finally encrypt files to extort a ransom. Rapid7, which acquired Velociraptor in 2021, emphasized that the incident does not stem from an inherent flaw in the current tool but from its misuse by malicious actors, a familiar pattern in which legitimate administration and forensics tooling is repurposed by adversaries. For defenders, the practical consequences are that any Velociraptor installation the security team did not deploy should be treated as suspicious, and that deployed instances should be kept on a release that includes the fix for CVE-2025-6264.
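A hunt over the behaviors in this chain, written in Python as an added example for this page (it is not code from Talos, Rapid7, or the Velociraptor project): it scans constructed Windows event records for Velociraptor service installs on hosts outside an assumed allowlist or below an assumed patched version, for Impacket smbexec-style service creation, and for Defender real-time protection being disabled shortly after a Group Policy object edit. The event IDs (7045, 5136, 5001) are standard Windows ones; the host allowlist, the version threshold, the correlation window, and every sample record are assumptions constructed for the example.

```python
"""Hunt for Storm-2603-style tradecraft over constructed Windows events.

Added example for this page; not code from Talos, Rapid7 or Velociraptor.
"""
import re

# Assumption: first Velociraptor release carrying the CVE-2025-6264 fix.
# Confirm the real value against Rapid7's advisory before relying on it.
PATCHED_VELOCIRAPTOR = (0, 74, 3)

# Assumption: hosts on which the SOC legitimately deploys Velociraptor.
EXPECTED_VELOCIRAPTOR_HOSTS = {"WS02"}

# Impacket smbexec installs a service whose ImagePath runs %COMSPEC% /Q /c,
# redirects output to a share path ending in __output and stages the
# command in execute.bat; that shape is the signature matched here.
SMBEXEC_RE = re.compile(r"%COMSPEC%\s+/Q\s+/c\b.*(?:__output|execute\.bat)", re.I)
VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)(?:\.\d+)?\b")

# Assumption: a Defender-off event within this many minutes of a GPO edit
# is attributed to that edit.
GPO_WINDOW_MIN = 60

# Constructed sample events, not real telemetry. "t" is minutes since start.
# 7045 = service installed (System log), 5136 = directory service object
# modified (Security log), 5001 = Defender real-time protection disabled
# (Defender operational log). "file_version" stands in for the binary's
# version resource, which a collector would look up separately.
SAMPLE_EVENTS = [
    {"t": 0, "id": 7045, "host": "WS01", "service": "Velociraptor",
     "path": r"C:\ProgramData\vr\velociraptor.exe --config client.yaml service run",
     "file_version": "0.73.4.0"},
    {"t": 5, "id": 7045, "host": "WS02", "service": "Velociraptor",
     "path": r"C:\Program Files\Velociraptor\velociraptor.exe --config client.yaml service run",
     "file_version": "0.75.1.0"},
    {"t": 10, "id": 7045, "host": "DC01", "service": "BTOBTO",
     "path": r"%COMSPEC% /Q /c echo cd ^> \\127.0.0.1\C$\__output 2^>^&1 > %TEMP%\execute.bat"
             r" & %COMSPEC% /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat"},
    {"t": 12, "id": 5136, "host": "DC01", "object_class": "groupPolicyContainer",
     "attribute": "gPCMachineExtensionNames", "subject": r"CORP\svc_backup"},
    {"t": 20, "id": 5001, "host": "WS03"},
    {"t": 35, "id": 7045, "host": "WS04", "service": "gupdate",
     "path": r"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe /svc"},
]


def parse_version(text):
    """Return the first X.Y.Z version in text as an int tuple, or None."""
    m = VERSION_RE.search(text)
    return tuple(int(g) for g in m.groups()) if m else None


def hunt(events):
    """Return alerts as (rule, host, detail) tuples in time order."""
    alerts = []
    gpo_edits = []  # (t, subject) for each groupPolicyContainer change seen
    for ev in sorted(events, key=lambda e: e["t"]):
        eid, host = ev["id"], ev["host"]
        if eid == 7045:
            text = f'{ev["service"]} {ev["path"]}'
            if "velociraptor" in text.lower():
                # Any install outside the SOC's own deployment is suspect,
                # whatever its version; an old version is a second finding.
                if host not in EXPECTED_VELOCIRAPTOR_HOSTS:
                    alerts.append(("unexpected_velociraptor_install", host, ev["path"]))
                ver = parse_version(ev.get("file_version", ""))
                if ver is not None and ver < PATCHED_VELOCIRAPTOR:
                    alerts.append(("velociraptor_vulnerable_version", host,
                                   ".".join(map(str, ver))))
            if SMBEXEC_RE.search(ev["path"]):
                alerts.append(("smbexec_service_install", host, ev["service"]))
        elif eid == 5136 and ev.get("object_class") == "groupPolicyContainer":
            gpo_edits.append((ev["t"], ev["subject"]))
            alerts.append(("gpo_modified", host, ev["subject"]))
        elif eid == 5001:
            alerts.append(("defender_rtp_disabled", host, ""))
            # Correlate with a recent GPO edit to surface the chain itself,
            # not just its two halves.
            recent = [s for t, s in gpo_edits if 0 <= ev["t"] - t <= GPO_WINDOW_MIN]
            if recent:
                alerts.append(("defender_disabled_after_gpo_edit", host, recent[-1]))
    return alerts


if __name__ == "__main__":
    for rule, host, detail in hunt(SAMPLE_EVENTS):
        print(f"{rule:36} {host:6} {detail}")
```

Run against the constructed records this raises six alerts: two for the WS01 install (unexpected host, old version), one for the smbexec-shaped service on DC01, one for the GPO edit, and two for the Defender-off event on WS03 (the event itself and its correlation with the edit eight minutes earlier); the patched install on the allowlisted host and the ordinary updater service produce nothing. In production the records would come from forwarded System, Security and Defender logs and the allowlist and version threshold from the organization's own deployment inventory and the vendor advisory.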

What makes this case particularly concerning is mounting evidence that Storm-2603 may be linked to Chinese state-sponsored threat groups. The indicators cited include access to the ToolShell exploit before its public disclosure (that is, as a zero-day), the ability to roll out new malware features within 48 hours, sophisticated operational security practices that obscure their activity, and malware compilation timestamps that align with China Standard Time (CST). Taken together, these hallmarks suggest discipline, resources, and privileged access more typical of a well-resourced, state-backed operation than of opportunistic cybercriminals.

Source: https://thehackernews.com/2025/10/hackers-turn-velociraptor-dfir-tool.html