Velociraptor abused in LockBit/Warlock ops
Sophos and others observed Storm-2603 (aka Gold Salem) abusing Velociraptor, an open-source DFIR tool, in ransomware campaigns delivering Warlock, LockBit, and Babuk. Initial access came via SharePoint ToolShell exploits; the actors then installed an outdated Velociraptor build (0.73.4.0), which is affected by CVE-2025-6264, a privilege-escalation flaw that lets an operator run arbitrary commands and take over endpoints. They created domain admin accounts, moved laterally (e.g., with Smbexec), modified GPOs, and disabled protections before exfiltration and encryption. Analysts note China-nexus indicators and rapid 48-hour development cycles. Rapid7, which maintains Velociraptor, warns that any admin tool can be misused.
When blue-team tools go bad: Velociraptor as a weapon.
Velociraptor is a brilliant DFIR tool, right up until the attackers run it first. Researchers link Storm-2603 to campaigns that break in via SharePoint ToolShell exploits, then drop an older Velociraptor (0.73.4.0) precisely because it carries CVE-2025-6264, a cheeky privilege escalation bug. With control in hand, they spin up domain admin accounts, roam the network with Smbexec, tweak GPOs, disable AV, and finally unleash Warlock, LockBit, or even Babuk ransomware.
This isn’t a flaw in modern Velociraptor—it’s the classic “dual-use” problem. As Rapid7 puts it, tools built to collect artefacts and orchestrate responses can be hijacked for exactly the same reasons defenders love them.
Defensive homework
• Patch SharePoint fast; hunt for ToolShell indicators.
• Block or alert on Velociraptor binaries and services you didn't deploy; confirm the versions you did deploy are patched against CVE-2025-6264.
• Constrain GPO changes; alert on new Domain Admins and unusual Smbexec use.
• Egress control and MFA on admin paths; keep backups immutably off-domain.
Attribution tea leaves point to a China-nexus actor with disciplined 48-hour build cycles. Labels aside, the lesson is simpler: if the adversary can run your tools, they will, so harden where they'd start.