Storm-2603 Exploits Velociraptor DFIR in Multi-Ransomware Attacks

Storm-2603 exploits SharePoint vulnerability and misuses Velociraptor for sophisticated multi-ransomware operations linked to Chinese state actors

  • Threat actors linked to Storm-2603 are misusing Velociraptor, an open-source forensic tool, in ransomware attacks.
  • They exploited the SharePoint vulnerabilities known as ToolShell to gain initial access.
  • The attackers used an outdated Velociraptor version vulnerable to privilege escalation (CVE-2025-6264) for endpoint control.
  • Storm-2603 deployed Warlock, LockBit, and Babuk ransomware, showing operational sophistication and possible ties to Chinese state actors.
  • The group demonstrates rapid ransomware development, multi-family deployment, and advanced evasion techniques.

Storm-2603, a ransomware group active in 2025, has been found using Velociraptor, an open-source digital forensics and incident response (DFIR) tool, in ransomware campaigns. The attacks exploited on-premises SharePoint flaws known as ToolShell to break into systems and deliver an older Velociraptor version (0.73.4.0). This version had a known privilege escalation vulnerability (CVE-2025-6264), which allowed the attackers to execute arbitrary commands and take control of affected endpoints.

According to Cisco Talos, the attackers escalated privileges by creating domain administrator accounts and used lateral movement tools like Smbexec to spread within networks. Before deploying ransomware such as Warlock, LockBit, and Babuk, the group altered Active Directory Group Policy Objects (GPOs) and disabled real-time system defenses to avoid detection. This is the first documented link between Storm-2603 and Babuk ransomware.
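The two misuse signals described above (a Velociraptor client that was not deployed by the organisation, and a client running an outdated, CVE-2025-6264-era version such as 0.73.4.0) together with the domain-admin account additions can be checked from endpoint and domain-controller logs. The script below is an added example, not code from the article, Cisco Talos or Rapid7; the approved server URL, the minimum patched version, the hosts and the account names are constructed assumptions, and Windows Security event 4728 (member added to a security-enabled global group) is used for the Domain Admins change.

```python
import re

# Hypothetical values for one organisation; constructed for this example.
APPROVED_SERVERS = {"https://velo.corp.example:8000/"}
# Assumed minimum version carrying the CVE-2025-6264 fix; confirm against Rapid7's advisory.
MIN_SAFE_VERSION = (0, 74, 3)
# Windows Security event 4728: a member was added to a security-enabled global group.
PRIVILEGED_GROUPS = {"Domain Admins"}

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_line(line):
    """Parse a key=value log line into a dict; quoted values lose their quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def parse_version(text):
    """'0.73.4.0' -> (0, 73, 4, 0); tuple comparison works across mixed lengths."""
    return tuple(int(p) for p in text.split("."))

def analyse(lines):
    """Return (host, reason) findings for Velociraptor misuse and Domain Admins additions."""
    findings = []
    for line in lines:
        ev = parse_line(line)
        host = ev.get("host", "?")
        image = ev.get("image", "").lower()
        if ev.get("event") == "ProcessCreate" and image.endswith("velociraptor.exe"):
            if ev.get("server") not in APPROVED_SERVERS:
                findings.append((host, f"Velociraptor client pointed at unapproved server {ev.get('server')}"))
            if "version" in ev and parse_version(ev["version"]) < MIN_SAFE_VERSION:
                findings.append((host, f"outdated Velociraptor {ev['version']} (CVE-2025-6264 range)"))
        elif ev.get("event") == "4728" and ev.get("group") in PRIVILEGED_GROUPS:
            findings.append((host, f"{ev.get('member')} added to {ev['group']}"))
    return findings

# Constructed sample lines: hosts, accounts and the 203.0.113.0/24 documentation address are made up.
SAMPLE_LOGS = [
    'host=WS07 event=ProcessCreate image="C:\\Program Files\\Velociraptor\\velociraptor.exe" version=0.74.3 server=https://velo.corp.example:8000/',
    'host=SP01 event=ProcessCreate image="C:\\ProgramData\\velociraptor.exe" version=0.73.4.0 server=https://203.0.113.5:8000/',
    'host=DC01 event=4728 group="Domain Admins" member=svc_sync',
    'host=DC01 event=4728 group="Finance-Staff" member=jdoe',
]

if __name__ == "__main__":
    for host, reason in analyse(SAMPLE_LOGS):
        print(f"[{host}] {reason}")
```

Only the SharePoint host running the unapproved, outdated client and the Domain Admins change produce findings; the approved, current client and the ordinary group change are silent.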

Rapid7, the tool’s maintainer since 2021, acknowledged that tools like Velociraptor can be misused by adversaries when in the wrong hands. Christiaan Beek, Rapid7’s senior director of threat analytics, described this as “a misuse pattern rather than a software flaw: adversaries simply repurpose legitimate collection and orchestration capabilities.”

Halcyon reported that Storm-2603 shows connections to Chinese nation-state actors based on early access to the ToolShell exploit and the professional quality of ransomware samples. The group’s use of multiple ransomware families aims to confuse attribution and evade defenses. Warlock, launched in June 2025, was designed to deploy several ransomware variants quickly, demonstrating sophisticated resources and structured workflows. This includes operational security measures like removing timestamps and compiling ransomware during specific hours aligned with China Standard Time.

Additional findings show Storm-2603 established infrastructure for the AK47 command-and-control framework in March 2025 and rapidly shifted from LockBit-only attacks to dual deployments involving LockBit and Warlock within 48 hours. After registering as a LockBit affiliate, the group continued developing its ransomware, deploying Babuk ransomware in July 2025 using the ToolShell zero-day exploit.

Halcyon highlighted the group’s quick adaptation and technical expertise, describing their tactics as “operational flexibility, detection evasion capabilities, attribution confusion tactics, and sophisticated builder expertise using leaked and open-source ransomware frameworks.”
