BTC $71,807
2026 Bull Run Is Building Start trading with 5% OFF all fees
Sign Up Now
BTC $71,807
Bull Run 2026 | 5% Off Fees Open your Binance account today
Sign Up

Storm-2603 Exploits Velociraptor DFIR in Multi-Ransomware Attacks

Storm-2603 exploits SharePoint vulnerability and misuses Velociraptor for sophisticated multi-ransomware operations linked to Chinese state actors

  • Threat actors linked to Storm-2603 are misusing Velociraptor, an open-source forensic tool, in Ransomware attacks.
  • They exploited SharePoint vulnerabilities named ToolShell to gain initial access.
  • The attackers used an outdated Velociraptor version vulnerable to privilege escalation (CVE-2025-6264) for endpoint control.
  • Storm-2603 deployed Warlock, LockBit, and Babuk ransomware, showing operational sophistication and possible ties to Chinese state actors.
  • The group demonstrates rapid ransomware development, multi-family deployment, and advanced evasion techniques.

Storm-2603, a ransomware group active in 2025, has been found using Velociraptor, an open-source digital forensics and incident response (DFIR) tool, in ransomware campaigns. The attacks exploited on-premises SharePoint flaws known as ToolShell to break into systems and deliver an older Velociraptor version (0.73.4.0). This version had a known privilege escalation vulnerability (CVE-2025-6264), which allowed the attackers to execute arbitrary commands and take control of affected endpoints.

- Advertisement -

According to Cisco Talos, the attackers escalated privileges by creating domain administrator accounts and used lateral movement tools like Smbexec to spread within networks. Before deploying ransomware such as Warlock, LockBit, and Babuk, the group altered Active Directory Group Policy Objects (GPOs) and disabled real-time system defenses to avoid detection. This is the first documented link between Storm-2603 and Babuk ransomware.

Rapid7, the tool’s maintainer since 2021, acknowledged that tools like Velociraptor can be misused by adversaries when in the wrong hands. Christiaan Beek, Rapid7’s senior director of threat analytics, described this as, “a misuse pattern rather than a software flaw: adversaries simply repurpose legitimate collection and orchestration capabilities.”

Halcyon reported that Storm-2603 shows connections to Chinese nation-state actors based on early access to the ToolShell exploit and the professional quality of ransomware samples. The group’s use of multiple ransomware families aims to confuse attribution and evade defenses. Warlock, launched in June 2025, was designed to deploy several ransomware variants quickly, demonstrating sophisticated resources and structured workflows. This includes operational security measures like removing timestamps and compiling ransomware during specific hours aligned with China Standard Time.

Additional findings show Storm-2603 established infrastructure for the AK47 command-and-control framework in March 2025 and rapidly shifted from LockBit-only attacks to dual deployments involving LockBit and Warlock within 48 hours. After registering as a LockBit affiliate, the group continued developing its ransomware, deploying Babuk ransomware in July 2025 using the ToolShell zero-day exploit.

- Advertisement -

Halcyon highlighted the group’s quick adaptation and technical expertise, describing their tactics as, “operational flexibility, detection evasion capabilities, attribution confusion tactics, and sophisticated builder expertise using leaked and open-source ransomware frameworks.”

✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.

Previous Articles:

- Advertisement -
Ad
Altseason Is Loading. Don't watch from the sidelines.
SOL $90.51
DOGE $0.0963
LINK $9.02
SUI $1.00
5% off fees when you sign up
Start Trading
Ad
Pay Less on Every Trade. For Life.
$10K/mo volume Save $60/yr
$50K/mo volume Save $300/yr
$100K/mo volume Save $600/yr
5% off all trading fees when you sign up
Claim Your Discount

Latest News

Crypto’s $2T Crash Awaits BlackRock Shock & FOMO

Bitcoin has stabilized near $60,000 after a downturn erased $2 trillion from the crypto...

Cambridge: Ethereum Energy Intensity Low, Overall Use High

Ethereum consumes roughly 7.87 GWh annually, the second-lowest energy intensity per market value among...

Saylor and Back oppose BIP-110 fork over Bitcoin security fears

Michael Saylor and Adam Back have publicly opposed BIP-110, a temporary Bitcoin fork proposal...

China, India groups target Pakistani police in cyber espionage

Suspected China- and India-aligned threat actors targeted Pakistani law enforcement in a sustained cyber...

AMD Stock Dips 10% Amid AI Volatility Ahead of Q3 Earnings

AMD stock fell nearly 10% from $580 on June 30 to roughly $516 by...

Must Read

7 Best Crypto To Invest In This Year

Investing in cryptocurrencies has become a popular way for people to diversify their investment portfolio and make potential profits.However, with so many cryptocurrencies available...
Ad
Altseason Is Loading. These 4 coins are trending right now.
SOL $92.12
DOGE $0.0950
LINK $9.02
SUI $1.02
5% off spot fees when you sign up
Start Trading