Cybercriminals Turn Legitimate DFIR Tool Velociraptor Into a Weapon in LockBit and Babuk Attacks

11.10.2025 2 minutes Author: Newsman

The cybercriminal group Storm-2603 (Gold Salem) has transformed the legitimate Velociraptor tool — originally designed for Digital Forensics and Incident Response (DFIR) — into a weapon for digital crime. They used it during LockBit and Babuk ransomware operations, exploiting its defensive capabilities to gain full control over corporate networks.

According to Sophos and Cisco Talos, the attackers exploited SharePoint ToolShell vulnerabilities to gain initial access and deploy an outdated version of Velociraptor (0.73.4.0) containing the privilege escalation flaw CVE-2025-6264, which allowed remote command execution and full endpoint compromise.

Once inside, the threat actors created domain administrator accounts, moved laterally through the network using Smbexec, disabled antivirus protections, and manipulated Group Policy and Active Directory settings — paving the way for ransomware deployment.

This incident marked the first confirmed case of Storm-2603 deploying Babuk ransomware alongside LockBit and Warlock.

  • Rapid7, which owns Velociraptor, emphasized that *the issue lies not in the tool itself but in its abuse by malicious actors*. According to Christiaan Beek, Rapid7’s senior threat analytics director, “Attackers are turning legitimate defense tools into weapons, using them as automation platforms for large-scale attacks.”

Figure 1 – Does Not Contain Backup

Storm-2603 first appeared in June 2025, leveraging LockBit 3.0 as the foundation for its own custom ransomware. Within weeks, the group integrated Babuk and Warlock to complicate attribution. Researchers at Halcyon believe the group exhibits a high level of organization, with new versions of its ransomware families appearing every 48 hours — an indicator of a structured and well-resourced operation.

  • Analysts also highlight possible Chinese state connections, noting precise compile timestamps aligned with China Standard Time, shared command-and-control domains (C2), and similar build characteristics across LockBit, Warlock, and Babuk.

Figure 2 – Contains Backups

The Velociraptor incident underscores that even defensive DFIR tools can be weaponized. Storm-2603 reflects a growing trend: hackers no longer need to create new tools — they modify legitimate security software to bypass detection. This development challenges cybersecurity teams to rethink defense strategies: it’s no longer enough to scan for malicious code — it’s equally vital to audit trusted tools and verify integrity within the security stack itself.
