October 9, 2025 By Bill Toulas
Threat actors have started to use the Velociraptor digital forensics and incident response (DFIR) tool in attacks that deploy LockBit and Babuk ransomware.
Cisco Talos researchers assess with medium confidence that the attacker behind the campaigns is a China-based adversary tracked as Storm-2603.
Velociraptor is an open-source DFIR tool created by Mike Cohen. The project has been acquired by Rapid7, which provides an enhanced version to its customers.
Cybersecurity company Sophos reported on August 26 that hackers were abusing Velociraptor for remote access. Specifically, the threat actors leveraged it to download and execute Visual Studio Code on compromised hosts, establishing a secure communication tunnel with the command and control (C2) infrastructure.
In a report earlier today, ransomware protection company Halcyon assesses that Storm-2603 is connected with Chinese nation-state actors, is the same group as Warlock ransomware and CL-CRI-1040, and acted as a LockBit affiliate.
