Executive Summary
In early 2024, the Storm-2603 threat group, attributed to Chinese nation-state actors, conducted a series of ransomware campaigns leveraging the legitimate Velociraptor digital forensics and incident response (DFIR) tool. By abusing Velociraptor, the attackers achieved persistent access, lateral movement, and stealthy data collection within targeted corporate environments. The group exploited weaknesses in east-west traffic security and endpoint controls, using legitimate tooling to evade detection and deploy ransomware payloads, leading to operational disruption and potential data exfiltration for multiple organizations.
This incident highlights an escalation in adversaries’ use of legitimate IT and forensics tools for malicious purposes, complicating detection strategies. It exemplifies the growing threat of "living-off-the-land" tactics, where attackers blend in with standard operations, underscoring the need for improved anomaly detection, zero trust segmentation, and lateral movement controls.
Why This Matters Now
The Storm-2603 incident reveals an urgent trend of attackers co-opting trusted security tools for stealthy intrusions, making traditional detection methods far less effective. With ransomware and nation-state threats converging, organizations must adapt their security posture to address advanced, identity-driven, and tool abuse tactics, especially as regulatory scrutiny around prevention and resilience intensifies.
Attack Path Analysis
The Storm-2603 group initially compromised cloud infrastructure, likely via exposed services or stolen credentials, and established a foothold. They escalated privileges to gain broader access, then moved laterally using the Velociraptor IR tool to pivot between workloads or cloud resources. Command and control was maintained over encrypted channels, allowing the attackers to orchestrate ransomware deployment and related activity. Sensitive data was exfiltrated covertly, and finally, ransomware was triggered, causing operational disruption and potential data loss.
Kill Chain Progression
Initial Compromise
Description
Attackers gained entry into the network through exposed cloud services or compromised credentials, enabling initial access.
Related CVEs
CVE-2025-6264
CVSS 9.8
A privilege escalation vulnerability in Velociraptor version 0.73.4.0 allows arbitrary command execution and full endpoint takeover.
Affected Products:
Velociraptor – 0.73.4.0
Exploit Status:
exploited in the wild
CVE-2025-49704
CVSS 9.8
A critical vulnerability in Microsoft SharePoint allows remote code execution, enabling attackers to deploy ransomware.
Affected Products:
Microsoft SharePoint – 2016, 2019
Exploit Status:
exploited in the wild
References:
https://www.tomshardware.com/tech-industry/cyber-security/microsoft-says-china-based-hackers-exploiting-critical-sharepoint-vulnerabilities-to-deploy-warlock-ransomware-three-china-affiliated-threat-actors-seen-taking-advantage
https://www.itpro.com/security/cyber-attacks/sharepoint-flaw-microsoft-says-hackers-deploying-ransomware
MITRE ATT&CK® Techniques
Valid Accounts
Process Injection
System Services: Service Execution
Signed Binary Proxy Execution
User Execution
Data Encrypted for Impact
Command and Scripting Interpreter
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Log and Monitor All Access to Cardholder Data and Critical Systems
Control ID: 10.2.5
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA (Digital Operational Resilience Act) – ICT Risk Management Framework
Control ID: Article 9(2)
CISA ZTMM 2.0 – Monitor and Manage Asset Usage
Control ID: ID.AM-5
NIS2 Directive – Incident Handling and Resilience Measures
Control ID: Article 21.2(d)
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Financial Services
Storm-2603's abuse of Velociraptor DFIR tools for persistent ransomware access critically threatens financial institutions requiring NIST and PCI compliance for encrypted traffic protection.
Health Care / Life Sciences
The exploitation of incident response tools by Chinese hackers poses severe risks to healthcare networks, compromising HIPAA-mandated east-west traffic security and patient data protection systems.
Government Administration
Government agencies face elevated ransomware threats as adversaries weaponize legitimate forensics tools, undermining zero trust segmentation and multicloud visibility controls for sensitive operations.
Information Technology/IT
IT sector organizations managing DFIR operations are prime targets for Storm-2603's Velociraptor exploitation, threatening threat detection capabilities and Kubernetes security implementations.
Sources
- Chinese Hackers Use Velociraptor IR Tool in Ransomware Attacks – https://www.darkreading.com/cybersecurity-operations/chinese-hackers-velociraptor-ir-tool-ransomware-attacks
- Hackers Turn Velociraptor DFIR Tool Into Weapon in LockBit Ransomware Attacks – https://thehackernews.com/2025/10/hackers-turn-velociraptor-dfir-tool.html
- Velociraptor incident response tool abused for remote access – https://news.sophos.com/en-us/2025/08/26/velociraptor-incident-response-tool-abused-for-remote-access/
- Microsoft says China-based hackers exploiting critical SharePoint vulnerabilities to deploy Warlock ransomware – https://www.tomshardware.com/tech-industry/cyber-security/microsoft-says-china-based-hackers-exploiting-critical-sharepoint-vulnerabilities-to-deploy-warlock-ransomware-three-china-affiliated-threat-actors-seen-taking-advantage
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix CNSF and Zero Trust controls such as segmentation, encrypted traffic inspection, egress policy enforcement, and continuous threat detection would have dramatically constrained attacker movement, policy violations, and data loss throughout the kill chain.
Control: Multicloud Visibility & Control
Mitigation: Early detection of unauthorized access and exposed attack surfaces.
Control: Zero Trust Segmentation
Mitigation: Containment of privilege escalation inside strict segmentation boundaries.
Control: East-West Traffic Security
Mitigation: Detection and blocking of unauthorized east-west communication.
Control: Encrypted Traffic (HPE)
Mitigation: Visibility into encrypted C2 traffic for rapid detection.
Control: Egress Security & Policy Enforcement
Mitigation: Prevention or alerting of unauthorized data egress attempts.
Mitigation: Immediate detection and response to ransomware behaviors.
Impact at a Glance
Affected Business Functions
- IT Operations
- Data Management
- Customer Services
Estimated downtime: 7 days
Estimated loss: $500,000
Potential exposure of sensitive customer data and internal communications due to unauthorized access and data exfiltration.
Recommended Actions
Key Takeaways & Next Steps
- Implement identity-based segmentation and zero trust boundaries to prevent lateral movement and privilege abuse.
- Enforce east-west traffic inspection and anomaly detection to quickly surface suspicious insider or automated tool actions.
- Utilize high-performance encrypted traffic visibility to monitor and control all outbound and inter-region flows.
- Apply rigorous egress policy enforcement to block data exfiltration and command and control channels.
- Continuously baseline workload behaviors and set up automated response for rapid detection of ransomware or destructive operations.
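One concrete form of the workload-baselining step above, written as an added example that is not part of this brief or of the Velociraptor project: a small Python audit that reads Velociraptor client configs collected from endpoints and flags any client whose `Client.server_urls` (Velociraptor's own client-config key) points at a frontend other than the organisation's approved DFIR server, which is how a legitimately installed agent gets turned into a foreign remote-access channel. The approved hostname, the endpoint names and the sample configs are constructed; the check also flags non-TLS frontends, which goes slightly beyond the text.

```python
from urllib.parse import urlparse

# Constructed allowlist: hostnames of the organisation's own Velociraptor
# frontend(s). A client configured to talk to anything else is suspect.
APPROVED_FRONTENDS = {"velociraptor.corp.example"}

def extract_server_urls(config_text):
    """Return the Client.server_urls entries from a Velociraptor client config.
    Minimal line-based parser for the usual layout, so no YAML dependency."""
    urls, in_list = [], False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("server_urls:"):
            in_list = True
            continue
        if in_list:
            if line.startswith("- "):
                urls.append(line[2:].strip().strip("\"'"))
            else:
                in_list = False  # the list ended at the next key
    return urls

def audit_client_config(host, config_text, approved=APPROVED_FRONTENDS):
    """Findings for one endpoint as (host, reason) tuples; empty when clean."""
    findings = []
    urls = extract_server_urls(config_text)
    if not urls:
        findings.append((host, "no server_urls in client config"))
    for url in urls:
        parsed = urlparse(url)
        if parsed.scheme != "https":
            findings.append((host, f"non-TLS frontend {url}"))
        if parsed.hostname not in approved:
            findings.append((host, f"unapproved frontend {url}"))
    return findings

def audit_fleet(configs, approved=APPROVED_FRONTENDS):
    """configs: {hostname: client config text}. Returns all findings."""
    out = []
    for host, text in configs.items():
        out.extend(audit_client_config(host, text, approved))
    return out

# Constructed sample configs as collected from two endpoints (hypothetical names).
SAMPLE_CONFIGS = {
    "ws-finance-01": "Client:\n  server_urls:\n    - https://velociraptor.corp.example:8000/\n  nonce: c0nstructed\n",
    "ws-finance-02": "Client:\n  server_urls:\n    - https://203.0.113.10:8000/\n  nonce: c0nstructed\n",
}

if __name__ == "__main__":
    for host, reason in audit_fleet(SAMPLE_CONFIGS):
        print(f"ALERT {host}: {reason}")
```

Run against configs pulled by your endpoint management tooling, any alert is an agent that answers to a frontend you did not deploy.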