Hackers Turn Velociraptor DFIR Tool Into Weapon in LockBit Ransomware Attacks
Threat actors are abusing Velociraptor, an open-source digital forensics and incident response (DFIR) tool, in connection with ransomware attacks likely orchestrated by Storm-2603 (aka CL-CRI-1040 or Gold Salem), which is known for deploying the Warlock and LockBit ransomware. The threat actor's use of the security utility was documented by Sophos last month. It's assessed that the attackers
AI Analysis
Technical Summary
The threat involves the malicious repurposing of Velociraptor, an open-source digital forensics and incident response tool, by the Storm-2603 threat actor group, which is known for deploying multiple ransomware families including Warlock, LockBit, and Babuk. Attackers exploit a zero-day SharePoint vulnerability known as ToolShell to gain initial access to target environments. They then deploy an outdated Velociraptor version (0.73.4.0) containing a privilege escalation vulnerability (CVE-2025-6264) that allows arbitrary command execution and full endpoint takeover. Using this foothold, the attackers create domain admin accounts, move laterally via SMB protocol tools like Smbexec, and manipulate Active Directory Group Policy Objects to disable real-time protection and evade detection. The campaign is notable for its use of multiple ransomware strains to confuse attribution and accelerate impact, reflecting a high degree of operational sophistication, rapid development cycles, and strong operational security measures such as timestamp stripping and corrupted expiration mechanisms. The group’s infrastructure and tooling suggest ties to Chinese nation-state actors, supported by their development timelines and operational patterns. This misuse of a legitimate DFIR tool complicates detection because Velociraptor is typically trusted within enterprise environments. The attack chain demonstrates a blend of zero-day exploitation, privilege escalation, lateral movement, and multi-ransomware deployment, posing a significant threat to organizations relying on vulnerable SharePoint servers and Velociraptor versions.
Potential Impact
European organizations face substantial risks from this threat due to the potential for widespread ransomware infection, data exfiltration, and operational disruption. The exploitation of SharePoint vulnerabilities and Velociraptor privilege escalation can lead to full domain compromise, enabling attackers to disable security controls and persist undetected. Critical sectors such as government, finance, healthcare, and infrastructure are particularly vulnerable given their reliance on SharePoint and DFIR tools like Velociraptor. The use of multiple ransomware families complicates incident response and recovery, increasing downtime and financial losses. Additionally, the threat actor’s sophisticated operational security and rapid development cycles suggest ongoing and evolving risks. The potential attribution to Chinese state-aligned actors raises concerns about espionage and long-term strategic targeting of European entities. The misuse of legitimate security tools also undermines trust in incident response processes and may lead to increased false negatives in detection systems.
Mitigation Recommendations
1. Immediately patch all on-premises SharePoint servers to remediate the ToolShell vulnerability and any other known security issues.
2. Upgrade Velociraptor installations to the latest version that addresses the CVE-2025-6264 privilege escalation vulnerability; avoid using outdated versions like 0.73.4.0.
3. Implement strict application whitelisting and monitor for unauthorized execution of Velociraptor or similar DFIR tools, especially those deployed outside of controlled incident response scenarios.
4. Enhance Active Directory monitoring to detect unusual creation of domain admin accounts, modifications to Group Policy Objects, and other suspicious changes.
5. Monitor SMB traffic for anomalous remote execution activities, particularly tools like Smbexec.
6. Deploy endpoint detection and response (EDR) solutions capable of detecting privilege escalation and lateral movement behaviors.
7. Conduct regular threat hunting exercises focused on identifying indicators of compromise related to Storm-2603 tactics, techniques, and procedures (TTPs).
8. Enforce multi-factor authentication (MFA) for administrative accounts and limit privileges following the principle of least privilege.
9. Maintain robust backup and recovery procedures isolated from the network to mitigate ransomware impact.
10. Educate security teams on the risks of legitimate tool misuse and update incident response playbooks accordingly.
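One way to operationalise items 2 and 3 above (flag Velociraptor running outside controlled IR use, and flag the version the advisory cites as vulnerable), as an added example that is not code from the article or from the Velociraptor project. It assumes a process-creation feed already normalised to JSON lines with host, image, parent, version and user fields; the allow-list and the sample events are constructed.

```python
import json

# Version the advisory names as carrying CVE-2025-6264.
VULNERABLE_VERSION = (0, 73, 4, 0)
# Constructed allow-list: IR hosts and the account expected to launch the agent.
APPROVED_HOSTS = {"ir-collector01"}
APPROVED_USERS = {"CORP\\svc_velociraptor"}

# Constructed sample process-creation events (assumed normalised JSON lines).
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"host": "ir-collector01", "image": r"C:\Program Files\Velociraptor\velociraptor.exe",
     "parent": "services.exe", "version": "0.74.1.0", "user": "CORP\\svc_velociraptor"},
    {"host": "sp-web01", "image": r"C:\Windows\Temp\velociraptor.exe",
     "parent": "w3wp.exe", "version": "0.73.4.0", "user": "NT AUTHORITY\\SYSTEM"},
    {"host": "fs02", "image": r"C:\Users\Public\Velociraptor.exe",
     "parent": "cmd.exe", "version": "0.72.0.0", "user": "CORP\\jdoe"},
    {"host": "fs02", "image": r"C:\Windows\System32\notepad.exe",
     "parent": "explorer.exe", "version": "", "user": "CORP\\jdoe"},
])


def parse_version(text):
    """'0.73.4.0' -> (0, 73, 4, 0); missing or garbled -> ()."""
    try:
        return tuple(int(p) for p in text.split("."))
    except ValueError:
        return ()


def check_event(ev):
    """Reasons an event is suspicious; an empty list means nothing to flag."""
    image = ev.get("image", "").replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if image != "velociraptor.exe":
        return []
    reasons = []
    if ev.get("host") not in APPROVED_HOSTS:
        reasons.append("launched on a host outside the IR deployment")
    if ev.get("user") not in APPROVED_USERS:
        reasons.append("launched by an unexpected account")
    ver = parse_version(ev.get("version", ""))
    if ver == VULNERABLE_VERSION:
        reasons.append("version 0.73.4.0 carries CVE-2025-6264")
    elif ver and ver < VULNERABLE_VERSION:
        reasons.append("older than 0.73.4.0; treat as vulnerable until verified")
    return reasons


def scan(lines):
    """Run check_event over JSON lines; findings keyed by host:image."""
    events = [json.loads(l) for l in lines.splitlines() if l.strip()]
    return {f"{e['host']}:{e['image']}": r for e in events if (r := check_event(e))}
```

Only the two launches outside the IR deployment are reported; the approved collector and the unrelated notepad.exe event produce nothing.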
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Belgium, Sweden, Finland
Technical Details
- Article Source
- https://thehackernews.com/2025/10/hackers-turn-velociraptor-dfir-tool.html (fetched 2025-10-13, 1234 words)
Threat ID: 68ec4cb8fbc519dcfe59fee4
Added to database: 10/13/2025, 12:50:00 AM
Last enriched: 10/13/2025, 12:50:51 AM
Last updated: 10/16/2025, 11:43:49 AM