Hackers Turn Velociraptor DFIR Tool Into Weapon in LockBit Ransomware Attacks
Hackers Turn Velociraptor DFIR Tool Into Weapon in LockBit Ransomware Attacks
11 October 2025
Threat actors are abusing Velociraptor, an open-source digital forensics and incident response (DFIR) tool, in connection with ransomware attacks likely orchestrated by Storm-2603 (aka CL-CRI-1040 or Gold Salem), which is known for deploying the Warlock and LockBit ransomware.
The threat actor's use of the security utility was documented by Sophos last month. It's assessed that the attackers