Ransomware Hackers Weaponize Velociraptor DFIR Tool

Summary
– Threat actors are using the Velociraptor DFIR tool in attacks deploying LockBit and Babuk ransomware, with researchers attributing the campaign to China-based Storm-2603.
– The attackers exploited an outdated version of Velociraptor vulnerable to CVE-2025-6264, allowing privilege escalation and arbitrary command execution for host takeover.
– Persistence was maintained by creating local admin accounts synced to Entra ID, accessing VMware vSphere, and repeatedly launching Velociraptor even after host isolation.
– Attackers disabled Defender protection via Active Directory GPOs and used fileless PowerShell encryptors with random AES keys for mass encryption on Windows systems.
– Data exfiltration occurred before encryption to support double-extortion, with deliberate delays between uploads to evade detection; the published IoCs cover files uploaded by the threat actor and Velociraptor-related components.
Cybersecurity professionals are facing a new and troubling development as malicious actors have begun co-opting the Velociraptor digital forensics and incident response (DFIR) tool to distribute LockBit and Babuk ransomware. Analysts from Cisco Talos assess with moderate confidence that a threat group known as Storm-2603, believed to operate from China, is responsible for these campaigns. Velociraptor, originally developed by Mike Cohen, is an open-source platform now owned by Rapid7, which offers a commercial edition to its client base.
Earlier findings from Sophos revealed that hackers were already misusing Velociraptor to gain remote access. The attackers specifically used it to fetch and run Visual Studio Code on infected systems, creating a secure link to their command and control servers. Another report from Halcyon, a ransomware protection firm, connects Storm-2603 to Chinese state-sponsored operations, identifying the group as both Warlock ransomware affiliates and associates of the LockBit syndicate.
Maintaining persistent access was a key objective for the intruders. Cisco Talos discovered they deployed an older Velociraptor release, version 0.73.4.0, which contained a privilege escalation flaw designated CVE-2025-6264. This vulnerability could permit arbitrary command execution and full system control. During initial compromise, the threat actor established local administrator accounts synchronized with Entra ID, then used them to log into the VMware vSphere console, securing long-term management of virtual machines.
Even after isolating an infected host, Velociraptor continued to run repeatedly, helping the attackers preserve their foothold. Investigators also noted the use of Impacket smbexec-style commands for remote program execution, along with scheduled tasks set up to run batch scripts. To evade security tools, the hackers altered Active Directory Group Policy Objects to shut down Defender real-time protection and disabled monitoring of behavior and file activity.
On Windows systems, endpoint detection and response platforms classified the ransomware as LockBit, though encrypted files carried the “.xlockxlock” extension, previously associated with Warlock ransomware. For VMware ESXi environments, a Linux binary identified as Babuk ransomware was discovered. Additionally, a fileless PowerShell encryptor was employed, generating random AES keys each time it executed. This tool is thought to be the primary mechanism for large-scale encryption across Windows machines.
Before launching encryption, the attackers ran another PowerShell script to steal files, supporting a double-extortion strategy. The script incorporated ‘Start-Sleep’ commands to introduce pauses between uploads, helping it avoid detection in sandbox and analysis setups. Cisco Talos has released two collections of indicators of compromise associated with these incidents, covering files uploaded by the threat actor and Velociraptor-related components.
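The behaviours described in the preceding paragraphs (the vulnerable Velociraptor build, Velociraptor relaunching after host isolation, smbexec-style remote execution, scheduled tasks running batch scripts, and Defender real-time protection turned off through policy) map onto a handful of simple host-telemetry checks. The detection sketch below is an added example written for this article, not code from Cisco Talos, Rapid7 or the Velociraptor project. It runs over constructed, normalized endpoint events; the event types, field names, the sample values and the service name are assumptions for illustration and would need mapping onto whatever your EDR or SIEM actually emits. The registry value it watches is the policy location that a "turn off real-time protection" GPO setting writes to, and the flagged Velociraptor version is only the one the article names (the fixed version is not given on the page).

```python
"""Detection sketch for the TTPs in the Velociraptor/LockBit/Babuk report.
Added example, not vendor or project code. Event shapes are assumptions."""
from datetime import datetime, timezone

# Policy-backed registry value written when a GPO disables Defender real-time protection.
DEFENDER_RTP_POLICY = (r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender"
                       r"\Real-Time Protection\DisableRealtimeMonitoring")
# Velociraptor release the article names as carrying CVE-2025-6264.
VULNERABLE_VELOCIRAPTOR_VERSION = "0.73.4.0"


def _ts(s):
    """Parse an ISO-8601 timestamp (assumed UTC) into an aware datetime."""
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


def detect(events):
    """Return a list of (rule, timestamp, detail) findings over normalized events."""
    # First pass: when (if ever) each host was isolated, so later Velociraptor
    # launches on that host can be flagged as persistence after containment.
    isolated = {ev["host"]: _ts(ev["ts"]) for ev in events if ev["type"] == "host_isolated"}

    findings = []
    for ev in events:
        kind = ev["type"]
        if kind == "registry_set":
            # Rule 1: Defender real-time protection switched off via policy.
            if ev["key"].lower() == DEFENDER_RTP_POLICY.lower() and ev["value"] == 1:
                findings.append(("defender_rtp_disabled_by_policy", ev["ts"], ev["key"]))
        elif kind == "process_start":
            image = ev["image"].lower()
            if "velociraptor" in image:
                # Rule 2: Velociraptor launched after this host was isolated.
                iso = isolated.get(ev["host"])
                if iso is not None and _ts(ev["ts"]) > iso:
                    findings.append(("velociraptor_after_isolation", ev["ts"], ev["image"]))
                # Rule 3: build version the article identifies as vulnerable.
                if ev.get("file_version") == VULNERABLE_VELOCIRAPTOR_VERSION:
                    findings.append(("velociraptor_vulnerable_version", ev["ts"], ev["file_version"]))
        elif kind == "scheduled_task_created":
            # Rule 4: scheduled task whose action is a batch script.
            if ev["action"].lower().endswith(".bat"):
                findings.append(("scheduled_task_runs_batch", ev["ts"], ev["action"]))
        elif kind == "service_installed":
            # Rule 5: smbexec-style service: command output redirected to an
            # admin share on loopback (the distinctive shape of that technique).
            path = ev["image_path"].lower()
            if "\\\\127.0.0.1\\" in path and "__output" in path:
                findings.append(("smbexec_style_service", ev["ts"], ev["service_name"]))
    return findings


# Constructed sample telemetry (not real events from the incident).
SAMPLE_EVENTS = [
    {"ts": "2025-10-01T08:00:00", "type": "process_start", "host": "ws01",
     "image": r"C:\ProgramData\Velociraptor\velociraptor.exe", "file_version": "0.73.4.0"},
    {"ts": "2025-10-01T08:05:00", "type": "registry_set", "host": "dc01",
     "key": DEFENDER_RTP_POLICY, "value": 1},
    {"ts": "2025-10-01T08:10:00", "type": "service_installed", "host": "ws02",
     "service_name": "svc_example",  # placeholder name
     "image_path": r"%COMSPEC% /Q /c echo x ^> \\127.0.0.1\C$\__output 2^>^&1"},
    {"ts": "2025-10-01T08:15:00", "type": "scheduled_task_created", "host": "ws01",
     "task_name": r"\Updater", "action": r"C:\Windows\Temp\run.bat"},
    {"ts": "2025-10-01T09:00:00", "type": "host_isolated", "host": "ws01"},
    {"ts": "2025-10-01T09:07:00", "type": "process_start", "host": "ws01",
     "image": r"C:\ProgramData\Velociraptor\velociraptor.exe", "file_version": "0.73.4.0"},
    {"ts": "2025-10-01T09:30:00", "type": "process_start", "host": "ws03",
     "image": r"C:\Windows\System32\notepad.exe", "file_version": "10.0"},
]


if __name__ == "__main__":
    for rule, ts, detail in detect(SAMPLE_EVENTS):
        print(f"{ts} {rule}: {detail}")
```

On the constructed sample this yields six findings: the vulnerable build twice (once before and once after isolation), the policy-disabled real-time protection, the loopback-share service, the batch-script task, and the post-isolation Velociraptor relaunch; the notepad launch on ws03 produces nothing. The per-host isolation lookup is the part worth keeping: a legitimate Velociraptor deployment looks identical to this one except that it should never reappear on a host your team has already contained.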
(Source: Bleeping Computer)