Essential Insights
- Threat actors are using the Velociraptor DFIR tool, exploited via an outdated version with a security flaw (CVE-2025-6264), to maintain persistent access during LockBit and Babuk ransomware attacks, linked to a China-based group, Storm-2603.
- The attackers created local admin accounts, gained control of VMware vSphere VMs, and employed Velociraptor for ongoing access, even after host isolation, while disabling security defenses like Defender and GPOs.
- They deployed ransomware variants—LockBit on Windows (.xlockxlock extension) and Babuk on VMware Linux systems—and used a fileless PowerShell encryptor combined with exfiltration scripts for double extortion.
- Cisco Talos provides specific IoCs, including malicious files and Velociraptor artifacts, indicating a sophisticated, multi-stage campaign with persistent, stealthy tactics tied to a Chinese threat actor.
Underlying Problem
Cybersecurity researchers from Cisco Talos have revealed that cybercriminals, believed to be linked to a China-based group called Storm-2603, are increasingly using the Velociraptor digital forensics and incident response (DFIR) tool to launch sophisticated ransomware attacks. This malicious activity involves exploiting an outdated version of Velociraptor that contains a security flaw (CVE-2025-6264), allowing hackers to escalate privileges and gain complete control over targeted systems. The attackers, who are also associated with groups like Warlock ransomware and have ties to LockBit, initially compromised systems by creating privileged user accounts, then maintained persistent access through Velociraptor and remote command execution, even after attempts to isolate infected hosts. They used a combination of ransomware variants—LockBit, Babuk, and Warlock—to encrypt files and exfiltrate data for double-extortion, all while disabling security protections like Windows Defender and monitoring tools.
This attack was reported by Cisco Talos, a cybersecurity research team, which observed the intruders deploying the malware on both Windows and VMware ESXi virtual machines. The threat actors used a fileless PowerShell encryptor, making detection more difficult, and employed tactics such as scheduled tasks and remote execution commands to sustain their foothold. Their goal was to extract sensitive data and encrypt systems for profit, with the attack’s complexity and persistence demonstrating a deliberate attempt to evade traditional security defenses. The report details numerous indicators of compromise, including specific malicious files and operational behaviors, highlighting the evolving nature of cyber threats leveraging tools like Velociraptor for advanced cyber-espionage and ransomware campaigns.
Risk Summary
Cybercriminals have increasingly exploited the Velociraptor digital forensic tool—originally open-source and now enhanced by Rapid7—for sophisticated cyberattacks involving ransomware such as LockBit and Babuk. Researchers suggest a Chinese-linked group, Storm-2603, possibly affiliated with nation-state actors and similar to groups behind Warlock ransomware, is deploying these tactics to establish stealthy, persistent access to compromised systems. By leveraging outdated Velociraptor versions vulnerable to privilege escalation (CVE-2025-6264), attackers created backdoor admin accounts, gained control over virtual environments, and maintained footholds even after attempted isolate-and-clean measures. They actively disabled endpoint protections, performed remote code execution, and executed mass encryption via fileless PowerShell scripts—adding layers of obfuscation like delaying exfiltration activities to evade detection. The impact is profound: organizations face data loss, operational disruption, and double extortion threats, underscoring how weaponized open-source tools and nation-state tactics are revolutionizing cyber risks, demanding heightened vigilance against advanced persistent threats.
Possible Next Steps
Addressing the rapid evolution of cyber threats requires prompt and effective remediation strategies, especially as attackers increasingly leverage sophisticated digital forensic tools like Velociraptor in ransomware campaigns.
Identification Methods
Implement continuous monitoring to detect unusual activity related to Velociraptor signatures or commands, and utilize threat intelligence feeds to stay updated on the latest attack vectors.
Containment Tactics
Isolate compromised systems immediately upon detection to prevent lateral movement, and disable any unauthorized Velociraptor agents or related processes.
Eradication Procedures
Remove malicious Velociraptor artifacts, update endpoint security solutions to recognize APT signatures, and patch vulnerabilities exploited during the attack.
Restoration Actions
Restore systems from clean backups, verify data integrity, and ensure all patches and security updates are applied to prevent recurrence.
Preventive Measures
Implement strict access controls, enforce the principle of least privilege, conduct regular security awareness training, and establish robust incident response plans to quickly address future threats.
Advance Your Cyber Knowledge
Stay informed on the latest Threat Intelligence and Cyberattacks.
Understand foundational security frameworks via NIST CSF on Wikipedia.
Disclaimer: The information provided may not always be accurate or up to date. Please do your own research, as the cybersecurity landscape evolves rapidly. Intended for secondary references purposes only.
Cyberattacks-V1
