Threat actors have begun using VelociRaptor digital forensics and incident response (DFIR) tools in attacks deploying Lockbit and Babuk ransomware.
Cisco Talos researchers assess with moderate confidence that the attacker behind the campaigns is a China-based adversary tracked as Storm-2603.
Velociraptor is a Open-source DFIR tool Created by Mike Cohen. The project has been acquired by Rapid7, which offers an enhanced version to its customers.
Cybersecurity company Sophos reported on August 26 that hackers were Abusing VelociRaptor for remote accessSpecifically, threat actors took advantage of this to download and execute Visual Studio Code on the compromised host, establishing a secure communications tunnel with the command and control (C2) infrastructure.
In a report earlier today, the ransomware security company Halcyon is estimated That Storm-2603 is linked to Chinese nation-state actors, is the same group as Warlock ransomware and CL-CRI-1040, and operates as a Lockbit affiliate.
stealth persistent access
Cisco Talos says the adversary used an older version of VelociRaptor that was vulnerable to a privilege escalation security issue identified as CVE-2025-6264, which could allow arbitrary command execution and take control of the host.
In the first phase of the attack, the threat actor created local administrator accounts that were synced to the Entra ID and used them to access the VMware vSphere console, giving them persistent control over the virtual machines (VMs).
“After gaining initial access, the actors installed an older version of VelociRaptor (version 0.73.4.0) that was exposed to a privilege escalation vulnerability (CVE-2025-6264), which could lead to arbitrary command execution and endpoint takeover.” Cisco Talos explains,
The researchers noted that Velociraptor helped the attackers maintain persistence by launching at it multiple times, even after the host was isolated.
He also observed the execution of impersonated smbexec-style commands to run programs remotely and the creation of scheduled tasks for batch scripts.
The attackers disabled Defender’s real-time protection by modifying Active Directory GPOs and turned off behavior and file/program activity monitoring.
Endpoint detection and response (EDR) solutions identified the ransomware deployed on Windows target systems as Lockbit, but the extension for encrypted files was “.xlockxlock”, which was seen in Warlock ransomware attacks.
On VMware ESXi systems, researchers found a Linux binary that was identified as Babuk ransomware.
Cisco Talos researchers also observed the use of a fileless PowerShell encryptor that generates random AES keys per run, which is considered the main tool for “large-scale encryption on Windows machines”.
Before encrypting the data, the attacker used another PowerShell script to exfiltrate the files for double-extortion purposes. The script uses ‘start-sleep’ to insert a delay between uploading actions to avoid the sandbox and analysis environment.
Cisco Talos researchers offer two sets indicators of agreement (IoCs) were observed in the attacks, which included threat actor files uploaded to compromised machines and VelociRaptor files.
attend Breach and Attack Simulation Summit and experience future of security verificationHear from top experts and see how AI-powered BAS Changing breach and attack simulations.
Don’t miss the event that will shape the future of your security strategy
