Velociraptor Tool Exploited in Ransomware Campaigns

Threat Overview

We have identified a new threat report published by AlienVault on October 9, 2025. The report highlights the exploitation of Velociraptor, an open-source digital forensics tool, in ransomware attacks. This activity is attributed to Storm-2603, a China-based threat actor group. The attackers have deployed Warlock, LockBit, and Babuk ransomware to encrypt VMware ESXi VMs and Windows servers.

Velociraptor is typically used by security teams for endpoint monitoring across various operating systems including Windows, Linux, and Mac. It collects data continuously and responds to security events. However, in this campaign, the threat actors installed an outdated version of Velociraptor (version 0.73.4.0) that is vulnerable to privilege escalation (CVE-2025-6264). This vulnerability allows for arbitrary command execution and endpoint takeover.

Campaign Details

The first indications of suspicious activity linked to this campaign were observed in mid-August 2025. The threat actors attempted to escalate privileges and move laterally within the compromised environment. They created admin accounts that synced with Entra ID (formerly Azure Active Directory) via the domain controller. These admin accounts also accessed the VMware vSphere console, which could provide persistent access to the virtual environment.

The attackers installed an older version of Velociraptor on multiple servers to maintain persistence. This tool was observed launching several times even after the host was isolated. The threat actors used Velociraptor to download and execute Visual Studio Code, likely to create a tunnel to an attacker-controlled command-and-control (C2) server.

Tactics, Techniques, and Procedures (TTPs)

The campaign involved several key tactics:

  • Privilege Escalation: The attackers exploited a vulnerability in Velociraptor to escalate privileges.
  • Lateral Movement: They created admin accounts and accessed VMware vSphere for persistent access.
  • Defense Impairment: Modified Active Directory Group Policy Objects (GPOs) to weaken defenses.
  • Fileless PowerShell Script: Deployed a fileless encryption script using PowerShell.
  • Data Exfiltration: Exfiltrated sensitive data from the compromised environment.
  • Remote Execution: Used Smbexec for remote program execution.

Mitigation Recommendations

The following recommendations are provided to mitigate the risks associated with this campaign:

  • Patch Management: Ensure all software, including Velociraptor and ToolShell, is up-to-date with the latest security patches.
  • Ransomware Safeguards: Implement robust ransomware protection measures, such as regular backups and network segmentation.
  • Monitoring and Detection: Continuously monitor for suspicious activities and anomalies within the network.
  • Access Control: Enforce strict access controls and regularly review admin accounts and permissions.
  • Endpoint Security: Deploy advanced endpoint protection solutions to detect and respond to threats in real-time.

Conclusion

The exploitation of Velociraptor by the Storm-2603 threat actor group underscores the evolving tactics used by cybercriminals. By leveraging open-source tools, attackers can maintain stealthy persistent access and deploy sophisticated ransomware attacks. Organizations must remain vigilant and implement comprehensive security measures to protect against such threats.

References

AlienVault OTX Pulse

Talos Intelligence Blog

Looking for the Best Cyber Security?

Seamlessly integrate local and cloud resources with our comprehensive cybersecurity services. Protect user traffic at endpoints using advanced security solutions like threat hunting and endpoint protection. Build a scalable network infrastructure with continuous monitoring, incident response, and compliance assessments.

Contact Us

Copyright © 2025 ESSGroup

Discover more from ESSGroup

Subscribe now to keep reading and get access to the full archive.

Continue reading