Redazione RHC: 11 October 2025 08:49
Hackers have begun using Velociraptor, the digital forensics and incident response (DFIR) tool, to launch LockBit and Babuk ransomware attacks. Cisco Talos researchers attribute these campaigns to the Storm-2603 group, which operates in China.
According to analysts, the attackers used an outdated version of Velociraptor with a privilege escalation vulnerability (CVE-2025-6264, CVSS score 5.5) to gain complete control over the infected systems.
Velociraptor was created by Mike Cohen as an open-source DFIR tool and later acquired by Rapid7, which is developing a commercial version. In late August, Sophos researchers reported that attackers were already using this software for remote access. They used it to download and run Visual Studio Code on infected hosts, creating a secure communication tunnel with C2 servers.
According to Cisco Talos, the attack began by creating local administrator accounts synchronized with the Login ID. Using these accounts, the attackers logged in to the VMware vSphere console and established a presence in the virtual infrastructure.
They then installed an older version of Velociraptor, 0.73.4.0, which contained the CVE-2025-6264 vulnerability, allowing them to execute arbitrary commands and take control of the system. The tool was reused even after the host was isolated, ensuring a persistent presence on the network.
The attackers also used Impacket-style smbexec commands to remotely launch programs and create scheduled tasks with batch scripts. To weaken security, they disabled Microsoft Defender protection modules, including file and process activity monitoring, via Active Directory Group Policy.
Threat detection tools identified LockBit ransomware running on Windows computers, but the encrypted files carried the “.xlockxlock” extension, which has also been seen in Warlock attacks.
On VMware ESXi servers, researchers found a Linux binary identified as Babuk. A fileless PowerShell ransomware was used for mass data encryption, generating new AES keys with each execution. Previously, another PowerShell script downloaded documents for double extortion, adding delays between operations to evade sandboxes and analysis systems.
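The chain reported above (a known-affected Velociraptor build, smbexec-style remote execution, scheduled tasks running batch scripts, and Defender protection being switched off) maps onto a handful of Windows event types that a defender can watch for. The script below is an added example written for this article; it is not code from Cisco Talos, Rapid7 or the Velociraptor project. It treats simplified dictionaries as stand-ins for parsed Sysmon, System, Security and Defender operational events, and every sample record is constructed. The only Velociraptor version it hard-codes is 0.73.4.0, the build the article names; the patched threshold is left as an operator-supplied parameter because the article does not state one.

```python
"""
Detection sketch for the TTP chain reported above (added example, not from
the article or from Cisco Talos). Flags:
  1. execution of a Velociraptor build in the known-affected range,
  2. Impacket smbexec-style service installs (System event 7045),
  3. scheduled tasks that run batch scripts (Security event 4698),
  4. Defender real-time protection switched off (Defender operational 5001).
Event records are simplified dictionaries; all sample data is constructed.
"""
import re
from typing import Iterable, List, Optional, Tuple

# Version the article names as carrying CVE-2025-6264.
KNOWN_AFFECTED_VELOCIRAPTOR = "0.73.4.0"

# Impacket smbexec defaults: service name BTOBTO, output captured to __output.
SMBEXEC_SERVICE_NAME = "BTOBTO"
SMBEXEC_OUTPUT_MARKER = "__output"


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '0.73.4.0' into (0, 73, 4, 0) so versions compare numerically."""
    return tuple(int(part) for part in re.findall(r"\d+", text))


def velociraptor_is_vulnerable(version: str, patched_version: Optional[str] = None) -> bool:
    """True when the binary is at or below the build the article names as
    affected, or below a patched version the operator supplies from the
    vendor advisory (unset by default: the article does not state one)."""
    v = parse_version(version)
    if v <= parse_version(KNOWN_AFFECTED_VELOCIRAPTOR):
        return True
    return patched_version is not None and v < parse_version(patched_version)


def looks_like_smbexec(service_name: str, image_path: str) -> bool:
    """Service install shaped like Impacket smbexec: the default service name,
    or cmd.exe running a temp batch file and capturing into __output."""
    path = image_path.lower()
    return service_name == SMBEXEC_SERVICE_NAME or (
        SMBEXEC_OUTPUT_MARKER in path and "comspec" in path and ".bat" in path
    )


def analyze(events: Iterable[dict], patched_version: Optional[str] = None) -> List[tuple]:
    """Walk parsed events and return (finding, detail) pairs in log order."""
    findings = []
    for e in events:
        eid = e.get("event_id")
        source = e.get("source", "")
        if source == "Sysmon" and eid == 1 and "velociraptor" in e.get("process", "").lower():
            # Sysmon process creation carries the binary's FileVersion field.
            if velociraptor_is_vulnerable(e.get("file_version", "0"), patched_version):
                findings.append(("vulnerable_velociraptor", e["file_version"]))
        elif source == "System" and eid == 7045 and looks_like_smbexec(
            e.get("service_name", ""), e.get("image_path", "")
        ):
            findings.append(("smbexec_service_install", e.get("service_name")))
        elif source == "Security" and eid == 4698 and e.get("command", "").lower().endswith((".bat", ".cmd")):
            findings.append(("scheduled_task_batch", e["task_name"]))
        elif eid == 5001 and "Windows Defender" in source:
            # Whatever turned it off (the article reports Group Policy), the
            # local Defender log records real-time protection going off as 5001.
            findings.append(("defender_realtime_disabled", e.get("host")))
    return findings


SAMPLE_EVENTS = [  # constructed for this example
    {"event_id": 1, "source": "Sysmon", "host": "vm-app01",
     "process": r"C:\Windows\Temp\velociraptor.exe", "file_version": "0.73.4.0"},
    {"event_id": 7045, "source": "System", "host": "vm-app01", "service_name": "BTOBTO",
     "image_path": r"%COMSPEC% /Q /c echo dir ^> \\127.0.0.1\C$\__output 2^>^&1 > %TEMP%\execute.bat & %COMSPEC% /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat"},
    {"event_id": 4698, "source": "Security", "host": "vm-app01",
     "task_name": r"\Updater", "command": r"C:\Windows\Temp\run.bat"},
    {"event_id": 5001, "source": "Microsoft-Windows-Windows Defender", "host": "vm-app01"},
    # A later build on another host: not flagged, since only the known-affected
    # range is checked unless a patched threshold is supplied.
    {"event_id": 1, "source": "Sysmon", "host": "ws-ops07",
     "process": r"C:\Program Files\Velociraptor\velociraptor.exe", "file_version": "0.75.0.0"},
]

if __name__ == "__main__":
    for finding, detail in analyze(SAMPLE_EVENTS):
        print(finding, detail)
```

Run against the constructed events, `analyze` returns four findings, one per stage of the reported chain, and leaves the later Velociraptor build alone. In a real deployment the dictionaries would come from an EVTX or SIEM parser, and `patched_version` should be set from the vendor advisory so that any build below it, not just 0.73.4.0, is flagged.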
Halcyon noted in its research that Storm-2603 is likely linked to Chinese government agencies and was previously known as Warlock and CL-CRI-1040. The group acted as a partner with LockBit, combining its tools with those of established cybercrime ecosystems.
Cisco Talos presented a series of indicators of compromise, including files downloaded by the attackers and traces of Velociraptor activity detected on infected systems.