Velociraptor, the open-source DFIR tool meant to hunt intruders, has itself gone rogue – being picked up by threat actors in coordinated ransomware operations. The tool had never before been tied to extortion attacks; it is now being abused by a China-based group, Storm-2603, previously known for exploiting Microsoft SharePoint vulnerabilities.
Cisco Talos researchers first spotted the activity in August 2025 while responding to an unnamed multi-vector ransomware incident.
“Talos responded to a ransomware attack by actors who appeared to be affiliated with Warlock ransomware, based on their ransom note and use of Warlock’s data leak site (DLS),” said Talos researchers in a blog post. “They deployed Warlock, LockBit, and Babuk ransomware to encrypt VMware ESXi virtual machines (VMs) and Windows servers. This severely impacted the customer’s IT environment.”
Talos attributed the activity to the group with moderate confidence, citing “overlapping tools and tactics, techniques and procedures (TTPs)”.
When a good tool goes rogue
Velociraptor is typically leveraged by defenders who deploy its agents across Windows, Linux, and macOS systems to continuously collect telemetry and respond to security events. But in this campaign, the attackers used an old, vulnerable version (0.73.4.0) affected by a privilege escalation flaw (CVE-2025-6264), which they exploited to execute commands and take over endpoints completely.
The hijacked Velociraptor agents were also, in cases observed by Sophos’ CTU, manipulated to download and execute Visual Studio Code, likely to create a tunnel to a command-and-control (C2) server. Talos noted that Velociraptor continued to launch even after an infected host was isolated, highlighting the tool’s role in maintaining persistence within compromised systems.
“Velociraptor played a significant role in this campaign, ensuring the actors maintained stealthy persistent access while deploying LockBit and Babuk ransomware,” Talos researchers added. “The addition of this tool in the ransomware playbook is in line with findings from Talos’ ‘2024 Year in Review,’ which highlights that threat actors are utilizing an increasing variety of commercial and open-source products.”
Attribution and the ransomware cocktail
Talos links the campaign to Storm-2603, a suspected China-based threat actor, citing matching TTPs like the use of ‘cmd.exe’, disabling Defender protections, creating scheduled tasks, and manipulating Group Policy Objects. The use of multiple ransomware strains in a single operation – Warlock, LockBit, and Babuk – also bolstered confidence in this attribution.
“Talos observed ransomware executables on Windows machines that were identified by EDR solutions as LockBit, and encrypted files with the Warlock extension ‘xlockxlock’,” the researchers added. “There was also a Linux binary on ESXi servers flagged as the Babuk encryptor, which achieved only partial encryption and appended files with ‘.babyk’.”
Talos researchers added that the presence of Babuk ransomware in this breach is new. Storm-2603 has not publicly been tied to Babuk before this, while its deployment of Warlock and LockBit in the same attack was previously reported. A double-extortion strategy was also evident: the attackers exfiltrated sensitive data using a stealthy PowerShell script that suppressed progress reporting and included delays to evade sandbox detection.
Talos urged defenders to verify the integrity and version of all Velociraptor deployments, ensuring they’re updated to version 0.73.5 or later, which patches the privilege-escalation flaw CVE-2025-6264. The disclosure follows another case this week of legitimate, open-source software being turned malicious; the earlier case involved China-linked hackers weaponizing the Nezha RMM tool to deploy GhostRAT.
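As an added example (not from the article and not Velociraptor's own tooling), the following Python triages a hand-built host inventory against the 0.73.5 fix level Talos cites, flagging agents below that version and agents on hosts where security operations never deployed one. The inventory format, host names and version values are constructed assumptions.

```python
"""Triage Velociraptor agents for the CVE-2025-6264 fix level (0.73.5+).

Assumption (not from the article): each host is recorded as (hostname,
Velociraptor version reported by the endpoint, whether SecOps deployed it).
"""
from typing import Dict, List, NamedTuple, Optional

PATCHED_VERSION = "0.73.5"  # first release the article says fixes CVE-2025-6264


class Host(NamedTuple):
    name: str
    velociraptor_version: Optional[str]  # None means no agent present
    agent_expected: bool                 # True if SecOps deployed it


def parse_version(version: str) -> tuple:
    """Turn '0.73.4.0' into (0, 73, 4, 0); raises ValueError on junk."""
    return tuple(int(part) for part in version.strip().split("."))


def is_patched(version: str, patched: str = PATCHED_VERSION) -> bool:
    """True when version >= patched; shorter tuples are zero-padded so
    0.73.5 and 0.73.5.0 compare equal."""
    a, b = parse_version(version), parse_version(patched)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a >= b


def triage(host: Host) -> str:
    """Classify one host. An agent nobody deployed is the priority finding,
    whatever its version: in this campaign the attackers brought their own."""
    if host.velociraptor_version is None:
        return "no-agent"
    if not host.agent_expected:
        return "unexpected-agent"
    try:
        return "ok" if is_patched(host.velociraptor_version) else "vulnerable-version"
    except ValueError:
        return "unparseable-version"  # tampered or unknown build string


def triage_inventory(hosts: List[Host]) -> Dict[str, str]:
    """Map hostname -> finding for a whole inventory."""
    return {h.name: triage(h) for h in hosts}


# Constructed sample inventory; names and versions are invented.
SAMPLE_INVENTORY = [
    Host("dc01", "0.73.5", True),
    Host("esx-mgmt", "0.73.4.0", True),   # the build the article describes
    Host("fileserver", "0.74.1", False),  # agent SecOps never deployed
    Host("hr-laptop", None, False),
    Host("web02", "beta", True),
]
```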