Open Source DFIR Tool Velociraptor Exploited In Multi-Ransomware Attack

China-Linked Storm-2603 Hijacks Velociraptor To Deploy Warlock, LockBit And Babuk

Outdated Velociraptor, a widely used open source DFIR tool, was exploited by China-linked Storm-2603 to maintain persistence and deploy multiple ransomware strains.

Velociraptor, an open source Digital Forensics and Incident Response (DFIR) tool designed to hunt intruders, has been exploited by threat actors to deploy ransomware. Cisco Talos researchers first detected the activity in August 2025 while investigating a multi-vector ransomware incident.

The campaign has been linked to Storm-2603, a suspected China-based group previously known for exploiting Microsoft SharePoint vulnerabilities. The attackers deployed Warlock, LockBit, and Babuk ransomware, encrypting VMware ESXi virtual machines and Windows servers, severely impacting IT environments.

“Talos responded to a ransomware attack by actors who appeared to be affiliated with Warlock ransomware, based on their ransom note and use of Warlock’s data leak site (DLS). They deployed Warlock, LockBit, and Babuk ransomware to encrypt VMware ESXi virtual machines (VMs) and Windows servers. This severely impacted the customer’s IT environment,” Talos researchers said.

The attackers abused an outdated Velociraptor build (0.73.4.0) affected by a privilege escalation flaw (CVE-2025-6264), which gave them full control of the endpoint. The hijacked Velociraptor agents were also directed to download and execute Visual Studio Code, giving the actors a persistent path to their command-and-control servers that survived the isolation of infected hosts.

“Velociraptor played a significant role in this campaign, ensuring the actors maintained stealthy persistent access while deploying LockBit and Babuk ransomware. The addition of this tool in the ransomware playbook is in line with findings from Talos’ ‘2024 Year in Review,’ which highlights that threat actors are utilising an increasing variety of commercial and open-source products,” Talos added.

Talos urges organisations to audit every Velociraptor deployment and upgrade to version 0.73.5 or later, which fixes the flaw, and points to the broader risk of legitimate open-source tooling being turned against the organisations that run it.
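The two checks the article implies are the ones a responder would script first: is the reported Velociraptor version below the 0.73.5 fix level Talos names for CVE-2025-6264, and is the agent spawning Visual Studio Code on any host. The following is an added example, not code from Talos or the Velociraptor project. It assumes the agent binary is named velociraptor.exe, that VS Code runs as code.exe, and that process-creation telemetry has been exported as pipe-delimited key=value records; the sample records are constructed, not real telemetry.

```python
"""Version triage and process-tree triage for the Velociraptor abuse described above.

Added example; assumptions (not from the article): agent binary name,
VS Code binary name, and the pipe-delimited key=value record layout.
"""
import ntpath
from typing import Dict, List, Tuple

PATCHED_VERSION = "0.73.5"          # fix level named in the article
AGENT_IMAGE = "velociraptor.exe"    # assumed agent binary name
VSCODE_IMAGE = "code.exe"           # assumed VS Code binary name


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '0.73.4.0' into (0, 73, 4). Trailing zeros are dropped so
    '0.73.5' and '0.73.5.0' compare equal. Numeric tuples are used because a
    plain string comparison would rank '0.73.10' below '0.73.4'."""
    parts = tuple(int(p) for p in v.strip().split("."))
    while len(parts) > 1 and parts[-1] == 0:
        parts = parts[:-1]
    return parts


def is_vulnerable(version: str) -> bool:
    """True when the reported build is older than the fix level."""
    return parse_version(version) < parse_version(PATCHED_VERSION)


def parse_record(line: str) -> Dict[str, str]:
    """Split 'k=v|k=v' into a dict; values may themselves contain '='."""
    out: Dict[str, str] = {}
    for field in line.split("|"):
        if "=" in field:
            k, v = field.split("=", 1)
            out[k.strip()] = v.strip()
    return out


def basename(path: str) -> str:
    # ntpath handles Windows separators regardless of the analyst's platform.
    return ntpath.basename(path).lower()


def triage_process_records(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (severity, child image) for every child of the agent process.

    VS Code launched by the agent is the pattern the article describes and is
    rated high. Any other child is surfaced for review: the agent normally
    runs collection, not arbitrary tooling, and an allowlist of artifacts
    expected in a given environment would be applied here during tuning.
    """
    findings: List[Tuple[str, str]] = []
    for line in lines:
        rec = parse_record(line)
        if basename(rec.get("ParentImage", "")) != AGENT_IMAGE:
            continue
        child = basename(rec.get("Image", ""))
        findings.append(("high" if child == VSCODE_IMAGE else "review", child))
    return findings


# Constructed sample records (not real telemetry).
SAMPLE_RECORDS = [
    "EventID=1|ParentImage=C:\\Windows\\explorer.exe"
    "|Image=C:\\Program Files\\Microsoft VS Code\\Code.exe|CommandLine=Code.exe",
    "EventID=1|ParentImage=C:\\Program Files\\Velociraptor\\velociraptor.exe"
    "|Image=C:\\Users\\Public\\code.exe|CommandLine=code.exe",
    "EventID=1|ParentImage=C:\\Program Files\\Velociraptor\\velociraptor.exe"
    "|Image=C:\\Windows\\System32\\cmd.exe|CommandLine=cmd.exe /c whoami",
    "EventID=1|ParentImage=C:\\Windows\\System32\\services.exe"
    "|Image=C:\\Program Files\\Velociraptor\\velociraptor.exe"
    "|CommandLine=velociraptor.exe --config client.config.yaml client",
]

if __name__ == "__main__":
    for v in ("0.73.4.0", "0.73.5", "0.74.1"):
        print(v, "VULNERABLE" if is_vulnerable(v) else "ok")
    for severity, image in triage_process_records(SAMPLE_RECORDS):
        print(severity, image)
```

Run against the constructed records, only the two children of velociraptor.exe are reported (code.exe as high, cmd.exe for review); VS Code started from Explorer and the agent's own service start are ignored. The version check treats 0.73.4.0 as vulnerable and 0.73.5 and 0.74.1 as fixed, matching the article's guidance.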
