
China-based threat actors abused outdated Velociraptor to maintain persistence and help deploy Warlock, LockBit, and Babuk ransomware.

Velociraptor, the open-source DFIR tool meant to hunt intruders, has itself gone rogue, being picked up by threat actors in coordinated ransomware operations. The tool had never been tied to extortion attacks before; it has now been found to be abused by a China-based group, Storm-2603, previously known for exploiting Microsoft SharePoint vulnerabilities.
Cisco Talos researchers first spotted the activity in August 2025 while responding to an unnamed multi-vector ransomware incident.
“Talos responded to a ransomware attack by actors who appeared to be affiliated with Warlock ransomware, based on their ransom note and use of Warlock’s data leak site (DLS),” said Talos researchers in a blog post. “They deployed Warlock, LockBit, and Babuk ransomware to encrypt VMware ESXi virtual machines (VMs) and Windows servers. This severely impacted the customer’s IT environment.”
Talos attributed the activity to the group with moderate confidence, citing “overlapping tools and tactics, techniques and procedures (TTPs)”.
When a good tool goes rogue
Velociraptor is typically leveraged by defenders, who deploy its agents across Windows, Linux, and macOS systems to continuously collect telemetry and respond to security events. In this campaign, however, the attackers deployed an old, vulnerable version (0.73.4.0) that contains a privilege escalation flaw (CVE-2025-6264), enabling command execution and full endpoint takeover.
The hijacked Velociraptor agents were also, in cases observed by Sophos’ CTU, manipulated to download and execute Visual Studio Code, likely to create a tunnel to a command-and-control (C2) server. Talos noted that Velociraptor continued to launch even after an infected host was isolated, highlighting the tool’s role in maintaining persistence within compromised systems.
“Velociraptor played a significant role in this campaign, ensuring the actors maintained stealthy persistent access while deploying LockBit and Babuk ransomware,” Talos researchers added. “The addition of this tool in the ransomware playbook is in line with findings from Talos’ ‘2024 Year in Review,’ which highlights that threat actors are utilizing an increasing variety of commercial and open-source products.”
Attribution and the ransomware cocktail
Talos links the campaign to Storm-2603, a suspected China-based threat actor, citing matching TTPs like the use of ‘cmd.exe’, disabling Defender protections, creating scheduled tasks, and manipulating Group Policy Objects. The use of multiple ransomware strains in a single operation – Warlock, LockBit, and Babuk – also bolstered confidence in this attribution.
“Talos observed ransomware executables on Windows machines that were identified by EDR solutions as LockBit, and encrypted files with the Warlock extension ‘xlockxlock’,” the researchers added. “There was also a Linux binary on ESXi servers flagged as the Babuk encryptor, which achieved only partial encryption and appended files with ‘.babyk’.”
Talos researchers added that the presence of Babuk ransomware in this breach is new. Storm-2603 has not publicly been tied to Babuk before this, while its deployment of Warlock and LockBit in the same attack was previously reported. A double-extortion strategy was also evident: the attackers exfiltrated sensitive data using a stealthy PowerShell script that suppressed progress reporting and included delays to evade sandbox detection.
Talos urged defenders to verify the integrity and version of all Velociraptor deployments, ensuring they are updated to version 0.73.5 or later, which patches the privilege-escalation flaw CVE-2025-6264. The disclosure follows another case this week of legitimate, open-source software being turned malicious, the earlier one involving China-linked hackers weaponizing the Nezha RMM tool to deploy GhostRAT.
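The version-and-integrity check Talos recommends, written out as an added example (not code from the article, Talos or the Velociraptor project): it walks a constructed agent inventory and flags agents older than the 0.73.5 fix for CVE-2025-6264, as well as agents configured to report to a server the organization does not operate, which is what an attacker-deployed agent looks like. The inventory layout and the approved server list are assumptions for illustration; the version numbers are the article's.

```python
"""Audit a Velociraptor agent inventory for the two conditions the article
calls out: agents predating the 0.73.5 fix for CVE-2025-6264, and agents whose
configured server is not one of the organization's own (an attacker-deployed
agent phones home to the attacker's server, not yours).
The inventory format and server allowlist are assumptions for this example."""
from __future__ import annotations

PATCHED_VERSION = "0.73.5"  # first release fixing CVE-2025-6264 (per the article)

# Velociraptor servers the organization actually operates (assumed values)
APPROVED_SERVERS = {"https://velociraptor.corp.example:8000/"}

# Constructed sample inventory: (hostname, agent version, configured server URL)
SAMPLE_INVENTORY = [
    ("esxi-mgmt-01", "0.73.4.0", "https://velociraptor.corp.example:8000/"),
    ("fileserver-02", "0.73.5", "https://velociraptor.corp.example:8000/"),
    ("dc-01", "0.74.1", "https://203.0.113.45:8000/"),
    ("jumpbox-03", "0.73.4.0", "https://203.0.113.45:8000/"),
]


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '0.73.4.0' into (0, 73, 4, 0). Tuples compare element-wise, so the
    shorter (0, 73, 5) correctly sorts above the four-part (0, 73, 4, 0)."""
    return tuple(int(part) for part in text.strip().split("."))


def is_vulnerable(version: str) -> bool:
    """True when the agent version predates the CVE-2025-6264 fix."""
    return parse_version(version) < parse_version(PATCHED_VERSION)


def audit(inventory, approved_servers=APPROVED_SERVERS) -> dict[str, list[str]]:
    """Return findings per host; a host is listed only if something is wrong."""
    findings: dict[str, list[str]] = {}
    for host, version, server in inventory:
        issues = []
        if is_vulnerable(version):
            issues.append(f"outdated agent {version} (< {PATCHED_VERSION}, CVE-2025-6264)")
        if server not in approved_servers:
            issues.append(f"agent reports to unapproved server {server}")
        if issues:
            findings[host] = issues
    return findings


if __name__ == "__main__":
    for host, issues in audit(SAMPLE_INVENTORY).items():
        print(host, "->", "; ".join(issues))
```

An agent that is fully patched but reports to an unknown server (dc-01 above) is still a finding: the version check alone would miss an attacker's own deployment.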
Shweta has been writing about enterprise technology since 2017, most recently reporting on cybersecurity for CSO online. She breaks down complex topics from ransomware to zero trust architecture for both experts and everyday readers. She has a postgraduate diploma in journalism from the Asian College of Journalism, and enjoys reading fiction, watching movies, and experimenting with new recipes when she’s not busy decoding cyber threats.