Forensics Tool Velociraptor Used to Deploy LockBit and Babuk Ransomware

Cisco Talos researchers have warned that Velociraptor, a legitimate digital forensics and incident response (DFIR) tool, is being repurposed by LockBit and Babuk ransomware operators to deploy malware and maintain persistence in compromised networks.
Velociraptor is an open-source DFIR utility originally developed by security researcher Mike Cohen and later acquired by Rapid7, which provides an enhanced enterprise version for its customers.
Background: From Defense to Offense
The misuse of legitimate administrative and incident response tools — a technique known as living-off-the-land (LotL) — has become common in modern cyberattacks. However, the abuse of Velociraptor marks a new escalation: attackers are weaponizing software designed for incident response itself.
Earlier this summer, Sophos documented a case in which unknown threat actors used Velociraptor to download and run Visual Studio Code on compromised hosts, establishing secure tunnels to their command-and-control infrastructure. At the time, researchers noted this as an evolution in LotL tactics, leveraging legitimate DFIR tools for stealthy operations.
New Findings: Exploiting a Vulnerable Version
According to the new Cisco Talos report, ransomware operators have now begun exploiting an outdated version of Velociraptor — v0.73.4.0 — that contains a privilege escalation vulnerability (CVE-2025-6264) allowing arbitrary command execution and full system takeover.
“After gaining initial access, the attackers installed an outdated version of Velociraptor (0.73.4.0), which is vulnerable to a privilege escalation issue (CVE-2025-6264) that leads to arbitrary command execution and endpoint takeover,” Talos analysts wrote.
In the initial phase of the attack, the intruders created local administrator accounts synced with Entra ID and leveraged them to access the VMware vSphere console, maintaining persistent control over virtualized infrastructure.
Persistence and Disabling Defenses
Talos observed that the attacker-deployed Velociraptor instance relaunched automatically, even after host isolation — helping the attackers sustain persistence. The adversaries also disabled Microsoft Defender’s real-time protection by editing Active Directory Group Policy Objects (GPOs) and turned off its behavior and program monitoring features.
While endpoint detection and response (EDR) systems flagged the encryption payload as LockBit ransomware, analysts noted that the encrypted files used the “.xlockxlock” extension — a signature trait of the Warlock ransomware, previously attributed to the Chinese group Storm-2603.
On VMware ESXi systems, Talos detected a Linux binary identified as Babuk ransomware, further expanding the attackers’ reach across platforms.
Fileless PowerShell and Ransomware Deployment
In addition, researchers found evidence of a fileless PowerShell-based ransomware that generated random AES encryption keys upon each execution, suggesting its role in mass-encrypting data across Windows environments.
Cisco Talos included two sets of indicators of compromise (IoCs) in its technical appendix: one for files uploaded by the attackers and another for the Velociraptor artifacts used during the operation.
Attribution: Storm-2603 Suspected
Investigators suspect the campaign is linked to the Chinese threat actor Storm-2603, also tracked as CL-CRI-1040 and Gold Salem. According to Halcyon, the group operates as a state-aligned actor and has previously functioned as a LockBit affiliate, orchestrating Warlock ransomware attacks under multiple guises.
Broader Implications
The incident underscores a growing trend: legitimate security and forensic tools are being weaponized by adversaries to blend malicious activity with normal administrative behavior.
As defenders increasingly rely on tools like Velociraptor for investigation, the same utilities are becoming vectors for exploitation.
Security experts warn that defenders must now validate DFIR tools, monitor for unauthorized deployments, and ensure rapid patching of known vulnerabilities in these trusted applications.
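The three recommendations above (validate DFIR tooling, watch for unauthorized deployments, keep versions patched) can be turned into a simple inventory audit. The script below is an added example and is not code from Cisco Talos, Rapid7 or the Velociraptor project. It takes a list of observed Velociraptor agent installs, as an EDR or asset system might export them, and flags any that run the build the article names as vulnerable (0.73.4.0, CVE-2025-6264), fall below a sanctioned baseline, enroll to a server the defending team does not operate, or were installed by an account outside the sanctioned service account. The baseline version, the server and installer allowlists, and the inventory records are all constructed values for illustration; only the version number and CVE come from the article.

```python
"""Audit Velociraptor agent installs against an allowlist and a known-vulnerable build.

Added example, not part of the article or of the Velociraptor project.
The baseline version, allowlists and sample inventory are assumed/constructed;
only 0.73.4.0 and CVE-2025-6264 are taken from the Cisco Talos findings.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# From the article: the outdated build installed by the attackers.
KNOWN_VULNERABLE: Dict[str, str] = {"0.73.4.0": "CVE-2025-6264"}

# Assumption: the minimum build your team has sanctioned (placeholder, not a
# statement about which release fixed the CVE; check the vendor advisory).
SANCTIONED_BASELINE = "0.74.0.0"

# Assumption: the only Velociraptor server and deployment account you operate.
SANCTIONED_SERVERS = {"https://velociraptor.corp.example:8000"}
SANCTIONED_INSTALLERS = {"CORP\\svc-dfir"}


@dataclass(frozen=True)
class AgentInstall:
    """One observed Velociraptor agent, as exported from EDR/asset inventory."""
    host: str
    version: str
    server_url: str   # server the agent is enrolled to (from its client config)
    installed_by: str # account that created the service/binary


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '0.73.4.0' or 'v0.74.1' into a comparable tuple; non-numeric parts count as 0."""
    parts = []
    for piece in v.strip().lstrip("v").split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


def audit_install(inst: AgentInstall) -> List[str]:
    """Return a list of finding tags for one install; empty means nothing unusual."""
    findings: List[str] = []
    if inst.version in KNOWN_VULNERABLE:
        findings.append(f"known-vulnerable:{KNOWN_VULNERABLE[inst.version]}")
    elif parse_version(inst.version) < parse_version(SANCTIONED_BASELINE):
        findings.append("below-baseline")
    if inst.server_url not in SANCTIONED_SERVERS:
        # An agent reporting to a server you do not run is a rogue deployment.
        findings.append("unsanctioned-server")
    if inst.installed_by not in SANCTIONED_INSTALLERS:
        # The article notes attacker-created local admin accounts; flag them.
        findings.append("unexpected-installer")
    return findings


def audit_inventory(inventory: List[AgentInstall]) -> Dict[str, List[str]]:
    """Map host -> findings, keeping only hosts with at least one finding."""
    result: Dict[str, List[str]] = {}
    for inst in inventory:
        f = audit_install(inst)
        if f:
            result[inst.host] = f
    return result


# Constructed sample inventory (hostnames, IP and accounts are made up).
SAMPLE_INVENTORY = [
    AgentInstall("WS-FIN-01", "0.74.1.0", "https://velociraptor.corp.example:8000", "CORP\\svc-dfir"),
    AgentInstall("SRV-DB-02", "0.73.4.0", "https://198.51.100.23:8000", "SRV-DB-02\\localadmin2"),
    AgentInstall("WS-HR-07", "0.72.0.0", "https://velociraptor.corp.example:8000", "CORP\\svc-dfir"),
]

if __name__ == "__main__":
    for host, findings in audit_inventory(SAMPLE_INVENTORY).items():
        print(f"{host}: {', '.join(findings)}")
```

In the sample, SRV-DB-02 reproduces the pattern the article describes (vulnerable build, foreign server, ad-hoc local admin as installer) and is flagged on all three counts, WS-HR-07 is merely stale, and WS-FIN-01 is clean and therefore absent from the output. The version check is deliberately separate from the allowlist checks: a sanctioned, up-to-date agent enrolled to the wrong server is still a finding.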