
Velociraptor Forensic Tool Used to Deploy LockBit and Babuk Ransomware

Cisco Talos analysts warn that the Velociraptor tool, designed for digital forensics and incident response, is being used in LockBit and Babuk ransomware attacks.

Velociraptor is an open-source DFIR (Digital Forensics and Incident Response) tool, originally created by security researcher Mike Cohen and later acquired by Rapid7, which offers an enhanced version of it to its clients.

In the summer of this year, researchers from Sophos reported that they analyzed an attack in which unknown attackers used Velociraptor. In particular, the attackers used it to download and run Visual Studio Code on compromised hosts, establishing a secure tunnel to their command infrastructure.

At the time, experts noted that attackers routinely employ living-off-the-land (LotL) tactics and abuse legitimate remote monitoring and management tools; the use of Velociraptor, however, marks an evolution of that approach, with incident response software itself being turned to malicious ends.

As Cisco Talos analysts now report, attackers have found a new use for Velociraptor: they deploy an outdated version of the tool that is vulnerable to a privilege-escalation bug (CVE-2025-6264) and exploit it for arbitrary command execution and takeover of the host.

In the initial stage of the attack, the hackers create local admin accounts synchronized with Entra ID and use them to access the VMware vSphere console, gaining persistent control over the virtual machines.

“After obtaining initial access, the attackers installed an outdated version of Velociraptor (0.73.4.0) that is vulnerable to a privilege escalation issue (CVE-2025-6264), which leads to arbitrary command execution and takeover of the endpoint,” the researchers explain.

The researchers also note that the outdated Velociraptor build gave the attackers persistence: the tool was launched repeatedly, even after the host had been isolated.

In their report, the researchers say the attackers disabled Defender's real-time protection by modifying Active Directory Group Policy objects (GPOs), and also turned off behavior monitoring and the monitoring of file and application activity.
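The two host-side findings above (an outdated Velociraptor agent that keeps restarting, and Defender protections switched off through policy) are both checkable from an elevated PowerShell session on a suspect machine. The following triage script is an added example and is not code from the Talos report or from the Velociraptor project; it assumes the agent was installed under Velociraptor's default Windows service name ("Velociraptor") and that the policy-backed Defender settings live under the standard Policies registry key. The registry value names, the Get-MpPreference properties and the Defender event IDs 5001/5004/5007 are real Windows artifacts; the version comparison against 0.73.4.0 simply uses the build number named in the report.

```powershell
# Added triage script (not from the Talos report or the Velociraptor project).
# Assumptions: default service name "Velociraptor"; standard Defender policy key.
# Run from an elevated PowerShell session on the suspect host.

$ErrorActionPreference = 'SilentlyContinue'

# 1. Is a Velociraptor agent installed, is it running, and which build is it?
$svc = Get-CimInstance Win32_Service -Filter "Name='Velociraptor'"
if ($svc) {
    # PathName may be quoted and carry arguments; keep only the executable.
    $exe = ($svc.PathName -replace '^"([^"]+)".*$', '$1') -replace '^(\S+\.exe).*$', '$1'
    $ver = (Get-Item $exe).VersionInfo.FileVersion
    Write-Output ("Velociraptor service: state={0} start={1} path={2} version={3}" -f `
        $svc.State, $svc.StartMode, $exe, $ver)
    $v = $ver -as [version]          # $null if the file version is not parseable
    if ($v -and $v -le [version]'0.73.4.0') {
        Write-Output "  -> build matches or predates 0.73.4.0, the version named as vulnerable (CVE-2025-6264)"
    }
} else {
    Write-Output "No service named 'Velociraptor' (look for renamed binaries and scheduled tasks)"
}
# Running instances, including ones restarted after isolation.
Get-Process -Name 'Velociraptor*' | Select-Object Id, ProcessName, Path, StartTime

# 2. Policy-driven Defender settings. These values are written by the
#    "Turn off real-time protection" family of Group Policy settings;
#    a value of 1 means the protection is disabled by policy.
$rtp = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection'
$watch = 'DisableRealtimeMonitoring', 'DisableBehaviorMonitoring',
         'DisableOnAccessProtection', 'DisableScanOnRealtimeEnable', 'DisableIOAVProtection'
if (Test-Path $rtp) {
    $p = Get-ItemProperty -Path $rtp
    foreach ($name in $watch) {
        if ($p.$name -eq 1) { Write-Output "POLICY DISABLES: $name = 1  ($rtp)" }
    }
} else {
    Write-Output "No Real-Time Protection policy key present"
}

# Effective state as Defender itself reports it (policy overrides local preferences).
Get-MpPreference | Select-Object DisableRealtimeMonitoring, DisableBehaviorMonitoring,
    DisableIOAVProtection, DisableScriptScanning

# 3. When did it change? Defender logs 5001 (real-time protection disabled),
#    5004 (real-time protection configuration changed) and 5007 (configuration
#    changed); 5007 messages carry the old and new registry values.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 5001, 5004, 5007
} -MaxEvents 50 |
    Select-Object TimeCreated, Id,
        @{ n = 'Message'; e = { ($_.Message -split "`n")[0..2] -join ' ' } } |
    Format-Table -AutoSize -Wrap
```

Correlate the timestamps from step 3 with the GPO's modification time on a domain controller (the gPCFileSysPath SYSVOL folder and the object's whenChanged attribute) to find which account pushed the change, and treat an agent that reappears after network isolation as a sign the service or its installer is being re-launched rather than a leftover process.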

Although EDR solutions identified the ransomware deployed on compromised Windows systems as LockBit, the extension of the encrypted files was changed to .xlockxlock, which is characteristic of Warlock ransomware attacks.

In turn, on VMware ESXi systems, the researchers discovered a Linux binary that was identified as the Babuk ransomware encryptor.

The researchers also observed the use of a fileless PowerShell encryptor that generates random AES keys each time it runs. It is believed this was the primary tool for “mass data encryption on Windows machines.”

Along with their report, the researchers provide two sets of indicators of compromise observed in the attacks, including files uploaded by the attackers to compromised machines, as well as Velociraptor files.

The attacks are attributed to a Chinese hacking group, Storm-2603 (aka CL-CRI-1040 and Gold Salem); analysts at Halcyon link the group to Chinese "government" hackers. According to their findings, the group behind the Warlock ransomware previously operated as a LockBit affiliate.
