
Storm-2603 Velociraptor-abuse ransomware campaign

Campaign
Happening score: 49
2 unique sources, 2 articles

Summary


The Storm-2603 campaign abuses Velociraptor as an intrusion enabler during ransomware attacks: after initial access through ToolShell against on-premises SharePoint, the operators deployed an outdated Velociraptor 0.73.4.0 instance vulnerable to CVE-2025-6264 and used it for privilege escalation, endpoint takeover, and persistence. They also created admin access, moved laterally, and disabled defenses across Windows and VMware ESXi environments. The activity has involved LockBit, Warlock, and Babuk ransomware, with pre-encryption file theft supporting double extortion.

Related Happenings

Windows 11 BitLocker bypass YellowKey security flaw

Vulnerability
First: 14.05.2026 10:27 Last: 14.05.2026 10:27 Sources 1

About this happening: **YellowKey** is a **Windows BitLocker security feature bypass** tracked as **CVE-2026-45585** that can expose **BitLocker-protected drives** through the **Windows Recovery Enviro...

Latest development: 20.05.2026 10:31

Microsoft assigned CVE-2026-45585 to YellowKey, a Windows BitLocker security feature bypass, and recommended removing autofstx.exe from the Session Manager BootExecute REG_MULTI_SZ value, reestablishing BitLocker trust for WinRE, and moving already encrypted devices from TPM-only to TPM+PIN to require a pre-boot PIN.

MuddyWater Microsoft Teams social-engineering campaign with Chaos ransomware decoy

Campaign
First: 06.05.2026 16:02 Last: 06.05.2026 16:02 Sources 1

About this happening: The **MuddyWater** campaign used **Microsoft Teams** social engineering and a **Chaos ransomware** decoy to gain access, steal credentials, and establish persistence. The operatio...

Vect ransomware flawed ChaCha20 implementation destroys large files

Technical Analysis
First: 29.04.2026 13:45 Last: 29.04.2026 13:45 Sources 1

About this happening: **Vect 2.0 ransomware** was shown to use **raw ChaCha20-IETF (RFC 8439)** without authentication, causing files above **128 KB** to be permanently destroyed across **Windows, Linu...

VECT 2.0 ransomware-branded file destruction malware

Malware Activity
First: 28.04.2026 17:01 Last: 28.04.2026 17:01 Sources 1

About this happening: The **VECT 2.0** malware now behaves like a **wiper** rather than recoverable ransomware, permanently destroying large files and raising the stakes for victims. The destructive fl...

The Gentlemen affiliate-driven RaaS expansion and enterprise scale-up

Threat Actor Meta
First: 21.04.2026 17:00 Last: 21.04.2026 17:00 Sources 1

About this happening: **The Gentlemen ransomware gang** is using a **legitimate vulnerable driver** to defeat enterprise defenses, weaponizing **ThrottleStop.sys** as **ThrottleBlood.sys** to kill **AV...

Timeline

  1. 09.10.2025 22:31 3 articles · 7mo ago

    Storm-2603 Velociraptor abuse linked to LockBit and Babuk ransomware

    Technical Analysis Update

    Cisco Talos linked the China-based adversary tracked as Storm-2603 to ransomware activity in affected Windows and VMware ESXi environments. The operators installed Velociraptor 0.73.4.0 and abused CVE-2025-6264 for privilege escalation and endpoint takeover, then created local admin accounts synced to Entra ID to reach the VMware vSphere console. They used Impacket smbexec-style commands and scheduled tasks for remote execution and disabled Defender real-time protection through Active Directory GPOs. They then deployed LockBit on Windows and Babuk on VMware ESXi while staging PowerShell-based file exfiltration and encryption for double extortion.
