Velociraptor DFIR abuse for ransomware persistence
Malware Activity
Summary
The Velociraptor DFIR tool is being abused in ransomware attacks tied to Storm-2603 (aka CL-CRI-1040/Gold Salem). ToolShell was used for initial access to on-premises SharePoint, and an outdated Velociraptor 0.73.4.0 installation was exposed to CVE-2025-6264. That abuse enabled privilege escalation, arbitrary command execution, and endpoint takeover, allowing the attackers to maintain persistence inside victim environments. The campaign has involved Warlock, LockBit, and Babuk ransomware, and it also included defense tampering, lateral movement, and data theft before encryption.
Related Happenings
MuddyWater Microsoft Teams social-engineering campaign with Chaos ransomware decoy
Campaign
First: 06.05.2026 16:02
Last: 06.05.2026 16:02
Sources 1
About this happening:
The **MuddyWater** campaign used **Microsoft Teams** social engineering and a **Chaos ransomware** decoy to gain access, steal credentials, and establish persistence. The operatio...
Vect ransomware flawed ChaCha20 implementation destroys large files
Technical Analysis
First: 29.04.2026 13:45
Last: 29.04.2026 13:45
Sources 1
About this happening:
**Vect 2.0 ransomware** was shown to use **raw ChaCha20-IETF (RFC 8439)** without authentication, causing files above **128 KB** to be permanently destroyed across **Windows, Linu...
Vidar infostealer market rise and distribution expansion
Malware Activity
First: 28.04.2026 22:07
Last: 28.04.2026 22:07
Sources 1
About this happening:
**Vidar** remains a long-running **infostealer** threat, and **Aryaka** reported a fresh campaign in **recent weeks** that adds **new obfuscation techniques** and stronger **steal...
VECT 2.0 ransomware-branded file destruction malware
Malware Activity
First: 28.04.2026 17:01
Last: 28.04.2026 17:01
Sources 1
About this happening:
The **VECT 2.0** malware now behaves like a **wiper** rather than recoverable ransomware, permanently destroying large files and raising the stakes for victims. The destructive fl...
The Gentlemen affiliate-driven RaaS expansion and enterprise scale-up
Threat Actor Meta
First: 21.04.2026 17:00
Last: 21.04.2026 17:00
Sources 1
About this happening:
**The Gentlemen ransomware gang** is using a **legitimate vulnerable driver** to defeat enterprise defenses, weaponizing **ThrottleStop.sys** as **ThrottleBlood.sys** to kill **AV...
Timeline
09.10.2025 22:31 3 articles · 7mo ago
Velociraptor abuse supports LockBit and Babuk ransomware
Technical Analysis Update
Threat actors used the Velociraptor DFIR tool to maintain persistence and remote access during ransomware intrusions, including an outdated 0.73.4.0 installation exposed to CVE-2025-6264 for privilege escalation, arbitrary command execution, and endpoint takeover. The activity included local admin accounts synced to Entra ID for VMware vSphere console access, Impacket smbexec-style remote execution, scheduled tasks, Defender real-time protection tampering through Active Directory GPOs, LockBit encryption on Windows systems, Babuk on VMware ESXi, a fileless PowerShell encryptor for mass encryption, and pre-encryption file exfiltration for double extortion.
Sources
- Hackers now use Velociraptor DFIR tool in ransomware attacks — www.bleepingcomputer.com — 09.10.2025 22:31
- Hackers Turn Velociraptor DFIR Tool Into Weapon in LockBit Ransomware Attacks — thehackernews.com — 11.10.2025 16:04