
Velociraptor DFIR Tool Abused in LockBit and Babuk Ransomware Campaigns

1 unique source, 1 article

Summary


Threat actors, assessed to be China-based Storm-2603, have started using the Velociraptor digital forensics and incident response (DFIR) tool in ransomware attacks deploying LockBit and Babuk ransomware. The attackers exploited a privilege escalation vulnerability in an outdated version of Velociraptor to gain persistent access and control over virtual machines. The campaign involved creating local admin accounts, disabling security features, and using fileless PowerShell encryptors for data exfiltration and encryption. The ransomware deployed on Windows systems was identified as LockBit, while a Linux binary detected as Babuk ransomware was found on VMware ESXi systems.

Timeline

  1. 09.10.2025 22:31 · 1 article

    Storm-2603 Group Exploits Velociraptor Vulnerability in Ransomware Attacks

    Threat actors, assessed to be the China-based Storm-2603 group, have started using the Velociraptor DFIR tool in ransomware attacks deploying LockBit and Babuk ransomware. The attackers exploited CVE-2025-6264 in an outdated version of Velociraptor to gain persistent access and control over virtual machines. The campaign involved creating local admin accounts, disabling security features, and using fileless PowerShell encryptors for data exfiltration and encryption.


Information Snippets

  • Velociraptor, an open-source DFIR tool, was used by threat actors to gain persistent access and control over virtual machines.

    First reported: 09.10.2025 22:31
    1 source, 1 article
  • The attackers exploited CVE-2025-6264, a privilege escalation vulnerability in Velociraptor version 0.73.4.0, to execute arbitrary commands and take control of the host.

    First reported: 09.10.2025 22:31
    1 source, 1 article
  • The threat actors created local admin accounts synced to Entra ID and accessed the VMware vSphere console for persistent control.

    First reported: 09.10.2025 22:31
    1 source, 1 article
  • The attackers disabled Defender real-time protection and monitoring features by modifying Active Directory GPOs.

    First reported: 09.10.2025 22:31
    1 source, 1 article
  • The ransomware deployed on Windows systems was identified as LockBit, using the file extension '.xlockxlock' seen in Warlock ransomware attacks.

    First reported: 09.10.2025 22:31
    1 source, 1 article
  • A Linux binary detected as Babuk ransomware was found on VMware ESXi systems.

    First reported: 09.10.2025 22:31
    1 source, 1 article
  • The attackers used a fileless PowerShell encryptor to generate random AES keys for mass encryption on Windows machines.

    First reported: 09.10.2025 22:31
    1 source, 1 article
  • Before encrypting data, the attackers used a PowerShell script to exfiltrate files for double-extortion purposes, inserting delays to evade detection.

    First reported: 09.10.2025 22:31
    1 source, 1 article