Velociraptor DFIR Tool Abused in LockBit and Babuk Ransomware Campaigns
Summary
Threat actors, assessed to be China-based Storm-2603, have started using the Velociraptor digital forensics and incident response (DFIR) tool in ransomware attacks deploying LockBit and Babuk ransomware. The attackers exploited a privilege escalation vulnerability in an outdated version of Velociraptor to gain persistent access and control over virtual machines. The campaign involved creating local admin accounts, disabling security features, and using fileless PowerShell encryptors for data exfiltration and encryption. The ransomware deployed on Windows systems was identified as LockBit, while a Linux binary detected as Babuk ransomware was found on VMware ESXi systems. Storm-2603 initially exploited SharePoint vulnerabilities in July 2025 and deployed Warlock, LockBit, and Babuk ransomware on VMware ESXi servers in August 2025. Sophos CTU researchers first documented Velociraptor abuse by Storm-2603 on August 5, 2025. Storm-2603 used the ToolShell exploit to gain initial access and deployed an outdated version of Velociraptor (version 0.73.4.0) that is susceptible to a privilege escalation vulnerability (CVE-2025-6264) to enable arbitrary command execution and endpoint takeover. The group also used Smbexec to remotely launch programs using the SMB protocol and modified Active Directory (AD) Group Policy Objects (GPOs) to disable real-time protection. Storm-2603 established the infrastructure for the AK47 C2 framework in March 2025 and created the first prototype of the tool the next month. The group pivoted from LockBit-only deployment to dual LockBit/Warlock deployment in April 2025 and used the ToolShell exploit as a zero-day in July 2025. Storm-2603 demonstrated operational flexibility and sophisticated builder expertise using leaked and open-source ransomware frameworks.
Timeline
- 11.10.2025 16:04 · 1 article · 4d ago
  Storm-2603 Establishes AK47 C2 Framework and Demonstrates Operational Flexibility
  Storm-2603 established the infrastructure for the AK47 C2 framework in March 2025 and created the first prototype of the tool the next month. The group pivoted from LockBit-only deployment to dual LockBit/Warlock deployment in April 2025 and used the ToolShell exploit as a zero-day in July 2025. Storm-2603 demonstrated operational flexibility and sophisticated builder expertise using leaked and open-source ransomware frameworks. The group used operational security (OPSEC) measures, such as stripped timestamps and intentionally corrupted expiration mechanisms, and compiled ransomware payloads at 22:58-22:59 China Standard Time, packaging them into a malicious installer at 01:55 the next morning. Storm-2603 used consistent contact information and shared, misspelled domains across Warlock, LockBit, and Babuk deployments, demonstrating cohesive command-and-control (C2) operations.
  Sources:
  - Hackers Turn Velociraptor DFIR Tool Into Weapon in LockBit Ransomware Attacks — thehackernews.com — 11.10.2025 16:04
- 09.10.2025 22:31 · 3 articles · 5d ago
  Storm-2603 Group Exploits Velociraptor Vulnerability in Ransomware Attacks
  Storm-2603 initially exploited SharePoint vulnerabilities in July 2025 and deployed Warlock, LockBit, and Babuk ransomware on VMware ESXi servers in August 2025. Sophos CTU researchers first documented Velociraptor abuse by Storm-2603 on August 5, 2025. The group switched to using a new C2 domain on Cloudflare's workers.dev service after Sophos' August report. Velociraptor abuse was detected through behavioral detections in the Sophos Endpoint platform. Storm-2603 used the ToolShell exploit to gain initial access and deployed an outdated version of Velociraptor (version 0.73.4.0) that is susceptible to a privilege escalation vulnerability (CVE-2025-6264) to enable arbitrary command execution and endpoint takeover. The group also used Smbexec to remotely launch programs using the SMB protocol and modified Active Directory (AD) Group Policy Objects (GPOs) to disable real-time protection.
  Sources:
  - Hackers now use Velociraptor DFIR tool in ransomware attacks — www.bleepingcomputer.com — 09.10.2025 22:31
  - Chinese Hackers Use Velociraptor IR Tool in Ransomware Attacks — www.darkreading.com — 10.10.2025 18:53
  - Hackers Turn Velociraptor DFIR Tool Into Weapon in LockBit Ransomware Attacks — thehackernews.com — 11.10.2025 16:04
Information Snippets
- Velociraptor, an open-source DFIR tool, was used by threat actors to gain persistent access and control over virtual machines.
  First reported: 09.10.2025 22:31 · 3 sources, 3 articles
  Sources:
  - Hackers now use Velociraptor DFIR tool in ransomware attacks — www.bleepingcomputer.com — 09.10.2025 22:31
  - Chinese Hackers Use Velociraptor IR Tool in Ransomware Attacks — www.darkreading.com — 10.10.2025 18:53
  - Hackers Turn Velociraptor DFIR Tool Into Weapon in LockBit Ransomware Attacks — thehackernews.com — 11.10.2025 16:04
- The attackers exploited CVE-2025-6264, a privilege escalation vulnerability in Velociraptor version 0.73.4.0, to execute arbitrary commands and take control of the host.
  First reported: 09.10.2025 22:31 · 3 sources, 3 articles
  Sources:
  - Hackers now use Velociraptor DFIR tool in ransomware attacks — www.bleepingcomputer.com — 09.10.2025 22:31
  - Chinese Hackers Use Velociraptor IR Tool in Ransomware Attacks — www.darkreading.com — 10.10.2025 18:53
  - Hackers Turn Velociraptor DFIR Tool Into Weapon in LockBit Ransomware Attacks — thehackernews.com — 11.10.2025 16:04
- The threat actors created local admin accounts synced to Entra ID and accessed the VMware vSphere console for persistent control.
  First reported: 09.10.2025 22:31 · 3 sources, 3 articles
  Sources:
  - Hackers now use Velociraptor DFIR tool in ransomware attacks — www.bleepingcomputer.com — 09.10.2025 22:31
  - Chinese Hackers Use Velociraptor IR Tool in Ransomware Attacks — www.darkreading.com — 10.10.2025 18:53
  - Hackers Turn Velociraptor DFIR Tool Into Weapon in LockBit Ransomware Attacks — thehackernews.com — 11.10.2025 16:04
- The attackers disabled Defender real-time protection and monitoring features by modifying Active Directory GPOs.
  First reported: 09.10.2025 22:31 · 3 sources, 3 articles
  Sources:
  - Hackers now use Velociraptor DFIR tool in ransomware attacks — www.bleepingcomputer.com — 09.10.2025 22:31
  - Chinese Hackers Use Velociraptor IR Tool in Ransomware Attacks — www.darkreading.com — 10.10.2025 18:53
  - Hackers Turn Velociraptor DFIR Tool Into Weapon in LockBit Ransomware Attacks — thehackernews.com — 11.10.2025 16:04
- The ransomware deployed on Windows systems was identified as LockBit, using the file extension '.xlockxlock' seen in Warlock ransomware attacks.
  First reported: 09.10.2025 22:31 · 3 sources, 3 articles
  Sources:
  - Hackers now use Velociraptor DFIR tool in ransomware attacks — www.bleepingcomputer.com — 09.10.2025 22:31
  - Chinese Hackers Use Velociraptor IR Tool in Ransomware Attacks — www.darkreading.com — 10.10.2025 18:53
  - Hackers Turn Velociraptor DFIR Tool Into Weapon in LockBit Ransomware Attacks — thehackernews.com — 11.10.2025 16:04
- A Linux binary detected as Babuk ransomware was found on VMware ESXi systems.
  First reported: 09.10.2025 22:31 · 3 sources, 3 articles
  Sources:
  - Hackers now use Velociraptor DFIR tool in ransomware attacks — www.bleepingcomputer.com — 09.10.2025 22:31
  - Chinese Hackers Use Velociraptor IR Tool in Ransomware Attacks — www.darkreading.com — 10.10.2025 18:53
  - Hackers Turn Velociraptor DFIR Tool Into Weapon in LockBit Ransomware Attacks — thehackernews.com — 11.10.2025 16:04
- The attackers used a fileless PowerShell encryptor to generate random AES keys for mass encryption on Windows machines.
  First reported: 09.10.2025 22:31 · 2 sources, 2 articles
  Sources:
  - Hackers now use Velociraptor DFIR tool in ransomware attacks — www.bleepingcomputer.com — 09.10.2025 22:31
  - Chinese Hackers Use Velociraptor IR Tool in Ransomware Attacks — www.darkreading.com — 10.10.2025 18:53
- Before encrypting data, the attackers used a PowerShell script to exfiltrate files for double-extortion purposes, inserting delays to evade detection.
  First reported: 09.10.2025 22:31 · 2 sources, 2 articles
  Sources:
  - Hackers now use Velociraptor DFIR tool in ransomware attacks — www.bleepingcomputer.com — 09.10.2025 22:31
  - Chinese Hackers Use Velociraptor IR Tool in Ransomware Attacks — www.darkreading.com — 10.10.2025 18:53
- Storm-2603, also known as Gold Salem, initially exploited SharePoint vulnerabilities in July 2025.
  First reported: 10.10.2025 18:53 · 2 sources, 2 articles
  Sources:
  - Chinese Hackers Use Velociraptor IR Tool in Ransomware Attacks — www.darkreading.com — 10.10.2025 18:53
  - Hackers Turn Velociraptor DFIR Tool Into Weapon in LockBit Ransomware Attacks — thehackernews.com — 11.10.2025 16:04
- Storm-2603 deployed Warlock, LockBit, and Babuk ransomware on VMware ESXi servers in August 2025.
  First reported: 10.10.2025 18:53 · 2 sources, 2 articles
  Sources:
  - Chinese Hackers Use Velociraptor IR Tool in Ransomware Attacks — www.darkreading.com — 10.10.2025 18:53
  - Hackers Turn Velociraptor DFIR Tool Into Weapon in LockBit Ransomware Attacks — thehackernews.com — 11.10.2025 16:04
- Velociraptor was first observed being abused by Storm-2603 in August 2025.
  First reported: 10.10.2025 18:53 · 2 sources, 2 articles
  Sources:
  - Chinese Hackers Use Velociraptor IR Tool in Ransomware Attacks — www.darkreading.com — 10.10.2025 18:53
  - Hackers Turn Velociraptor DFIR Tool Into Weapon in LockBit Ransomware Attacks — thehackernews.com — 11.10.2025 16:04
- Sophos CTU researchers first documented Velociraptor abuse by Storm-2603 on August 5, 2025.
  First reported: 10.10.2025 18:53 · 2 sources, 2 articles
  Sources:
  - Chinese Hackers Use Velociraptor IR Tool in Ransomware Attacks — www.darkreading.com — 10.10.2025 18:53
  - Hackers Turn Velociraptor DFIR Tool Into Weapon in LockBit Ransomware Attacks — thehackernews.com — 11.10.2025 16:04
- Storm-2603 switched to using a new C2 domain on Cloudflare's workers.dev service after Sophos' August report.
  First reported: 10.10.2025 18:53 · 1 source, 1 article
  Sources:
  - Chinese Hackers Use Velociraptor IR Tool in Ransomware Attacks — www.darkreading.com — 10.10.2025 18:53
- Velociraptor abuse by Storm-2603 was detected through behavioral detections in the Sophos Endpoint platform.
  First reported: 10.10.2025 18:53 · 1 source, 1 article
  Sources:
  - Chinese Hackers Use Velociraptor IR Tool in Ransomware Attacks — www.darkreading.com — 10.10.2025 18:53
- Rapid7 acknowledged that attackers can modify Velociraptor to remove IoCs, but such binaries will be unsigned or signed by another entity.
  First reported: 10.10.2025 18:53 · 1 source, 1 article
  Sources:
  - Chinese Hackers Use Velociraptor IR Tool in Ransomware Attacks — www.darkreading.com — 10.10.2025 18:53
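As a defender-side check, here is an added example that is not code from the page, from Sophos, from Rapid7 or from the Velociraptor project. It audits a Windows host for the two conditions the snippets above describe: a Velociraptor binary that is at the version the reporting names as affected (0.73.4.0), unsigned, or signed by an unexpected party, and Defender real-time protection turned off through policy, which is what a modified GPO writes to the local machine. The search roots, the file-name pattern `velociraptor*.exe`, and the expected signer substring `Rapid7` are assumptions to adjust for your environment; the version number and the real-time-protection policy state come from the reporting on this page.

```powershell
<#
  Added example: audit a Windows host for an outdated or re-signed Velociraptor binary and for
  Defender real-time protection disabled by policy. Not from the page, Sophos, Rapid7 or the
  Velociraptor project. Assumptions are marked below.
#>
param(
    # Assumption: typical install and drop locations; extend with your own paths.
    [string[]] $SearchRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:ProgramData, $env:TEMP),
    # From the reporting: 0.73.4.0 is the version described as affected by CVE-2025-6264.
    [version]  $ReportedVulnerableVersion = [version]'0.73.4.0',
    # Assumption: substring expected in the code-signing certificate subject of a genuine release.
    [string]   $ExpectedSignerSubstring = 'Rapid7'
)

function Get-VelociraptorBinaryFinding {
    param([Parameter(Mandatory)][System.IO.FileInfo] $File)

    $sig    = Get-AuthenticodeSignature -FilePath $File.FullName
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

    # Go binaries do not always carry a VERSIONINFO resource. A missing one is reported as
    # unknown; a suspect binary is never executed during triage to ask it for its version.
    $ver = $null
    $raw = $File.VersionInfo.FileVersion
    if ($raw) { [void][version]::TryParse(($raw -split '[ ,]')[0], [ref]$ver) }

    $flags = [System.Collections.Generic.List[string]]::new()
    if ($sig.Status -ne 'Valid') { $flags.Add("signature:$($sig.Status)") }
    elseif ($signer -notmatch [regex]::Escape($ExpectedSignerSubstring)) { $flags.Add('signature:unexpected-signer') }
    if ($null -eq $ver) { $flags.Add('version:unknown') }
    elseif ($ver -le $ReportedVulnerableVersion) { $flags.Add("version:$ver<=$ReportedVulnerableVersion") }

    [pscustomobject]@{
        Path            = $File.FullName
        FileVersion     = if ($ver) { $ver.ToString() } else { 'unknown' }
        SignatureStatus = $sig.Status.ToString()
        Signer          = $signer
        Flags           = ($flags -join ';')
    }
}

function Find-VelociraptorBinaries {
    foreach ($root in $SearchRoots) {
        if (-not $root -or -not (Test-Path -LiteralPath $root)) { continue }
        # Assumption: the binary keeps its default name; renamed copies need a hash-based hunt.
        Get-ChildItem -LiteralPath $root -Recurse -File -Filter 'velociraptor*.exe' -ErrorAction SilentlyContinue |
            ForEach-Object { Get-VelociraptorBinaryFinding -File $_ }
    }
}

function Get-DefenderRealtimePolicyState {
    # Policy-delivered settings (what a GPO writes) live under HKLM\SOFTWARE\Policies.
    # DisableRealtimeMonitoring = 1 is the "turn off real-time protection" policy state.
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection'
    $policyVal = (Get-ItemProperty -Path $policyKey -Name DisableRealtimeMonitoring -ErrorAction SilentlyContinue).DisableRealtimeMonitoring

    # Effective state as Defender itself reports it (unavailable if Defender is not present).
    $effective = $null
    try { $effective = (Get-MpPreference -ErrorAction Stop).DisableRealtimeMonitoring } catch { }

    [pscustomobject]@{
        PolicyDisableRealtimeMonitoring    = if ($null -eq $policyVal) { 'not set' } else { $policyVal }
        EffectiveDisableRealtimeMonitoring = if ($null -eq $effective) { 'unavailable' } else { $effective }
        Suspicious                         = ($policyVal -eq 1) -or ($effective -eq $true)
    }
}

# Run the audit and emit results suitable for a ticket or SIEM ingestion.
$binaries = @(Find-VelociraptorBinaries)
$defender = Get-DefenderRealtimePolicyState

if ($binaries.Count -eq 0) { Write-Output 'No Velociraptor binaries found under the searched roots.' }
else { $binaries | Format-Table -AutoSize }
$defender | Format-List

if ($defender.Suspicious -or ($binaries | Where-Object Flags)) {
    Write-Warning 'Findings present: reconcile against deployment records before treating this as an incident.'
}
```

The script reads only the local result of a GPO (the policy registry hive and Defender's own reported preference); the AD-side question of which GPO set that value, and when, is answered on a domain controller with the GroupPolicy module (`Get-GPO` and `Get-GPOReport`) and with the directory's own change auditing. A Velociraptor binary that is legitimately deployed by your IR team should show a valid signature from the expected publisher and a version above the one named in the reporting; anything else is worth reconciling against deployment records.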
- Rapid7 has implemented detections for Velociraptor misuse and is not impacted by the reported incidents.
  First reported: 10.10.2025 18:53 · 2 sources, 2 articles
  Sources:
  - Chinese Hackers Use Velociraptor IR Tool in Ransomware Attacks — www.darkreading.com — 10.10.2025 18:53
  - Hackers Turn Velociraptor DFIR Tool Into Weapon in LockBit Ransomware Attacks — thehackernews.com — 11.10.2025 16:04
- Storm-2603 used Smbexec to remotely launch programs using the SMB protocol.
  First reported: 11.10.2025 16:04 · 1 source, 1 article
  Sources:
  - Hackers Turn Velociraptor DFIR Tool Into Weapon in LockBit Ransomware Attacks — thehackernews.com — 11.10.2025 16:04
- Storm-2603 modified Active Directory (AD) Group Policy Objects (GPOs) to disable real-time protection.
  First reported: 11.10.2025 16:04 · 1 source, 1 article
  Sources:
  - Hackers Turn Velociraptor DFIR Tool Into Weapon in LockBit Ransomware Attacks — thehackernews.com — 11.10.2025 16:04
- Storm-2603 used the ToolShell exploit to gain initial access.
  First reported: 11.10.2025 16:04 · 1 source, 1 article
  Sources:
  - Hackers Turn Velociraptor DFIR Tool Into Weapon in LockBit Ransomware Attacks — thehackernews.com — 11.10.2025 16:04
- Storm-2603 established the infrastructure for the AK47 C2 framework in March 2025.
  First reported: 11.10.2025 16:04 · 1 source, 1 article
  Sources:
  - Hackers Turn Velociraptor DFIR Tool Into Weapon in LockBit Ransomware Attacks — thehackernews.com — 11.10.2025 16:04
- Storm-2603 created the first prototype of the AK47 C2 framework in April 2025.
  First reported: 11.10.2025 16:04 · 1 source, 1 article
  Sources:
  - Hackers Turn Velociraptor DFIR Tool Into Weapon in LockBit Ransomware Attacks — thehackernews.com — 11.10.2025 16:04
- Storm-2603 pivoted from LockBit-only deployment to dual LockBit/Warlock deployment in April 2025.
  First reported: 11.10.2025 16:04 · 1 source, 1 article
  Sources:
  - Hackers Turn Velociraptor DFIR Tool Into Weapon in LockBit Ransomware Attacks — thehackernews.com — 11.10.2025 16:04
- Storm-2603 used the ToolShell exploit as a zero-day in July 2025.
  First reported: 11.10.2025 16:04 · 1 source, 1 article
  Sources:
  - Hackers Turn Velociraptor DFIR Tool Into Weapon in LockBit Ransomware Attacks — thehackernews.com — 11.10.2025 16:04
- Storm-2603 deployed Babuk ransomware starting July 21, 2025.
  First reported: 11.10.2025 16:04 · 1 source, 1 article
  Sources:
  - Hackers Turn Velociraptor DFIR Tool Into Weapon in LockBit Ransomware Attacks — thehackernews.com — 11.10.2025 16:04
- Storm-2603 demonstrated operational flexibility and sophisticated builder expertise using leaked and open-source ransomware frameworks.
  First reported: 11.10.2025 16:04 · 1 source, 1 article
  Sources:
  - Hackers Turn Velociraptor DFIR Tool Into Weapon in LockBit Ransomware Attacks — thehackernews.com — 11.10.2025 16:04
- Storm-2603 used operational security (OPSEC) measures, such as stripped timestamps and intentionally corrupted expiration mechanisms.
  First reported: 11.10.2025 16:04 · 1 source, 1 article
  Sources:
  - Hackers Turn Velociraptor DFIR Tool Into Weapon in LockBit Ransomware Attacks — thehackernews.com — 11.10.2025 16:04
- Storm-2603 compiled ransomware payloads at 22:58-22:59 China Standard Time and packaged them into a malicious installer at 01:55 the next morning.
  First reported: 11.10.2025 16:04 · 1 source, 1 article
  Sources:
  - Hackers Turn Velociraptor DFIR Tool Into Weapon in LockBit Ransomware Attacks — thehackernews.com — 11.10.2025 16:04
- Storm-2603 used consistent contact information and shared, misspelled domains across Warlock, LockBit, and Babuk deployments.
  First reported: 11.10.2025 16:04 · 1 source, 1 article
  Sources:
  - Hackers Turn Velociraptor DFIR Tool Into Weapon in LockBit Ransomware Attacks — thehackernews.com — 11.10.2025 16:04
- Storm-2603 demonstrated 48-hour development cycles for feature additions, reflective of structured team workflows.
  First reported: 11.10.2025 16:04 · 1 source, 1 article
  Sources:
  - Hackers Turn Velociraptor DFIR Tool Into Weapon in LockBit Ransomware Attacks — thehackernews.com — 11.10.2025 16:04
Similar Happenings
Chaos Ransomware Evolves with C++ and Rust-Based Variants
The Chaos ransomware operation has evolved significantly with the introduction of a new C++ variant and a Rust-based backdoor named ChaosBot. The C++ variant introduces aggressive tactics, including destructive file deletion and clipboard hijacking for cryptocurrency theft. ChaosBot, detected in late September 2025, uses Discord for command-and-control and employs sophisticated evasion techniques. The ransomware waits 15 seconds after execution to avoid sandbox detection and starts by enumerating user directories. It targets specific file sizes for encryption, skipping some to reduce detection and deleting very large files to cause irreversible data loss. The clipboard hijacking feature redirects Bitcoin payments to the attacker's wallet. The new variant of Chaos ransomware is designed to maximize financial gain through both destructive encryption and covert financial theft. The ransomware-as-a-service operation specializes in big-game hunting and double-extortion attacks. FortiGuard Labs has provided detailed technical analysis and indicators of compromise (IoCs) for the new variant.
COLDRIVER APT Group Uses ClickFix Tactics to Deliver BAITSWITCH and SIMPLEFIX Malware
The COLDRIVER APT group has launched a new campaign using ClickFix tactics to deliver two new malware families, BAITSWITCH and SIMPLEFIX. The campaign targets individuals and organizations connected to Russia, including NGOs, human rights defenders, and think tanks. BAITSWITCH acts as a downloader for SIMPLEFIX, a PowerShell backdoor. The attack chain involves tricking victims into running a malicious DLL via a fake CAPTCHA check, leading to the deployment of the SIMPLEFIX backdoor. The malware exfiltrates specific file types and establishes communication with a command-and-control server. The campaign aligns with COLDRIVER's known victimology, focusing on civil society members connected to Russia. The group has been active since 2019, using spear-phishing and custom tools like SPICA and LOSTKEYS. The latest campaign demonstrates the group's continued use of effective infection vectors, despite their lack of technical sophistication.
CISA Emergency Directive 25-03: Mitigation of Cisco ASA Zero-Day Vulnerabilities
The Cybersecurity and Infrastructure Security Agency (CISA) issued Emergency Directive 25-03, mandating federal agencies to identify and mitigate zero-day vulnerabilities in Cisco Adaptive Security Appliances (ASA) exploited by an advanced threat actor. The directive requires agencies to account for all affected devices, collect forensic data, and upgrade or disconnect end-of-support devices by September 26, 2025. The vulnerabilities allow threat actors to maintain persistence and gain network access. Cisco identified multiple zero-day vulnerabilities (CVE-2025-20333, CVE-2025-20362, CVE-2025-20363, and CVE-2025-20352) in Cisco ASA, Firewall Threat Defense (FTD) software, and Cisco IOS software. These vulnerabilities enable unauthenticated remote code execution, unauthorized access, and denial of service (DoS) attacks. GreyNoise detected large-scale campaigns targeting ASA login portals and Cisco IOS Telnet/SSH services, indicating potential exploitation of these vulnerabilities. The campaign is widespread and involves exploiting zero-day vulnerabilities to gain unauthenticated remote code execution on ASAs, as well as manipulating read-only memory (ROM) to persist through reboot and system upgrade. CISA and Cisco linked these ongoing attacks to the ArcaneDoor campaign, which exploited two other ASA and FTD zero-days (CVE-2024-20353 and CVE-2024-20359) to breach government networks worldwide since November 2023. CISA ordered agencies to identify all Cisco ASA and Firepower appliances on their networks, disconnect all compromised devices from the network, and patch those that show no signs of malicious activity by 12 PM EDT on September 26. CISA also ordered that agencies must permanently disconnect ASA devices that are reaching the end of support by September 30 from their networks. The U.K. National Cyber Security Centre (NCSC) confirmed that threat actors exploited the recently disclosed security flaws in Cisco firewalls to deliver previously undocumented malware families like RayInitiator and LINE VIPER. Cisco began investigating attacks on multiple government agencies in May 2025, linked to the state-sponsored ArcaneDoor campaign. The attacks targeted Cisco ASA 5500-X Series devices to implant malware, execute commands, and potentially exfiltrate data. The threat actor modified ROMMON to facilitate persistence across reboots and software upgrades. The compromised devices include ASA 5500-X Series models running specific software releases with VPN web services enabled. The Canadian Centre for Cyber Security urged organizations to update to a fixed version of Cisco ASA and FTD products to counter the threat. Nearly 50,000 Cisco ASA and FTD appliances are vulnerable to actively exploited flaws. The vulnerabilities CVE-2025-20333 and CVE-2025-20362 enable arbitrary code execution and access to restricted URL endpoints. The Shadowserver Foundation discovered over 48,800 internet-exposed ASA and FTD instances still vulnerable to the flaws. The majority of vulnerable devices are located in the United States, followed by the United Kingdom, Japan, Germany, Russia, Canada, and Denmark. The Shadowserver Foundation's data is as of September 29, indicating a lack of response to the ongoing exploitation activity. GreyNoise had warned on September 4 about suspicious scans targeting Cisco ASA devices, indicating upcoming undocumented flaws. CISA's emergency directive gave FCEB agencies 24 hours to identify and upgrade vulnerable Cisco ASA and FTD instances. CISA advised that ASA devices reaching their end of support should be disconnected from federal networks by the end of September. The U.K. NCSC reported that the hackers deployed the Line Viper shellcode loader malware and the RayInitiator GRUB bootkit.
Lazarus Group Deploys Multiple RATs in DeFi Sector Campaign
The Lazarus Group, a North Korea-linked threat actor, executed a social engineering campaign targeting a decentralized finance (DeFi) organization. The attack, observed in 2024, involved deploying three different cross-platform malware variants: PondRAT, ThemeForestRAT, and RemotePE. The campaign began with impersonation on Telegram and fake scheduling websites, leading to the compromise of an employee's system. The attackers used various tools for discovery, credential harvesting, and proxy connections, eventually transitioning to stealthier RATs. The attack chain started with the deployment of a loader called PerfhLoader, which dropped PondRAT. This malware, a stripped-down variant of POOLRAT, was used in combination with ThemeForestRAT for approximately three months before switching to the more sophisticated RemotePE. The impact of the attack includes the compromise of employee systems and potential data exfiltration. The use of multiple RATs indicates a sophisticated and multi-stage attack strategy aimed at high-value targets.
Warlock Ransomware Exploits Vulnerable SharePoint Servers
Warlock ransomware, potentially linked to Black Basta, targets unpatched on-premises Microsoft SharePoint servers. The ransomware leverages multiple vulnerabilities (CVE-2025-49706, CVE-2025-49704, CVE-2025-53770, CVE-2025-53771) to gain initial access, escalate privileges, and deploy ransomware. The campaign includes extensive reconnaissance and evasion techniques, targeting security software to avoid detection. The threat actor Storm-2603, associated with China-backed groups, has been observed using Warlock ransomware in these attacks. The ransomware gang recently auctioned files stolen from Colt Technology Services, confirming customer data was compromised. Organizations are urged to apply available patches and implement comprehensive security measures to mitigate the risk.