CyberHappenings


Velociraptor DFIR Tool Abused in LockBit and Babuk Ransomware Campaigns

3 unique sources, 5 articles

Summary


Threat actors, assessed to be China-based Storm-2603, have started using the Velociraptor digital forensics and incident response (DFIR) tool in ransomware attacks deploying LockBit and Babuk ransomware. The attackers exploited a privilege escalation vulnerability in an outdated version of Velociraptor to gain persistent access and control over virtual machines. The campaign involved creating local admin accounts, disabling security features, and using fileless PowerShell encryptors for data exfiltration and encryption. The ransomware deployed on Windows systems was identified as LockBit, while a Linux binary detected as Babuk ransomware was found on VMware ESXi systems.

Storm-2603 initially exploited SharePoint vulnerabilities in July 2025 and deployed Warlock, LockBit, and Babuk ransomware on VMware ESXi servers in August 2025. Sophos CTU researchers first documented Velociraptor abuse by Storm-2603 on August 5, 2025. Storm-2603 used the ToolShell exploit to gain initial access and deployed an outdated version of Velociraptor (version 0.73.4.0) that is susceptible to a privilege escalation vulnerability (CVE-2025-6264) to enable arbitrary command execution and endpoint takeover. The group also used Smbexec to remotely launch programs using the SMB protocol and modified Active Directory (AD) Group Policy Objects (GPOs) to disable real-time protection.

Storm-2603 established the infrastructure for the AK47 C2 framework in March 2025 and created the first prototype of the tool the next month. The group pivoted from LockBit-only deployment to dual LockBit/Warlock deployment in April 2025 and used the ToolShell exploit as a zero-day in July 2025. Storm-2603 demonstrated operational flexibility and sophisticated builder expertise using leaked and open-source ransomware frameworks.

In a recent breach, SmarterTools confirmed that the Warlock ransomware gang breached its network on January 29, 2026, via a single SmarterMail virtual machine (VM) set up by an employee. The vulnerability exploited in the attack to gain access is CVE-2026-23760, an authentication bypass flaw in SmarterMail before Build 9518, which allows resetting administrator passwords and obtaining full privileges. The attackers moved laterally from that one vulnerable VM via Active Directory, using Windows-centric tooling and persistence methods. The ransomware operators waited roughly a week after gaining initial access, the final stage being encryption of all reachable machines. SentinelOne security products reportedly stopped the final payload from performing encryption, the impacted systems were isolated, and data was restored from fresh backups. Tools used in the attacks include Velociraptor, SimpleHelp, and vulnerable versions of WinRAR, while startup items and scheduled tasks were also used for persistence. ReliaQuest reported that Storm-2603 chains CVE-2026-23760 access with SmarterMail's built-in 'Volume Mount' feature to gain full system control. ReliaQuest also saw probes for CVE-2026-24423, another SmarterMail flaw flagged by CISA as actively exploited by ransomware actors, although the primary vector was CVE-2026-23760.

Timeline

  1. 11.10.2025 16:04 · 1 article

    Storm-2603 Establishes AK47 C2 Framework and Demonstrates Operational Flexibility

    Storm-2603 established the infrastructure for the AK47 C2 framework in March 2025 and created the first prototype of the tool the next month. The group pivoted from LockBit-only deployment to dual LockBit/Warlock deployment in April 2025 and used the ToolShell exploit as a zero-day in July 2025. Storm-2603 demonstrated operational flexibility and sophisticated builder expertise using leaked and open-source ransomware frameworks. The group used operational security (OPSEC) measures, such as stripped timestamps and intentionally corrupted expiration mechanisms, and compiled ransomware payloads at 22:58-22:59 China Standard Time, packaging them into a malicious installer at 01:55 the next morning. Storm-2603 used consistent contact information and shared, misspelled domains across Warlock, LockBit, and Babuk deployments, demonstrating cohesive command-and-control (C2) operations.

  2. 09.10.2025 22:31 · 5 articles

    Storm-2603 Group Exploits Velociraptor Vulnerability in Ransomware Attacks

    Storm-2603 initially exploited SharePoint vulnerabilities in July 2025 and deployed Warlock, LockBit, and Babuk ransomware on VMware ESXi servers in August 2025. Sophos CTU researchers first documented Velociraptor abuse by Storm-2603 on August 5, 2025. The group switched to using a new C2 domain on Cloudflare's workers.dev service after Sophos' August report. Velociraptor abuse was detected through behavioral detections in the Sophos Endpoint platform. Storm-2603 used the ToolShell exploit to gain initial access and deployed an outdated version of Velociraptor (version 0.73.4.0) that is susceptible to a privilege escalation vulnerability (CVE-2025-6264) to enable arbitrary command execution and endpoint takeover. The group also used Smbexec to remotely launch programs using the SMB protocol and modified Active Directory (AD) Group Policy Objects (GPOs) to disable real-time protection.

    In a recent breach, SmarterTools confirmed that the Warlock ransomware gang breached its network on January 29, 2026, via a single SmarterMail virtual machine (VM) set up by an employee. The vulnerability exploited in the attack to gain access is CVE-2026-23760, an authentication bypass flaw in SmarterMail before Build 9518, which allows resetting administrator passwords and obtaining full privileges. The attackers moved laterally from that one vulnerable VM via Active Directory, using Windows-centric tooling and persistence methods. The ransomware operators waited roughly a week after gaining initial access, the final stage being encryption of all reachable machines. SentinelOne security products reportedly stopped the final payload from performing encryption, the impacted systems were isolated, and data was restored from fresh backups. Tools used in the attacks include Velociraptor, SimpleHelp, and vulnerable versions of WinRAR, while startup items and scheduled tasks were also used for persistence. ReliaQuest reported that Storm-2603 chains CVE-2026-23760 access with SmarterMail's built-in 'Volume Mount' feature to gain full system control. ReliaQuest also saw probes for CVE-2026-24423, another SmarterMail flaw flagged by CISA as actively exploited by ransomware actors, although the primary vector was CVE-2026-23760. The breach did not affect SmarterTools' website, shopping cart, My Account portal, or several other services, and no business applications or account data were compromised. About 12 Windows servers on the company's office network, as well as a secondary data center used for quality control (QC) tests, were confirmed to be affected. Hosted customers using SmarterTrack were the most affected, not due to any issue within SmarterTrack itself, but because that environment was more easily accessible once the network was breached. The attackers waited for approximately 6–7 days after gaining initial access to take control of the Active Directory server and create new users, followed by dropping additional payloads like Velociraptor and the locker to encrypt files. The attackers used a malicious MSI installer ("v4.msi") downloaded from Supabase, a legitimate cloud-based backend platform, to install Velociraptor. The attackers abused legitimate features (password resets and drive mounting) to blend in with typical administrative workflows, helping them avoid detection.

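The summary and the timeline entry above describe the same abuse chain from a defender's point of view: an outdated Velociraptor build (0.73.4.0, susceptible to CVE-2025-6264) installed from an MSI served by Supabase, Group Policy changes that switch real-time protection off, and Smbexec-style remote execution over SMB. The script below is an added example, not code from the page, from Sophos, ReliaQuest or the Velociraptor project; it runs a handful of triage rules over constructed sample telemetry to show what such a chain looks like to a hunter. The record layout, hostnames, approved-inventory sets and the smbexec-style heuristic are all assumptions of the example, and `VULNERABLE_MAX_VERSION` is the build the page names, not the vendor's fixed build (take that from the vendor advisory).

```python
"""Triage rules for the Velociraptor-abuse chain described above, run over
constructed sample telemetry. Added example: record layout, hostnames and the
APPROVED_* inventories are invented placeholders; the version threshold is the
build the page names for CVE-2025-6264, not the vendor's fixed build."""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Build the page names as vulnerable; anything at or below it is flagged.
VULNERABLE_MAX_VERSION = (0, 73, 4, 0)
# Placeholder inventory: where the IR team stages installers / runs the agent.
APPROVED_INSTALLER_HOSTS = {"ir-tools.corp.example"}
APPROVED_VELOCIRAPTOR_HOSTS = {"ir-jump.corp.example"}


@dataclass(frozen=True)
class Finding:
    host: str
    rule: str
    detail: str


def parse_version(text):
    """'0.73.4.0' -> (0, 73, 4, 0); any suffix after the dotted digits is ignored."""
    m = re.match(r"\d+(?:\.\d+)*", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in m.group(0).split("."))


def rule_velociraptor_install(rec):
    """A DFIR agent belongs only where the IR team put it, and never at a vulnerable build."""
    if rec.get("event") != "software_installed" or rec.get("product") != "Velociraptor":
        return
    if parse_version(rec["version"]) <= VULNERABLE_MAX_VERSION:
        yield Finding(rec["host"], "velociraptor_vulnerable_version",
                      f"Velociraptor {rec['version']} is at or below the build named for CVE-2025-6264")
    if rec["host"] not in APPROVED_VELOCIRAPTOR_HOSTS:
        yield Finding(rec["host"], "velociraptor_unexpected_host",
                      "Velociraptor present on a host outside the IR deployment inventory")


def rule_installer_source(rec):
    """MSI fetched from a host outside the approved staging set (the page reports v4.msi from Supabase)."""
    if rec.get("event") != "download":
        return
    url = urlparse(rec["url"])
    if url.path.lower().endswith(".msi") and url.hostname not in APPROVED_INSTALLER_HOSTS:
        yield Finding(rec["host"], "msi_from_unapproved_host",
                      f"{url.hostname} served {url.path.rsplit('/', 1)[-1]}")


def rule_realtime_protection_gpo(rec):
    """Group Policy change that turns real-time protection off, as the page describes."""
    if (rec.get("event") == "gpo_modified"
            and rec.get("setting") == "DisableRealtimeMonitoring"
            and str(rec.get("value")) == "1"):
        yield Finding(rec["host"], "gpo_disables_realtime_protection",
                      f"GPO '{rec.get('gpo')}' sets DisableRealtimeMonitoring=1")


def rule_remote_service_exec(rec):
    """Service whose binary path is a cmd one-liner redirecting output to a local admin
    share: the smbexec-style lateral-movement pattern (heuristic assumed by this example)."""
    if rec.get("event") != "service_created":
        return
    path = rec.get("image_path", "")
    if (re.search(r"(?:cmd(?:\.exe)?|%comspec%)\s+/q\s+/c", path, re.I)
            and re.search(r"\\\\127\.0\.0\.1\\(?:admin|c)\$", path, re.I)):
        yield Finding(rec["host"], "smbexec_style_service",
                      f"service '{rec.get('name')}' runs: {path[:60]}")


RULES = (rule_velociraptor_install, rule_installer_source,
         rule_realtime_protection_gpo, rule_remote_service_exec)


def hunt(records):
    """Run every rule over every record and return the findings in order."""
    return [f for rec in records for rule in RULES for f in rule(rec)]


# Constructed sample telemetry modelled on the reported chain (not real logs).
SAMPLE_RECORDS = [
    {"host": "ws01", "event": "download",
     "url": "https://example-project.supabase.co/storage/v1/object/public/drop/v4.msi"},
    {"host": "ws01", "event": "software_installed", "product": "Velociraptor", "version": "0.73.4.0"},
    {"host": "dc01", "event": "gpo_modified", "gpo": "Default Domain Policy",
     "setting": "DisableRealtimeMonitoring", "value": 1},
    {"host": "fs02", "event": "service_created", "name": "svc-placeholder",
     "image_path": r"%COMSPEC% /Q /c echo whoami ^> \\127.0.0.1\C$\__output 2^>^&1 > %TEMP%\execute.bat & %COMSPEC% /Q /c %TEMP%\execute.bat"},
    # Benign control: the IR team's own, current deployment from its own staging host.
    {"host": "ir-jump.corp.example", "event": "download",
     "url": "https://ir-tools.corp.example/velociraptor/velociraptor-current.msi"},
    {"host": "ir-jump.corp.example", "event": "software_installed", "product": "Velociraptor", "version": "0.99.0.0"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_RECORDS):
        print(f"{f.host:24} {f.rule:36} {f.detail}")
```

The benign control records at the end are the point of the inventory sets: Velociraptor is a legitimate tool, so the signal is not "Velociraptor exists" but "Velociraptor at a vulnerable build, on a host the IR team never deployed to, installed from somewhere the IR team does not stage installers". Feed the same rules your real EDR or SIEM records after mapping field names, and keep the inventories in version control so a hunt can be re-run after each IR deployment change.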


Similar Happenings

eScan Antivirus Supply Chain Compromise Delivers Signed Malware

A supply chain compromise in eScan antivirus products led to the distribution of multi-stage malware via legitimate update channels on January 20, 2026. The malware, signed with a compromised eScan certificate, established persistence, enabled remote access, and blocked further updates. Morphisec Threat Labs detected and mitigated the attack, while eScan took its update system offline for remediation. The malware modified system files and registry settings to prevent automatic remediation and communicated with external C2 infrastructure. Affected organizations are advised to search for malicious files, review scheduled tasks, inspect registry keys, block C2 domains, and revoke the compromised certificate. The breach was limited to a two-hour window on January 20, 2026, affecting only customers downloading updates from a specific regional update cluster. eScan detected the issue internally through monitoring and customer reports on January 20, isolated the affected infrastructure within hours, and issued a security advisory on January 21. eScan disputes Morphisec's claims of being the first to discover or report the incident, stating it conducted proactive notifications and direct outreach to impacted customers. The incident did not involve a vulnerability in the eScan product itself but was due to unauthorized access to a regional update server configuration. The malicious update was signed with what appears to be eScan's code-signing certificate, but both Windows and VirusTotal show the signature as invalid. The command and control servers observed include hxxps://vhs.delrosal.net/i, hxxps://tumama.hns.to, hxxps://blackice.sol-domain.org, hxxps://codegiant.io/dd/dd/dd.git/download/main/middleware.ts, 504e1a42.host.njalla.net, and 185.241.208.115.

CyberVolk's VolkLocker ransomware flaw allows free decryption

CyberVolk, a pro-Russia hacktivist group, launched VolkLocker ransomware-as-a-service (RaaS) with a critical cryptographic flaw. The ransomware uses a hardcoded master key stored in plaintext, enabling victims to decrypt files without paying the ransom. VolkLocker targets both Linux/VMware ESXi and Windows systems and includes a timer function that wipes user folders if the ransom is not paid. The group also offers a remote access trojan and a keylogger for sale. The flaw in VolkLocker's cryptography was discovered by SentinelOne researchers, who noted that the master key is written to a plaintext file in the %TEMP% folder, allowing victims to recover their files. This weakness undermines the ransomware's effectiveness and highlights the group's inexperience in cybercrime operations. VolkLocker is written in Golang and attempts to escalate privileges and perform reconnaissance and system enumeration. It makes Windows Registry modifications to thwart recovery and analysis, deletes volume shadow copies, and terminates processes associated with Microsoft Defender Antivirus and other common analysis tools. The ransomware uses an enforcement timer that wipes the content of user folders if victims fail to pay within 48 hours or enter the wrong decryption key three times. VolkLocker payloads come with built-in Telegram automation for command-and-control, allowing users to message victims, initiate file decryption, list active victims, and get system information.

DeadLock Ransomware Campaign Uses BYOVD to Evade Security Tools

A financially motivated threat actor has been observed deploying DeadLock ransomware using a Bring Your Own Vulnerable Driver (BYOVD) technique to disable endpoint detection tools and achieve full system compromise. The attack involved privilege-escalation scripts, registry modifications, remote access tools (RATs), and a custom encryption routine. The ransomware targeted various applications and services while avoiding critical system files to maintain system functionality for ransom negotiations. Victims were instructed to pay ransom in Bitcoin or Monero via Session Messenger. The latest DeadLock samples observed by Group-IB include an HTML file used to communicate with victims through the Session encrypted messaging platform. Instead of relying on hard-coded servers, the malware retrieves proxy addresses stored inside a Polygon smart contract. This approach uses read-only calls that do not generate transactions or incur network fees, complicating traditional blocking approaches. The JavaScript code within the calls queries a specific Polygon smart contract to obtain the current proxy URL, which then relays encrypted messages between the victim and the attacker’s Session ID.

Storm-0249 Adopts Advanced Tactics for Ransomware Attacks

Storm-0249, previously known as an initial access broker, has escalated its operations by employing advanced tactics such as domain spoofing, DLL sideloading, and fileless PowerShell execution to facilitate ransomware attacks. These methods allow the threat actor to bypass defenses, infiltrate networks, maintain persistence, and operate undetected. The group has shifted from mass phishing campaigns to more precise attacks, leveraging the trust associated with signed processes for added stealth. The ultimate goal is to obtain persistent access to enterprise networks and monetize them by selling access to ransomware gangs.

Kraken Ransomware Implements System Benchmarking for Encryption Optimization

Kraken ransomware, active since early 2025 and linked to the defunct HelloKitty operation, benchmarks systems to determine optimal encryption methods. The ransomware targets Windows, Linux, and VMware ESXi systems, using temporary files to decide between full or partial encryption. Kraken employs SMB vulnerabilities for initial access, deploys Cloudflared and SSHFS for data exfiltration, and encrypts data based on system performance to avoid detection. Victims include organizations in the US, UK, Canada, Panama, Kuwait, and Denmark. Kraken also operates a cybercrime forum, 'The Last Haven Board,' and demands ransoms up to $1 million in Bitcoin. The group was observed in August 2025 by Cisco Talos, detailing intrusions where SMB flaws were abused for entry, followed by the use of Cloudflare for persistence and SSHFS for data theft before encryption.