Cybercriminals are using the Velociraptor Digital Forensics and Incident Response (DFIR) tool to distribute ransomware, say researchers at Cisco Talos.
Velociraptor is an open-source DFIR tool that enables security teams to monitor endpoints, analyze network activity, and conduct forensic examinations following cybersecurity incidents. The project was acquired by Rapid7 in April 2021, and the company has since used the technology to enhance its own incident response capabilities and to provide an enterprise version to its customers.
According to Cisco Talos’ report, the research team responded to an attack in August this year, which involved threat actors deploying Warlock, LockBit, and Babuk ransomware to encrypt Windows servers and VMware ESXi virtual machines.
The researchers say that the adversary took control of compromised machines by creating local admin accounts synced to Entra ID. From there, they were able to install an outdated version of Velociraptor (version 0.73.4.0) that contained a privilege escalation vulnerability. The vulnerability, tracked as CVE-2025-6264, enabled the adversary to execute arbitrary commands and take over endpoints.
“While Talos was unable to observe how the actor obtained initial access due to limited access to the victim organization’s data, both their exposure to the ToolShell vulnerabilities and our attribution to Storm-2603 increase the likelihood that initial access was gained through ToolShell exploitation,” the company explained.
Cisco Talos has attributed the attack “with moderate confidence” to the group Storm-2603, which is a suspected China-based nation-state actor known for deploying Warlock and LockBit ransomware in the same attack.
While Velociraptor had not been tied to any ransomware incidents prior to this, researchers at Sophos reported on August 26th that attackers were abusing the tool for remote access. According to Sophos, the threat actors had used Velociraptor to download and execute Visual Studio Code, enabling them to create a tunnel to their command-and-control (C2) server.
“The addition of this tool in the ransomware playbook is in line with findings from Talos’ 2024 Year in Review, which highlights that threat actors are utilizing an increasing variety of commercial and open-source products,” said Cisco Talos.
Mitigation Guidance
Rapid7 is aware of the incident and has published a report that details how organizations can detect the misuse of Velociraptor in their environments.
“Velociraptor is widely used by defenders for legitimate forensic and response workflows, and, just like many other security and administrative tools, it can also be abused when in the wrong hands,” the company said, before reiterating that the incidents observed by Cisco Talos were not caused by a vulnerability in the tool itself, but by its misuse.