All news with #velociraptor tag

Velociraptor Abused in LockBit Ransomware Campaign Wave

🔒 Threat actors are abusing Velociraptor, an open-source DFIR tool, to support ransomware operations attributed to Storm-2603. Attackers exploited on-premises SharePoint ToolShell flaws to deploy an outdated Velociraptor build (0.73.4.0) vulnerable to CVE-2025-6264, enabling privilege escalation and remote command execution. After lateral movement and creation of domain admin accounts, the group tampered with GPOs, disabled real‑time protection, and staged exfiltration before deploying Warlock, LockBit, and Babuk. Vendors caution that legitimate collection and orchestration capabilities can be repurposed by adversaries.

Velociraptor Abuse Enables Stealthy Ransomware Campaigns

🔒 Researchers report that the open-source DFIR tool Velociraptor was abused by threat actors to maintain stealthy persistent access while deploying multiple ransomware families, including Warlock, LockBit and Babuk. Cisco Talos observed the activity in August 2025 and attributed the multi-vector operation to a China-linked cluster tracked as Storm-2603. Attackers exploited a vulnerable agent (v0.73.4.0) via CVE-2025-6264 to escalate privileges and persist; defenders are urged to verify deployments and update to v0.73.5 or later.

Threat actors abusing Velociraptor in ransomware attacks

⚠️Researchers have observed threat actors leveraging the open-source DFIR tool Velociraptor to maintain persistent remote access and deploy ransomware families including LockBit and Babuk. Cisco Talos links the campaigns to a China-based group tracked as Storm-2603 and notes use of an outdated Velociraptor build vulnerable to CVE-2025-6264. Attackers synchronized local admin accounts to Entra ID, accessed vSphere consoles, disabled Defender via AD GPOs, and used fileless PowerShell encryptors with per-run AES keys and staged exfiltration prior to encryption.

Hidden Text Salting in Emails and Strategic Cyber Decisions

🧯 Cisco Talos warns of extensive abuse of CSS to insert hidden “salt” — extraneous characters, comments and markup — into email preheaders, headers, attachments and bodies to evade detection. This hidden text salting technique is significantly more common in spam and malicious mail than in legitimate messages, undermining both signature and ML-based defenses. Talos advises detecting concealed content and, crucially, stripping or normalising that salt before passing messages to downstream engines, while also urging attention to longer-term strategic decision-making in cyber defense.

Velociraptor Abused in Ransomware Attacks by Storm-2603

🔐 Cisco Talos confirmed ransomware operators abused Velociraptor, an open-source DFIR endpoint tool, to gain arbitrary command execution in August 2025 by deploying an outdated agent vulnerable to CVE-2025-6264. Talos links the activity with moderate confidence to Storm-2603 based on overlapping tooling and TTPs. Operators used the tool to stage lateral movement, deploy fileless PowerShell encryptors, and deliver multiple ransomware families, severely disrupting VMware ESXi and Windows servers.

Attackers Abuse Velociraptor to Tunnel C2 via VS Code

🔍 In a recent Sophos report, unknown actors abused the open-source forensic tool Velociraptor to download and execute Visual Studio Code, enabling an encrypted tunnel to an attacker-controlled command-and-control server. The intruders used the Windows msiexec utility to fetch MSI installers hosted on Cloudflare Workers, staged additional tooling including a tunneling proxy and Radmin, and invoked an encoded PowerShell command to enable VS Code's tunnel option. Sophos warns that misuse of incident response tools can precede ransomware and recommends deploying EDR, monitoring for unauthorized Velociraptor activity, and hardening backup and monitoring processes.