All news with #warlock tag

Velociraptor Abused in LockBit Ransomware Campaign Wave

🔒 Threat actors are abusing Velociraptor, an open-source DFIR tool, to support ransomware operations attributed to Storm-2603. Attackers exploited on-premises SharePoint ToolShell flaws to deploy an outdated Velociraptor build (0.73.4.0) vulnerable to CVE-2025-6264, enabling privilege escalation and remote command execution. After lateral movement and creation of domain admin accounts, the group tampered with GPOs, disabled real‑time protection, and staged exfiltration before deploying Warlock, LockBit, and Babuk. Vendors caution that legitimate collection and orchestration capabilities can be repurposed by adversaries.

Velociraptor Abuse Enables Stealthy Ransomware Campaigns

🔒 Researchers report that the open-source DFIR tool Velociraptor was abused by threat actors to maintain stealthy persistent access while deploying multiple ransomware families, including Warlock, LockBit and Babuk. Cisco Talos observed the activity in August 2025 and attributed the multi-vector operation to a China-linked cluster tracked as Storm-2603. Attackers exploited a vulnerable agent (v0.73.4.0) via CVE-2025-6264 to escalate privileges and persist; defenders are urged to verify deployments and update to v0.73.5 or later.

Velociraptor Abused in Ransomware Attacks by Storm-2603

🔐 Cisco Talos confirmed ransomware operators abused Velociraptor, an open-source DFIR endpoint tool, to gain arbitrary command execution in August 2025 by deploying an outdated agent vulnerable to CVE-2025-6264. Talos links the activity with moderate confidence to Storm-2603 based on overlapping tooling and TTPs. Operators used the tool to stage lateral movement, deploy fileless PowerShell encryptors, and deliver multiple ransomware families, severely disrupting VMware ESXi and Windows servers.