Living Off the Land: Hackers Abuse Velociraptor DFIR Tool to Deploy Ransomware

China-Linked Group Storm-2603 Abuses Velociraptor DFIR Tool to Deploy LockBit, Babuk Ransomware

Severity: HIGH
October 9, 2025
Categories: Threat Actor, Ransomware, Malware

Related Entities

Threat Actors: Storm-2603

Products & Tech: Velociraptor, Impacket, VMware ESXi, Windows Server, Entra ID

CVE Identifiers: CVE-2025-6264

Executive Summary

Security researchers at Cisco Talos have identified a campaign in which threat actors abuse Velociraptor, a legitimate open-source Digital Forensics and Incident Response (DFIR) tool, to support ransomware attacks. Talos attributes the activity with moderate confidence to Storm-2603, a group suspected of having links to China. Rather than hijacking a Velociraptor agent the victim already runs, the attackers bring and install an outdated build that is vulnerable to CVE-2025-6264, a privilege escalation flaw, and use it to hold persistent, privileged access and to stage ransomware payloads. Because the binary is a widely used security tool, its collection and remote-execution activity blends in with incident-response and administrative work, which is why the report frames this as a "living-off-the-land" (LotL) technique. The actors used it to deploy multiple ransomware families, including Warlock, LockBit and Babuk, primarily against VMware ESXi and Windows Server environments.

Threat Overview

The campaign, which began in mid-August 2025, involves the threat actor gaining initial access to a target network and then deploying Velociraptor version 0.73.4.0. That build is vulnerable to CVE-2025-6264, which the attackers can exploit to escalate privileges and take complete control of the endpoint on which the client runs. Because Velociraptor is a trusted DFIR tool whose normal job is to collect files, run commands and pull artifacts from endpoints, the attackers' collection, execution and exfiltration activity looks like legitimate response work and is hard to distinguish from it. The goal of the campaign is to deploy ransomware across the victim's virtualized and physical server infrastructure, encrypting data and causing significant disruption.

Technical Analysis

The attack chain shows careful operational security and solid technical skill. After exploiting CVE-2025-6264 for privilege escalation, the actors carry out the following post-exploitation steps:

  1. Persistence and Credential Access: They create new administrator accounts in Active Directory and sync them to Entra ID (formerly Azure AD), so that their persistence extends from the on-premises domain into the cloud identity tenant.
  2. Lateral Movement: They access the VMware vSphere console, which gives control over every virtual machine the hypervisors host without touching each guest individually.
  3. Defense Evasion: They modify Active Directory Group Policy Objects (GPOs) to disable Microsoft Defender's real-time protection and other security controls across the domain, so a single change propagates to every domain-joined server at its next policy refresh.
  4. Command and Control: Velociraptor's built-in collection and remote-execution features serve as the command-and-control channel, and data exfiltration is disguised as forensic evidence collection. The attackers also use Impacket for remote command execution.

Impact Assessment

The impact of this campaign is severe. By targeting VMware ESXi servers, the attackers can encrypt dozens or hundreds of virtual machines simultaneously, leading to catastrophic business disruption. The use of a legitimate DFIR tool makes attribution and incident response more complex, as security teams may initially overlook its activity. Victims face not only the cost of recovery and downtime but also the potential for data exfiltration and double extortion, as is common with the LockBit and Babuk ransomware families.

Cyber Observables for Detection

Security teams should hunt for these indicators:

Type | Value | Description
file_name | velociraptor-v0.73.4.0-windows-amd64.exe | The specific outdated, vulnerable release deployed in this campaign. The attacker may rename the file, so match on file hash as well as on name.
process_name | velociraptor.exe | Executions of the Velociraptor client on hosts where the internal security team has not deployed it, or from a path other than the sanctioned install directory.
command_line_pattern | velociraptor.exe --config <config_file> client | The client subcommand started with a configuration file the security team did not issue. The server the client will connect to is inside that YAML file, not on the command line, so collect the file to recover the attacker's infrastructure.
log_source | Windows Security Event ID 4673 | "A privileged service was called": sensitive privilege use by a process that should not need it. Pair it with 4697 (Security log) and 7045 (System log), which record new service installation, to catch Velociraptor being registered as a service.
log_source | Domain controller Security log (Event IDs 4720, 4728, 4732, 4756) | Creation of new user accounts and their addition to security-enabled groups; filter for privileged groups and for accounts with unusual naming conventions. Replication metadata alone does not tell you who created an account or from where.
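The observables above are easiest to apply as one hunt over process-creation telemetry. The following Python is an added example written for this write-up, not code from Cisco Talos or the Velociraptor project. The approved install directory, approved config path and suspicious-parent list are assumptions standing in for your own environment, and the three events are constructed in the shape of Sysmon Event ID 1 records. It flags the vulnerable version string, the client subcommand with an unsanctioned config, execution outside the approved directory, a web-server parent process, and Velociraptor spawning a shell.

```python
"""Hunt process-creation telemetry for the Velociraptor abuse pattern described above.

Added example for this write-up; reference values below are assumptions, not
Velociraptor or Talos data, except the 0.73.4.0 version string named in the report.
"""
import re
from dataclasses import dataclass

VULNERABLE_VERSIONS = {"0.73.4.0"}                      # release named in the Talos report
APPROVED_DIRS = {r"c:\program files\velociraptor"}      # assumption: your sanctioned install path
APPROVED_CONFIGS = {r"c:\program files\velociraptor\client.config.yaml"}  # assumption
SUSPICIOUS_PARENTS = {"w3wp.exe", "httpd.exe", "tomcat.exe", "java.exe",
                      "wscript.exe", "mshta.exe", "rundll32.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}

VERSION_RE = re.compile(r"velociraptor-v(\d+(?:\.\d+){2,3})-windows-amd64\.exe", re.I)
CLIENT_RE = re.compile(r'--config\s+(?:"([^"]+)"|(\S+))\s+client\b', re.I)


@dataclass
class ProcEvent:
    """Minimal process-creation record (Sysmon Event ID 1 / EDR equivalent)."""
    host: str
    image: str
    cmdline: str
    parent_image: str


def _base(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _dir(path: str) -> str:
    p = path.replace("/", "\\").lower()
    return p.rsplit("\\", 1)[0] if "\\" in p else ""


def is_velociraptor(path: str) -> bool:
    name = _base(path)
    return name.startswith("velociraptor") and name.endswith(".exe")


def analyze(events):
    """Return (host, rule, detail) tuples; one tuple per suspicious observation."""
    findings = []
    for e in events:
        if is_velociraptor(e.image):
            m = VERSION_RE.search(e.image) or VERSION_RE.search(e.cmdline)
            if m and m.group(1) in VULNERABLE_VERSIONS:
                findings.append((e.host, "vulnerable_version", m.group(1)))
            if _dir(e.image) not in APPROVED_DIRS:
                findings.append((e.host, "unapproved_path", e.image))
            c = CLIENT_RE.search(e.cmdline)
            if c:
                cfg = (c.group(1) or c.group(2)).lower()
                if cfg not in APPROVED_CONFIGS:
                    # The server URL and CA the client trusts are inside this file: collect it.
                    findings.append((e.host, "unapproved_client_config", cfg))
            if _base(e.parent_image) in SUSPICIOUS_PARENTS:
                findings.append((e.host, "suspicious_parent", _base(e.parent_image)))
        elif _base(e.image) in SHELLS and is_velociraptor(e.parent_image):
            findings.append((e.host, "shell_spawned_by_velociraptor", e.cmdline))
    return findings


# Constructed sample telemetry: an attacker drop on SRV01, a benign deployment on WS02.
SAMPLE_EVENTS = [
    ProcEvent("SRV01", r"C:\Windows\Temp\velociraptor-v0.73.4.0-windows-amd64.exe",
              r"velociraptor-v0.73.4.0-windows-amd64.exe --config C:\Windows\Temp\client.config.yaml client",
              r"C:\Windows\System32\inetsrv\w3wp.exe"),
    ProcEvent("SRV01", r"C:\Windows\System32\cmd.exe", "cmd.exe /c whoami",
              r"C:\Windows\Temp\velociraptor-v0.73.4.0-windows-amd64.exe"),
    ProcEvent("WS02", r"C:\Program Files\Velociraptor\velociraptor.exe",
              r'"C:\Program Files\Velociraptor\velociraptor.exe" --config "C:\Program Files\Velociraptor\client.config.yaml" client',
              r"C:\Windows\System32\services.exe"),
]

if __name__ == "__main__":
    for host, rule, detail in analyze(SAMPLE_EVENTS):
        print(f"{host}\t{rule}\t{detail}")
```

To run it against real data, build ProcEvent objects from the Image, CommandLine and ParentImage fields of a Sysmon or EDR export; the WS02 record shows that a sanctioned deployment from the approved path with the approved config produces no findings, so the rules can run continuously without drowning the SOC in hits from your own agents.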

Detection & Response

  1. Asset Inventory and Version Control: Maintain a strict inventory of all software, especially security tools. Use D3FEND's Software Update (D3-SU) process to ensure all tools, including Velociraptor, are up-to-date and patched against known vulnerabilities like CVE-2025-6264.
  2. Behavioral Monitoring: Since the tool is legitimate, signature-based detection will fail. Use EDR and SIEM solutions to monitor for anomalous behavior associated with the tool. For example, alert when velociraptor.exe is executed from a non-standard directory or connects to an unknown external IP address. This aligns with D3FEND's Process Analysis (D3-PA).
  3. GPO Auditing: Regularly audit changes to Group Policy Objects. An alert should be triggered for any modification that disables or weakens security controls like Microsoft Defender. Use D3FEND's System Configuration Permissions (D3-SCP) to harden GPOs.
  4. Account Monitoring: Closely monitor the creation of new administrative accounts in Active Directory and Entra ID. Use D3FEND's Domain Account Monitoring (D3-DAM) to detect suspicious account creation.
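GPO auditing (item 3) can be automated on the policy files themselves: a GPO's machine registry settings live in SYSVOL under Policies\{GUID}\Machine\Registry.pol, and Defender policy is just a set of DWORD values in that file. The Python below is an added example for this write-up, not Talos's or Microsoft's code. It serialises and parses the Registry.pol layout as Microsoft documents it ('PReg' signature, version 1, then [key;value;type;size;data] records with the brackets, semicolons and strings in UTF-16LE) and reports Defender policy values set to 1, which turn protection off. The two policy blobs are constructed inline: one with real-time monitoring disabled, as in this campaign, and the hardened counterpart that enforces it on.

```python
"""Audit GPO Registry.pol files for Microsoft Defender policy values that disable protection.

Added example for this write-up, not Talos or Microsoft code. The serialiser and parser
follow the documented Registry.pol layout; the two policy blobs below are constructed.
"""
import struct

REG_DWORD = 4
# Defender policy values that switch protection off when set to 1 (real policy names,
# lower-cased for comparison).
DEFENDER_WEAKENING = {
    (r"software\policies\microsoft\windows defender", "disableantispyware"),
    (r"software\policies\microsoft\windows defender\real-time protection", "disablerealtimemonitoring"),
    (r"software\policies\microsoft\windows defender\real-time protection", "disablebehaviormonitoring"),
    (r"software\policies\microsoft\windows defender\real-time protection", "disableioavprotection"),
    (r"software\policies\microsoft\windows defender\real-time protection", "disableonaccessprotection"),
}


def _u16(s: str) -> bytes:
    return s.encode("utf-16-le")


def build_registry_pol(entries) -> bytes:
    """Serialise (key, value_name, reg_type, data) tuples: 'PReg' + version 1 header, then
    one [key;value;type;size;data] record per entry with brackets/semicolons in UTF-16LE."""
    out = b"PReg" + struct.pack("<I", 1)
    for key, name, rtype, data in entries:
        out += (_u16("[") + _u16(key) + b"\x00\x00" + _u16(";")
                + _u16(name) + b"\x00\x00" + _u16(";")
                + struct.pack("<I", rtype) + _u16(";")
                + struct.pack("<I", len(data)) + _u16(";")
                + data + _u16("]"))
    return out


def parse_registry_pol(blob: bytes):
    """Parse a Registry.pol blob into (key, value_name, reg_type, data) tuples."""
    if blob[:4] != b"PReg" or struct.unpack("<I", blob[4:8])[0] != 1:
        raise ValueError("not a version-1 Registry.pol file")
    pos = 8
    entries = []

    def expect(ch: str):
        nonlocal pos
        if blob[pos:pos + 2] != _u16(ch):
            raise ValueError(f"expected {ch!r} at offset {pos}")
        pos += 2

    def read_wstr() -> str:
        nonlocal pos
        end = pos
        while end + 2 <= len(blob) and blob[end:end + 2] != b"\x00\x00":
            end += 2
        if end + 2 > len(blob):
            raise ValueError("unterminated string")
        text = blob[pos:end].decode("utf-16-le")
        pos = end + 2
        return text

    def read_dword() -> int:
        nonlocal pos
        value = struct.unpack("<I", blob[pos:pos + 4])[0]
        pos += 4
        return value

    while pos < len(blob):
        expect("[")
        key = read_wstr(); expect(";")
        name = read_wstr(); expect(";")
        rtype = read_dword(); expect(";")
        size = read_dword(); expect(";")
        data = blob[pos:pos + size]; pos += size
        expect("]")
        entries.append((key, name, rtype, data))
    return entries


def find_defender_tampering(blob: bytes):
    """Return (key, value_name) for every Defender-disabling DWORD that is set to 1."""
    hits = []
    for key, name, rtype, data in parse_registry_pol(blob):
        if ((key.lower(), name.lower()) in DEFENDER_WEAKENING
                and rtype == REG_DWORD and len(data) == 4
                and struct.unpack("<I", data)[0] == 1):
            hits.append((key, name))
    return hits


RTP_KEY = r"Software\Policies\Microsoft\Windows Defender\Real-Time Protection"
# Constructed: a tampered GPO matching this campaign's pattern (real-time protection off)
# alongside an unrelated Windows Update setting.
TAMPERED_POL = build_registry_pol([
    (RTP_KEY, "DisableRealtimeMonitoring", REG_DWORD, struct.pack("<I", 1)),
    (r"Software\Policies\Microsoft\Windows\WindowsUpdate\AU", "NoAutoUpdate", REG_DWORD, struct.pack("<I", 0)),
])
# Constructed: the hardened counterpart that enforces real-time protection on.
HARDENED_POL = build_registry_pol([
    (RTP_KEY, "DisableRealtimeMonitoring", REG_DWORD, struct.pack("<I", 0)),
])

if __name__ == "__main__":
    # On a real domain, read \\<domain>\SYSVOL\<domain>\Policies\{GUID}\Machine\Registry.pol
    for label, blob in (("tampered", TAMPERED_POL), ("hardened", HARDENED_POL)):
        print(label, find_defender_tampering(blob))
```

Run it on a schedule over every GPO's Machine\Registry.pol and diff the results against the previous run; a production version should also watch the GPT.ini version counter to notice edits between runs, and handle the special value-name prefixes Registry.pol uses for deletions (**del. and **delvals.), which this example ignores.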

Mitigation

  1. Application Allowlisting: Implement application allowlisting to prevent the execution of unauthorized or outdated versions of tools like Velociraptor. This is a key part of D3FEND's Executable Allowlisting (D3-EAL).
  2. Principle of Least Privilege: Ensure that user and service accounts have only the minimum permissions necessary. This can limit an attacker's ability to escalate privileges or modify GPOs.
  3. Harden VMware Environment: Secure the vSphere/vCenter management console with multi-factor authentication and restrict access to authorized personnel from dedicated management workstations.
  4. Network Egress Filtering: Block outbound connections from servers to the internet on non-essential ports. Monitor and filter traffic to known malicious or suspicious domains and IP ranges.

Timeline of Events

August 15, 2025: Storm-2603 begins its campaign, gaining initial access and deploying the vulnerable Velociraptor tool.
October 9, 2025: This article was published.

MITRE ATT&CK Mitigations

  1. Use application control to restrict the execution of unauthorized or outdated software versions.
  2. Use an EDR to detect malicious behaviors, such as a DFIR tool disabling security products.
  3. Ensure all legitimate tools are kept up-to-date to patch known vulnerabilities.
  4. Harden Active Directory and GPO permissions to prevent unauthorized modifications.

D3FEND Defensive Countermeasures

Implement a strict executable allowlisting policy on critical servers, particularly domain controllers and VMware vCenter servers. This countermeasure would have blocked the unauthorized, outdated Velociraptor build (v0.73.4.0) used in this attack before it ran. The policy should permit only known, approved and current versions of legitimate security and administrative tools; if you rely on publisher rules, constrain the file version as well, because an older release from the same publisher passes a publisher-only rule. By defining a 'known good' state, any attempt by Storm-2603 to drop and run their chosen tool is blocked at the source. This can be enforced with Windows AppLocker, Windows Defender Application Control, or third-party application control products. Strictly speaking, dropping your own copy of a legitimate tool is "bring your own tool" rather than living off the land, and that is exactly why allowlisting works against it: it does not matter that the binary is benign elsewhere, only that it is not approved here. Baselining the environment takes an initial investment, but it remains one of the most effective ways to defeat attacks that rely on dropping unauthorized executables.

Deploy an Endpoint Detection and Response (EDR) solution capable of advanced process analysis and behavioral monitoring. Since the attackers are using a legitimate tool, signature-based detection is ineffective. A behavioral approach is needed to identify malicious use. Configure the EDR to alert on suspicious process chains, such as velociraptor.exe being launched by an unusual parent process (e.g., a web server) or velociraptor.exe spawning shells (cmd.exe, powershell.exe) to execute commands. Furthermore, create detection rules for when a process associated with a security tool (like Velociraptor) attempts to read credentials from memory (LSASS) or modify Group Policy Objects. This context-aware monitoring can distinguish malicious activity from benign administrative use.

Implement robust monitoring of Active Directory and Entra ID for suspicious account activity. The attackers in this campaign created new administrator accounts for persistence. Configure your SIEM to generate high-priority alerts for the creation of any new account that is added to privileged groups (e.g., Domain Admins, Enterprise Admins, vSphere Admins). Alerts should also be triggered if an existing account's privileges are escalated. Correlate this activity with source IP and host information; for example, a new domain admin account being created from a standard user workstation or a server that does not typically perform identity management is highly suspicious. This provides a critical detection opportunity during the persistence and privilege escalation phases of the attack.
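Here is that correlation in code, covering item 4 under Detection & Response and the paragraph above. It is an added example for this write-up, not Talos's or Microsoft's code. It joins Event 4624 logon records to the SubjectLogonId carried by 4720 (user account created) and 4728/4732/4756 (member added to a security-enabled global, local or universal group) so that every account change is attributed to a source IP, escalates to critical when a freshly created account lands in a privileged group within 30 minutes, and flags creations from hosts outside an assumed management set. The management address, the group list and the six event records are constructed; vCenter's own SSO groups (such as vSphere Administrators) are not in Active Directory and need a separate check.

```python
"""Correlate domain-controller Security events so privileged-account changes are attributed and tiered.

Added example for this write-up, not Talos or Microsoft code. Event field names match the
Windows Security log; the management-host set and the sample events are constructed.
"""
from datetime import datetime, timedelta

PRIVILEGED_GROUPS = {"domain admins", "enterprise admins", "administrators", "schema admins"}
MANAGEMENT_HOSTS = {"10.0.9.10"}      # assumption: IdM server / privileged access workstations
GROUP_ADD_IDS = {4728, 4732, 4756}    # member added to global / local / universal security group
WINDOW = timedelta(minutes=30)        # creation -> privileged-group add inside this is critical


def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


def _sam_from_dn(dn: str) -> str:
    """MemberName arrives as a DN, e.g. CN=svc_backup,CN=Users,DC=corp,DC=example."""
    return dn.split(",", 1)[0].removeprefix("CN=").lower()


def analyze(events):
    """Return (severity, rule, account, source_ip, detail) tuples, oldest first."""
    # 4720/47xx carry only the SubjectLogonId of the administrator's session; 4624 maps that
    # session to the IP it was established from, so join on it to name the source host.
    session_ip = {e["TargetLogonId"]: e["IpAddress"] for e in events if e["EventID"] == 4624}
    created = {}    # sam account name -> creation time
    alerts = []
    for e in sorted(events, key=lambda x: x["TimeCreated"]):
        eid = e["EventID"]
        src = session_ip.get(e.get("SubjectLogonId"), "unknown")
        if eid == 4720:
            user = e["TargetUserName"].lower()
            created[user] = _ts(e["TimeCreated"])
            if src not in MANAGEMENT_HOSTS:
                alerts.append(("medium", "account_created_from_unexpected_host",
                               user, src, e["SubjectUserName"]))
        elif eid in GROUP_ADD_IDS and e["TargetUserName"].lower() in PRIVILEGED_GROUPS:
            member = _sam_from_dn(e["MemberName"])
            born = created.get(member)
            if born is not None and _ts(e["TimeCreated"]) - born <= WINDOW:
                alerts.append(("critical", "new_account_added_to_privileged_group",
                               member, src, e["TargetUserName"]))
            else:
                alerts.append(("high", "privileged_group_add", member, src, e["TargetUserName"]))
    return alerts


# Constructed sample: a routine change from the management host on the 14th, then an
# attacker session from a user workstation creating svc_backup and making it a Domain Admin.
SAMPLE_EVENTS = [
    {"EventID": 4624, "TimeCreated": "2025-08-14T08:59:30", "TargetLogonId": "0x1b2c3",
     "IpAddress": "10.0.9.10", "LogonType": 3},
    {"EventID": 4720, "TimeCreated": "2025-08-14T09:00:00", "TargetUserName": "jdoe",
     "SubjectUserName": "idm_svc", "SubjectLogonId": "0x1b2c3"},
    {"EventID": 4624, "TimeCreated": "2025-08-15T02:10:12", "TargetLogonId": "0x3e7a1",
     "IpAddress": "10.0.5.23", "LogonType": 3},
    {"EventID": 4720, "TimeCreated": "2025-08-15T02:11:05", "TargetUserName": "svc_backup",
     "SubjectUserName": "srvadmin", "SubjectLogonId": "0x3e7a1"},
    {"EventID": 4728, "TimeCreated": "2025-08-15T02:12:40", "TargetUserName": "Domain Admins",
     "MemberName": "CN=svc_backup,CN=Users,DC=corp,DC=example",
     "SubjectUserName": "srvadmin", "SubjectLogonId": "0x3e7a1"},
    {"EventID": 4732, "TimeCreated": "2025-08-15T10:00:00", "TargetUserName": "Administrators",
     "MemberName": "CN=jdoe,CN=Users,DC=corp,DC=example",
     "SubjectUserName": "idm_svc", "SubjectLogonId": "0x1b2c3"},
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print(*alert, sep="\t")
```

The join on SubjectLogonId is the part most SIEM rules skip: without it a 4720 tells you which admin account acted but not from which machine, and a compromised admin credential used from a file server looks identical to the same admin working from a privileged-access workstation.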

Sources & References

1. "Velociraptor leveraged in ransomware attacks", Cisco Talos (blog.talosintelligence.com), October 9, 2025.
2. "Hackers now use Velociraptor DFIR tool in ransomware attacks", BleepingComputer (bleepingcomputer.com), October 9, 2025.

Article Author

Jason Gomes, Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Tags: Living off the Land, DFIR, Velociraptor, Storm-2603, LockBit, Babuk, VMware
