Velociraptor DFIR Tool Abused in Ransomware Attacks

Threat actors are weaponizing Velociraptor, an open-source digital forensics and incident response (DFIR) tool, in sophisticated multi-variant ransomware campaigns. A group tracked as Storm-2603 reportedly exploits SharePoint vulnerabilities to gain initial access, then deploys an outdated and vulnerable version of Velociraptor to maintain persistence and escalate privileges. The attackers then move laterally, disable security defenses by modifying Group Policy Objects, and exfiltrate data. They subsequently encrypt Windows servers and VMware ESXi virtual machines using a combination of Warlock, LockBit, and Babuk ransomware. The campaign is notable as the first in which this actor has been linked to Babuk, and it confirms the abuse of Velociraptor in live ransomware incidents.

Latest mentioned: 10-11
Earliest mentioned: 10-07