Chinese Hackers Use Velociraptor IR Tool in Ransomware Attacks

Summary

Researchers from Cisco Talos observed China-based threat group Storm-2603 (also tracked as Gold Salem) abusing the open-source DFIR tool Velociraptor to maintain stealthy, persistent access in recent ransomware campaigns. After initial access—often via SharePoint exploits—the actors deployed an outdated Velociraptor build (v0.73.4.0) that is vulnerable to privilege escalation (CVE-2025-6264), then used it to communicate with a command-and-control (C2) server and stage multiple ransomware families including Warlock, LockBit and Babuk against VMware ESXi hosts.

Sophos CTU earlier documented similar misuse in August, and Rapid7 (the project steward) has published guidance and added detections. The abuse highlights a trend of adversaries repurposing legitimate incident-response and admin tooling to hide activity; defenders should verify Velociraptor instances, check for unsigned or unexpected binaries, and hunt for new services or scheduled tasks referencing velociraptor.exe.

Author note: This is important — attackers are turning your forensic tools into backdoors. Read the mitigation steps below and check your estate.

Key Points

  • Storm-2603/Gold Salem has started abusing Velociraptor, an open-source DFIR tool, to maintain stealthy persistent access.
  • Attackers installed an outdated Velociraptor version (v0.73.4.0) containing CVE-2025-6264, enabling privilege escalation and potential arbitrary command execution.
  • The campaign included deployment of multiple ransomware families (Warlock, LockBit, Babuk) and impacted VMware ESXi environments.
  • Sophos CTU first documented Velociraptor misuse in August; Cisco Talos confirmed continued activity in follow-up investigations.
  • Rapid7 advises checking Velociraptor instances for legitimacy, unsigned binaries, unexpected services/scheduled tasks and restricting execution of unknown binaries.
  • This activity exemplifies a wider trend: threat actors abusing legitimate commercial and open-source admin/DFIR tools to blend in and persist.
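The summary and the Rapid7 guidance above both boil down to the same host-level hunt: find services and scheduled tasks that reference velociraptor.exe, then check whether the binary they launch is signed, which build it is, and where it lives. The script below is an added example written for this page; it is not code from the Dark Reading article, Cisco Talos, Rapid7 or the Velociraptor project. It assumes a Windows host with the ScheduledTasks module available, treats any build at or below v0.73.4.0 (the version the article names) as outdated, and takes `C:\Program Files\Velociraptor` as the sanctioned install root; both of those are assumptions to adjust for your estate, and the file-version parsing is guarded because the exact format of Velociraptor's version string is not assumed here.

```powershell
# Added example (not from the article or the Velociraptor project): per-host hunt for
# Velociraptor references in services and scheduled tasks, followed by a signature,
# version and location check on each referenced binary. Threshold and paths are assumptions.

$KnownVulnerableBuild = [version]'0.73.4.0'                   # build named in the article (CVE-2025-6264)
$ApprovedInstallRoots = @('C:\Program Files\Velociraptor')    # assumption: your sanctioned install location(s)

function Get-VelociraptorReferences {
    # Every service or scheduled-task action whose command line mentions velociraptor.exe
    $hits = @()
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        if ($svc.PathName -match 'velociraptor\.exe') {
            $hits += [pscustomobject]@{ Kind = 'Service'; Name = $svc.Name; Command = $svc.PathName; State = $svc.State }
        }
    }
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            $cmd = "$($action.Execute) $($action.Arguments)".Trim()
            if ($cmd -match 'velociraptor\.exe') {
                $hits += [pscustomobject]@{ Kind = 'ScheduledTask'; Name = "$($task.TaskPath)$($task.TaskName)"; Command = $cmd; State = $task.State }
            }
        }
    }
    return $hits
}

function Resolve-ExecutablePath {
    param([string]$CommandLine)
    # Extract the .exe path from a service/task command line, quoted or unquoted
    if ($CommandLine -match '^\s*"([^"]+\.exe)"') { return $Matches[1] }
    if ($CommandLine -match '^\s*(\S+\.exe)')     { return $Matches[1] }
    return $null
}

function Test-VelociraptorBinary {
    param([string]$Path)
    # Verdict for one binary: missing, unsigned/invalid signature, outdated build, or unexpected location
    $reasons = @()
    if (-not $Path -or -not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Signed = $false; Version = $null; Reasons = @('binary not found on disk') }
    }
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') { $reasons += "Authenticode status $($sig.Status)" }

    $rawVersion = (Get-Item -LiteralPath $Path).VersionInfo.FileVersion
    $version = $null
    if ($rawVersion -and [version]::TryParse(($rawVersion -split '[\s-]')[0], [ref]$version)) {
        # Assumption: anything at or below the build the article names is treated as outdated
        if ($version -le $KnownVulnerableBuild) { $reasons += "build $version is at or below $KnownVulnerableBuild" }
    } else {
        $reasons += 'no parseable file version'
    }

    $inApprovedRoot = $false
    foreach ($root in $ApprovedInstallRoots) {
        if ($Path.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) { $inApprovedRoot = $true }
    }
    if (-not $inApprovedRoot) { $reasons += 'outside approved install roots' }

    return [pscustomobject]@{ Path = $Path; Signed = ($sig.Status -eq 'Valid'); Version = $version; Reasons = $reasons }
}

function Invoke-VelociraptorHunt {
    # Join each reference to its binary verdict; a non-empty Findings column deserves a look
    foreach ($ref in Get-VelociraptorReferences) {
        $verdict = Test-VelociraptorBinary -Path (Resolve-ExecutablePath -CommandLine $ref.Command)
        [pscustomobject]@{
            Kind     = $ref.Kind
            Name     = $ref.Name
            State    = $ref.State
            Path     = $verdict.Path
            Signed   = $verdict.Signed
            Version  = $verdict.Version
            Findings = ($verdict.Reasons -join '; ')
        }
    }
}

Invoke-VelociraptorHunt | Format-Table -AutoSize
```

Run it per host, or wrap `Invoke-VelociraptorHunt` in `Invoke-Command -ComputerName` across the estate and collect the objects centrally. A legitimate deployment should appear as a service in the approved root, signed, and above the threshold; an unsigned copy, an unexpected scheduled task, or a binary dropped under a user profile or a temp directory is the pattern the article describes and warrants a full incident-response look rather than a quiet removal.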

Why should I read this?

Okay, quick and blunt — attackers are weaponising a tool defenders trust. If you run Velociraptor anywhere, this is your wake-up call: verify installs, hunt for odd services and unsigned binaries, and patch or remove outdated builds. We’ve skimmed the noise and put the essentials here so you can act fast.

Context and Relevance

This report matters because it shows a shift in adversary tradecraft: instead of bespoke malware, attackers are reusing legitimate DFIR tooling to stay hidden and persistent. That makes detection harder using simple signature checks and increases the value of behavioural telemetry, binary signing verification and configuration auditing. For security teams, the piece ties into broader trends of supply-chain and tool-abuse threats and underlines the need for robust asset inventories and runtime controls.

Source

Source: https://www.darkreading.com/cybersecurity-operations/chinese-hackers-velociraptor-ir-tool-ransomware-attacks