China Hackers Use Velociraptor IR Tool for Ransomware - Dark Reading
Chinese Hackers Use Velociraptor IR Tool in Ransomware Attacks
In a new wrinkle for adversary tactics, the Storm-2603 threat group is abusing the digital forensics and incident response (DFIR) tool to gain persistent access to victim networks.
Rob Wright, Senior News Director, Dark Reading
October 10, 2025
5 Min Read
A China-based threat group known as Storm-2603 has added a new weapon to its hacking arsenal.
Cisco Talos researchers observed Storm-2603 abusing Velociraptor, an open source digital forensics and incident response (DFIR) tool, in a recent ransomware attack. The open source project, which was acquired by Rapid7 in 2021, was designed by security researcher Michael Cohen to assist incident response teams with endpoint monitoring and investigations. However, it seems attackers have turned the tables on defenders and are now leveraging Velociraptor to conceal their malicious activity.
Storm-2603 initially burst onto the threat landscape in July as one of several threat groups exploiting a set of SharePoint vulnerabilities in an attack chain known as "ToolShell." There, the threat actors gained access to SharePoint servers, moved laterally in the victims' networks, and deployed Warlock ransomware. In a blog post published Thursday, Cisco Talos researchers said they responded to a different incident in August, in which threat actors dropped three different types of ransomware on the victim's VMware ESXi servers — Warlock, LockBit, and Babuk — and caused severe disruption to the organization.
In addition to the ransomware trio, Cisco Talos found Storm-2603 actors had also deployed Velociraptor to aid their attack. It was a shift in strategy; the researchers noted that the tool had not been definitively tied to ransomware attacks prior to August.
"Velociraptor played a significant role in this campaign, ensuring the actors maintained stealthy persistent access while deploying LockBit and Babuk ransomware," the researchers wrote. "After gaining initial access, the actors installed an outdated version of Velociraptor (version 0.73.4.0) that was exposed to a privilege escalation vulnerability (CVE-2025-6264) that could lead to arbitrary command execution and endpoint takeover."
Dark Reading contacted Cisco Talos for additional information on the attack, but the company declined to comment.
Velociraptor Bites Back in Storm-2603 Attacks
Cisco Talos' blog post cited previous research from Sophos in August that first documented abuse of Velociraptor by suspected ransomware actors. Sophos Counter Threat Unit (CTU) researchers responded to an incident that month that they said would have likely resulted in ransomware deployment, if not for an alert from Secureworks' Taegis platform.
"In this incident, the threat actor used the tool to download and execute Visual Studio Code with the likely intention of creating a tunnel to an attacker-controlled command and control (C2) server," the CTU research team wrote. "Enabling the tunnel option in Visual Studio Code triggered a Taegis alert, as this option can allow both remote access and remote code execution, and has been abused by multiple threat groups in the past."
Rafe Pilling, director of threat intelligence at Sophos CTU, tells Dark Reading that the Storm-2603 activity outlined by Cisco Talos "involves the same threat group and tactics" as Sophos CTU researchers observed in August. Pilling says the earliest detection of Velociraptor abuse Sophos found dates to Aug. 5.
"After we published our Aug. 26 blog on the use of Velociraptor by Warlock (Gold Salem as we track them, also known as Storm-2603), the group switched to using a new C2 domain on Cloudflare's workers.dev service," he says. "We continued to see indications of the use of Velociraptor in their attacks in the first two weeks of September, but not since then."
In a follow-up post on Sept. 17, Sophos said some of these intrusions ended with the deployment of Warlock ransomware. "When investigating this activity, we encountered a number of customers who had deployed Velociraptor widely across their networks, although these installations look different in our data than the malicious use by Gold Salem/Warlock," Pilling says.
Specifically, the threat actors were targeting Microsoft SharePoint servers and using Msiexec, a command line tool, to install Velociraptor. Pilling says the malicious activity was caught through behavioral detections in the Sophos Endpoint platform.
Detecting & Mitigating Velociraptor DFIR Misuse
In their August report, Sophos CTU researchers said the Velociraptor abuse illustrates how threat actors are shifting to incident response tools to establish a persistent foothold in victim networks. Cisco Talos agreed, noting that the addition of Velociraptor to ransomware gangs' playbooks meshes with the company's findings in the Talos 2024 "Year in Review" report, which warned that threat actors are increasingly abusing legitimate commercial and open source products for their attacks.
Cisco Talos cited guidance from Rapid7 for identifying and mitigating potential Velociraptor abuse, which notes that the tool deliberately creates "easy to detect" indicators of compromise (IoCs) if misused. Rapid7 acknowledged that since Velociraptor is open source, attackers can modify the tool to remove the generation of the IoCs, but the company said such binaries will either be unsigned or signed by another entity besides Rapid7, and therefore should be flagged.
Rapid7 responded to the reported attacks in a blog post on Thursday. "Rapid7 has implemented detections for this and other Velociraptor-related misuse, and is not impacted by this incident," Christiaan Beek, Rapid7's senior director of threat analytics, wrote.
Beek noted that in the activity observed by Sophos CTU researchers, the threat actors downloaded a Velociraptor binary and specified a C2 server in the configuration file. Once it was deployed on a compromised system, the attackers used Velociraptor to establish communications with the C2 server as well as download additional files and execute commands on the system.
"This behavior reflects a misuse pattern rather than a software flaw: adversaries simply repurpose legitimate collection and orchestration capabilities," Beek wrote.
Organizations should check to see if the Velociraptor instances in their environments are legitimate, and analyze endpoint logs for any newly created services or scheduled tasks tied to "velociraptor.exe," Beek said. Additionally, security teams should restrict the execution of any unknown Velociraptor binaries.
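The checks Beek and Rapid7 describe (new services or scheduled tasks tied to velociraptor.exe, binaries not signed by Rapid7, the outdated 0.73.4.0 build, and a client config pointing at a server the organization does not operate) can be turned into a simple triage pass. The script below is an added example, not code from Dark Reading, Cisco Talos, Sophos or Rapid7; the event records, host names, signer string, allow-list and field names are all constructed assumptions rather than a real product's schema.

```python
"""Triage constructed endpoint telemetry for signs of Velociraptor misuse.

Added example. Flags new services / scheduled tasks tied to velociraptor.exe,
binaries not signed by Rapid7, the 0.73.4.0 build named in the article, and
client configs reporting to a server the defender does not run. All records,
hosts, the signer string and the allow-list below are constructed.
"""
import re

# Assumption: the defender's own Velociraptor frontends (constructed values).
KNOWN_FRONTENDS = {"https://velo.corp.example:8000/"}
OUTDATED = "0.73.4.0"  # version the article names as vulnerable (CVE-2025-6264)

# Constructed records resembling Windows event log (7045 = service installed,
# 4698 = scheduled task created) and an EDR binary inventory.
EVENTS = [
    {"host": "sp01", "event_id": 7045, "image": r"C:\ProgramData\velociraptor.exe"},
    {"host": "sp01", "event_id": 4698, "image": r"C:\Users\Public\velociraptor.exe"},
    {"host": "ws07", "event_id": 7045, "image": r"C:\Program Files\Velociraptor\velociraptor.exe"},
    {"host": "ws07", "event_id": 4698, "image": r"C:\Windows\System32\svchost.exe"},
]
BINARIES = [  # signer/version/server_url are constructed fields
    {"host": "sp01", "signer": None, "version": "0.73.4.0", "server_url": "https://example.workers.dev/"},
    {"host": "ws07", "signer": "Rapid7 LLC", "version": "0.74.1", "server_url": "https://velo.corp.example:8000/"},
]

VELO_RE = re.compile(r"velociraptor\.exe$", re.IGNORECASE)

def triage_events(events):
    """Return (host, reason) for service installs / task creations tied to velociraptor.exe."""
    names = {7045: "new service", 4698: "new scheduled task"}
    return [(e["host"], f'{names[e["event_id"]]} runs {e["image"]}')
            for e in events if e["event_id"] in names and VELO_RE.search(e["image"])]

def triage_binaries(binaries, known_frontends=KNOWN_FRONTENDS):
    """Return (host, reason) for binaries failing the signer, version or server checks."""
    findings = []
    for b in binaries:
        if b["signer"] is None or "rapid7" not in b["signer"].lower():
            findings.append((b["host"], f'signer is {b["signer"]!r}, not Rapid7'))
        if b["version"] == OUTDATED:
            findings.append((b["host"], f"outdated build {OUTDATED}"))
        if b["server_url"] not in known_frontends:
            findings.append((b["host"], f'client reports to unknown server {b["server_url"]}'))
    return findings

if __name__ == "__main__":
    for host, reason in triage_events(EVENTS) + triage_binaries(BINARIES):
        print(f"[{host}] {reason}")
```

Every flagged service or task still needs a human look, since a legitimately deployed agent also registers a service; the binary checks are what separate the sanctioned install on ws07 from the unsigned, outdated, externally reporting copy on sp01.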
About the Author
Rob Wright
Senior News Director, Dark Reading
Rob Wright is a longtime reporter with more than 25 years of experience as a technology journalist. Prior to joining Dark Reading as senior news director, he spent more than a decade at TechTarget's SearchSecurity in various roles, including senior news director, executive editor and editorial director. Before that, he worked for several years at CRN, Tom's Hardware Guide, and VARBusiness Magazine covering a variety of technology beats and trends. Prior to becoming a technology journalist in 2000, he worked as a weekly and daily newspaper reporter in Virginia, where he won three Virginia Press Association awards in 1998 and 1999. He graduated from the University of Richmond in 1997 with a degree in journalism and English. A native of Massachusetts, he lives in the Boston area.