
Velociraptor DFIR Tool Used in Ransomware Attacks


Recent reporting indicates that threat actors are exploiting Velociraptor, a DFIR tool designed for legitimate endpoint monitoring and incident response across Windows, Linux, and macOS systems, by abusing outdated versions that are vulnerable to privilege escalation, which allows arbitrary command execution and complete host compromise. Using this access, the threat actors deployed variants of Warlock, LockBit, and Babuk ransomware. The activity is attributed to Storm-2603, a suspected China-based threat actor that has been observed deploying Warlock and LockBit ransomware in previous attacks.

What’s Notable and Unique

  • Researchers first identified in August 2025 that threat actors were abusing Velociraptor for remote access, using the tool to download and execute Visual Studio Code on compromised hosts; VS Code was then used to establish a secure communication tunnel to the attackers' command and control (C2) infrastructure.
  • In this recent campaign, threat actors are exploiting an outdated version of Velociraptor that is vulnerable to CVE-2025-6264, which enables arbitrary command execution and endpoint takeover, allowing the attackers to maintain persistence, run programs remotely, and create scheduled tasks that execute batch scripts.


Analyst Comments

The misuse of legitimate software such as Velociraptor in ransomware campaigns presents a significant challenge for defenders. By exploiting trusted security tools, threat actors can conceal their malicious activity within normal administrative behavior, making detection and response more difficult. This tactic not only undermines confidence in security utilities but also underscores the need for strict version control, continuous monitoring of how administrative tools are used, and robust behavioral analytics that can distinguish legitimate from malicious actions within enterprise environments. Arete does not use Velociraptor and maintains rigorous controls over the tools we use to ensure they are secure.
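The behavioral monitoring called for above can be applied directly to the two behaviors described in the bullets: a Velociraptor client process launching VS Code in tunnel mode, and a Velociraptor client process creating a scheduled task that runs a batch script. The following is an added illustration, not code from Arete or from the Velociraptor project; the event field names, the assumed client binary names, and the sample events are all constructed for this example.

```python
"""Flag process-creation events in which a Velociraptor client process launches
the tooling described in the reporting. Field names and sample events are
constructed for this example and do not come from any specific product."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumed file names of the Velociraptor client binary on Windows.
VELOCIRAPTOR_PARENTS = {"velociraptor.exe", "velociraptor_client.exe"}

@dataclass
class Finding:
    rule: str
    pid: int
    cmdline: str

def _basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]

def check_event(event: dict) -> Optional[Finding]:
    """Return a Finding for the first matching rule, or None if benign."""
    if _basename(event.get("parent_image", "")) not in VELOCIRAPTOR_PARENTS:
        return None
    image = _basename(event.get("image", ""))
    cmd = event.get("cmdline", "")
    # Rule 1: VS Code started under Velociraptor with the tunnel subcommand.
    if image == "code.exe" and re.search(r"\btunnel\b", cmd, re.I):
        return Finding("vscode_tunnel_from_velociraptor", event["pid"], cmd)
    # Rule 2: a scheduled task created under Velociraptor that runs a .bat file.
    if image == "schtasks.exe" and re.search(r"/create\b", cmd, re.I) \
            and re.search(r"\.bat\b", cmd, re.I):
        return Finding("schtasks_batch_from_velociraptor", event["pid"], cmd)
    return None

def scan(events: List[dict]) -> List[Finding]:
    return [f for f in (check_event(e) for e in events) if f is not None]

# Constructed sample events (not real telemetry): two hits, two non-hits.
SAMPLE_EVENTS = [
    {"pid": 4101, "parent_image": r"C:\Program Files\Velociraptor\Velociraptor.exe",
     "image": r"C:\Users\Public\code.exe", "cmdline": "code.exe tunnel --name host1"},
    {"pid": 4102, "parent_image": r"C:\Program Files\Velociraptor\Velociraptor.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r"schtasks.exe /create /tn Updater /tr C:\Windows\Temp\run.bat /sc minute"},
    {"pid": 4103, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Microsoft VS Code\code.exe", "cmdline": "code.exe C:\\proj"},
    {"pid": 4104, "parent_image": r"C:\Program Files\Velociraptor\Velociraptor.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c whoami"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding.rule, finding.pid, finding.cmdline)
```

The fourth sample event shows the trade-off: Velociraptor legitimately runs commands through its artifacts, so the rules key on the specific child tooling and arguments rather than on any child process at all.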

Sources