Chinese Hackers Turn Security Tool Against Defenders in Ransomware Attacks

Storm-2603 exploits Velociraptor for stealthy ransomware attacks on VMware, raising concerns over repurposed security tools.
Content Team

Chinese threat group Storm-2603 has weaponized Velociraptor, a legitimate digital forensics tool, to launch stealthy ransomware attacks. Cisco Talos researchers discovered the group using this open-source incident response tool to deploy multiple ransomware variants—Warlock, LockBit, and Babuk—on VMware ESXi servers in August.

The hackers exploited an outdated version of Velociraptor with a privilege escalation vulnerability, allowing them to maintain persistent access while avoiding detection. This marks a concerning shift where cybercriminals repurpose security tools designed to protect organizations.

Sophos researchers first documented similar attacks in August, noting threat actors used Velociraptor to establish command-and-control communications. Security teams should audit their Velociraptor installations and monitor for unauthorized binaries to prevent this tool from being turned against them.

Source: Dark Reading