Live Cybersecurity News Ticker | Codekeeper

Chinese Hackers Turn Security Tool Against Defenders in Ransomware Attacks

Written by Content Team | Oct 11, 2025 12:18:52 PM

Chinese threat group Storm-2603 has weaponized Velociraptor, a legitimate digital forensics tool, to launch stealthy ransomware attacks. Cisco Talos researchers discovered the group using this open-source incident response tool to deploy multiple ransomware variants—Warlock, LockBit, and Babuk—on VMware ESXi servers in August.

The attackers exploited an outdated version of Velociraptor that contained a privilege escalation vulnerability, allowing them to maintain persistent access while avoiding detection. This marks a concerning shift in which cybercriminals repurpose security tools designed to protect organizations.

Sophos researchers first documented similar attacks in August, noting that threat actors had used Velociraptor to establish command-and-control communications. Security teams should audit their Velociraptor installations and monitor for unauthorized binaries to prevent the tool from being turned against them.

Source: Dark Reading