Ransomware Group Storm-2603 Abuses Velociraptor for Stealthy LockBit/Babuk Attacks
Attackers have begun abusing the DFIR tool Velociraptor to stage ransomware deployments of LockBit and Babuk. Cisco Talos attributes these campaigns to a cluster known as Storm-2603, believed to operate from China. Analysts report the adversaries leveraged an outdated Velociraptor build vulnerable to privilege escalation — CVE-2025-6264 (CVSS 5.5) — to obtain full control of compromised hosts.
Originally authored by Mike Cohen as an open-source DFIR utility and later acquired by Rapid7, Velociraptor has been repurposed by threat actors for remote access. In late August, Sophos warned that attackers were already abusing the software to upload and run Visual Studio Code on infected machines, establishing encrypted tunnels to command-and-control infrastructure.
According to Cisco Talos, the intrusion chain began with the creation of local administrator accounts synchronized to Entra ID. Using those credentials, intruders accessed the VMware vSphere console and entrenched themselves within the virtual estate. They then installed an antiquated Velociraptor version 0.73.4.0 containing the CVE-2025-6264 flaw, enabling arbitrary command execution and system takeover. The tool persisted even after hosts were ostensibly isolated, providing a resilient foothold in the network.
Attackers also employed Impacket-style smbexec commands for remote execution and scheduled tasks running batch scripts. To blunt defenses, they used Active Directory group policies to disable Microsoft Defender components, including file and process activity monitoring.
Detection telemetry showed that Windows endpoints had executed the LockBit ransomware; encrypted files bore the extension .xlockxlock, which had previously been seen in Warlock incidents. On VMware ESXi servers, researchers discovered a Linux binary attributed to Babuk. Mass encryption was carried out by a fileless PowerShell encryptor that generated fresh AES keys on each run. Prior to encryption, another PowerShell routine exfiltrated documents for double extortion and inserted delays between actions to evade sandboxes and analysis systems.
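The intrusion chain described in the preceding paragraphs maps onto a handful of endpoint observables a defender can alert on: a Velociraptor agent running on hosts the IR team never deployed it to (or the 0.73.4.0 build the article names as vulnerable), Defender components switched off through policy registry values (where Group Policy settings land), scheduled tasks whose action is a batch script, Impacket smbexec-style service installs, and files renamed to the .xlockxlock extension. The Python below is an added example written for this page, not code from the Talos report or from the Velociraptor project; the event schema, host names, the DFIR allowlist and all sample telemetry are constructed assumptions, while the version string and file extension are the values the article states.

```python
"""Detection rules for the Storm-2603 tradecraft described above, run over
constructed endpoint telemetry (added example; the events are not real IoCs)."""
import re
from dataclasses import dataclass

# Values taken from the article: the vulnerable Velociraptor build (CVE-2025-6264)
# and the extension LockBit appended to encrypted files.
VULNERABLE_VELOCIRAPTOR_VERSION = "0.73.4.0"
LOCKBIT_EXTENSION = ".xlockxlock"
# Assumption: hosts where the IR team legitimately runs the Velociraptor agent.
APPROVED_DFIR_HOSTS = {"DFIR-WS01"}
# Registry hive where Windows Defender Group Policy settings are written.
DEFENDER_POLICY_KEY = r"hklm\software\policies\microsoft\windows defender"


@dataclass
class Event:
    host: str
    kind: str   # process | file | registry | task | service (assumed schema)
    data: dict


@dataclass
class Alert:
    rule: str
    host: str
    detail: str


def rule_velociraptor(ev):
    """Velociraptor on a host outside the allowlist, or the build named as vulnerable."""
    if ev.kind != "process":
        return None
    image = ev.data.get("image", "").lower()
    if "velociraptor" not in image:
        return None
    version = ev.data.get("version", "")
    if ev.host not in APPROVED_DFIR_HOSTS:
        return Alert("velociraptor_unapproved_host", ev.host, f"{image} v{version or 'unknown'}")
    if version == VULNERABLE_VELOCIRAPTOR_VERSION:
        return Alert("velociraptor_vulnerable_build", ev.host, f"{image} v{version}")
    return None


def rule_ransom_extension(ev):
    """File created or renamed with the LockBit extension seen in this campaign."""
    if ev.kind == "file" and ev.data.get("target", "").lower().endswith(LOCKBIT_EXTENSION):
        return Alert("lockbit_extension", ev.host, ev.data["target"])
    return None


def rule_defender_tamper(ev):
    """A Defender 'Disable*' policy value set to 1, i.e. protection turned off via GPO."""
    if ev.kind != "registry":
        return None
    key = ev.data.get("key", "").lower()
    name = ev.data.get("value_name", "")
    if key.startswith(DEFENDER_POLICY_KEY) and name.startswith("Disable") and str(ev.data.get("value")) == "1":
        return Alert("defender_disabled_by_policy", ev.host, f"{name}=1 under {ev.data['key']}")
    return None


def rule_batch_task(ev):
    """Scheduled task whose action is a .bat script, as used for persistence here."""
    if ev.kind == "task" and re.search(r"\.bat\b", ev.data.get("action", ""), re.IGNORECASE):
        return Alert("scheduled_task_runs_batch", ev.host, f"{ev.data.get('name')}: {ev.data['action']}")
    return None


def rule_smbexec_service(ev):
    """Impacket smbexec-style execution: a service install whose command redirects
    output to a loopback admin share path named __output (a common heuristic)."""
    if ev.kind != "service":
        return None
    cmd = ev.data.get("command", "")
    if "__output" in cmd and re.search(r"\\\\127\.0\.0\.1\\", cmd):
        return Alert("smbexec_style_service", ev.host, cmd)
    return None


RULES = [rule_velociraptor, rule_ransom_extension, rule_defender_tamper, rule_batch_task, rule_smbexec_service]


def run_rules(events):
    """Apply every rule to every event and return the alerts in event order."""
    return [hit for ev in events for rule in RULES if (hit := rule(ev)) is not None]


# Constructed sample telemetry: one approved IR host, one compromised server, one clean workstation.
SAMPLE_EVENTS = [
    Event("DFIR-WS01", "process", {"image": r"C:\Tools\velociraptor.exe", "version": "0.73.4.0"}),
    Event("FILESRV02", "process", {"image": r"C:\ProgramData\velociraptor.exe", "version": "0.73.4.0"}),
    Event("FILESRV02", "registry", {"key": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection",
                                    "value_name": "DisableRealtimeMonitoring", "value": 1}),
    Event("FILESRV02", "task", {"name": "Updater", "action": r"C:\Windows\Temp\run.bat"}),
    Event("FILESRV02", "service", {"command": r"%COMSPEC% /Q /c echo dir ^> \\127.0.0.1\C$\__output 2^>^&1"}),
    Event("FILESRV02", "file", {"target": r"D:\Shares\Finance\Q3.xlsx.xlockxlock"}),
    Event("WS-ACCT07", "process", {"image": r"C:\Windows\System32\notepad.exe"}),
    Event("WS-ACCT07", "file", {"target": r"C:\Users\jdoe\notes.txt"}),
]

if __name__ == "__main__":
    for a in run_rules(SAMPLE_EVENTS):
        print(f"[{a.rule}] {a.host}: {a.detail}")
```

Each rule is deliberately narrow so that a single Velociraptor execution on an approved host with a patched build produces nothing; what should page an analyst is the combination on one host (unapproved agent, Defender policy tampering, batch-script task, smbexec-style service, then the ransom extension), which is exactly the sequence the article lays out.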
Halcyon’s analysis suggests Storm-2603 likely maintains ties to Chinese state-aligned actors and has previously operated under names such as Warlock and CL-CRI-1040. The group appears to partner with LockBit, combining bespoke tooling with commodified components from established cybercrime ecosystems. Cisco Talos has published a set of indicators of compromise — including files deployed by the intruders and traces of Velociraptor activity observed on infected systems.