Threat actors are abusing the Velociraptor DFIR tool to deploy LockBit and Babuk ransomware, in activity suspected to be linked to a Chinese nation-state actor tracked as Storm-2603. The campaign demonstrates sophisticated tactics, including privilege escalation, persistent access, and data exfiltration, across a range of targeted systems. #Velociraptor #Storm2603
Key points
- Threat actors are using Velociraptor for remote access and ransomware deployment.
- They exploited a privilege escalation vulnerability (CVE-2025-6264) in Velociraptor to gain control.
- Persistent access was maintained through the creation of admin accounts and remote command execution.
- Ransomware families like LockBit, Warlock, and Babuk were identified in the attacks.
- The attackers used fileless PowerShell scripts and evasion techniques to avoid detection and carry out mass encryption.