Ransomware spread via Velociraptor DFIR tool abuse

BleepingComputer reports that Chinese threat operation Storm-2603 has exploited the open-source digital forensics and incident response tool Velociraptor to target Windows and VMware ESXi systems with ransomware payloads. Multiple local admin accounts created to sync with Entra ID were tapped by attackers to infiltrate the VMware vSphere console and deploy an old Velociraptor version impacted by the privilege escalation bug, tracked as CVE-2025-6264, to facilitate persistence, according to Cisco Talos researchers. Threat actors proceeded to run Impacket smbexec-style commands for remote program execution, as well as deactivate Defender, before injecting LockBit and Babuk ransomware on Windows and VMware ESXi systems, respectively. Researchers also discovered another PowerShell script that sought to bypass threat analysis for double extortion activities. Such findings come as Storm-2603 was noted by Halcyon to be the same as the Warlock ransomware gang, which has worked under the LockBit group.