Full Report
Threat actors have started to use the Velociraptor digital forensics and incident response (DFIR) tool in attacks that deploy LockBit and Babuk ransomware. [...]
Analysis Summary
# Tool/Technique: Velociraptor DFIR Tool
## Overview
Velociraptor is an open-source Digital Forensics and Incident Response (DFIR) tool initially created by Mike Cohen, now owned by Rapid7. It is being abused by threat actors, including those delivering LockBit and Babuk ransomware, to establish remote access, maintain persistence, and execute malicious commands on compromised systems.
## Technical Details
- Type: Tool (Abused DFIR Tool)
- Platform: Windows, VMware ESXi (Linux)
- Capabilities: Remote access, command execution, persistence maintenance, data exfiltration support.
- First Seen: Abuse of the tool in these campaigns is documented in reports from August/October 2025.
## MITRE ATT&CK Mapping
The observed abuse aligns with several TTPs related to execution, persistence, and defense evasion:
- **T1059 - Command and Scripting Interpreter**
  - T1059.001 - PowerShell
  - T1059.003 - Windows Command Shell
- **T1071 - Application Layer Protocol**
  - T1071.001 - Web Protocols (implied by establishing secure communication tunnels)
- **T1543.003 - Windows Service** (if used for persistence, though scheduled tasks were explicitly mentioned)
- **T1053 - Scheduled Task/Job**
  - T1053.005 - Scheduled Task
## Functionality
### Core Capabilities (As abused)
- Establishing secure communication tunnels (used in conjunction with Visual Studio Code).
- Maintaining persistence across system restarts or isolation attempts.
- Executing arbitrary commands remotely via Impacket smbexec-style commands.
- Downloading and executing secondary tools (e.g., Visual Studio Code).
### Advanced Features (Observed in the attack chain)
- **Privilege Escalation:** Used an outdated version (0.73.4.0) vulnerable to CVE-2025-6264 to achieve arbitrary command execution and endpoint takeover.
- **Defense Evasion:** Modification of Active Directory Group Policy Objects (GPOs) to disable Defender real-time protection and monitoring of file/program activity.
- **Ransomware Deployment:** Used as the initial command and control mechanism supporting the deployment of LockBit (Windows) and Babuk (ESXi).
- **Data Exfiltration:** A PowerShell script was used to exfiltrate files before encryption, employing `Start-Sleep` delays to evade analysis environments.
## Indicators of Compromise
*Note: Specific IoCs must be referenced from the provided documentation link, as no specific hashes or domains were extracted in the text beyond generic tool names.*
- File Hashes: [Refer to Cisco Talos IoCs provided in the analysis source]
- File Names: Velociraptor files (version 0.73.4.0 structure), Visual Studio Code installers, PowerShell scripts.
- Registry Keys: N/A
- Network Indicators: Components used for establishing secure communication tunnels (specific C2 infrastructure is not detailed in the summary text).
- Behavioral Indicators: Creation of local administrator accounts synced to Entra ID, modification of AD GPOs to disable security monitoring, deployment of fileless PowerShell-based encryption (AES keys per run).
## Associated Threat Actors
- Storm-2603 (Assessed with medium confidence to be a China-based adversary).
- Affiliated with Warlock ransomware and CL-CRI-1040.
- Operated as a LockBit affiliate.
## Detection Methods
- Signature-based detection: Signatures tailored for the specific version of Velociraptor (0.73.4.0) being dropped.
- Behavioral detection: Detection of processes attempting to leverage Velociraptor artifacts for command execution or persistence outside of legitimate DFIR operations. Detection of GPO modifications targeting Microsoft Defender subsystems.
- YARA rules: Potentially applicable to the specific artifacts uploaded/dropped by the threat actor.
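The following is an added example, not code from the original report or from the Velociraptor project, showing how the behavioural indicators and detection methods above could be expressed as checks over endpoint telemetry. It runs three rules over constructed, simplified event records modelled on Windows Security events 4720 (user account created), 4732 (member added to a local group) and 5136 (directory object modified), and on Sysmon events 1 (process create, which carries a FileVersion field) and 13 (registry value set). The field names, host names, account names and file paths are this example's own assumptions; the Defender policy registry values it watches are well-known policy settings and not taken from the report.

```python
"""Behavioural checks over constructed Windows telemetry (added example, not from the report)."""

# Version named in the summary as vulnerable to CVE-2025-6264.
REPORTED_VULNERABLE_VERSION = "0.73.4.0"

# Defender policy hive written by Group Policy; setting these values to 1 disables
# protection, which matches the GPO tampering described in the summary.
DEFENDER_POLICY_PATH = r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender"
DEFENDER_KILL_SWITCHES = {"DisableRealtimeMonitoring", "DisableAntiSpyware",
                          "DisableBehaviorMonitoring"}


def _version_tuple(version):
    """'0.73.4.0' -> (0, 73, 4, 0) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in version.split("."))


def detect_new_local_admins(events, window_seconds=600):
    """Account created (4720) and then added to Administrators (4732) on the same
    host within window_seconds. Returns a list of (host, account) pairs."""
    created = {}  # (host, account) -> creation time
    hits = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["id"] == 4720:
            created[(ev["host"], ev["target"])] = ev["time"]
        elif ev["id"] == 4732 and ev["group"].lower() == "administrators":
            key = (ev["host"], ev["member"])
            if key in created and ev["time"] - created[key] <= window_seconds:
                hits.append(key)
    return hits


def detect_defender_policy_tamper(events):
    """Registry writes (Sysmon 13) that flip a Defender policy kill switch to 1,
    plus every GPO container edit (5136) so it can be matched against change records."""
    hits = []
    for ev in events:
        if (ev["id"] == 13 and ev["path"].startswith(DEFENDER_POLICY_PATH)
                and ev["value"] in DEFENDER_KILL_SWITCHES and ev["data"] == 1):
            hits.append(("defender_disabled", ev["host"], ev["value"]))
        elif ev["id"] == 5136 and ev["object_class"] == "groupPolicyContainer":
            hits.append(("gpo_modified", ev["host"], ev["subject"]))
    return hits


def detect_vulnerable_velociraptor(events):
    """Velociraptor binaries (Sysmon 1) whose FileVersion is not newer than the
    reported vulnerable release. The summary names only 0.73.4.0; treating earlier
    releases as equally unpatched is this example's assumption."""
    hits = []
    for ev in events:
        if ev["id"] != 1 or "velociraptor" not in ev["image"].lower():
            continue
        if _version_tuple(ev["file_version"]) <= _version_tuple(REPORTED_VULNERABLE_VERSION):
            hits.append((ev["host"], ev["image"], ev["file_version"]))
    return hits


# Constructed sample telemetry for the demonstration; none of it is real data.
SAMPLE_EVENTS = [
    {"id": 4720, "time": 100, "host": "WS01", "subject": "svc_backup", "target": "helpdesk2"},
    {"id": 4732, "time": 130, "host": "WS01", "subject": "svc_backup",
     "member": "helpdesk2", "group": "Administrators"},
    {"id": 4720, "time": 200, "host": "WS02", "subject": "it-admin", "target": "intern01"},
    {"id": 13, "time": 300, "host": "WS01",
     "path": DEFENDER_POLICY_PATH + r"\Real-Time Protection",
     "value": "DisableRealtimeMonitoring", "data": 1},
    {"id": 13, "time": 301, "host": "WS01", "path": r"HKLM\SOFTWARE\Contoso\App",
     "value": "DisableRealtimeMonitoring", "data": 1},  # unrelated hive, must not fire
    {"id": 5136, "time": 310, "host": "DC01", "subject": "svc_backup",
     "object_class": "groupPolicyContainer"},
    {"id": 1, "time": 400, "host": "WS01", "image": r"C:\ProgramData\velociraptor.exe",
     "file_version": "0.73.4.0"},
    {"id": 1, "time": 410, "host": "IR01", "image": r"C:\Tools\velociraptor.exe",
     "file_version": "0.74.1.0"},  # newer build run by the IR team, must not fire
]


def run_all(events):
    """Run every rule and return a dict of rule name -> findings."""
    return {
        "new_local_admins": detect_new_local_admins(events),
        "defender_policy_tamper": detect_defender_policy_tamper(events),
        "vulnerable_velociraptor": detect_vulnerable_velociraptor(events),
    }


if __name__ == "__main__":
    for rule, findings in run_all(SAMPLE_EVENTS).items():
        print(rule, findings)
```

The account-creation rule deliberately pairs the 4720 and 4732 events within a time window rather than alerting on either alone, since a new account or a group change on its own is routine; the intern account in the sample is created but never elevated and is not reported. The version rule is the telemetry counterpart of the patching guidance below: a Velociraptor binary at or below the reported release is flagged even when it is run by legitimate responders, so the findings should be reconciled against the IR team's own deployments.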
## Mitigation Strategies
- Patching/Version Control: Immediately update and manage DFIR tools; ensure no version known to be vulnerable (e.g., any release predating the fix for CVE-2025-6264) remains in use.
- Access Control: Restrict external exposure of management consoles like VMware vSphere.
- Configuration Hardening: Enforce least privilege; audit and limit the ability of non-administrative users to modify Active Directory GPOs related to security controls.
- Monitoring: Monitor for unauthorized creation of local administrator accounts synced to identity providers (Entra ID).
## Related Tools/Techniques
- LockBit Ransomware
- Babuk Ransomware
- Impacket suite (`smbexec`-style commands)
- Visual Studio Code (Used as a secondary access tool)
- Warlock ransomware (Associated group)