Full Report
Cisco Talos has confirmed that ransomware operators are leveraging Velociraptor, an open-source digital forensics and incident response (DFIR) tool.
Analysis Summary
# Tool/Technique: Velociraptor
## Overview
Velociraptor is an open-source digital forensics and incident response (DFIR) tool leveraged by ransomware operators to maintain stealthy, persistent access during post-exploitation activities. In this campaign, an outdated version was deployed, exploiting a privilege escalation vulnerability to aid in endpoint takeover and subsequent ransomware deployment.
## Technical Details
- Type: Tool (Abused DFIR Tool)
- Platform: Windows, Linux, Mac (Client agents)
- Capabilities: Endpoint monitoring, continuous data collection, security event response, remote access, command execution.
- First Seen: Not specified, but leveraged in mid-August 2025 campaign.
## MITRE ATT&CK Mapping
The use of Velociraptor for persistence and command execution aligns with the following tactics; the abuse of a DFIR tool as such does not map to a single technique and may fall under several categories:
- **TA0003 - Persistence**
  - T1543.003 - Create or Modify System Process: Scheduled Task (Implied by the actor's general TTPs and need for persistence)
  - T1105 - Ingress Tool Transfer (Used to download/execute secondary tools like VS Code)
- **TA0005 - Defense Evasion**
  - T1070.004 - File Deletion (Potential use of DFIR tool capabilities for clean-up)
- **TA0002 - Execution**
  - T1059.003 - Command and Scripting Interpreter: Windows Command Shell (Leveraging cmd.exe and batch scripts facilitated by the tool's execution capabilities, or exploitation of CVE-2025-6264)
## Functionality
### Core Capabilities
- Endpoint monitoring and data collection across Windows, Linux, and Mac systems.
- Used by threat actors to ensure stealthy, persistent access after initial compromise.
- Facilitated the deployment of LockBit and Babuk ransomware.
### Advanced Features
- **Exploitation of Vulnerability:** Actors installed version 0.73.4.0, which was vulnerable to **CVE-2025-6264**, leading to arbitrary command execution and endpoint takeover.
- **Remote Access/Tunneling:** Reportedly used to download and execute Visual Studio Code, likely to create tunnels to attacker-controlled C2 servers.
## Indicators of Compromise
- File Hashes (SHA-256):
  - Velociraptor installer: `649BDAA38E60EDE6D140BD54CA5412F1091186A803D3905465219053393F6421`
  - Velociraptor.exe: `12F177290A299BAE8A363F47775FB99F305BBDD56BBDFDDB39595B43112F9FB7`
  - Malicious Velociraptor config.yaml: `A29125333AD72138D299CC9EF09718DDB417C3485F6B8FE05BA88A08BB0E5023`
  - Internal Monologue NTLM downgrade malware (In.exe): `C74897B1E986E2876873ABB3B5069BF1B103667F7F0E6B4581FBDA3FD647A74A`
- File Names: Velociraptor.exe, config.yaml, In.exe, Visual Studio Code (downloaded/executed)
- Registry Keys: Not specified.
- Network Indicators (defanged):
  - C2 server: velociraptor[.]qaubctgg[.]workers[.]dev
  - C2/Exfiltration IP: 65.38.121[.]226
  - Domain hosting malicious MSI: stoaccinfoniqaveeambkp[.]blob[.]core[.]windows[.]net
- Behavioral Indicators: Creation of admin accounts synced to Entra ID; access to VMware vSphere console; disabling Microsoft Defender protections; creating scheduled tasks; manipulating IIS components to load suspicious .NET assemblies; modifying Group Policy Objects (GPOs).
## Associated Threat Actors
- Storm-2603 (Attribution at moderate confidence)
- Actors affiliated with Warlock ransomware (based on ransom note/DLS usage in a related initial breach)
## Detection Methods
- Signature-based detection: ClamAV signature `Win.Ransomware.Warlock-10057029-0` (Note: this signature primarily covers the ransomware payload, but related files might be flagged), plus the SHA-256 hashes of the malicious Velociraptor files listed above.
- Behavioral detection: Monitor for installation and configuration of legitimate DFIR tools on hosts where they are not part of a sanctioned deployment, and for their use in initial system checks or suspicious remote execution. Alert on Velociraptor version 0.73.4.0, which the report names as exploited via CVE-2025-6264.
- YARA rules: Not specified in the text.
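As an added illustration of the hash, network and version checks above (this is example code written for this summary, not Talos tooling or a Velociraptor artifact), the script below runs the report's indicators over a few constructed endpoint log lines. The log format (`key=value` pairs), the `approved_hosts` allowlist of sanctioned DFIR hosts, and the benign hash in the sample are assumptions; the hashes and domains are copied from the IoC list, and the IP is the report's defanged value refanged. The report does not state which release fixes CVE-2025-6264, so the check flags exactly the version it names rather than comparing against a fix version.

```python
"""Match constructed endpoint log lines against the indicators in the report."""
import re

# Indicators from the report (hashes lower-cased for case-insensitive comparison).
KNOWN_HASHES = {
    "649bdaa38e60ede6d140bd54ca5412f1091186a803d3905465219053393f6421": "Velociraptor installer",
    "12f177290a299bae8a363f47775fb99f305bbdd56bbdfddb39595b43112f9fb7": "Velociraptor.exe",
    "a29125333ad72138d299cc9ef09718ddb417c3485f6b8fe05ba88a08bb0e5023": "malicious config.yaml",
    "c74897b1e986e2876873abb3b5069bf1b103667f7f0e6b4581fbda3fd647a74a": "In.exe (Internal Monologue)",
}
KNOWN_DOMAINS = {
    "velociraptor.qaubctgg.workers.dev": "C2 server",
    "stoaccinfoniqaveeambkp.blob.core.windows.net": "MSI hosting",
}
KNOWN_IPS = {"65.38.121.226": "C2/exfiltration IP"}  # refanged from the report
VULNERABLE_VERSION = "0.73.4.0"  # the only version the report names as exposed to CVE-2025-6264

# Assumed log format: space-separated key=value pairs, values optionally double-quoted.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Turn one key=value log line into a dict, stripping surrounding quotes."""
    return {key: value.strip('"') for key, value in KV_RE.findall(line)}


def match_indicators(fields, approved_hosts=frozenset()):
    """Return the list of indicator hits for one parsed event (empty if benign)."""
    hits = []
    sha = fields.get("sha256", "").lower()
    if sha in KNOWN_HASHES:
        hits.append(f"known-hash:{KNOWN_HASHES[sha]}")
    qname = fields.get("qname", "").lower().rstrip(".")
    if qname in KNOWN_DOMAINS:
        hits.append(f"known-domain:{KNOWN_DOMAINS[qname]}")
    dst = fields.get("dst", "")
    if dst in KNOWN_IPS:
        hits.append(f"known-ip:{KNOWN_IPS[dst]}")
    image = fields.get("image", "").lower()
    if "velociraptor" in image:
        # Behavioural checks: the vulnerable build anywhere, and any Velociraptor
        # process on a host that is not part of the sanctioned DFIR deployment.
        if fields.get("version") == VULNERABLE_VERSION:
            hits.append("vulnerable-velociraptor-version")
        if fields.get("host") not in approved_hosts:
            hits.append("velociraptor-on-unapproved-host")
    return hits


def scan(lines, approved_hosts=frozenset()):
    """Scan log lines; return (line number, host, hit) tuples for every indicator match."""
    alerts = []
    for number, line in enumerate(lines, start=1):
        fields = parse_line(line)
        for hit in match_indicators(fields, approved_hosts):
            alerts.append((number, fields.get("host", "?"), hit))
    return alerts


# Constructed sample log: WS01 shows the full chain, DFIR01 is a sanctioned host still
# running the vulnerable build, WS02 is a benign file event with a made-up hash.
SAMPLE_LOG = [
    'event=file_create host=WS01 path="C:\\ProgramData\\Velociraptor\\Velociraptor.exe" '
    "sha256=12F177290A299BAE8A363F47775FB99F305BBDD56BBDFDDB39595B43112F9FB7",
    'event=process_start host=WS01 image=Velociraptor.exe version=0.73.4.0 '
    'cmdline="Velociraptor.exe --config config.yaml"',
    "event=dns_query host=WS01 qname=velociraptor.qaubctgg.workers.dev",
    "event=net_connect host=WS01 dst=65.38.121.226 dport=443",
    "event=process_start host=DFIR01 image=Velociraptor.exe version=0.73.4.0",
    'event=file_create host=WS02 path="C:\\Windows\\System32\\notepad.exe" '
    "sha256=0000000000000000000000000000000000000000000000000000000000000000",
]
APPROVED_DFIR_HOSTS = frozenset({"DFIR01"})  # assumed allowlist


if __name__ == "__main__":
    for number, host, hit in scan(SAMPLE_LOG, APPROVED_DFIR_HOSTS):
        print(f"line {number} host {host}: {hit}")
```

The allowlist matters in practice: Velociraptor is a legitimate tool, so a hash or image-name match alone only tells you the binary is present, while the host allowlist and the version check separate a sanctioned deployment from one an intruder installed.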
## Mitigation Strategies
- Patching: Urgently patching all deployed Velociraptor instances to eliminate the privilege escalation vulnerability (CVE-2025-6264).
- Security Hygiene: Regularly update security tools and applications, avoiding outdated versions exposed to known vulnerabilities.
- Network Monitoring: Monitor for connections to known C2 infrastructure (e.g., provided IOCs).
- Post-Exploitation Defense: Implement robust network segmentation and monitoring to detect lateral movement techniques (e.g., use of cmd.exe, GPO modification).
## Related Tools/Techniques
- Babuk ransomware
- Warlock ransomware
- LockBit ransomware
- ToolShell (Likely initial access vector related to Storm-2603)
- cmd.exe and batch scripts