Executive Summary
In October 2025, security researchers uncovered that the China-based threat group Storm-2603 had abused the open-source Velociraptor DFIR tool in a wide-ranging ransomware campaign. The attacker exploited an outdated, vulnerable version of Velociraptor (CVE-2025-6264) to escalate privileges, create persistent admin accounts, and establish secure remote access on victim systems. This access enabled them to deploy ransomware variants including LockBit and Babuk across Windows and VMware ESXi environments, performing data encryption and exfiltration using PowerShell scripts. Endpoint protections were systematically disabled, and lateral movement leveraged tools like Impacket.
This incident highlights an emergent trend: threat actors co-opting legitimate security tools for malicious purposes, increasing the difficulty of detection and response. The blending of nation-state TTPs with ransomware-as-a-service models signals evolving threats, regulatory scrutiny, and substantial operational risks for enterprises.
Why This Matters Now
This breach underscores how attackers are weaponizing trusted forensic and remote administration tools to bypass security controls, gain persistence, and evade detection. Organizations must strengthen monitoring for dual-use software, close privilege escalation gaps, and re-evaluate response and segmentation strategies to counteract sophisticated, identity-driven ransomware campaigns.
Attack Path Analysis
Attackers initially compromised systems by abusing an outdated, vulnerable version of Velociraptor, enabling them to create local admin accounts and gain unauthorized access. Exploiting CVE-2025-6264 allowed them to escalate privileges and synchronize those admin accounts to Entra ID, broadening their control. They then moved laterally by accessing VMware vSphere consoles, executing remote commands via Impacket, and establishing persistence with scheduled tasks. Velociraptor itself was used to maintain command and control over secure tunnels to the C2 infrastructure, while endpoint defenses were disabled. Before ransomware deployment, data was exfiltrated using PowerShell scripts to enable double extortion. Ransomware payloads were then delivered to both Windows and Linux VMs, encrypting files and disrupting business operations.
Kill Chain Progression
Initial Compromise
Description
The threat actor gained access by deploying a vulnerable version of Velociraptor on target systems, enabling unauthorized execution and persistence.
Related CVEs
CVE-2025-6264
CVSS 5.5
A privilege escalation vulnerability in Velociraptor versions prior to 0.74.3 allows users with COLLECT_CLIENT permissions to execute arbitrary commands and potentially take control of affected endpoints.
Affected Products:
Velocidex Velociraptor – < 0.74.3
Exploit Status:
exploited in the wild
CVE-2025-49704
CVSS 8.8
A remote code execution vulnerability in Microsoft SharePoint Server allows attackers to execute arbitrary code in the context of the SharePoint application pool and the SharePoint server farm account.
Affected Products:
Microsoft SharePoint Server – 2016, 2019
Exploit Status:
exploited in the wild
CVE-2025-49706
CVSS 7.1
A spoofing vulnerability in Microsoft SharePoint Server allows an attacker to perform cross-site scripting (XSS) attacks, leading to unauthorized access to sensitive information.
Affected Products:
Microsoft SharePoint Server – 2016, 2019
Exploit Status:
exploited in the wild
MITRE ATT&CK® Techniques
Valid Accounts
Create or Modify System Process: Windows Service
Command and Scripting Interpreter: PowerShell
Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
Indicator Removal on Host: Timestomp
Impair Defenses: Disable or Modify Tools
Remote Services: SMB/Windows Admin Shares
Data Encrypted for Impact
Exfiltration Over C2 Channel
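As an added example (not from this brief or from the Velociraptor project), the persistence step described above, a new local account, its addition to the Administrators group and a scheduled task created under it, can be surfaced by correlating Windows Security events 4720, 4732 and 4698. The log lines, host names and account names are constructed, and the two-hour correlation window is an assumption.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(hours=2)  # assumed correlation window; tune per environment

# Constructed sample Security log, one event per line:
# ts|event_id|host|actor|target|detail
#   4720 = user account created (target = new account)
#   4732 = member added to a local group (target = member, detail = group)
#   4698 = scheduled task created (actor = creator, detail = task name)
SAMPLE_LOG = """\
2025-10-01T02:10:00|4720|ESX-MGMT01|svc_backup|helpdesk2|-
2025-10-01T02:11:30|4732|ESX-MGMT01|svc_backup|helpdesk2|Administrators
2025-10-01T02:40:05|4698|ESX-MGMT01|helpdesk2|-|\\WinUpdateCheck
2025-10-01T09:00:00|4720|FILESRV03|hr_admin|jdoe|-
2025-10-01T09:00:20|4732|FILESRV03|hr_admin|jdoe|Remote Desktop Users
2025-10-02T03:15:00|4698|FILESRV03|jdoe|-|\\Backup
""".splitlines()


def parse_line(line):
    """Parse one pipe-delimited event line into a dict."""
    ts, eid, host, actor, target, detail = line.split("|")
    return {"ts": datetime.fromisoformat(ts), "id": int(eid), "host": host,
            "actor": actor, "target": target, "detail": detail}


def find_persistence_chains(lines, window=WINDOW):
    """Return [(host, account, task)] for accounts that were created (4720),
    added to Administrators (4732) and then created a scheduled task (4698),
    all within `window` of the account creation on the same host."""
    events = sorted(map(parse_line, lines), key=lambda e: e["ts"])
    created, elevated, hits = {}, set(), []
    for e in events:
        key = (e["host"], e["target"])
        if e["id"] == 4720:
            created[key] = e["ts"]
        elif e["id"] == 4732 and e["detail"] == "Administrators" and key in created:
            elevated.add(key)
        elif e["id"] == 4698:
            key = (e["host"], e["actor"])  # the task creator is the actor
            if key in elevated and e["ts"] - created[key] <= window:
                hits.append((e["host"], e["actor"], e["detail"]))
    return hits


if __name__ == "__main__":
    for host, account, task in find_persistence_chains(SAMPLE_LOG):
        print(f"ALERT {host}: new admin {account!r} created task {task!r}")
```

The second host is not flagged because the account joined Remote Desktop Users rather than Administrators and its task came a day later, which is the kind of benign sequence the window and group check are meant to exclude.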
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Implement Processes for Identification and Authentication
Control ID: 10.2.1
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA (EU Digital Operational Resilience Act) – ICT Risk Management Framework
Control ID: Art. 10(1)
CISA Zero Trust Maturity Model (ZTMM) 2.0 – Detection and Response Capabilities
Control ID: Pillar 3.2
NIS2 Directive – Technical and Organizational Measures for Security of Network and Information Systems
Control ID: Article 21(2)
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Information Technology (IT)
Critical exposure to Velociraptor DFIR tool abuse and CVE-2025-6264 exploitation, with VMware vSphere vulnerabilities enabling persistent ransomware access.
Financial Services
High-value targets for Storm-2603's LockBit/Babuk ransomware campaigns, with Entra ID compromise and double-extortion tactics threatening regulatory compliance.
Health Care / Life Sciences
HIPAA compliance violations from PowerShell encryptors and data exfiltration scripts, with virtual infrastructure vulnerabilities exposing patient data.
Government Administration
Nation-state actor Storm-2603 targeting critical infrastructure through privilege escalation vulnerabilities and fileless encryption techniques for persistent access.
Sources
- Hackers now use Velociraptor DFIR tool in ransomware attacks – https://www.bleepingcomputer.com/news/security/hackers-now-use-velociraptor-dfir-tool-in-ransomware-attacks/
- Velociraptor Privilege Escalation Vulnerability via Unrestricted UpdateConfig Artifact – https://volerion.com/vulnerabilities/CVE-2025-6264
- Disrupting active exploitation of on-premises SharePoint vulnerabilities – https://www.microsoft.com/en-us/security/blog/2025/07/22/disrupting-active-exploitation-of-on-premises-sharepoint-vulnerabilities/
- Storm-2603 Threat Actor Profile – https://www.fortiguard.com/threat-actor/6192/storm-2603
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Implementing Zero Trust Segmentation, strong east-west traffic controls, threat detection, and egress enforcement could have contained the adversary at multiple points, limiting privilege escalation, lateral movement, and both data exfiltration and ransomware impact in hybrid cloud environments.
Control: Cloud Firewall (ACF)
Mitigation: Blocked known bad ports and unauthorized management access to vulnerable software.
Control: Zero Trust Segmentation
Mitigation: Isolated privileged access workflows and minimized attack surface for privilege escalation.
Control: East-West Traffic Security
Mitigation: Blocked unauthorized internal lateral movement between workloads and management consoles.
Control: Threat Detection & Anomaly Response
Mitigation: Real-time anomaly detection and alerting for covert C2 communications.
Control: Egress Security & Policy Enforcement
Mitigation: Prevented unauthorized outbound data transfers and applied FQDN filtering.
Restricted ransomware propagation within hybrid and Kubernetes environments.
Impact at a Glance
Affected Business Functions
- IT Operations
- Data Management
- Security Monitoring
Estimated downtime: 5 days
Estimated loss: $500,000
Potential exposure of sensitive organizational data, including user credentials and proprietary information, due to unauthorized access and control over affected systems.
Recommended Actions
Key Takeaways & Next Steps
- Enforce Zero Trust Segmentation and identity-based policies to contain privilege escalation and unauthorized admin activity.
- Implement granular east-west microsegmentation and workload isolation to prevent lateral movement to critical management consoles and VMs.
- Deploy continuous threat detection and real-time anomaly response across cloud and hybrid environments.
- Apply strict egress security and FQDN-based policy enforcement to block data exfiltration and C2 communication.
- Harden Kubernetes and multi-cloud controls with app-level firewalling and namespace enforcement to prevent ransomware propagation.