CVE-2025-6264 (CVSS 9.8): Chinese Hackers Weaponize Velociraptor IR Tool in Ransomware Attacks

Key takeaways:

  • Chinese threat group Storm-2603 is misusing the Velociraptor DFIR tool in ransomware attacks.
  • The group exploits CVE-2025-6264 to escalate privileges and gain control over compromised endpoints.
  • Organizations should verify the legitimacy of Velociraptor instances and monitor for suspicious activity.
  • Implement application control and monitor for unusual process behavior.
  • Prioritize cyber threat intelligence to understand threat actors’ TTPs.

Storm-2603 and the Misuse of Velociraptor

A concerning trend has emerged in the cybersecurity landscape: threat actors are increasingly repurposing legitimate tools for malicious purposes. Recently, the China-based threat group Storm-2603 was observed abusing Velociraptor, a digital forensics and incident response (DFIR) tool, in ransomware attacks. This represents a shift in tactics, highlighting the need for defenders to understand how familiar tools can be turned against them. The exploitation of CVE-2025-6264, a privilege escalation vulnerability within an outdated version of Velociraptor, enabled arbitrary command execution and endpoint takeover.

Storm-2603 gained notoriety in July after exploiting SharePoint vulnerabilities in the “ToolShell” attack chain. This involved gaining access to SharePoint servers, moving laterally within victim networks, and deploying Warlock ransomware. In a recent incident, Cisco Talos researchers discovered that Storm-2603 deployed Velociraptor in conjunction with three different ransomware variants: Warlock, LockBit, and Babuk, severely disrupting the targeted organization’s VMware ESXi servers. This indicates a calculated effort to maintain stealthy persistent access while deploying ransomware.

Velociraptor, an open-source DFIR tool acquired by Rapid7 in 2021, was designed to aid incident response teams with endpoint monitoring and investigations. However, Storm-2603 actors have subverted its intended use, leveraging it to conceal their malicious activities. The actors installed an outdated version of Velociraptor (version 0.73.4.0) to take advantage of CVE-2025-6264, allowing them to escalate privileges and gain complete control over compromised endpoints.

This tactic demonstrates how threat actors are adapting their strategies and abusing legitimate commercial and open-source products.

Previous Velociraptor Misuse

Prior to the Cisco Talos discovery, Sophos researchers documented the abuse of Velociraptor by suspected ransomware actors in August. In this instance, the threat actor used the tool to download and execute Visual Studio Code, likely intending to create a tunnel to an attacker-controlled command and control (C2) server. This attempt was thwarted by a Secureworks Taegis platform alert, which flagged the tunnel option in Visual Studio Code as a potential remote access and code execution vector.

Rafe Pilling, director of threat intelligence at Sophos CTU, confirmed that the Storm-2603 activity observed by Cisco Talos aligns with Sophos CTU’s earlier findings. The earliest detection of Velociraptor abuse they found dates back to August 5th. After Sophos published its initial report, the group switched to a new C2 domain on Cloudflare’s workers.dev service and continued using Velociraptor in attacks through the first two weeks of September.

These intrusions sometimes culminated in the deployment of Warlock ransomware, emphasizing the importance of early detection and response. Sophos noted that while many customers had legitimate Velociraptor installations, the malicious use by Storm-2603 exhibited distinct characteristics. Specifically, the actors targeted Microsoft SharePoint servers and used Msiexec to install Velociraptor, which was detected through behavioral analysis in the Sophos Endpoint platform.

Detecting and Mitigating Velociraptor Misuse

The abuse of Velociraptor underscores a shift in adversary tactics, where incident response tools are weaponized to establish persistent footholds in victim networks. Understanding how these tools are being misused is crucial for developing effective detection and mitigation strategies.

Rapid7 has provided guidance on identifying and mitigating potential Velociraptor abuse, noting that the tool is designed to generate detectable indicators of compromise (IoCs) when misused. However, Rapid7 acknowledged that attackers could modify the open-source tool to remove these IoCs. In such cases, organizations should flag unsigned binaries or those signed by entities other than Rapid7.

In response to the reported attacks, Rapid7 emphasized that they had implemented detections for Velociraptor-related misuse. Christiaan Beek, Rapid7’s senior director of threat analytics, highlighted that the observed attacks involved downloading a Velociraptor binary and specifying a C2 server in the configuration file. This allowed attackers to communicate with the C2 server, download additional files, and execute commands on the compromised system.

To detect and mitigate Velociraptor misuse, organizations should:

  • Verify the legitimacy of Velociraptor instances within their environments.
  • Analyze endpoint logs for newly created services or scheduled tasks associated with “velociraptor.exe.”
  • Restrict the execution of unknown Velociraptor binaries.
  • Implement real-time ransomware intelligence and a cyber threat intelligence platform to monitor for related IoCs and tactics, techniques, and procedures (TTPs).
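The detection items above (and the "velociraptor.exe spawning command-line interpreters or connecting to unfamiliar addresses" point in the technical advice further down) expressed as rules over endpoint telemetry, as an added example that is not from this post, Rapid7 or the Velociraptor project. The event shape, field names, the trusted-server allowlist and the sample events are constructed assumptions; the only vulnerable version listed is the 0.73.4.0 build named in the post, so the real affected range must come from the vendor advisory.

```python
import ntpath

INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
TRUSTED_SIGNER = "Rapid7"          # flag unsigned binaries or any other signer
KNOWN_SERVERS = {"10.0.5.20"}      # constructed allowlist of your own Velociraptor servers
VULNERABLE_VERSIONS = {"0.73.4.0"}  # build named in the post; extend from the vendor advisory

def is_velociraptor(path):
    return ntpath.basename(path or "").lower() == "velociraptor.exe"

def check_event(ev, known_servers=KNOWN_SERVERS):
    """Return the names of the rules a single event matches (empty list if none)."""
    hits, kind = [], ev.get("type")
    image, parent = ev.get("image", ""), ev.get("parent", "")
    if kind == "process" and is_velociraptor(image):
        if ntpath.basename(parent).lower() == "msiexec.exe":
            hits.append("installed_via_msiexec")          # the install path Sophos observed
        if TRUSTED_SIGNER.lower() not in (ev.get("signer") or "").lower():
            hits.append("unexpected_signer")              # unsigned or not signed by Rapid7
        if ev.get("version") in VULNERABLE_VERSIONS:
            hits.append("vulnerable_version")
    if kind == "process" and is_velociraptor(parent) and ntpath.basename(image).lower() in INTERPRETERS:
        hits.append("spawns_interpreter")                 # velociraptor.exe launching a shell
    if kind in {"service_install", "scheduled_task"} and "velociraptor.exe" in image.lower():
        hits.append("persistence_registered")             # new service or task for the binary
    if kind == "network" and is_velociraptor(image) and ev.get("dest_ip") not in known_servers:
        hits.append("unknown_server")                     # talking to a server you do not run
    return hits

def scan(events, known_servers=KNOWN_SERVERS):
    """Run every rule over a stream of events; returns (rule, image) pairs in event order."""
    return [(rule, ev.get("image")) for ev in events for rule in check_event(ev, known_servers)]

# Constructed sample telemetry in a simplified, Sysmon-like shape; not real logs.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Program Files\Velociraptor\velociraptor.exe",
     "parent": r"C:\Windows\System32\msiexec.exe", "signer": "Rapid7, Inc.", "version": "0.73.4.0"},
    {"type": "service_install", "image": r"C:\Program Files\Velociraptor\velociraptor.exe service run"},
    {"type": "process", "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Program Files\Velociraptor\velociraptor.exe", "signer": "Microsoft Windows"},
    {"type": "network", "image": r"C:\Program Files\Velociraptor\velociraptor.exe", "dest_ip": "203.0.113.7"},
    {"type": "process", "image": r"C:\Users\Public\velociraptor.exe", "parent": r"C:\Windows\explorer.exe",
     "signer": None, "version": "0.74.1"},
    {"type": "network", "image": r"C:\Program Files\Velociraptor\velociraptor.exe", "dest_ip": "10.0.5.20"},
]

if __name__ == "__main__":
    for rule, image in scan(SAMPLE_EVENTS):
        print(f"{rule:24} {image}")
```

A legitimate deployment will still trip `installed_via_msiexec` and `persistence_registered` once, so correlate these hits with your change records rather than alerting on any single rule.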

Practical Takeaways and Actionable Advice

Here are some specific steps that both technical and non-technical stakeholders can take to address the risk of legitimate tools being abused for malicious purposes:

For Technical Readers:

  1. Implement application control: Use application control solutions to allow only approved and signed executables to run on your systems. This can prevent attackers from deploying modified versions of Velociraptor or other legitimate tools.
  2. Monitor for unusual process behavior: Implement endpoint detection and response (EDR) solutions and configure alerts for unusual process behavior, such as “velociraptor.exe” spawning command-line interpreters or connecting to unfamiliar external IP addresses.
  3. Patch Management: Regularly apply security patches and updates to software and operating systems to address known vulnerabilities that threat actors could exploit to gain initial access.
  4. Implement Network Segmentation: Divide the network into smaller, isolated segments to limit the lateral movement of threat actors once they have gained access to one segment. This can help contain the spread of ransomware or other malicious activities.
  5. Review and harden configurations: Regularly review the configurations of DFIR and other security tools to ensure they are not vulnerable to privilege escalation or other security flaws. Follow vendor-recommended hardening guidelines.

For Non-Technical Readers:

  1. Promote security awareness: Educate employees about the risks of social engineering, phishing, and other common attack vectors. Emphasize the importance of verifying the authenticity of emails and attachments before clicking on links or opening files.
  2. Enforce strong password policies: Implement and enforce strong password policies that require employees to use complex passwords, change them regularly, and avoid reusing passwords across multiple accounts.
  3. Establish incident response plan: Develop and regularly update an incident response plan that outlines the steps to be taken in the event of a security breach or ransomware attack. Ensure that all employees are familiar with their roles and responsibilities.
  4. Invest in cybersecurity insurance: Consider purchasing cybersecurity insurance to help cover the costs of incident response, data recovery, legal fees, and other expenses in the event of a ransomware attack or other cyber incident.
  5. Prioritize cyber threat intelligence: Understanding threat actors’ TTPs will aid in the implementation of monitoring and alerting rules. Consider dark web monitoring services, Telegram threat monitoring, underground forum intelligence, and brand leak alerting to assist in identifying potential threats.

How PurpleOps Can Help

PurpleOps offers a range of services to help organizations defend against these attacks, including:

  • Cyber Threat Intelligence Platform: Providing real-time ransomware intelligence and comprehensive cyber threat intelligence to stay ahead of threat actors. Proactively identify potential threats and vulnerabilities in your environment.
  • Breach Detection: Our breach detection capabilities can help you identify malicious activity, including the misuse of legitimate tools like Velociraptor, early in the attack chain.
  • Incident Response: Our experienced incident response team can help you contain, eradicate, and recover from ransomware attacks and other security incidents.
  • Supply Chain Risk Monitoring: Assessing and mitigating risks associated with third-party vendors and supply chain partners, including the potential for compromised software or tools.
  • Dark Web Monitoring: Monitor the dark web for mentions of your organization, leaked credentials, and other information that could be used in attacks.

By leveraging PurpleOps’ expertise and services, organizations can improve their ability to detect, respond to, and prevent attacks involving the misuse of legitimate tools.

To learn more about how PurpleOps can help you protect your organization from these types of attacks, explore our platform.

For more information on our services, visit: PurpleOps Solutions

We also offer specialized security assessments such as Red Team Operations and .

Additionally, we provide Supply Chain Information Security and ransomware protection services. We also offer Dark Web Monitoring solutions and Cyber Threat Intelligence services.

FAQ

Q: What is CVE-2025-6264?

A: CVE-2025-6264 is a privilege escalation vulnerability in older versions of the Velociraptor DFIR tool that allows attackers to gain complete control over compromised endpoints.

Q: What is Storm-2603?

A: Storm-2603 is a China-based threat group known for exploiting SharePoint vulnerabilities and deploying ransomware.

Q: How can I detect if Velociraptor is being misused in my environment?

A: Verify the legitimacy of Velociraptor instances, analyze endpoint logs for suspicious activity, and restrict the execution of unknown Velociraptor binaries.

Q: What steps can I take to mitigate the risk of legitimate tools being abused?

A: Implement application control, monitor for unusual process behavior, enforce strong password policies, and develop an incident response plan.