Cisco: Open-source DFIR tool Velociraptor used in ransomware attacks

In a recent disclosure, Cisco Talos has confirmed that threat actors have now used Velociraptor, an open-source digital forensics and incident response (DFIR) tool, in ransomware attacks. This marks one of the first public attributions of Velociraptor to such malicious activity.

Velociraptor is typically used by security teams to monitor endpoints, collect forensic data, and respond to incidents across Windows, Linux, and macOS systems. What makes the recent attacks notable is how adversaries repurposed the tool to maintain stealthy, persistent access, and to facilitate encryption of systems using known ransomware strains such as LockBit and Babuk.

According to Cisco’s analysis, after an initial breach, attackers installed an outdated and vulnerable version of Velociraptor—specifically, version 0.73.4.0—which is subject to a privilege escalation flaw (CVE-2025-6264). This vulnerability allows a user with “COLLECT_CLIENT” permissions to run arbitrary commands or update configuration, potentially seizing full control of the endpoint.

Once Velociraptor was installed, the attackers used it as a base to deploy ransomware across VMware ESXi virtual machines and Windows servers. Cisco reports that both LockBit and Babuk were successfully deployed in these environments. In some cases, the same campaign also involved the newer Warlock ransomware in combination with LockBit, which is an uncommon pairing.

Cisco Talos attributes this activity with moderate confidence to the threat actor group “Storm-2603.” That attribution is based on overlaps in tactics, techniques, and procedures (TTPs) and in tooling observed in other attacks linked to that group.

Prior Velociraptor misuse and C2 tunneling

Before this ransomware usage, Velociraptor had already come under scrutiny. In August 2025, Sophos reported that adversaries used Velociraptor to download and execute Visual Studio Code (VS Code) in a concealed manner. The intention was to establish a tunnel to a command-and-control (C2) server, using VS Code’s tunneling capabilities. In that case, the attacker used Windows’ built-in msiexec utility to fetch a malicious MSI installer hosted via Cloudflare Workers, then ran it to install Velociraptor. The same infrastructure was later used to deploy VS Code, configured to act as a service and redirect its output, enabling remote access.

The Sophos team warned that unauthorized Velociraptor use should be considered a likely precursor to ransomware, and recommended organizations monitor for unexpected instances of the tool and investigate them promptly.

The CVE-2025-6264 vulnerability

The key enabler for the privilege escalation is CVE-2025-6264, a flaw in Velociraptor’s artifact permission handling. Specifically, Velociraptor allows packaging of VQL queries into “artifacts” which typically run with elevated permissions. The “Admin.Client.UpdateClientConfig” artifact can be collected by users possessing only “COLLECT_CLIENT” rights (such as those in the “Investigator” role). Because this artifact did not require extra permissions, it could be used to alter configurations or execute commands, effectively enabling full control over the client. The vulnerability holds a medium severity rating per Rapid7 and NVD listings (CVSS 5.5).

Rapid7 itself has documented this issue and has provided guidance on mitigating it, including restricting artifact execution and using “basic artifacts” mode to limit risky actions.

Implications for defenders

This development highlights a concerning shift: adversaries are increasingly reusing tools built for defenders—not just for reconnaissance or lateral movement, but directly in the deployment of ransomware. An accidentally misconfigured or outdated Velociraptor deployment can itself become an active attack vector.

Organizations need to take preventive measures: monitor for unexpected instances of Velociraptor within environments, treat any unauthorized use as suspicious, and ensure that all deployments of the tool are up to date and properly hardened. The use of an endpoint detection and response (EDR) solution and least privilege design are also critical in reducing the window of opportunity for attackers.
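To make the monitoring advice above concrete, and to show how the msiexec, Velociraptor, VS Code tunnel chain that Sophos described could be surfaced from endpoint telemetry, here is a small Python detection pass over constructed process-creation events (example code written for this page, not code from Cisco, Sophos, or the Velociraptor project). The event shape, the sanctioned install path, and the 600-second correlation window are assumptions.

```python
import re
# Constructed sample process-creation events (not real telemetry). Assumed simplified
# shape: host, timestamp in seconds, image path, command line.
EVENTS = [
    {"host": "ws01", "ts": 100, "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": "msiexec.exe /i https://example.invalid/setup.msi /qn"},
    {"host": "ws01", "ts": 160, "image": r"C:\ProgramData\tmp\velociraptor.exe",
     "cmdline": "velociraptor.exe --config client.config.yaml service run"},
    {"host": "ws01", "ts": 300, "image": r"C:\Program Files\Microsoft VS Code\code.exe",
     "cmdline": "code.exe tunnel --accept-server-license-terms > out.txt"},
    {"host": "srv02", "ts": 50, "image": r"C:\Program Files\Velociraptor\velociraptor.exe",
     "cmdline": "velociraptor.exe --config client.config.yaml service run"},
    {"host": "ws03", "ts": 10, "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec.exe /i C:\Installers\approved.msi /qn"},
]
# Assumed: the only sanctioned Velociraptor install path in this environment.
APPROVED_VELOCIRAPTOR = {r"c:\program files\velociraptor\velociraptor.exe"}
# msiexec pulling an MSI from a URL, and VS Code started in tunnel mode.
REMOTE_MSI = re.compile(r"\bmsiexec(?:\.exe)?\b.*\bhttps?://\S+\.msi\b", re.I)
VSCODE_TUNNEL = re.compile(r"\bcode(?:\.exe)?\s+tunnel\b", re.I)

def classify(event):
    """Return the detection labels that apply to one process-creation event."""
    labels, image = [], event["image"].lower()
    if REMOTE_MSI.search(event["cmdline"]):
        labels.append("msiexec_remote_msi")
    if image.endswith("velociraptor.exe") and image not in APPROVED_VELOCIRAPTOR:
        labels.append("unexpected_velociraptor")
    if VSCODE_TUNNEL.search(event["cmdline"]):
        labels.append("vscode_tunnel")
    return labels

def find_precursors(events, window=600):
    """Label events per host; escalate a remote MSI install followed by an unexpected Velociraptor start within `window` seconds."""
    by_host = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_host.setdefault(ev["host"], []).append(ev)
    findings = {}
    for host, evs in by_host.items():
        labels, msi_times = [], []
        for ev in evs:
            hits = classify(ev)
            labels.extend(hits)
            if "msiexec_remote_msi" in hits:
                msi_times.append(ev["ts"])
            if "unexpected_velociraptor" in hits and any(0 <= ev["ts"] - t <= window for t in msi_times):
                labels.append("ransomware_precursor_chain")
        if labels:
            findings[host] = labels
    return findings
```

Only ws01 is escalated: the sanctioned Velociraptor client on srv02 and the local MSI install on ws03 produce no findings.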