Attackers Weaponize Outdated Velociraptor Build (CVE-2025-6264) to Encrypt Windows and VMware ESXi

CyberSecureFox 🦊

Threat actors are repurposing a legitimate incident response tool to accelerate ransomware operations. According to Cisco Talos, adversaries are deploying an outdated build of the open-source DFIR platform Velociraptor—created by Mike Cohen and maintained by Rapid7—to escalate privileges and orchestrate encryption across Windows and VMware ESXi estates. The campaign blends living-off-the-land tradecraft with abuse of enterprise administration workflows, complicating detection and response.

DFIR tools in offensive operations: the next stage of living off the land

Security teams have long tracked the shift from bespoke malware to trusted binaries and admin utilities. Sophos previously observed operators using Velociraptor to download and run Visual Studio Code on compromised hosts and open an encrypted tunnel to command-and-control infrastructure. Because the tooling is the same as what incident responders and IT administrators run, the activity blends into normal operations, produces fewer telemetry anomalies, and lengthens attacker dwell time.

Attack chain: Entra ID, vSphere access, and Velociraptor CVE-2025-6264

Cisco Talos reports that intrusions began with the creation of local administrator accounts synchronized with Entra ID (formerly Azure AD). The accounts were used to access the VMware vSphere console and retain control over virtual machines. Attackers then installed Velociraptor 0.73.4.0, a build vulnerable to CVE-2025-6264, a privilege escalation flaw enabling arbitrary command execution and full host takeover. The tool was launched repeatedly and maintained persistence even after host isolation, effectively serving as a lightweight control node on compromised endpoints.

Defense impairment and dual-platform ransomware on Windows and ESXi

Operators systematically weakened protections by disabling Microsoft Defender real-time features via Active Directory Group Policy and turning off behavior and file activity monitoring. EDR alerts were still triggered despite these changes. The Windows payload was identified as LockBit, yet the encrypted-file extension .xlockxlock matches the Warlock ransomware family, an indicator of tooling reuse or affiliate cross-pollination. On ESXi hosts, analysts found a Linux binary linked to Babuk. Investigators also observed a fileless PowerShell-based encryptor that generated fresh AES keys at runtime, likely used for rapid encryption at scale.

Attribution and the ransomware affiliate ecosystem

The activity is tentatively associated with the China-based group Storm-2603 (also tracked as CL-CRI-1040 and Gold Salem). Halcyon assesses the operators as aligned with state interests, previously acting as a LockBit affiliate and connected to the Warlock family. Such hybridization—mixing builders, payloads, and partner infrastructure—helps explain the presence of LockBit, Warlock, and Babuk elements within the same incident.

Detection: IOCs and ATT&CK-informed threat hunting

Cisco Talos has published two IOC sets covering artifacts delivered to victim systems and Velociraptor-related files and traces. Defenders should ingest these indicators into SIEM/EDR and hunt using MITRE ATT&CK techniques including T1078 (Valid Accounts), T1562.001 (Impair Defenses), T1105 (Ingress Tool Transfer), and T1059.001 (PowerShell). Aligning IOC matches with these TTPs raises the probability of early-stage detection and reduces time to contain.

Risk mitigation: hardening Velociraptor, vSphere, and Windows estates

Reduce exposure by upgrading Velociraptor to a current, supported release that addresses CVE-2025-6264, and remove or block Velociraptor 0.73.4.0 and other deprecated builds. Treat any Velociraptor client or server that your own IR team did not deploy as hostile: because the attackers drop a genuine release, validating the publisher signature alone will not distinguish their copy from yours, so application allowlisting for IR/admin tools should also key on the approved install path, configuration file and deploying identity.

Harden identity and access paths: audit Entra ID synchronization for privileged local accounts, enforce MFA and conditional access, and apply least privilege for vSphere administrators. Restrict vSphere API and console access to dedicated management networks with strong network segmentation.

Strengthen endpoint defenses: enable Microsoft Defender tamper protection so that GPO- or script-driven changes to real-time protection are blocked rather than merely logged, monitor and approve GPO changes, and enforce PowerShell Constrained Language Mode where feasible. Expand telemetry with Sysmon, enable process command-line auditing and PowerShell script block logging, and alert on Velociraptor binaries running from unexpected paths or with unexpected configurations, and on the outbound tunnels they establish.

Protect data and recovery: maintain offline or immutable backups, test restore procedures, and monitor for suspicious extensions such as .xlockxlock. On ESXi, apply vendor hardening guidance, disable unused services, and restrict shell access.

Adversaries co-opting legitimate DFIR tools underscores a broader trend: ransomware operations increasingly rely on trusted components to evade controls. By rapidly patching Velociraptor deployments, hardening vSphere and identity pathways, and aligning detections to ATT&CK techniques and current IOCs, organizations can shrink attacker dwell time and limit blast radius. Security teams should continuously review admin tooling inventories, lock down update channels, and simulate this attack chain to validate monitoring, prevention, and recovery controls.
