Overview
- Cisco Talos reports that attackers installed Velociraptor v0.73.4.0, a version vulnerable to CVE‑2025‑6264, and used it for stealthy persistence and control during intrusions.
- Talos assesses with medium confidence that the activity ties to Storm‑2603; the ransomware deployed was LockBit on Windows, using a Warlock‑style “.xlockxlock” extension, and Babuk on ESXi.
- Investigators observed creation of local admin accounts synced to Entra ID, access to VMware vSphere, Impacket smbexec‑style remote execution, scheduled tasks, and Microsoft Defender disablement via GPO changes.
- Sophos describes staging from a Cloudflare Workers domain using msiexec, installation of Velociraptor, and a Visual Studio Code service configured as a tunnel to the C2, followed by additional malware downloads.
- Talos details pre‑encryption exfiltration and a fileless PowerShell encryptor that generates a random AES key on each run. Separate Huntress research highlights large‑scale Nezha abuse following log poisoning and China Chopper web shells, with Nezha clients seen on over 100 machines.