NormCyber Threat Bulletin: 23rd October 2025

Velociraptor Incident Response Tool Abused by China Based Threat Actors

In a notable evolution of adversary tradecraft, the Chinese-affiliated threat group known as Storm-2603 has begun abusing Velociraptor — an open-source digital forensics and incident response (DFIR) tool — as part of ransomware operations. Originally intended for defenders to monitor endpoints and investigate security incidents, Velociraptor has been repurposed by attackers to sustain stealthy, persistent access within victim networks.

Storm-2603 first emerged publicly in July, exploiting a series of SharePoint vulnerabilities in an operation dubbed “ToolShell.” Through the vulnerability chain, threat actors gained initial footholds in SharePoint servers, then moved laterally across the environment and ultimately deployed Warlock ransomware. In a more recent incident (August), Cisco Talos researchers observed a more complex intrusion: the attackers deployed three different ransomware variants to VMware ESXi servers — Warlock, LockBit, and Babuk — within the same campaign. Alongside the ransomware payloads, the adversary installed a vulnerable version of Velociraptor (v0.73.4.0) that contains a privilege escalation vulnerability (CVE-2025-6264), enabling arbitrary command execution and endpoint takeover.

In effect, the attackers leveraged Velociraptor as a backdoor: once deployed, it communicated with an attacker-controlled command-and-control (C2) server, downloaded additional payloads, and executed commands — all under the guise of a legitimate tool.

The misuse of Velociraptor is not wholly new. In August, Sophos’ Counter Threat Unit (CTU) documented earlier instances in which attackers used the tool to download and run Visual Studio Code with the apparent aim of establishing tunnels to a C2 server — essentially leveraging VS Code’s remote tunnel features for control. That same research partnership noted that some organisations had extensively deployed Velociraptor across their networks, which increased their exposure when threat actors co-opted those instances for malicious activity.

According to Sophos, the earliest detection of Velociraptor abuse by Storm-2603 dated to 5 August. After the initial public reporting, the group altered its Tactics, Techniques and Procedures (TTPs), including switching to a new C2 domain using Cloudflare’s workers.dev service.
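The bulletin describes three observable traits of this abuse: a Velociraptor client on the vulnerable 0.73.4.0 build, a client talking to a server that is not the organisation's own, and the use of Cloudflare workers.dev domains and VS Code remote tunnels for command and control. The following triage script is an added example written for this bulletin; it is not Norm's code nor part of the Velociraptor project. It runs over constructed JSON-lines endpoint telemetry with hypothetical field names (`host`, `image`, `file_version`, `dest_host`, `cmdline`) and a hypothetical allowlist of approved Velociraptor frontends; the only values taken from the bulletin are the vulnerable version and the workers.dev pattern.

```python
"""Triage endpoint telemetry for the Velociraptor-abuse traits in this bulletin.

Added example, not Norm's or the Velociraptor project's code. Field names,
the frontend allowlist and every sample record are constructed; the vulnerable
build 0.73.4.0 (CVE-2025-6264) and the workers.dev C2 pattern come from the
bulletin text.
"""
import json
import re
from dataclasses import dataclass

# Hypothetical: the Velociraptor server(s) your own deployment is configured
# to report to. A client talking to anything else warrants investigation.
APPROVED_FRONTENDS = {"velociraptor.corp.example"}

# Build named in the bulletin as the vulnerable version dropped by the attackers.
KNOWN_VULNERABLE_VERSIONS = {"0.73.4.0"}

# Destination is a Cloudflare workers.dev subdomain (the new C2 hosting noted above).
WORKERS_DEV = re.compile(r"(^|\.)workers\.dev$", re.IGNORECASE)
# VS Code launched with its remote tunnel sub-command ("code tunnel ...").
VSCODE_TUNNEL = re.compile(r"\bcode(\.exe)?\b.*\btunnel\b", re.IGNORECASE)


@dataclass
class Finding:
    host: str
    rule: str
    detail: str


def check_record(rec: dict) -> list[Finding]:
    """Apply the four bulletin-derived rules to one telemetry record."""
    findings: list[Finding] = []
    host = rec.get("host", "?")
    image = (rec.get("image") or "").lower()
    cmdline = rec.get("cmdline") or ""
    dest = (rec.get("dest_host") or "").lower()
    version = rec.get("file_version") or ""

    is_velo = "velociraptor" in image
    if is_velo and version in KNOWN_VULNERABLE_VERSIONS:
        findings.append(Finding(host, "velociraptor_vulnerable_build", version))
    if is_velo and dest and dest not in APPROVED_FRONTENDS:
        findings.append(Finding(host, "velociraptor_unapproved_frontend", dest))
    if dest and WORKERS_DEV.search(dest):
        findings.append(Finding(host, "workers_dev_destination", dest))
    if VSCODE_TUNNEL.search(cmdline):
        findings.append(Finding(host, "vscode_tunnel_launch", cmdline))
    return findings


def triage(lines) -> list[Finding]:
    """Parse JSON-lines telemetry and collect findings across all records."""
    out: list[Finding] = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        out.extend(check_record(json.loads(line)))
    return out


# Constructed sample telemetry (JSON lines). Not real data; the version string
# "1.2.3-constructed" is a placeholder for any non-vulnerable build.
SAMPLE_TELEMETRY = r"""
{"host":"ws01","image":"C:\\Program Files\\Velociraptor\\velociraptor.exe","file_version":"1.2.3-constructed","dest_host":"velociraptor.corp.example","cmdline":"velociraptor.exe client"}
{"host":"srv02","image":"C:\\Windows\\Temp\\velociraptor.exe","file_version":"0.73.4.0","dest_host":"example-tenant.workers.dev","cmdline":"velociraptor.exe client"}
{"host":"ws03","image":"C:\\Users\\Public\\code.exe","file_version":"","dest_host":"","cmdline":"code.exe tunnel"}
{"host":"ws04","image":"C:\\Program Files\\Google\\Chrome\\chrome.exe","file_version":"","dest_host":"www.example.com","cmdline":"chrome.exe"}
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_TELEMETRY.splitlines()):
        print(f"{f.host:6} {f.rule:34} {f.detail}")
```

The legitimate client on ws01 produces nothing, while srv02 trips three rules at once (vulnerable build, unknown frontend, workers.dev destination), which is the combination the bulletin describes. Treat the allowlist as the key control: an organisation that has deployed Velociraptor widely, as Sophos noted, should know exactly which servers its clients are meant to reach.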

UK NCSC Warns of Increased Average Cyber Attacks Up to 4 Per Week

The National Cyber Security Centre has released a report stating that the United Kingdom is now averaging four “nationally significant” cyber-attacks per week. Over the 12-month period ending August 2025, the NCSC handled 204 such incidents—more than double the 89 recorded in the prior year—marking a notable escalation in attack

Of the 204 incidents, 18 were classified as “highly significant”, indicating they had the potential to severely disrupt essential services or infrastructure. This represents nearly a 50% year-on-year increase in such high-impact cases. In total, over half of all 429 cybersecurity matters addressed by the NCSC required national-level coordination, underscoring the systemic challenge posed to UK security.

A substantial portion of these attacks have been attributed to Advanced Persistent Threat (APT) actors, including either nation-state actors or highly skilled criminal organisations. These adversaries display sophisticated capabilities geared towards targeting vital infrastructure, government systems, and private sector networks. According to the NCSC, the complexity and persistence of these threat actors are growing, thereby increasing the overall risk to the UK’s security apparatus, economy, and essential services.

The data indicate a sharp and sustained upward trajectory in the frequency and intensity of cyber-attacks in the UK. What was once episodic is now approaching normalisation: four significant attacks per week is a worrying baseline for a developed nation’s cyber posture.

The nature of the threats — involving APTs and targeting critical infrastructure — suggests we are entering a phase in which cyber conflict is more structural and less episodic. The demand for constant vigilance, inter-sector coordination, and proactive defence is now the standard, not the exception.

In summary, the United Kingdom is facing a rapidly evolving cyber threat landscape in which attacks are more frequent, more severe, and more capable. Without urgent and coordinated action across government, industry, and organisational leadership, the risk to national infrastructure, service continuity, and economic stability will continue rising.

F5 BIG-IP Environment Breached by Unknown Nation-State Threat Actor

In October 2025, F5 Networks disclosed a serious security breach in which a sophisticated nation-state actor gained long-term, persistent access to portions of its development and engineering environment. The attacker was able to exfiltrate source code, internal documentation about ongoing mitigations, and some customer configuration files for F5’s flagship product line, BIG-IP.

F5 became aware of the intrusion in August, at which point it revealed that the actor had compromised systems related to product development and knowledge-management platforms. The attack did not appear to extend to F5’s customer relationship management, financial systems, support systems, or the iHealth domain, nor did it impact NGINX’s source code or that product’s development environment (NGINX being a separate F5 acquisition).

While F5 claims there is no evidence of modifications to its supply chain, build pipelines, or release processes, it does acknowledge that the threat actor accessed code and internal mitigation details. The stolen material included ‘some customer configuration and implementation information’ (but on a “small percentage” of customers). F5 is actively reviewing which customers may have been affected and notifying them as appropriate.

Although F5 states it has no knowledge of undisclosed critical vulnerabilities being exposed or actively exploited, the wider security community remains concerned that exfiltrated architectural and code data may be weaponised in future attacks—especially against organisations using BIG-IP appliances.

While F5 declined to name a specific threat actor, commentators pointed to historical connections and prior targeting of F5 infrastructure, with China being cited as a possible suspect. The stealth and long dwell time observed in the attack emphasise the advanced sophistication and patience of the threat actor.

This breach represents a particularly high-risk scenario: full access to development and engineering environments provides attackers with raw material to craft future zero-days or to facilitate downstream compromises of customers.
