Anatomy of the Storm-2603 Velociraptor Compromise: Three CVEs, One Killchain

1. The setup: why the IR fleet is the new initial-access prize

Velociraptor was built to give defenders God-mode over a fleet of endpoints. That is exactly why an attacker wants it. An incident-response platform is privileged-by-design: it deploys a SYSTEM-running client to every box, ships a server that holds private keys for fleet-wide command, and exposes a Turing-complete query language (VQL) that can read memory, snapshot processes, harvest registry hives, exfiltrate files, and drop binaries. None of that is a vulnerability. It is the product.

Which means the threat model is inverted. A normal application asks "how do I keep an attacker out?" An IR platform has to ask "how do I keep an attacker who gets in from owning every endpoint I was supposed to defend?" If you 0wn the IR fleet, you 0wn the response. You read every artifact collection before the analyst does. You rewrite the timeline. You push a hunt that quietly disables Sysmon. You stage your ransomware as a Velociraptor artifact and let the DFIR tool ship it for you, signed and trusted.

In August 2025 a financially-motivated cluster Microsoft tracks as Storm-2603, the operators behind the Warlock ransomware brand, did exactly that. They turned Velociraptor — the customer's own DFIR tool — into the dropper, the C2, and the persistence mechanism for ransomware deployments across multiple victims. This post breaks down how, by which CVEs they chained, what the patches actually closed, and where defenders are still blind even after patching.

2. August 2025: Talos and Huntress reveal the pattern

The first public artifact was Cisco Talos's blog "Velociraptor leveraged in ransomware attacks", which dropped in early September 2025 after multiple victim engagements. Talos described an attack pattern they had not seen before: a victim's own deployed Velociraptor server was being used as the initial post-exploitation hub. The attackers were not bringing their own Cobalt Strike. They were not deploying their own RMM. They were running the customer's DFIR tool against the customer's fleet.

Huntress followed within weeks with Part II — "Eye of the Storm", a detailed forensic writeup of the same actor, with corroborating IOCs. The Huntress data is what nailed the attribution to Storm-2603 / Warlock and surfaced the Cloudflare Workers redirectors (update.githubtestbak.workers.dev, chat.hcqhajfv.workers.dev, royal-boat-bf05.qgtxtebl.workers.dev) that are now baked into our scanner's IOC list.

The reconstructed timeline looks like this:

• T-90 days: Initial access via an unrelated edge appliance vulnerability (the actor is opportunistic and does not require Velociraptor for ingress).
• T-30 to T-7 days: Internal reconnaissance discovers the victim runs a Velociraptor master, often on TCP 8889, often without SSO in front of it. The actor confirms a fleet GUI version below 0.74.3 — the CVE-2025-6264 window.
• T-0: Authentication-light entry to the Velociraptor frontend. The actor submits an artifact collection that uses VQL primitives reserved for break-glass admin (we discuss Generic.Client.VQL and Admin.Client.UpdateClientConfig below). Because Velociraptor's artifact-collection model treats VQL as "trusted code authored by a trusted analyst," the collection runs as SYSTEM on every endpoint targeted.
• T+hours: The actor pushes a follow-on artifact that rewrites client.config.yaml to point server_urls at one of their *.workers.dev redirectors. The fleet is now reporting to attacker C2 instead of the customer SOC. The DFIR tool is the attacker's tool.
• T+24-72h: Ransomware deployment via the same Velociraptor artifact-collection channel. Encryption commands ship signed by Rapid7 / Velocidex (because they are running inside the legitimate signed binary). Quarantine commands from "the SOC" are actually attacker no-ops.

Subsequent corroborating coverage from Help Net Security, Sophos's X-Ops blog, Fortra, and an advisory from the Singapore Cyber Security Agency confirmed the pattern across additional victims by Q4 2025. By early 2026, "abuse a stale Velociraptor fleet" had moved from a Storm-2603 signature into a generally-imitated playbook.

3. The three CVEs and how they chain

Three CVEs do most of the heavy lifting in the Storm-2603 chain. None of them is individually catastrophic on a hardened fleet. Stacked, they collapse the entire DFIR plane. Our ENDPOINT-DFIR-VR-CHAIN-* scanner family detects the precondition state for each of the three on a customer's deployed Velociraptor master, with read-only probes only — no enrolment packet sent, no notebook executed, no binary swapped.

3.1 CVE-2025-6264: stale GUI to fleet RCE

Affected: Velociraptor server < 0.74.3. Vector: Authenticated artifact-collection abuse on the fleet GUI. Severity: Critical — every endpoint in the fleet, with SYSTEM-class execution.

This is the CVE the Talos writeup centred on. The vulnerable GUI accepts artifact-collection submissions whose VQL body invokes primitives that should be admin-only — execve(), Generic.Client.VQL, Admin.Client.UpdateClientConfig — without checking whether the submitting role carries the EXECVE permission. Once the collection schedules, the artifact runs as the Velociraptor service on every targeted endpoint. The blast radius is the fleet.

Why "authenticated" is doing little work here. The Storm-2603 cluster has shown two paths to first authentication: phished SOC analyst credentials (cheap, plentiful) and the basic-auth realm Velociraptor that ships when an operator does not put OIDC/SSO in front of the GUI. A basic-auth realm, exposed to the internet, with no MFA, in front of a tool that grants SYSTEM on every box, is a default configuration as recently as 0.73.x.

What the patch fixed. Velociraptor 0.74.3 (and the LTS line that followed) gates the dangerous VQL primitives behind a discrete EXECVE permission, separate from notebook authoring. The default analyst role does not carry EXECVE. Break-glass-only.

What our scanner detects (ENDPOINT-DFIR-VR-CHAIN-FLEET-RCE-001). A four-condition exposure window, all four required:

1. The frontend port (default TCP 8889) is reachable and serves a Velociraptor GUI fingerprint.
2. The TLS leaf cert CN is VelociraptorServer — the canonical default the install ships with.
3. The Angular bundle hash maps to a release strictly less than 0.74.3 (or /api/v1/GetVersion confirms it).
4. WWW-Authenticate advertises Basic realm="Velociraptor" with no OIDC/SAML redirect on /api/v1/GetUserOrgs.

All four together is the configuration Storm-2603 walked into. The probe is a TLS handshake plus three GETs. No artifact submitted. No client enrolled.

3.2 CVE-2026-5329: rogue-client server RCE

Affected: Velociraptor master < 0.76.2 (and not on the 0.75.7+ LTS line). Vector: Malformed client-enrolment packet from a rogue endpoint to the master. Severity: Critical — code execution on the server, not the client.

This is the natural follow-up. Once Talos published, researchers reverse-engineered the enrolment-packet parser and found a deserialization-class flaw in the pre-0.76.2 master. An attacker who can reach the frontend port — including from a compromised client they already own — can send an enrolment packet that triggers code execution on the master itself.

Why this matters in chain: even a customer who patched 0.74.3 promptly, but stayed on 0.75.x mainline before 0.75.7-LTS, is still inside the rogue-client window. And once you own the master, you do not just collect artifacts — you can silently rewrite forensic evidence before it lands in the artifact store. Incident response on top of a compromised master is structurally impossible. You are reading the attacker's curated highlight reel.

What the patch fixed. 0.76.2 reworks the enrolment-packet parser to validate the client cert chain and packet schema before any deserialization. The 0.75.7-LTS backport applies the same fix on the conservative line.

What our scanner detects (ENDPOINT-DFIR-VR-CHAIN-ROGUE-CLIENT-002). The vulnerable version range, full stop. We fingerprint via /api/v1/GetVersion (read-only, never authenticated) with the Angular bundle hash as fallback, and apply the version predicate < 0.76.2 AND NOT (0.75.7+ on the 0.75 line). No enrolment packet is ever sent.

3.3 CVE-2026-6290: multi-tenant query() ACL bypass

Affected: Velociraptor server < 0.76.3, multi-tenant deployments only. Vector: Investigator-role notebook query reaches across org_id boundary. Severity: High — cross-tenant data leak in MSSP and shared-DFIR shops.

This one is narrower in surface but a regulatory grenade. MSSPs and large DFIR consultancies often run a single Velociraptor master across many customer organizations, with org_id-keyed isolation. CVE-2026-6290 is an ACL bypass in the notebook query() resolver: an investigator-role user in org A can submit a notebook whose VQL references artifacts collected in org B and the resolver returns the rows.

For an MSSP, that is customer A's investigator looking at customer B's evidence. SOX, HIPAA, GDPR, and customer-contract NDAs all fire at once.

What the patch fixed. 0.76.3 adds an org_id check at the query() resolver before any artifact-store read.

What our scanner detects (ENDPOINT-DFIR-VR-CHAIN-CROSS-ORG-003). Three preconditions, all read-only:

1. Server version < 0.76.3.
2. Notebook API reachable (/api/v1/GetNotebooks returns non-404).
3. /api/v1/GetUserOrgs returns more than one distinct org_id — i.e. multi-tenant mode is configured.

We never submit a cross-tenant notebook. The fingerprint alone is sufficient to flag the surface; the customer's MSSP tier and patch SLA do the rest.

3.4 The chain in one diagram

[Internet]
    │
    │  Phished SOC creds OR
    │  basic-auth realm="Velociraptor"
    ▼
[Velociraptor GUI < 0.74.3]  ←── CVE-2025-6264 ──────►  Submit Generic.Client.VQL artifact
    │                                                          │
    │                                                          │  artifact runs as SYSTEM
    ▼                                                          ▼
[Master < 0.76.2 / 0.75.7]   ←── CVE-2026-5329 ──────►  Rogue-client enrolment to master RCE
    │                                                          │
    │                                                          │  rewrite artifact store
    ▼                                                          ▼
[Master < 0.76.3, multi-org] ←── CVE-2026-6290 ──────►  Cross-org notebook query()
    │                                                          │
    │                                                          ▼
    │                                              Customer-A evidence to Customer-B account
    ▼
[T1556.009 DFIR tool hijack]
    │
    │  Push Admin.Client.UpdateClientConfig
    │  Rewrite server_urls → *.workers.dev
    ▼
[Fleet C2 = Cloudflare Workers redirector]
    │
    ▼
[Ransomware via signed Velociraptor.exe]

A second supporting CVE worth noting, which our family also detects: CVE-2024-10526 (Synacktiv, late 2024) — a Windows-installer ACL flaw in Velociraptor < 0.73.3 where C:\Program Files\Velociraptor\ grants BUILTIN\Users a write-class right. Any local user can swap the binary and gain SYSTEM at next service restart. Storm-2603 reportedly leaned on this primitive in at least one Talos-documented victim where they did not have direct GUI access but could land a phished user on a fleet endpoint. The Synacktiv writeup is the primary technical reference and remains relevant: a fleet-wide LPE, available to any phished user, lives on every box where a pre-0.73.3 client was installed and never had its install ACL repaired post-upgrade.

4. Beyond the CVEs: VQL primitive abuse

Patching all three CVEs above does not close the harder problem. VQL is Turing-complete. It is a SQL-shaped query language with if, loops via plugin, http_client() for outbound, upload() for exfil, and the ability to invoke execve() (gated post-CVE-2025-0914) or wrap shell-class behaviour through plugin functions like pipeline(), chain(), and the artifact source DSL. An artifact is just a YAML wrapper around a VQL program.

The Storm-2603 actor leaned hard on three "dangerous artifact" primitives that are admin-power-by-design but are not gated separately from normal artifact submission on a default-tuned fleet:

• Generic.Client.VQL. The escape hatch. It accepts an arbitrary VQL body and runs it on every targeted client. There is no narrower-than-RCE way to describe its capability. On a fleet where any analyst with notebook-author rights can submit arbitrary artifacts, Generic.Client.VQL is the fleet-wide RCE primitive. Talos and Huntress both observed Storm-2603 using it as their first post-auth action.
• Admin.Client.UpdateClientConfig. The pinning primitive. It rewrites client.config.yaml on the targeted endpoint, including server_urls. Storm-2603 used this to pivot the fleet from the legitimate master to attacker-controlled *.workers.dev redirectors. After this artifact runs, you cannot remediate from the master — the master is no longer in the conversation.
• Admin.Client.Upgrade. The replacement primitive. It pushes a new client binary and restarts the service. In a Storm-2603 victim documented by Talos, it was used to deploy a re-signed Velociraptor.exe whose Authenticode publisher was not Rapid7 or Velocidex — but most endpoint signing-policy rules allow "any valid Authenticode signature" rather than enforcing a publisher allowlist, so the swap was invisible.

A representative VQL fragment from a Generic.Client.VQL collection in one of the Huntress-documented victims (paraphrased; the real artifact had additional obfuscation):

LET cfg = SELECT OSPath FROM glob(globs="C:/ProgramData/Velociraptor/*.config.yaml")
LET _ = SELECT * FROM execve(argv=["powershell.exe", "-c",
    "Set-Content -Path 'C:/ProgramData/Velociraptor/client.config.yaml' " +
    "-Value (Get-Content $env:TEMP/c.yaml -Raw)"])
SELECT timestamp(epoch=now()) as t FROM scope()

That is twelve lines of YAML wrapping a privileged config rewrite that ships from the customer's own DFIR master, signed by the customer's own infrastructure, dropping a payload the analyst told the tool to drop. Talos and Sophos both narrated SOCs watching this shape go by in their alert queues without flagging it because the VQL is "from our own Velociraptor master" — the canonical trust-by-source failure mode.

The defensive implication: VQL artifact submission must be treated as a privileged operation in its own right, distinct from notebook authoring, distinct from analyst role. A patched Velociraptor still ships Generic.Client.VQL and Admin.Client.UpdateClientConfig because legitimate operators legitimately need them. The CVE patches reduce the population of accounts that can invoke them. They do not eliminate the primitives or audit them. That is on the customer.

Our ENDPOINT-DFIR-VR-CHAIN-DANGER-ART-007 test reads the audit log and flags any collection of those three artifacts by users whose role does not carry EXECVE. In every Talos- and Huntress-documented victim, this audit-log shape was present 24-72 hours before the ransomware deployment. Defenders who had this rule live caught the attack at T+0. Victims who did not found out at T+ransomware.

5. The hunt cadence gap

Even a fully patched Velociraptor fleet — current binary, locked-down ACLs, OIDC in front of the GUI, dangerous artifacts permission-gated — has a structural blind window that no CVE patch addresses. Velociraptor is not a continuous-monitoring tool. It is hunt-on-demand. An operator launches a hunt, the fleet runs the artifact at that moment, results stream back, and then nothing happens until the next hunt fires.

In customer engagements we routinely observe median intervals between operator-launched hunts on the canonical visibility artifacts (Windows.Events.ProcessCreation, Windows.System.Pslist, Windows.Memory.) of more than 24 hours. On endpoints where Velociraptor is the only* visibility tool — no Sysmon, no Defender ATP, no Wazuh agent — the fleet is blind to in-memory tradecraft for the entire interval. Storm-2603 profiled hunt cadence in at least two Huntress-documented victims and timed reflective loads, process hollowing, and the Admin.Client.UpdateClientConfig rewrite to fire inside the gap.

T1620 (Reflective Code Loading) and T1055.001 (Dynamic-link Library Injection) are the canonical techniques that exploit this window. Both are invisible to a tool that snapshots process state at hour T and then again at hour T+26.

Our ENDPOINT-DFIR-VR-CHAIN-HUNT-GAP-008 test computes the per-host median visibility-hunt interval from the audit log and cross-references the asset inventory for a co-installed continuous-EDR agent. A FAIL fires when both conditions hold: median visibility-hunt interval > 24 hours AND no Sysmon / Defender ATP / Wazuh / CrowdStrike / SentinelOne / Elastic Agent on the host. This is not a CVE. It is a deployment-shape finding, and it is one of the highest-frequency findings we surface on customers who treat Velociraptor as a replacement for, rather than a complement to, continuous EDR.

6. Defenders' response: what to do today

The patch order is the easy part. Every customer reading this should have already moved to Velociraptor server >= 0.76.3 and client >= 0.73.3. If not, schedule the upgrade this week. Beyond patching, the operational hardening list:

• Pin client.config.yaml. Lock the file to SYSTEM-only on Windows (icacls <path> /inheritance:r /grant SYSTEM:F /grant Administrators:F) and 0600 root-owned on Linux. Storm-2603's Admin.Client.UpdateClientConfig rewrite only works if the target file is writable by the agent process; tightened ACLs neutralize it.
• Gate VQL artifact submission to an approved registry. Maintain a customer-signed list of approved artifact YAMLs, hashed at commit time. Reject any artifact whose YAML hash is not in the registry. The Velocidex Exchange manifest is a starting point but is not, in itself, a security boundary.
• Monitor Authenticode chain on MSI distribution. Add a WDAC or AppLocker rule that requires Velociraptor.exe to be signed by Rapid7 LLC or Velocidex Innovations Pty Ltd. Block the binary on any other publisher CN. The Storm-2603 re-signed installer Talos documented would have been blocked by a single AppLocker entry.
• Run continuous EDR alongside Velociraptor, not as a replacement. Sysmon at minimum on every endpoint where Velociraptor is the named visibility tool. Production fleets should add Defender for Endpoint, CrowdStrike Falcon, or SentinelOne. Velociraptor is a DFIR-on-demand tool. It is not a continuous-monitoring tool. The Singapore CSA advisory (AD-2025-013) makes this point explicitly.
• Build the dangerous-artifact SIEM rule. Any collection of Admin.Client.UpdateClientConfig, Generic.Client.VQL, or Admin.Client.Upgrade by a user whose role does not carry the EXECVE permission should fire a Sev-1 alert and require ticket-reference attestation in the notebook description. This is the rule Storm-2603 victims wished they had run.
• Rotate the GUI server cert and every artifact-collection token issued before the upgrade. Talos's writeup is explicit that long-lived API tokens were re-used by Storm-2603 to maintain access across customer-attempted remediations.
• Front the GUI with an SSO/OIDC reverse proxy. No basic-auth realm, period. The WWW-Authenticate: Basic realm="Velociraptor" shape is the single highest-leverage signal in our scanner — it correlates with every other deployment-hygiene failure.
• **Egress-block *.workers.dev from endpoints that have no business calling Cloudflare Workers.** A perimeter rule deflects the entire Storm-2603 C2 channel even if the agent is hijacked locally.

7. Closing: run the probes against your own fleet

Three CVEs, one VQL abuse pattern, one structural hunt-cadence gap, and a supply-chain installer-signing failure. Stacked, they are how Storm-2603 turned the customer's DFIR tool into the ransomware delivery infrastructure. Patched and hardened, they are an entirely tractable problem — but only if you measure against the actual Storm-2603 chain rather than against a CVE list in isolation.

Our ENDPOINT-DFIR-VR-CHAIN-* family (ten enterprise-tier tests, all read-only, gated through the NDA-engagement agent for the host-shell probes) ships with the May 2026 platform update. The PoC scripts that drive the external probes — version fingerprinting, Angular bundle hash extraction, multi-tenant detection, IOC matching against the Huntress C2 list — will land in core/poc_scripts/wave2/velociraptor/ shortly after this post. Run them against your own deployment. If anything fires, the remediation guidance in each test's remediation_guidance field maps one-to-one to the operational steps in section 6 above.

If you operate a Velociraptor fleet and you have not yet measured your exposure to the Storm-2603 chain on your own infrastructure, consider this post the nudge. The actor is no longer the only one who knows how to chain these.

---

References

1. Cisco Talos. "Velociraptor leveraged in ransomware attacks." September 2025. https://blog.talosintelligence.com/velociraptor-leveraged-in-ransomware-attacks/
2. Huntress. "Eye of the Storm: Storm-2603 Velociraptor Abuse, Part II." October 2025. https://www.huntress.com/blog/abuse-of-velociraptor-storm-2603-ransomware
3. Help Net Security. "Velociraptor abused in ransomware attacks." September 2025. https://www.helpnetsecurity.com/2025/09/03/velociraptor-abused-ransomware-attacks/
4. Sophos X-Ops. "Velociraptor incident-response tool abused for remote access." September 2025. https://news.sophos.com/en-us/2025/09/22/velociraptor-incident-response-tool-abused-for-remote-access/
5. Fortra. "Velociraptor misuse — Storm-2603 analysis." Q4 2025. https://www.fortra.com/blog/velociraptor-misuse-storm-2603
6. Singapore Cyber Security Agency. "AD-2025-013 — Advisory on Velociraptor abuse by Storm-2603." 2025. https://www.csa.gov.sg/alerts-and-advisories/2025/AD-2025-013
7. Synacktiv. "CVE-2024-10526: Velociraptor Windows installer ACL flaw." Late 2024. https://www.synacktiv.com/en/publications/cve-2024-10526-velociraptor-windows-installer-acl-flaw.html
8. NVD. CVE-2025-6264, CVE-2026-5329, CVE-2026-6290, CVE-2025-0914, CVE-2024-10526.
9. Velocidex. Release notes 0.74.3, 0.75.7-LTS, 0.76.2, 0.76.3. https://docs.velociraptor.app/blog/
10. MITRE ATT&CK. T1190, T1199, T1068, T1078.003, T1556.009, T1195.002, T1620, T1059.