Fast Facts
- In August 2025, attackers used Velociraptor, an open-source digital forensics tool, to download and run malicious software including Visual Studio Code configured to establish remote access to a command-and-control server, aiming to facilitate ransomware deployment.
- The threat actor exploited the Windows msiexec utility to download malicious installers from attacker-controlled Cloudflare Workers domains, which contained Velociraptor and additional malware like Radmin, facilitating stealthy network access.
- Visual Studio Code was installed as a service with its tunnel feature enabled, triggering security alerts that allowed for rapid incident response, which likely prevented the attacker from completing their malicious objectives.
- Organizations should monitor for unauthorized use of Velociraptor and similar tools, employ endpoint detection and response systems, and restrict access to known malicious domains to prevent pivoting to ransomware in similar attacks.
What’s the Problem?
In August 2025, researchers from the Counter Threat Unit™ uncovered a sophisticated cyber intrusion where an attacker exploited the open-source digital forensics tool Velociraptor to infiltrate a network. The attacker’s plan involved using Velociraptor to clandestinely download and run Visual Studio Code with a special tunnel setting enabled, creating a covert link to its command-and-control (C2) server. This activity was detected thanks to a security alert from Taegis™, which flagged the suspicious use of Visual Studio Code’s remote access features—a tactic previously favored by threat groups aiming to gain sustained access with minimal detection. The attacker further utilized the Windows msiexec utility to fetch additional malicious software from a staging server hosted on Cloudflare Workers domains, including tools used for tunneling and remote administration, ultimately aiming to establish persistent control and potentially deploy ransomware.
The incident was reported by Sophos analysts following the alert, who identified that the attacker’s goal was likely to establish a foothold that could facilitate ransomware deployment. By hijacking legitimate tools like Velociraptor and Visual Studio Code, the attacker minimized the chances of early detection, highlighting a disturbing trend where threat actors leverage incident response and remote management tools to covertly access networks. The investigation emphasizes that organizations must vigilantly monitor for unauthorized use of such tools—particularly Velociraptor—and adopt robust security measures like endpoint detection systems, regular backups, and strict access controls. Recognizing and responding swiftly to these indicators can significantly reduce the risk of severe damage, including ransomware attacks, which might follow such covert infiltration efforts.
Security Implications
In August 2025, researchers uncovered a sophisticated cyberattack exploiting legitimate incident response tools like Velociraptor to infiltrate networks and facilitate malicious activities, notably enabling remote access via Visual Studio Code’s tunnel feature. The threat actors employed the Windows utility msiexec to retrieve and install payloads from malicious domains, establishing a command-and-control (C2) infrastructure that supported subsequent malware deployment, including remote administration tools. This covert approach not only minimized suspicion but also heightened the risk of undetected lateral movement, potentially culminating in ransomware deployment if left unchecked. Such incidents exemplify how cyber adversaries opportunistically abuse legitimate tools and cloud infrastructure—like Cloudflare workers—to obscure their malicious footprints, emphasizing the necessity for organizations to vigilantly monitor for unauthorized tool usage, enforce strict access controls, and act swiftly upon detecting suspicious behaviors. Failure to intercept these activities early significantly amplifies the potential damage, which can include data breaches, operational disruptions, and costly ransom payments. Consequently, proactive detection and adherence to security best practices are imperative to preventing malicious intrusions and safeguarding critical assets.
Possible Remediation Steps
Understanding the critical nature of timely remediation in cases like the Velociraptor incident response tool abuse is essential, as delays can lead to widespread security breaches, data loss, and compromised systems. Rapid action helps contain threats, prevent escalation, and restore organizational integrity efficiently.
Mitigation Steps
- Disable compromised accounts and revoke access credentials immediately.
- Isolate affected systems from the network to prevent lateral movement.
- Conduct thorough malware scans and remove malicious files or backdoors.
- Review logs to identify intrusion points and scope of the attack.
- Apply patches and updates to fix known vulnerabilities exploited during the attack.
- Implement network segmentation to limit future attack vectors.
Remediation Actions
- Restore affected systems from clean backups to ensure integrity.
- Strengthen security protocols, including multi-factor authentication.
- Conduct staff awareness training on social engineering and best security practices.
- Monitor systems continuously for unusual activity post-remediation.
- Review and update incident response plans based on lessons learned.
- Engage with cybersecurity experts for in-depth analysis and assistance.
Stay Ahead in Cybersecurity
Discover cutting-edge developments in Emerging Tech and industry Insights.
Access world-class cyber research and guidance from IEEE.
Disclaimer: The information provided may not always be accurate or up to date. Please do your own research, as the cybersecurity landscape evolves rapidly. Intended for secondary references purposes only.
Cyberattacks-V1
