Top Highlights
- Sophisticated attackers are exploiting legitimate administrative tools like Velociraptor to establish stealthy Command and Control channels, making detection more difficult as these tools often appear to signal remediation rather than malicious activity.
- Recent campaigns, utilizing vulnerabilities in Microsoft SharePoint (CVE-2025-49706 and CVE-2025-49704), allow attackers to bypass authentication, deploy malicious web shells, and install Velociraptor for lateral movement and persistence.
- The attackers use advanced techniques such as Cloudflare tunnels, digitally signed binaries, and signed PowerShell scripts within Visual Studio Code to evade defenses and mask malicious network activities.
- These operations, linked to the threat group Storm-2603, prominently feature malware delivery, lateral movement, and network domination tactics that leverage valid forensic and admin tools to conceal malicious intent.
Underlying Problem
Recently, a dangerous trend has emerged where cybercriminals are using legitimate administrative tools, like Velociraptor, to hide their malicious activities. This occurred in a campaign during late 2025, where attackers exploited vulnerabilities in widely used enterprise systems, particularly Windows Server Update Services (WSUS) and Microsoft SharePoint. They first bypassed security measures by exploiting specific vulnerabilities (CVE-2025-49706 and CVE-2025-49704), then used SharePoint web shells to gain unauthorized access. Once inside, they installed Velociraptor—an advanced digital forensics tool—as a persistent foothold. This tactic is risky because it confuses defenders; forensic tools typically signal remediation, not attack. Huntress analysts uncovered these activities by investigating multiple incidents, revealing the threat cluster Storm-2603’s methodical approach. The attack involved sophisticated techniques, such as tunneling through Cloudflare and digitally signing binaries, to evade detection. This campaign demonstrated how attackers blend malicious actions with authentic-looking IT activities to stay hidden, complicating traditional security defenses and escalating the threat landscape.
The report underscores that these cybercriminals targeted specific systems through a chain of exploits on SharePoint, enabling them to activate web shells. They then used Velociraptor to download additional tools and establish covert communication channels, like outbound tunnels via Visual Studio Code. These steps allowed them to maintain command over compromised networks while mimicking legitimate activity, thus avoiding alarms. Reporting on these incidents, Huntress observed the attackers’ high level of operational security, including the use of obfuscation techniques like Base64-encoded PowerShell commands. Overall, this evolving threat highlights the need for vigilant security measures, as threat actors increasingly disguise malicious actions within normal administrative workflows, presenting a formidable challenge to defenders.
What’s at Stake?
The issue “Hackers Leverage Velociraptor DFIR Tool for Stealthy C2 & Ransomware Delivery” presents a serious threat to any business. Because hackers exploit legitimate digital forensics and incident response tools like Velociraptor, they can hide malicious activities from detection systems. This means they can maintain covert command and control channels longer, making breaches harder to find. Consequently, ransomware can be delivered quietly, crippling your operations, stealing sensitive data, and causing financial loss. Small businesses may underestimate this threat, but in reality, any organization with digital assets is vulnerable. Without proper cybersecurity measures, your business could suffer severe disruptions, reputation damage, and costly recovery efforts. Therefore, understanding and defending against such tactics is crucial to safeguarding your enterprise’s future.
Possible Next Steps
Timely remediation is crucial when hackers leverage tools like Velociraptor for stealthy command-and-control (C2) communications and ransomware delivery. Rapid response helps contain the threat, prevent data loss, and minimize operational disruption, ensuring that defenses adapt promptly to evolving attack techniques.
Detection Measures
- Continuous monitoring for unusual Velociraptor activity
- Implement threat intelligence to identify known indicators of compromise (IOCs)
Containment Strategies
- Isolate affected systems from the network
- Disable network connections that show malicious communication
Eradication Actions
- Remove malicious Velociraptor artifacts and scripts
- Conduct forensic analysis to understand attack vectors
Recovery Protocols
- Restore systems from clean backups
- Patch vulnerabilities exploited by attackers
Preventive Safeguards
- Strengthen endpoint security controls
- Enforce least privilege policies and role-based access
- Regularly update and patch software to close security gaps
- Conduct user awareness training on security best practices
Stay Ahead in Cybersecurity
Discover cutting-edge developments in Emerging Tech and industry Insights.
Access world-class cyber research and guidance from IEEE.
Disclaimer: The information provided may not always be accurate or up to date. Please do your own research, as the cybersecurity landscape evolves rapidly. Intended for secondary references purposes only.
Cyberattacks-V1cyberattack-v1-multisource
