Cybersecurity researchers have called attention to a cyber attack in which unknown threat actors deployed an open-source endpoint monitoring and digital forensic tool called Velociraptor, illustrating ongoing abuse of legitimate software for malicious purposes.
“In this incident, the threat actor used the tool to download and execute Visual Studio Code with the likely intention of creating a tunnel to an attacker-controlled command-and-control (C2) server,” the Sophos Counter Threat Unit Research Team said in a report published this week.
While threat actors are known to adopt living-off-the-land (LotL) techniques or take advantage of legitimate remote monitoring and management (RMM) tools in their attacks, the use of Velociraptor signals a tactical evolution, where incident response programs are being used to obtain a foothold and minimize the need for having to deploy their own malware.
Further analysis of the incident has revealed that the attackers used the Windows msiexec utility to download an MSI installer from a Cloudflare Workers domain, which serves as a staging ground for other tools used by them, including a Cloudflare tunneling tool and a remote administration utility known as Radmin.
The MSI file is designed to install Velociraptor, which then establishes contact with another Cloudflare Workers domain. The access is then leveraged to download Visual Studio Code from the same staging server using an encoded PowerShell command and execute the source code editor with the tunnel option enabled in order to allow both remote access and remote code execution.
The threat actors have also been observed utilizing the msiexec Windows utility again to download additional payloads from the workers[.]dev folder.
“Organizations should monitor for and investigate unauthorized use of Velociraptor and treat observations of this tradecraft as a precursor to ransomware,” Sophos said. “Implementing an endpoint detection and response system, monitoring for unexpected tools and suspicious behaviors, and following best practices for securing systems and generating backups can mitigate the ransomware threat.”
The disclosure comes as cybersecurity firms Hunters and Permiso detailed a malicious campaign that has leveraged Microsoft Teams for initial access, reflecting a growing pattern of threat actors weaponizing the platform’s trusted and deeply embedded role in enterprise-focused communications for malware deployment.
These attacks begin with the threat actors using newly created or compromised tenants to send direct messages or initiate calls to targets, impersonating IT help desk teams or other trusted contacts to install remote access software like AnyDesk, DWAgent, or Quick Assist, and seize control of victim systems to deliver malware.
While similar techniques involving remote access tools have been linked to ransomware groups like Black Basta since mid-2024, these newer campaigns forgo the preliminary email bombing step and ultimately make use of the remote access to deliver a PowerShell payload with capabilities commonly associated with credential theft, persistence, and remote code execution.
“The lures used to initiate engagement are tailored to appear routine and unremarkable, typically framed as IT assistance related to Teams performance, system maintenance, or general technical support,” Permiso researcher Isuf Deliu said. “These scenarios are designed to blend into the background of everyday corporate communication, making them less likely to trigger suspicion.”
It’s worth noting that similar tactics have been employed to propagate malware families like DarkGate and Matanbuchus malware over the past year.
The attacks also serve a Windows credential prompt to trick users into entering their passwords under the guise of a benign system configuration request, which are then harvested and saved to a text file on the system.
“Microsoft Teams phishing isn’t a fringe technique anymore — it’s an active, evolving threat that bypasses traditional email defenses and exploits trust in collaboration tools,” security researchers Alon Klayman and Tomer Kachlon said.
“By monitoring audit logs like ChatCreated and MessageSent, enriching signals with contextual data, and training users to spot IT/help desk impersonations, SOC teams can close this new gap before it’s exploited.”
The findings also follow the discovery of a novel malvertising campaign that combines legitimate office[.]com links with Active Directory Federation Services (ADFS) to redirect users to Microsoft 365 phishing pages that are capable of harvesting login information.
The attack chain, in a nutshell, begins when a victim clicks on a rogue sponsored link on search engine results pages, triggering a redirect chain that ultimately leads them to a fake login page mimicking Microsoft.
“It turns out the attacker had set up a custom Microsoft tenant with Active Directory Federation Services (ADFS) configured,” Push Security’s Luke Jennings said. “This means Microsoft will perform the redirect to the custom malicious domain.”
“While this isn’t a vulnerability per se, the ability for attackers to add their own Microsoft ADFS server to host their phishing page and have Microsoft redirect to it is a concerning development that will make URL-based detections even more challenging than they already are.”
Update
Following the publication of the story, cybersecurity firm Rapid7 shared the below statement with The Hacker News –
Rapid7 is aware of reports describing the misuse of the open-source Velociraptor incident response tool by malicious actors. Velociraptor is widely used by defenders for legitimate forensic and response workflows, and, just like many other security and administrative tools, it can also be abused when in the wrong hands.
The company has also published a document that outlines how organizations can detect the misuse of Velociraptor in their environments –
- The modification time for the Windows Registry key HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesEventLogApplicationVelociraptor
- the binary logs the command line arguments used into the Application event log with an event id of 1000
- Execution of unsigned binaries in the environment, indicating the presence of a modified version of the open-source tool
(The story was updated after publication on September 3, 2025, to include a response from Rapid7, which maintains Velociraptor.)
