Malicious Actors Exploit Velociraptor Forensic Tool to Launch Visual Studio Code for C2 Tunneling

Cybersecurity experts have highlighted a recent cyber attack involving the misuse of Velociraptor, an open-source endpoint monitoring and digital forensic tool. This incident showcases the ongoing trend of leveraging legitimate software for nefarious purposes. According to a report from the Sophos Counter Threat Unit Research Team, the attackers employed Velociraptor to download and execute Visual Studio Code, likely aimed at establishing a tunnel to a command-and-control (C2) server they controlled. While the use of legitimate remote monitoring and management (RMM) tools is not new in cyber threats, the adoption of Velociraptor represents a significant shift, allowing attackers to gain a foothold without deploying their own malware. Further investigation into the attack has revealed that the perpetrators exploited Wind…

Attackers Exploit Velociraptor Forensic Tool to Deploy Visual Studio Code for Command-and-Control Tunneling

On August 30, 2025, cybersecurity experts unveiled a concerning cyber attack involving the exploitation of Velociraptor, an open-source endpoint monitoring and digital forensic tool. This incident highlights a troubling trend where legitimate software is misused for nefarious purposes. According to a report from the Sophos Counter Threat Unit Research Team, unknown adversaries leveraged Velociraptor to download and execute Visual Studio Code, likely aiming to establish a connection to a command-and-control (C2) server under their control.

The attackers’ choice of Velociraptor reflects a significant shift in tactics, underscoring an evolution in how cybercriminals operate. Traditionally, such actors would tend to rely on malware specifically crafted for their objectives. However, this case marks a new strategy, wherein threat actors utilize existing incident response tools to infiltrate systems, effectively reducing their reliance on deploying custom malware. This method aligns with the so-called living-off-the-land (LotL) approach, where attackers exploit legitimate applications to maintain stealth and blend into normal operations.

Further investigation into the incident has unveiled that the attackers took advantage of the tool’s functionality to bypass security measures intended to detect malicious software. The use of Velociraptor raises alarms not only because it is a valuable asset in digital forensics but also due to its potential as a gateway for unauthorized access when wielded by malicious entities.

This incident underscores the imperative for organizations, particularly those in the United States, to bolster their cybersecurity posture against sophisticated threat actors. Given the nature of the attack, it is likely that the adversaries employed various tactics outlined in the MITRE ATT&CK framework. Initial access through exploiting a publicly available tool demonstrates a calculated approach to gain foothold in target environments.

Moreover, techniques such as persistence and privilege escalation were likely pivotal in maintaining their presence within the network. By establishing a tunnel to their C2 server via a legitimate tool, the attackers not only managed to evade security protocols but also set the stage for further exploitation of the compromised systems.

As businesses continue to adopt and integrate advanced technologies into their operations, the findings from this incident accentuate the vulnerability posed by the misuse of legitimate software. Organizations must remain vigilant and proactive in updating their security frameworks to counter these evolving tactics.

The implications of this attack are profound. Companies must assess their incident response strategies and ensure they are equipped to detect and mitigate potential threats stemming from the misuse of forensic tools. In an age where cybersecurity threats are increasingly sophisticated, understanding the evolving tactics employed by adversaries is integral to safeguarding organizational assets and sensitive data.

Source link

Related Posts

Rethinking Browser Security: Addressing the Threats Posed by Scattered Spider

As businesses increasingly rely on browser-based operations, security teams are confronted with escalating cyber threats. Today, over 80% of security incidents stem from web applications accessed through browsers like Chrome, Edge, and Firefox. A particularly agile adversary known as Scattered Spider (also identified as UNC3944, Octo Tempest, or Muddled Libra) has emerged, targeting sensitive data within these browsers. Unlike infamous cybercriminal groups such as Lazarus Group, Fancy Bear, and REvil, Scattered Spider has honed its methods over the past two years, focusing on the human element and browser environments. If critical information—like your calendar, login credentials, or security tokens—resides in your browser tabs, Scattered Spider is poised to seize it. This article will delve into the attack techniques employed by Scattered Spider and outline strategies to defend against them.

⚡ Weekly Summary: Exploited WhatsApp Vulnerability, Docker Flaw, Salesforce Incident, Fake CAPTCHAs, Spyware App & More

Date: Sep 01, 2025
Category: Cybersecurity News / Hacking

In the evolving landscape of cybersecurity, threats often stem from interconnected vulnerabilities rather than isolated attacks. A single overlooked update or misused account can lead to significant breaches. This week’s updates illustrate how attackers are merging tactics, leveraging stolen access, unpatched software, and innovative methods to escalate from minor entry points to major risks. For security professionals, the takeaway is clear: the real threat often lies in the interplay of various small vulnerabilities rather than a single, major flaw.

⚡ Threat of the Week

WhatsApp Addresses Actively Exploited Vulnerability — WhatsApp has patched a security issue affecting its messaging applications for Apple iOS and macOS, which appears to have been exploited alongside a recently reported Apple flaw in targeted zero-day attacks. The vulnerability, identified as CVE-2025-55177, involves inadequate authorization for linked device synchronization messages. The Meta-owned company…

Silver Fox Exploits Microsoft-Signed WatchDog Driver to Distribute ValleyRAT Malware

Date: September 2, 2025
Categories: Financial Fraud / Endpoint Protection

The threat actor known as Silver Fox has been linked to the exploitation of a previously undetected vulnerable driver associated with WatchDog Anti-malware. This attack, classified as a Bring Your Own Vulnerable Driver (BYOVD) incident, aims to neutralize security solutions on compromised systems.

The specific driver involved, “amsdk.sys” (version 1.0.600), is a 64-bit, validly signed Windows kernel device driver believed to be based on the Zemana Anti-Malware SDK. According to an analysis by Check Point, “This driver, created using the Zemana Anti-Malware SDK, was Microsoft-signed, not included in the Microsoft Vulnerable Driver Blocklist, and evaded detection by community initiatives such as LOLDrivers.”

The attack employs a dual-driver approach, utilizing a known vulnerable Zemana driver (“zam.exe”) for Windows 7 systems, while leveraging the undetected WatchDog driver for Windows 10 and 11 environments. The WatchDog Anti-malware driver has been identified as containing multiple vulnerabilities.

Ukrainian Network FDN3 Conducts Widespread Brute-Force Attacks on SSL VPN and RDP Devices

Date: Sep 02, 2025
Category: Cyber Attack / Botnet

Cybersecurity experts have identified a Ukrainian IP network engaging in extensive brute-force and password spraying campaigns against SSL VPN and RDP devices between June and July 2025. The operations are traced back to the Ukraine-based autonomous system FDN3 (AS211736), according to French cybersecurity firm Intrinsec. “We have high confidence that FDN3 is part of a larger malicious infrastructure that includes two other Ukrainian networks, VAIZ-AS (AS61432) and ERISHENNYA-ASN (AS210950), as well as a Seychelles-based system, TK-NET (AS210848),” the report stated. “All of these were allocated in August 2021 and frequently exchange IPv4 prefixes to bypass blocklisting and sustain their abusive operations.” AS61432 currently announces a single prefix, 185.156.72[.]0/24, while AS210950 has two prefixes: 45.143.201[.]0/24 and 185.193.89[.]0/24. These autonomous systems were allocated in May…