In August 2025, Counter Menace Unit™ (CTU) researchers investigated an intrusion that concerned deployment of the respectable open-source Velociraptor digital forensics and incident response (DFIR) device. On this incident, the menace actor used the device to obtain and execute Visible Studio Code with the doubtless intention of making a tunnel to an attacker-controlled command and management (C2) server. Enabling the tunnel possibility in Visible Studio Code triggered a Taegis™ alert, as this feature can permit each distant entry and distant code execution and has been abused by a number of menace teams up to now.
The menace actor used the Home windows msiexec utility to obtain an installer (v2.msi) from a Cloudflare Employees area (information[.]qaubctgg[.]staff[.]dev). This location seems to be a staging folder for attacker instruments, together with the Cloudflare tunneling device and the Radmin distant administration device. This file put in Velociraptor, which is configured to speak with C2 server velo[.]qaubctgg[.]staff[.]dev. The attacker then used an encoded PowerShell command to obtain Visible Studio Code (code.exe) from the identical staging folder and executed it with the tunnel possibility enabled. The menace actor put in code.exe as a service and redirected the output to a log file. They then used the msiexec Home windows utility once more to obtain extra malware (sc.msi) from the employees[.]dev folder (see Determine 1).
Determine 1: Course of tree exhibiting Velociraptor creating Visible Studio Code tunnel.
The Visible Studio Code tunneling exercise triggered a Taegis alert that prompted a Sophos investigation. The analysts supplied mitigation recommendation that enabled the shopper to shortly implement remediations akin to isolating the affected host, which prevented the attacker from reaching their goals. Evaluation means that the malicious exercise would doubtless have led to ransomware deployment.
Menace actors usually abuse distant monitoring and administration (RMM) instruments. In some cases, they leverage preexisting instruments on the focused techniques. In others, they deploy the instruments through the assault. The Velociraptor incident reveals attackers pivoting to utilizing incident response instruments to realize a foothold in a community and decrease the quantity of malware they deploy.
Organizations ought to monitor for and examine unauthorized use of Velociraptor and deal with observations of this tradecraft as a precursor to ransomware. Implementing an endpoint detection and response system, monitoring for sudden instruments and suspicious behaviors, and following greatest practices for securing techniques and producing backups can mitigate the ransomware menace. The influence of an assault is drastically decreased whether it is caught previous to ransomware deployment.
The next Sophos protections detect exercise associated to this menace:
- Troj/Agent-BLMR
- Troj/BatDl-PL
- Troj/Mdrop-KDK
To mitigate publicity to this malware, CTU™ researchers advocate that organizations use obtainable controls to evaluation and prohibit entry utilizing the indications listed in Desk 1. The domains might comprise malicious content material, so think about the dangers earlier than opening them in a browser.
| Indicator | Sort | Context |
| information[.]qaubctgg[.]staff[.]dev | Area identify | Hosted instruments utilized in August 2025 Velociraptor marketing campaign |
| velo[.]qaubctgg[.]staff[.]dev | Area identify | C2 server utilized in August 2025 Velociraptor marketing campaign |
Desk 1: Indicators for this menace.
