Velociraptor
Velociraptor is a legitimate open-source digital forensics and incident response (DFIR) tool that threat actors have repeatedly abused as a post-compromise backdoor and command-and-control framework. Across the provided reporting, attackers used Velociraptor to execute commands, collect artifacts, remotely control endpoints, maintain persistence, and establish covert access channels, including Visual Studio Code tunnels and Cloudflare-backed tunnel infrastructure. Multiple reports describe deployment of Velociraptor as an MSI payload, often using the outdated version 0.73.4/0.73.4.0, configured to communicate with attacker-controlled infrastructure such as Cloudflare Workers domains.

Reported examples include use by the Warlock ransomware ecosystem and the actor tracked as GOLD SALEM / Storm-2603, including intrusions involving SharePoint ToolShell exploitation, SmarterMail exploitation, and SolarWinds Web Help Desk exploitation. In these cases, Velociraptor was used to maintain access, stage ransomware deployment, and in some incidents directly support Warlock, LockBit, or Babuk ransomware operations. Additional reporting links Velociraptor abuse to The Gentlemen ransomware-as-a-service operation as part of its broader intrusion toolkit.

Observed behaviors include installation as a Windows service, use as the primary C2 framework, downloading and launching Visual Studio Code with tunneling enabled, and acting as a tunnel to C2.

High-confidence infrastructure and configuration details in the reporting include server URLs such as velo[.]qaubctgg[.]workers[.]dev, chat[.]hcqhajfv[.]workers[.]dev, auth[.]qgtxtebl[.]workers[.]dev, and update[.]githubtestbak[.]workers[.]dev, as well as MSI staging locations including files[.]qaubctgg[.]workers[.]dev, royal-boat-bf05[.]qgtxtebl[.]workers[.]dev, and Supabase-hosted payloads such as v4.msi.
Several reports specifically note attacker use of Velociraptor version 0.73.4 as an outdated release associated in the reporting with CVE-2025-6264.
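The behaviors summarized above (Velociraptor.exe spawning base64-encoded PowerShell, an outdated 0.73.4 build, and a client configuration whose server_urls point at a Cloudflare Workers domain) can be turned into hunting logic. The following is an added detection example written for this page; it is not code from the Velociraptor project or from any of the vendors quoted here. It assumes Sysmon-style process-creation fields (Image, CommandLine, ParentImage, FileVersion), uses a constructed placeholder workers.dev hostname rather than any of the reported indicators, and walks the client config with a minimal line-based scan instead of a YAML library so it runs offline.

```python
"""Hunting checks for Velociraptor abuse patterns (added example, constructed input)."""
import base64
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    """Subset of Sysmon Event ID 1 fields this check relies on (assumed schema)."""
    image: str
    command_line: str
    parent_image: str
    file_version: str = ""


# Release named in the reporting as outdated and abused in the field.
OUTDATED_VERSIONS = {"0.73.4", "0.73.4.0"}
# Legitimate Velociraptor deployments are not served from Cloudflare Workers.
WORKERS_DEV = re.compile(r"(^|\.)workers\.dev$", re.IGNORECASE)
# powershell.exe accepts any unambiguous prefix of -EncodedCommand.
ENCODED_SWITCH = re.compile(r"^-(e|ec|en|enc|encodedcommand)$", re.IGNORECASE)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_powershell(command_line: str):
    """Return the script behind -EncodedCommand, or None if the switch is absent/undecodable.
    PowerShell expects base64 of UTF-16LE text, so that is what we decode."""
    tokens = command_line.split()
    for i, tok in enumerate(tokens[:-1]):
        if ENCODED_SWITCH.match(tok):
            try:
                return base64.b64decode(tokens[i + 1], validate=True).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None


def assess_process(event: ProcessEvent) -> list:
    """Findings for one process-creation event; empty list means nothing suspicious."""
    findings = []
    parent, image = basename(event.parent_image), basename(event.image)
    if parent == "velociraptor.exe" and image in {"powershell.exe", "pwsh.exe"}:
        decoded = decode_encoded_powershell(event.command_line)
        if decoded is not None:
            findings.append(f"Velociraptor spawned encoded PowerShell: {decoded.strip()}")
        else:
            findings.append("Velociraptor spawned PowerShell")
    if image == "velociraptor.exe" and event.file_version in OUTDATED_VERSIONS:
        findings.append(f"outdated Velociraptor build {event.file_version}")
    return findings


def extract_server_urls(client_config: str) -> list:
    """Collect the entries under server_urls: in a Velociraptor client config (minimal YAML walk)."""
    urls, in_list = [], False
    for line in client_config.splitlines():
        stripped = line.strip()
        if stripped.startswith("server_urls:"):
            in_list = True
            continue
        if in_list:
            if stripped.startswith("- "):
                urls.append(stripped[2:].strip().strip("'\""))
            elif stripped:
                in_list = False
    return urls


def assess_server_urls(urls) -> list:
    """Flag any configured server whose host sits under workers.dev."""
    findings = []
    for url in urls:
        host = re.sub(r"^[a-z]+://", "", url, flags=re.IGNORECASE)
        host = host.split("/", 1)[0].split(":", 1)[0].lower()
        if WORKERS_DEV.search(host):
            findings.append(f"server_url on Cloudflare Workers: {host}")
    return findings


# Constructed sample telemetry (not from any real incident).
ENCODED = base64.b64encode("Get-Service".encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Program Files\Velociraptor\Velociraptor.exe", "Velociraptor.exe service run",
                 r"C:\Windows\System32\services.exe", "0.73.4.0"),
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 f"powershell.exe -nop -w hidden -enc {ENCODED}",
                 r"C:\Program Files\Velociraptor\Velociraptor.exe"),
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -Command Get-Date", r"C:\Windows\explorer.exe"),
]
SAMPLE_CLIENT_CONFIG = """\
Client:
  server_urls:
    - https://velo.EXAMPLE-PLACEHOLDER.workers.dev/
  ca_certificate: |
    -----BEGIN CERTIFICATE-----
"""

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(basename(ev.image), assess_process(ev))
    print(assess_server_urls(extract_server_urls(SAMPLE_CLIENT_CONFIG)))
```

The encoded-command decode is there so an analyst sees the actual script rather than just an alert on `-enc`; the version check is a weak signal on its own (organizations that run Velociraptor legitimately may also lag on upgrades), so pair it with the parent/child and server_url checks before escalating.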
Vulnerabilities exploited
11 CVEs Mallory has correlated with this family across public research and vendor advisories.
Huntress analysts detected an incident where threat actors likely exploited a recently patched remote code execution vulnerability in Windows Server Update Services (WSUS). After gaining initial access via exploitation of the flaw (CVE-2025-59287), the actors then installed Velociraptor... This deserialization issue has previously been exploited by threat actors targeting vulnerable WSUS instances exposed publicly on their default ports; as of October 23, a patch is available from Microsoft.
Velociraptor is a digital forensics and incident response (DFIR) tool that we have seen threat actors abuse recently in attacks in order to set up command-and-control (C2) communications.
Threat actors have started to use the Velociraptor digital forensics and incident response (DFIR) tool in attacks that deploy LockBit and Babuk ransomware.
"CVE-2026-24423... exploits a weakness in the ConnectToHub API method to achieve unauthenticated remote code execution (RCE)."
"CVE-2026-23760 is an authentication bypass flaw that could allow any user to reset the SmarterMail system administrator password by sending a specially crafted HTTP request."
Huntress reported active exploitation of SolarWinds Web Help Desk vulnerabilities (CVE-2025-26399 and CVE-2025-40551) by unidentified threat actors, deploying remote management tools and Velociraptor for command and control.
"Shortly after reconnaissance, the attacker deployed Velociraptor, an open-source DFIR platform... its ability to execute commands, collect artifacts, and remotely control endpoints makes it an effective command-and-control (C2) framework when misused."
Groups observed using it
2 distinct threat actors attributed by public researchers.
In August, CTU researchers observed GOLD SALEM abusing the legitimate open-source Velociraptor digital forensics and incident response (DFIR) tool to establish a Visual Studio Code network tunnel within the compromised environment. Some of these incidents ended in Warlock ransomware deployment.
...followed by dropping additional payloads like Velociraptor and the locker to encrypt files.
Techniques & procedures
23 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development (1 technique)
Initial Access (1 technique)
After gaining initial access via exploitation of the flaw (CVE-2025-59287), the actors then installed Velociraptor... This deserialization issue has previously been exploited by threat actors targeting vulnerable WSUS instances exposed publicly on their default ports.
Execution (5 techniques)
"the attackers use this tool—designed for incident response—to maintain persistence and 'set the stage' for their ransomware payload."
These tactics are in addition to previous post-exploit tools and techniques used by the group, which included the Velociraptor digital forensics and incident response (DFIR) tool as its primary command-and-control (C2) framework...
After the threat actor installed Velociraptor, we observed a number of base64-encoded PowerShell commands, which were child processes of Velociraptor.exe...
Persistence (2 techniques)
Privilege Escalation (2 techniques)
Stealth (5 techniques)
we observed a number of base64-encoded PowerShell commands, which were child processes of Velociraptor.exe
Since Velociraptor is widely trusted and commonly used by security teams, its presence blended seamlessly with normal administrative behavior, making it an effective cover for malicious activity running in plain sight.
Defense Impairment (1 technique)
Credential Access (2 techniques)
Discovery (4 techniques)
These commands launched a series of discovery queries, allowing the threat actor to gather information about users, running services, configurations, and more.
The group deployed Velociraptor, a legitimate forensic tool, running it with the highest system privileges to map the environment and collect data.
Command and Control (4 techniques)
Velociraptor... was configured to communicate with the endpoint update[.]githubtestbak[.]workers[.]dev.
For remote access and C2, they rely on frameworks like ZeroPulse and Velociraptor, combined with Cloudflare-based tunnels and custom VPN setups to keep stable access into compromised networks.
IOCs tracked for this family
8 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
Recent activity
25 sources tracked across advisories, community write-ups, and news.
A covert remote access/C2 platform used by the operators, including for memory and LSASS dumping, as part of ransomware intrusion workflows.
A legitimate DFIR platform repurposed by the threat actors as their primary command-and-control framework for stealthy persistence and remote operations.
Legitimate DFIR/endpoint visibility tool repurposed by threat actors for command-and-control, persistence, and reconnaissance in intrusions.
Legitimate DFIR/post-exploitation tool abused by attackers for persistence and operational staging in support of ransomware deployment.