Malware of the Day – Velociraptor as C2

What is Malware of the Day?

 

Lab Setup

Malware: Velociraptor (legitimate tool abused for C2)

MITRE Tactics: TA0011 Command and Control, T1219 Remote Access Software, T1105 Ingress Tool Transfer, TA0003 Persistence, TA0005 Defense Evasion, T1036.005 Masquerading: Match Legitimate Name or Location

Traffic Type: HTTPS

Connection Type: Persistent TCP

C2 Platform: Velociraptor (v0.7.1)

Origin of Sample: Active Countermeasures Threat Hunting Lab

Host Payload Delivery Method: Post-compromise installation via compromised admin credentials

Target Host/Victim: 10.0.0.4 (Windows 11 Pro x64)

Adversary Host: 165.22.159.5 (Ubuntu Linux 22.04)

Beacon Delay: N/A (persistent connection)

Jitter: N/A (persistent connection)

 

 

Malware of the Day Mission

To identify and share examples of post-compromise network activity in order to better detect and respond to potential network threats. Specifically we are looking for Command and Control (C2) communication channels used by attackers to obtain intelligence, issue commands, and exfiltrate data through a compromised host or hosts.

 

Background

Modern threat actors continually evolve their tactics to maintain persistent access to compromised networks while evading detection. After establishing initial access – whether through phishing, exploitation of vulnerabilities, or brute-force attacks – attackers require reliable methods to communicate with compromised hosts, execute commands, transfer files, and maintain control over their targets.

Traditionally, attackers have relied on purpose-built offensive security tools and custom malware frameworks for Command and Control (C2) operations. These include well-known commercial and open-source C2 offerings such as Cobalt Strike, Brute Ratel, Mythic and Sliver, as well as Remote Access Trojans (RATs).

But the security landscape has witnessed a shift in recent years towards a more diversified approach. This applies not only to the number of different applications in the above-mentioned categories, but also to the introduction of altogether new categories.

The main driver of diversification is the widespread adoption of modern Intrusion Detection Systems (IDS) and Endpoint Detection and Response (EDR) solutions. These technologies have been exceedingly good at what they set out to do and so, as these things tend to happen, have served as a sort of “selective pressure” on attackers, forcing them to innovate and find alternative means to reach the same essential ends.

This innovation has materialized in several distinct trends. First, we’ve observed the extensive abuse of Living Off the Land Binaries and Scripts (LOLBins/LOLBAS) – legitimate Windows utilities like PsExec, PowerShell, and WMI that can be repurposed for malicious activities.

Second, threat actors have increasingly turned to Remote Monitoring and Management (RMM) tools such as AnyDesk, TeamViewer, and ScreenConnect, which provide robust remote access capabilities while appearing legitimate to many security solutions.

We’re now witnessing the emergence of a new category of abuse: the weaponization of live forensic and incident response tools. After all, threat actors are ultimately pragmatic – they don’t necessarily care whether a tool is classified as “malware.” What matters is whether it can help them achieve their objectives. Any tool that enables remote influence over a target host fulfills this fundamental requirement.

 

What is Velociraptor?

Velociraptor is an open-source application for endpoint monitoring, digital forensics, and incident response. Designed with scale in mind, it uses a client-server architecture to allow for real-time data collection, analysis, and response across multiple hosts from a central server. This is unlike most forensic tools, which require endpoint data to be collected and consolidated centrally before it can be analyzed.

But what makes Velociraptor particularly attractive for abuse as a pseudo-C2 framework? The answer lies in its fundamental design philosophy. As stated in the official documentation: “Rather than collecting all the data into a central location and then running queries on that, we push the queries to the endpoints and parse artifacts directly on the endpoint itself.”

In other words, Velociraptor provides exactly what threat actors need: the ability to operate from a remote location and execute commands, interact with data, and maintain control over remote systems. When we strip away the labels and classifications and focus on core functionality, it offers the precise capabilities that attackers require for post-compromise operations.

 

Velociraptor for Command and Control

The potential for Velociraptor’s abuse as a C2 framework first entered the public consciousness through a prescient observation by security researcher @vysecurity – see Image 1 below.

Image 1. The first recorded mention of Velociraptor as a potential C2 tool dates back to 2023.

 

While this seed was planted in the collective security consciousness back in 2023, the first confirmed instances of real-world abuse only began emerging in August 2025. The first report came from Sophos Counter Threat Unit (CTU) researchers who discovered Velociraptor being leveraged in an active incident.

In this specific case, the threat actors didn’t fully utilize Velociraptor’s extensive capabilities but rather employed it as a stepping stone. They used the tool to download and execute Visual Studio Code, likely intending to establish a reverse tunnel to an attacker-controlled server for more traditional C2 operations.

Since then, additional reports have surfaced documenting similar abuse patterns. Without getting lost in the specifics of each incident, a clear pattern has emerged: threat actors are pivoting to incident response and forensic tools to establish footholds in networks while minimizing the deployment of traditional malware.

 

How is Velociraptor Used as C2?

Though marketed and designed as a forensic investigation platform, Velociraptor’s architecture inadvertently provides an ideal framework for C2 operations. Its client-server model, combined with encrypted communication channels via HTTPS or WSS, creates a robust and covert communication infrastructure.

Command Execution: Velociraptor’s VQL engine allows operators to execute sophisticated queries on remote endpoints, but more importantly, it provides direct shell access. Attackers can run arbitrary commands through cmd.exe or PowerShell on Windows endpoints, or bash on Linux systems. This capability extends beyond simple command execution – VQL can interact with WMI, access the Windows API, and perform complex operations that rival dedicated offensive frameworks.

File Operations: The platform includes comprehensive file system capabilities that attackers find invaluable. Pattern-based searches, filename queries, and even YARA rule scanning enable threat actors to quickly locate sensitive documents, credentials, or configuration files. The interactive file browser in the GUI allows manual exploration of the remote host’s file system, including deep inspection of NTFS alternate data streams and registry hives.

Bidirectional Data Transfer: Velociraptor facilitates seamless data movement in both directions. Attackers can exfiltrate discovered files, logs, or credentials back to their server, while simultaneously uploading additional tools, scripts, or payloads to the compromised endpoint. The platform’s built-in compression and encryption ensure these transfers blend in with legitimate Velociraptor traffic.

System Profiling and Monitoring: Beyond basic enumeration commands executable through shell access, Velociraptor offers extensive telemetry collection capabilities. It can monitor process creation (with or without ETW), track service modifications, log account authentications (including privileged logons), capture network connections in real-time, and even perform memory analysis. These features provide attackers with deep visibility into the target environment, enabling them to understand security controls, identify additional targets for lateral movement, and monitor for defensive actions.

Persistence Mechanisms: The Velociraptor client is designed to maintain persistent connections and survive reboots, making it an ideal implant. Since it’s typically installed as a service (its default configuration), it automatically starts with the system, reconnects to the server after network interruptions, and can be configured to use multiple server endpoints for redundancy.

Evasion Capabilities: Perhaps most significantly, Velociraptor binaries are digitally signed and recognized as legitimate by most security solutions. They’re whitelisted in many environments where forensic investigations are common. The framework’s ability to throttle its resource usage, schedule operations during specific time windows, and blend its traffic with legitimate HTTPS makes detection particularly challenging.

The platform’s extensibility further enhances its appeal to sophisticated threat actors. Velociraptor’s artifact system allows for custom functionality to be added without modifying the core binary. Attackers with moderate development skills can create custom VQL artifacts for specialized operations, implement new data collection methods, or integrate additional offensive capabilities, all while maintaining the appearance of legitimate forensic activity.

It’s crucial to note that while Velociraptor wasn’t designed with offensive operations or stealth in mind, this actually works to the attacker’s advantage in many scenarios. The tool operates openly, making no attempt to hide its presence or activities. This transparency, paradoxically, becomes a form of camouflage – it’s “hiding in plain sight”. As with LOLBins and legitimate RMM tools, the strategy isn’t to avoid detection entirely but rather to blend in with legitimate activity.

 

Scenario and Setup

In today’s investigation, we’re examining a sophisticated breach at a financial services company where threat actors have leveraged an unconventional approach to maintain persistence. The initial compromise occurred when attackers successfully exploited weak password policies combined with the absence of multi-factor authentication on an administrative account. Through a carefully orchestrated password spraying campaign targeting the company’s VPN portal, they gained legitimate credentials for a domain admin account.

Rather than immediately deploying traditional malware or establishing conventional C2 channels that might trigger security alerts, the attackers took a more subtle approach. They recognized that the organization had recently undergone a security audit and had enhanced monitoring for common C2 indicators. To circumvent these defenses, they deployed Velociraptor, presenting it as a legitimate forensic tool that might be used by the IT security team.

The attackers installed the Velociraptor client on a critical Windows 11 workstation (10.0.0.4) belonging to a senior financial analyst. This host was specifically chosen for its access to sensitive financial data and its regular communication with external services, making unusual network traffic less likely to stand out. The Velociraptor server was hosted on a Ubuntu Linux instance (165.22.159.5) within Digital Ocean’s cloud infrastructure, providing the attackers with a disposable, yet reputable-looking command center.

The deployment was executed during a weekend maintenance window when security monitoring was typically reduced. The attackers configured Velociraptor to run as a Windows service, ensuring persistence across reboots, and used legitimate-looking service names and descriptions to avoid arousing suspicion during routine system audits.

 

Network Traffic Analysis with RITA

Our investigation begins with analyzing the network traffic captured over a 24-hour period using RITA. Almost immediately, a connection from the internal host 10.0.0.4 stands out among the standard business traffic, displaying several characteristics that warrant deeper investigation – see Image 2 below.

Image 2. RITA identifies a suspicious connection to 165.22.159.5.

 

The connection to 165.22.159.5 immediately draws attention due to its classification as a high-threat severity finding. Interestingly, despite this classification, the connection shows a beacon score of 0%, which initially might seem contradictory.

However, this makes perfect sense when we examine the connection details more closely: this is actually a single, continuous connection lasting a remarkable 23 hours, 59 minutes, and 58 seconds, essentially spanning our entire 24-hour observation window. A beacon score is derived from the timing of many repeated connections, so a single connection that never closes gives the beacon analysis nothing to score, which is exactly why RITA surfaces it through its long-connection logic instead. The persistent nature of this connection is unusual for standard business applications, which typically establish connections as needed and terminate them after completing their tasks.

The connection metadata reveals that communication to this external host was first observed only in the last 24 hours of our monitoring period, triggering RITA’s “First Seen” modifier. This indicator often signals newly established C2 infrastructure, or the recent deployment of malicious tools.

During this extended connection period, approximately 5.93 MB of data was transferred. While this volume isn’t excessive enough to immediately suggest large-scale data exfiltration, it’s substantial enough to indicate active communication beyond simple keepalive packets. This could represent command execution, file transfers, or reconnaissance data being exchanged between the compromised host and the external server.

The communication occurred over TCP port 8000, which adds another layer of interest to our investigation. While not among the most exotic ports we’ve encountered, port 8000 isn’t a standard service port like 80 or 443.

It’s commonly associated with development environments – particularly Python’s SimpleHTTPServer and Django’s development server – but seeing it used for external communication in a production environment raises questions. It is also the default port on which a Velociraptor server’s frontend accepts client connections (the GUI defaults to 8889), so in this case the attackers simply kept the tool’s default. Legitimate business applications rarely use this port for external communications, so while it doesn’t look overtly suspicious on its own, an outbound 8000/tcp session from a workstation is a cheap first filter for defenders even before connection duration is considered.

 

Network Traffic Analysis with AC-Hunter

Transitioning our investigation to AC-Hunter provides additional context and visual analysis capabilities that complement our RITA findings. Given that we’ve identified this as a long connection, we navigate directly to AC-Hunter’s Long Connections module to examine this suspicious communication channel in greater detail – see Image 3 below.

Image 3. AC-Hunter results for the Long Connections module.

 

AC-Hunter’s interface immediately provides valuable context about our external host. The IP address 165.22.159.5 is allocated to Digital Ocean (the address registration and ASN data attribute it to that organization), which we can verify by leveraging AC-Hunter’s integrated reputation checking features. Clicking through to external databases like VirusTotal, AbuseIPDB, and Shodan confirms this attribution.

At first glance, one might feel reassured that the IP belongs to a reputable cloud service provider. However, this should actually heighten our suspicion rather than allay it. Digital Ocean, along with other major cloud providers like AWS, Azure, and Linode, has become increasingly popular among threat actors precisely because of their strong reputation and the ease with which infrastructure can be provisioned and destroyed. These platforms essentially offer disposable, reputable-looking infrastructure that can be spun up in minutes and abandoned just as quickly when operations conclude or detection occurs.

The fact that our compromised host is communicating directly with an IP address rather than a domain name adds another concerning dimension to our investigation. Attackers often do this to avoid DNS lookups in an attempt to reduce their footprint and prevent domain-based blocking. Direct IP communication can also indicate hastily deployed infrastructure where the attackers haven’t bothered to establish domain names, or a deliberate attempt to avoid leaving DNS resolution artifacts that could aid in attribution or timeline reconstruction.

AC-Hunter’s visualization of this connection as a single, unbroken session spanning nearly 24 hours reinforces our concern. Unlike beaconing behavior, which would show periodic connections with sleep intervals, or normal application traffic, which would show multiple shorter connections, this persistent connection suggests a maintained channel designed for real-time interaction – exactly what we’d expect from a remote access tool or C2 framework maintaining an active session.

Unfortunately, the network traffic alone doesn’t provide enough granular detail to definitively identify what type of application is generating this traffic. As the adage in threat hunting goes: “Network for breadth, endpoint for depth.” The network analysis has successfully identified suspicious activity and provided valuable context, but to understand the true nature of this connection, we need to pivot to endpoint analysis.

 

Endpoint Analysis with System Informer

To gain deeper visibility into the suspicious connection, we turn to System Informer (formerly Process Hacker), a powerful Windows system monitoring tool that provides detailed information about running processes, services, and network connections.

Navigating to the Network tab, we search for our connection of interest – 165.22.159.5:8000 – to identify which process is responsible for this persistent communication channel. The search immediately reveals that the process maintaining this connection is Velociraptor.exe, running with Process ID 82328 – see Image 4 below.

Image 4. System Informer identifies the process responsible for mediating the connection to 165.22.159.5:8000.

 

Double-clicking on the process entry opens a detailed properties window that provides crucial information about this executable – Image 5 below.

Image 5. System Informer provides additional insights regarding the legitimacy of the process.

 

Several indicators immediately suggest this is a legitimate instance of the Velociraptor forensic tool rather than malware masquerading under its name. The binary has a valid digital signature from the Velociraptor developers (Rapid7), with the certificate chain properly validated by Windows. The process name and image name match exactly what we’d expect for an authentic Velociraptor installation.

Further examination shows the process was spawned by services.exe, indicating it’s running as a Windows service – the standard deployment method for Velociraptor clients. The executable is located in C:\Windows\System32. Note that this is not where a stock Velociraptor client installs itself: the install_path in a generated client configuration defaults to $ProgramFiles\Velociraptor\Velociraptor.exe, so a copy under System32 reflects a deliberate choice to place the binary alongside legitimate Windows components (T1036.005, Match Legitimate Name or Location, as listed above). Wherever the binary sits, its signature still validates, so location alone doesn’t settle the question of legitimacy.

While it’s theoretically possible that malware could be injecting into a legitimate Velociraptor process or that a sophisticated threat actor has trojanized the binary while maintaining its digital signature, the evidence strongly suggests we’re dealing with an authentic Velociraptor installation. This leads us to the critical question that will determine whether this is a security incident or a false positive.

 

The Context Question

The pivotal question now becomes: Is Velociraptor a tool sanctioned for use within the organization?

After consulting with the IT security team and reviewing the approved software inventory, we confirm that Velociraptor is not authorized for use in this environment. The security team does not use Velociraptor for incident response or forensic investigations, preferring other commercial solutions. No recent security audits, penetration tests, or forensic investigations involving Velociraptor have been scheduled or conducted.

This revelation immediately elevates our investigation from suspected to confirmed compromise. The presence of an unauthorized forensic tool configured with remote access capabilities, establishing persistent connections to external infrastructure, represents a clear security breach. The probability of compromise has reached the threshold where our role as threat hunters concludes, and we must immediately escalate to the Incident Response team for containment and remediation.

 

Detection and Hunting Recommendations

The abuse of Velociraptor as a C2 framework presents unique detection challenges, but several strategies can help organizations identify and prevent such compromises.

Network-Based Detection:

Monitor for persistent connections to external hosts over non-standard ports, particularly port 8000 (Velociraptor’s default frontend port for client connections) or other development-associated ports (8080, 8888, 3000, 5000). While Velociraptor can be configured to use any port, attackers often stick with defaults. Long-duration connections that persist for hours or days, especially to cloud provider IP ranges, deserve immediate investigation.

Pay special attention to connections that were recently established to previously uncommunicated external hosts. RITA’s “First Seen” modifier can help identify newly deployed C2 infrastructure. Even without beaconing behavior, the persistence and duration of connections can be strong indicators of remote access tools.
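The network-side hunt described above can be scripted directly against Zeek’s conn.log, which is the same data RITA consumes. The following is an added example written for this post, not RITA’s code and not part of the original article. It parses a handful of constructed conn.log records (the first row mimics the 23h59m58s session to 165.22.159.5:8000 with byte counts chosen to sum to roughly 5.93 MB; the others are benign filler), aggregates internal-to-external TCP traffic per source/destination/port, and reports any pair with a single connection longer than a threshold, annotating each with a “first seen” flag (relative to an assumed baseline set of previously observed hosts) and a non-standard-port flag. The four-hour threshold and the baseline set are assumptions.

```python
"""Hunt a Zeek conn.log for long-lived internal-to-external TCP connections.

Added example for this post; it mirrors RITA's long-connection and
"first seen" logic at a basic level and is not RITA's own code.
"""
import ipaddress

STANDARD_PORTS = {80, 443}
LONG_CONNECTION_SECONDS = 4 * 3600  # assumption: tune to your environment

# Constructed sample (not a real capture): a subset of conn.log fields, TSV
# with Zeek's '#fields' header. Row 1 mimics the 23h59m58s Velociraptor
# session; row 4 has unset ('-') fields to exercise that code path.
SAMPLE_CONN_LOG = (
    "#separator \\x09\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration\torig_bytes\tresp_bytes\n"
    "1726000000.000000\tC1aaaa\t10.0.0.4\t51234\t165.22.159.5\t8000\ttcp\tssl\t86398.000000\t2100000\t3830000\n"
    "1726000010.000000\tC2bbbb\t10.0.0.4\t51240\t52.96.10.1\t443\ttcp\tssl\t12.500000\t4000\t150000\n"
    "1726000020.000000\tC3cccc\t10.0.0.4\t51241\t10.0.0.1\t53\tudp\tdns\t0.020000\t60\t120\n"
    "1726000030.000000\tC4dddd\t10.0.0.4\t51250\t52.96.10.1\t443\ttcp\tssl\t-\t-\t-\n"
)


def _num(value, cast):
    """Zeek writes '-' for unset fields; map those to None instead of crashing."""
    return None if value in (None, "-", "(empty)") else cast(value)


def parse_conn_log(text):
    """Parse conn.log text into a list of dicts keyed by the '#fields' header."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue
        else:
            if fields is None:
                raise ValueError("conn.log data encountered before the #fields header")
            records.append(dict(zip(fields, line.split("\t"))))
    return records


def find_long_connections(records, min_seconds=LONG_CONNECTION_SECONDS, baseline_hosts=frozenset()):
    """Return internal->external TCP (src, dst, port) pairs with at least one
    connection lasting >= min_seconds, longest first.

    baseline_hosts: external IPs already seen in earlier logs; a destination
    missing from it gets the 'first_seen' modifier, as RITA applies it.
    """
    agg = {}
    for rec in records:
        if rec.get("proto") != "tcp":
            continue
        try:
            src_ip = ipaddress.ip_address(rec["id.orig_h"])
            dst_ip = ipaddress.ip_address(rec["id.resp_h"])
        except (KeyError, ValueError):
            continue
        # is_global excludes RFC1918, loopback, link-local and other reserved ranges
        if not (src_ip.is_private and dst_ip.is_global):
            continue
        duration = _num(rec.get("duration"), float)
        if duration is None:  # no duration recorded (e.g. never completed)
            continue
        key = (str(src_ip), str(dst_ip), int(rec["id.resp_p"]))
        entry = agg.setdefault(key, {"longest_seconds": 0.0, "total_bytes": 0, "connections": 0})
        entry["longest_seconds"] = max(entry["longest_seconds"], duration)
        entry["total_bytes"] += (_num(rec.get("orig_bytes"), int) or 0) + (_num(rec.get("resp_bytes"), int) or 0)
        entry["connections"] += 1

    findings = []
    for (src, dst, port), entry in agg.items():
        if entry["longest_seconds"] < min_seconds:
            continue
        findings.append({
            "src": src, "dst": dst, "port": port,
            "longest_seconds": entry["longest_seconds"],
            "total_bytes": entry["total_bytes"],
            "connections": entry["connections"],
            "first_seen": dst not in baseline_hosts,
            "nonstandard_port": port not in STANDARD_PORTS,
        })
    return sorted(findings, key=lambda f: -f["longest_seconds"])


if __name__ == "__main__":
    seen_before = {"52.96.10.1"}  # assumption: built from the previous days' conn.logs
    for f in find_long_connections(parse_conn_log(SAMPLE_CONN_LOG), baseline_hosts=seen_before):
        mods = [m for m, on in (("first seen", f["first_seen"]), ("non-standard port", f["nonstandard_port"])) if on]
        print(f"{f['src']} -> {f['dst']}:{f['port']}  longest {f['longest_seconds'] / 3600:.2f} h, "
              f"{f['total_bytes'] / 1e6:.2f} MB over {f['connections']} connection(s)  [{', '.join(mods)}]")
```

Feed parse_conn_log the real conn.log from the Zeek bundle at the end of this post and build the baseline from older logs; the threshold should be tuned to what your environment’s VPN, database and messaging sessions normally look like, since those are the usual legitimate long connections.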

Endpoint-Based Detection:

The presence of Velociraptor on any system where it isn’t explicitly authorized should be treated as a critical security event. Organizations should maintain strict inventories of approved forensic and administrative tools, with any deviation triggering immediate alerts.

Monitor for the creation of new services, particularly those with names like “Velociraptor,” “velociraptor-client,” or variations thereof. The default service installation creates distinctive artifacts: a System log Event ID 7045 (“A service was installed in the system”) naming the service and its image path, and a service key under HKLM\SYSTEM\CurrentControlSet\Services\. Process creation events for Velociraptor.exe, especially when spawned by services.exe or running with SYSTEM privileges, should generate high-priority alerts in environments where the tool isn’t authorized. Because the binary can be renamed, also match on the client launch command line (the --config <client config> client arguments) rather than on the file name alone.
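The endpoint checks above, run over event records, as an added example written for this post (not part of the original article and not tied to any particular SIEM). The events are constructed dictionaries shaped like the fields carried by Windows System log Event ID 7045 (service installed) and Sysmon Event ID 1 (process creation); the hostnames and the authorized-host set are assumptions. Besides the obvious name match, it flags the Velociraptor client launch pattern (--config <file> client) so a renamed copy still surfaces, and it downgrades hits on hosts where the tool is sanctioned rather than suppressing them, so the IR team’s own jump box still appears in the output for context.

```python
"""Classify Windows service-install and process-creation events for Velociraptor use.

Added example for this post. The command-line heuristic is just that: a
'server' or 'gui' invocation whose config path happens to contain the word
'client' would also match, so treat hits as leads, not verdicts.
"""
import re

NAME_RE = re.compile(r"velociraptor", re.IGNORECASE)
# How the client is launched: velociraptor.exe --config <client.config.yaml> client
CLIENT_CMD_RE = re.compile(r"--config\s+\S+.*\bclient\b", re.IGNORECASE)

R_NAME = "service name or image path references Velociraptor"
R_SVC_CMD = "service command line matches the client launch pattern (--config <file> client)"
R_IMAGE = "process image is Velociraptor.exe"
R_PARENT = "spawned by services.exe (running as a service)"
R_SYSTEM = "running as SYSTEM"
R_PROC_CMD = "command line matches the client launch pattern under a different image name"

# Constructed events (assumed hostnames). Field names follow the 7045 / Sysmon 1 schemas.
SAMPLE_EVENTS = [
    {"host": "FIN-WS-04", "source": "System", "event_id": 7045, "ServiceName": "Velociraptor",
     "ImagePath": r'"C:\Windows\System32\Velociraptor.exe" --config "C:\Windows\System32\client.config.yaml" client',
     "AccountName": "LocalSystem"},
    {"host": "FIN-WS-04", "source": "Sysmon", "event_id": 1,
     "Image": r"C:\Windows\System32\Velociraptor.exe", "ParentImage": r"C:\Windows\System32\services.exe",
     "User": r"NT AUTHORITY\SYSTEM",
     "CommandLine": r'"C:\Windows\System32\Velociraptor.exe" --config "C:\Windows\System32\client.config.yaml" client'},
    {"host": "FIN-WS-04", "source": "Sysmon", "event_id": 1,
     "Image": r"C:\Windows\System32\svchost.exe", "ParentImage": r"C:\Windows\System32\services.exe",
     "User": r"NT AUTHORITY\SYSTEM", "CommandLine": "svchost.exe -k netsvcs"},
    {"host": "IR-JUMP-01", "source": "System", "event_id": 7045, "ServiceName": "Velociraptor",
     "ImagePath": r'"C:\Program Files\Velociraptor\Velociraptor.exe" --config "C:\Program Files\Velociraptor\client.config.yaml" client',
     "AccountName": "LocalSystem"},
    # Renamed binary and service, but still launched as a Velociraptor client.
    {"host": "FIN-WS-04", "source": "System", "event_id": 7045, "ServiceName": "WinDefendHelper",
     "ImagePath": r'"C:\ProgramData\svc\helper.exe" --config "C:\ProgramData\svc\c.yaml" client',
     "AccountName": "LocalSystem"},
]


def classify_event(ev, authorized_hosts):
    """Return a finding dict for a Velociraptor-related event, or None."""
    reasons = []
    if ev["event_id"] == 7045:
        if NAME_RE.search(ev.get("ServiceName", "")) or NAME_RE.search(ev.get("ImagePath", "")):
            reasons.append(R_NAME)
        if CLIENT_CMD_RE.search(ev.get("ImagePath", "")):
            reasons.append(R_SVC_CMD)
    elif ev["event_id"] == 1:
        if NAME_RE.search(ev.get("Image", "")):
            reasons.append(R_IMAGE)
            if ev.get("ParentImage", "").lower().endswith("\\services.exe"):
                reasons.append(R_PARENT)
            if ev.get("User", "").upper().endswith("\\SYSTEM"):
                reasons.append(R_SYSTEM)
        elif CLIENT_CMD_RE.search(ev.get("CommandLine", "")):
            reasons.append(R_PROC_CMD)
    if not reasons:
        return None
    # Sanctioned hosts still get recorded; the context question decides severity.
    severity = "info" if ev["host"] in authorized_hosts else "critical"
    return {"host": ev["host"], "event_id": ev["event_id"], "severity": severity, "reasons": reasons}


def hunt(events, authorized_hosts):
    """Run classify_event over a stream of events, keeping only the hits."""
    return [r for r in (classify_event(e, authorized_hosts) for e in events) if r]


if __name__ == "__main__":
    for r in hunt(SAMPLE_EVENTS, authorized_hosts={"IR-JUMP-01"}):
        print(f"[{r['severity']}] {r['host']} EID {r['event_id']}: " + "; ".join(r["reasons"]))
```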

Behavioral Indicators:

Even in environments where Velociraptor is legitimately used, several behavioral patterns can help distinguish legitimate forensic activity from abuse. Legitimate forensic investigations are typically time-bounded, documented, and involve communication to known infrastructure controlled by the security team or authorized third-party investigators.

Key differentiators include:

  • Communication to infrastructure in public cloud providers rather than corporate-controlled servers
  • Continuous connections lasting days or weeks rather than discrete investigation periods
  • Absence of corresponding incident tickets or investigation documentation
  • Velociraptor clients on systems that wouldn’t typically be subjects of forensic investigation
  • Data flows that don’t match investigation patterns (steady trickles rather than focused collection periods)

 

Proactive Hardening:

Organizations using Velociraptor legitimately should implement controls to prevent its abuse. All legitimate Velociraptor servers should be hosted on known, documented infrastructure with IP addresses added to allowlists. Network segmentation should prevent Velociraptor clients from communicating with external servers except through documented exceptions.

Velociraptor clients already pin their server: the client configuration embeds the server’s CA certificate (ca_certificate) and the permitted server_urls, and a client will not talk to a server whose certificate doesn’t chain to that CA. This cuts both ways. A sanctioned client can’t be redirected to an attacker’s server, but an attacker-deployed client carries the attacker’s own CA and URLs, which makes any client.config.yaml discovered on a host easy to triage: if its CA and server_urls don’t match the organization’s known deployment, it isn’t yours. Regular audits of running services and installed software can identify unauthorized Velociraptor installations before they’re actively used for malicious purposes.
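The config triage described above, as an added example for this post (not Velociraptor’s own code). It pulls the Client.server_urls, Client.ca_certificate and windows_installer fields out of a client.config.yaml with a small line-based extractor (enough for the layout Velociraptor generates; use PyYAML for anything more involved), then checks the server hosts against an allowlist, flags bare IP literals, compares the CA against the organization’s known fingerprint, and notes non-default service names and install paths. Both configs are constructed, the certificate bodies are placeholder text rather than real certificates, and the hostname velociraptor.corp.example is an assumption. The fingerprint is a SHA-256 over the base64 PEM body so the example runs without third-party packages; in production compare the DER fingerprint.

```python
"""Triage a Velociraptor client.config.yaml found on a host.

Added example for this post. Answers three questions a hunter asks when the
file turns up: does it point at our servers, does it trust our CA, and is it
installed where we install it?
"""
import hashlib
import ipaddress
from urllib.parse import urlsplit

# Defaults from a freshly generated Velociraptor client config.
DEFAULT_SERVICE_NAME = "Velociraptor"
DEFAULT_INSTALL_PATH = r"$ProgramFiles\Velociraptor\Velociraptor.exe"

# Constructed configs. Certificate bodies are placeholders, not real certificates.
SANCTIONED_CONFIG = r"""
version:
  name: velociraptor
  version: 0.7.1
Client:
  server_urls:
  - https://velociraptor.corp.example:8000/
  ca_certificate: |
    -----BEGIN CERTIFICATE-----
    CORPORATE-CA-PLACEHOLDER
    -----END CERTIFICATE-----
  nonce: Y29ycG9yYXRlLW5vbmNl
  windows_installer:
    service_name: Velociraptor
    install_path: $ProgramFiles\Velociraptor\Velociraptor.exe
"""

ROGUE_CONFIG = r"""
version:
  name: velociraptor
  version: 0.7.1
Client:
  server_urls:
  - https://165.22.159.5:8000/
  ca_certificate: |
    -----BEGIN CERTIFICATE-----
    ATTACKER-CA-PLACEHOLDER
    -----END CERTIFICATE-----
  nonce: YXR0YWNrZXItbm9uY2U=
  windows_installer:
    service_name: Velociraptor
    install_path: C:\Windows\System32\Velociraptor.exe
"""


def extract_client_fields(config_text):
    """Line-based extraction of the few Client.* fields we care about.

    Handles the generated layout (server_urls as a list, ca_certificate as a
    '|' block scalar, one windows_installer stanza); not a general YAML parser.
    """
    fields = {"server_urls": [], "ca_certificate": "", "service_name": None, "install_path": None}
    lines = config_text.splitlines()
    i = 0
    while i < len(lines):
        stripped = lines[i].strip()
        if stripped == "server_urls:":
            i += 1
            while i < len(lines) and lines[i].strip().startswith("- "):
                fields["server_urls"].append(lines[i].strip()[2:].strip())
                i += 1
            continue
        if stripped.startswith("ca_certificate:"):
            indent = len(lines[i]) - len(lines[i].lstrip())
            i += 1
            pem = []
            while i < len(lines) and lines[i].strip() and (len(lines[i]) - len(lines[i].lstrip())) > indent:
                pem.append(lines[i].strip())
                i += 1
            fields["ca_certificate"] = "\n".join(pem)
            continue
        for key in ("service_name", "install_path"):
            if stripped.startswith(key + ":"):
                fields[key] = stripped[len(key) + 1:].strip()
        i += 1
    return fields


def ca_fingerprint(pem_text):
    """SHA-256 over the base64 PEM body with armor and whitespace removed, so
    indentation differences between files do not change the result."""
    body = "".join(line.strip() for line in pem_text.splitlines()
                   if line.strip() and not line.strip().startswith("-----"))
    return hashlib.sha256(body.encode()).hexdigest()


def triage_client_config(config_text, approved_hosts, approved_ca_fingerprint):
    """Return human-readable findings; an empty list means the config matches
    the organization's sanctioned deployment."""
    f = extract_client_fields(config_text)
    findings = []
    if not f["server_urls"]:
        findings.append("no server_urls found (not a client config?)")
    for url in f["server_urls"]:
        host = urlsplit(url).hostname or ""
        if host not in approved_hosts:
            findings.append(f"server_url {url} points at unapproved host {host}")
        try:
            ipaddress.ip_address(host)
            findings.append(f"server_url {url} uses a bare IP address rather than a corporate DNS name")
        except ValueError:
            pass
    if ca_fingerprint(f["ca_certificate"]) != approved_ca_fingerprint:
        findings.append("ca_certificate does not match the organization's Velociraptor CA; "
                        "clients using this config will only talk to someone else's server")
    if f["service_name"] and f["service_name"] != DEFAULT_SERVICE_NAME:
        findings.append(f"non-default service_name {f['service_name']!r}")
    if f["install_path"] and f["install_path"] != DEFAULT_INSTALL_PATH:
        findings.append(f"non-default install_path {f['install_path']!r}")
    return findings


# Assumed organizational baseline, derived here from the sanctioned config.
APPROVED_HOSTS = {"velociraptor.corp.example"}
APPROVED_CA_FINGERPRINT = ca_fingerprint(extract_client_fields(SANCTIONED_CONFIG)["ca_certificate"])

if __name__ == "__main__":
    for label, cfg in (("sanctioned", SANCTIONED_CONFIG), ("rogue", ROGUE_CONFIG)):
        print(f"{label}: {triage_client_config(cfg, APPROVED_HOSTS, APPROVED_CA_FINGERPRINT) or ['no findings']}")
```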

For comprehensive guidance on detecting Velociraptor abuse and distinguishing legitimate from malicious use, Rapid7 (the developers of Velociraptor) have published an excellent guide that provides additional technical indicators and detection strategies.

 

Conclusion

This investigation into Velociraptor’s abuse as a C2 framework illuminates an ironic evolution in the threat landscape – the weaponization of the very tools designed to protect us. As defenders, we must reckon with an uncomfortable truth: the distinction between legitimate administrative tools and malicious software has become increasingly meaningless from a practical detection standpoint.

Just as threat actors adapted to EDR and IDS deployments by embracing LOLBins and RMM tools, they’re now co-opting the specialized tools of incident responders themselves. And this isn’t just ironic – it’s strategically brilliant. What better way to evade detection than to use the very tools that security teams trust and whitelist?

In the current era of “living off the land” and tool abuse, we spend the majority of our time not hunting for things that are definitively malicious, nor dismissing things that are obviously benign, but rather scrutinizing the vast gray area in between. A knife can be a tool or a weapon – its nature is determined not by its form but by its use. The same principle applies to every administrative tool, forensic platform, and system utility in our environment.

This case reinforces several critical lessons for the defensive community. First, we cannot trust software simply because it’s “legitimate” or signed by a reputable vendor. The presence of valid digital signatures, proper service installation, and authentic file properties means nothing if the tool’s use doesn’t align with authorized business purposes. Security isn’t just about preventing malware – it’s about preventing unauthorized use of any software that provides remote access or control capabilities.

Second, the principle of “network for breadth, endpoint for depth” proved invaluable in this investigation. RITA’s network analysis cast the wide net that identified suspicious behavior – a persistent, long-duration connection to cloud infrastructure. AC-Hunter deepened that analysis with additional context. But it was only through endpoint investigation that we could definitively identify the tool in use and determine whether its presence was authorized.

The role of behavioral analysis tools like RITA and AC-Hunter cannot be overstated. These applications excel at identifying anomalies that signature-based detection would miss entirely. Velociraptor’s traffic is encrypted, its binary is signed, and its behavior is “legitimate” from a technical standpoint.

Yet the behavioral anomaly of a 24-hour persistent connection to previously unseen infrastructure provided the crucial first indication of compromise. This behavioral approach scales across any tool abuse scenario – whether attackers use Velociraptor, legitimate RMM tools, or the next generation of repurposed administrative software.

The evolution from traditional malware to LOLBins to RMM abuse to forensic tool weaponization represents a clear trend: attackers will continue to adopt whatever tools provide reliable remote access while minimizing detection risk. As defenders, we must evolve our detection philosophy accordingly. We’re no longer just hunting for malware – we’re hunting for misuse, for anomalies, for activities that don’t align with authorized business purposes regardless of the tools involved.

Ultimately, this investigation serves as both a warning and a roadmap. The warning: assume that any tool capable of remote access or control will eventually be abused by threat actors. The roadmap: through systematic behavioral analysis, layered detection strategies, and a deep understanding of our environment’s legitimate baseline, we can identify and respond to these evolving threats before they achieve their objectives.

 

 

Capture Files

PCAPs

Because… PCAPs, or it didn’t happen. 😊

The following PCAP files are packet captures taken from the same lab environment over a 24-hour time frame. The files were generated using Wireshark from the target host and include normal Windows OS traffic and normal network broadcast traffic. They have not been edited. The PCAPs are safe, standard PCAP files and do not include any actual malware.

Velociraptor 24 Hour Capture
velociraptor_24hr.pcapng
File Size: 1.2 GB
SHA-256 Checksum: 04F81F4B1287FDA2D3929FB9834E717801BE86BDCCA8AB8315F77A0F8D4D50B5

 

Zeek Logs

If you are an AC-Hunter or RITA user, we are providing the 24-hour Zeek logs for you to import directly into AC-Hunter or RITA. The following Zeek Logs have been taken from the same lab environment over a 24-hour time frame and include normal Windows OS traffic and normal network broadcast traffic. They have not been edited. The Zeek logs are safe, standard log files and do not include any actual malware.

Importing Zeek logs into AC-Hunter or RITA example:

ssh into your AC-Hunter or RITA server and upload all the Zeek logs contained in the zip file below (all files that have the ‘.log’ extension) into a temporary directory on the server. In this example, we are uploading the Zeek logs into /tmp/velociraptor_zeek/

Then run the following command:

For AC-Hunter v6.x and RITA v4.x and earlier:

rita import /tmp/velociraptor_zeek/*.log velociraptor

For RITA v5.x+:

rita import --logs=/tmp/velociraptor_zeek/*.log --database=velociraptor

You will now have a new database in the AC-Hunter UI/web interface or RITA CLI titled “velociraptor” you can select and view.

 

Velociraptor 24 Hour Zeek Logs
velociraptor_zeek.zip
Size: 11.7MB
SHA256 Checksum: 8C5B8C83E15BB602122069CB029EEFE0839CDC11E1C2296E25304EF75DF93C3C

 

Discussion

Want to talk about this or anything else concerning threat hunting? Want to share how good (or not so good) other detection tools were able to detect this sample?

You are welcome to join our Discord server titled “Threat Hunter Community” to discuss topics surrounding threat hunting. We invite you to join our server here.

 

 

Interested in threat hunting tools? Check out AC-Hunter

Active Countermeasures is passionate about providing quality, educational content for the Infosec and Threat Hunting community. We appreciate your feedback so we can keep providing the type of content the community wants to see. Please feel free to Email Us with your ideas!

 
