Hackers are exploiting Velociraptor, Cloudflare Tunnels, and VS Code SSH to achieve covert persistence in corporate networks. Find out how to defend against “living off the land” attacks.
During a routine investigation into a ransomware attack, Microsoft's DART (Detection and Response Team) uncovered a much more complex operation. The attack group tracked as Storm-2603 had compromised on-premises SharePoint servers, which had been under attack since mid-2025, and then built a multi-layered system for persistent access using exclusively legitimate and trusted tools.
Even more alarming was the discovery that a second, independent attacker was simultaneously operating within the same compromised environment—using different techniques, including malicious DLL sideloading and custom backdoors. The presence of two overlapping campaigns significantly complicated both the detection and attribution of the attack.
How the Attack Worked
Storm-2603 based its operation on the exploitation of tools that security teams typically consider trustworthy:
- Velociraptor — an open-source forensic tool, run with SYSTEM privileges to map the compromised environment. Its presence on the network does not raise suspicion, because legitimate security teams routinely use it themselves
- Cloudflare Tunnels — allowed the attackers to route communication through a trusted third party and bypass conventional network monitoring
- Zoho Assist — a remote access tool that creates an additional redundant channel
- VS Code SSH — SSH connections via Visual Studio Code as an additional backup access point
The combination of these channels ensured that even if one access point was discovered and blocked, the attackers maintained their presence on the network through the others.
After gaining access, the attackers escalated their privileges by creating new local and domain administrator accounts. They also exploited a vulnerable driver to manipulate system memory and disable security tools.
Why This Is Dangerous
This campaign illustrates a growing trend: attackers are relying less and less on their own malware and are instead exploiting tools that already exist in the environment or that security teams actively use. This approach—known as “living off the land”—significantly complicates detection, as the malicious activity is indistinguishable from normal administrative activity at first glance.
Furthermore, the simultaneous presence of two independent attackers in a single environment indicates that compromised systems are actively being shared or sold among groups on the dark web.
What to Do
Microsoft and its DART team recommend:
- Prioritize patching systems accessible from the internet — SharePoint and other on-premises servers are often the first point of entry
- Strengthen identity security — the misuse of login credentials played a key role in privilege escalation
- Monitor the use of tools such as Velociraptor, VS Code, Zoho Assist, and tunneling services — legitimate software can be a silent indicator of a compromise
- Deploy endpoint protection across the board and centrally store telemetry
- Have a tested Incident Response plan ready for immediate activation
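The monitoring recommendation above only works if "legitimate tool seen" is compared against where that tool is supposed to run. The following is an added example, written for this article and not code from Microsoft, DART or any of the vendors named: it triages process-creation events for the four tools the campaign used against a per-tool baseline (sanctioned hosts, accounts and install paths) and escalates a match that runs as SYSTEM outside that baseline. Event fields imitate Sysmon Event ID 1 (Image, CommandLine, ParentImage, User, Computer); the events, hostnames, accounts and paths are constructed, and the Zoho Assist binary names are assumptions rather than vendor-confirmed values.

```python
"""Triage process-creation events for dual-use remote-access and forensic tooling.

Added example for this article; not code from Microsoft, DART or any named vendor.
Events imitate Sysmon Event ID 1 fields. All hosts, accounts, paths and events are
constructed; the Zoho Assist binary names in RULES are assumptions.
"""
import json
import re

SYSTEM_ACCOUNTS = {"nt authority\\system", "system"}


def _vscode_ssh(image, cmd, parent):
    # VS Code Remote-SSH starts an ssh client as a child of the editor process,
    # so the parent image is the distinguishing signal, not ssh.exe itself.
    return image.endswith(("\\ssh.exe", "/ssh")) and (
        "code.exe" in parent or parent.endswith("/code"))


# (tool, predicate over lowercased image, command line and parent image)
RULES = [
    ("Velociraptor", lambda i, c, p: "velociraptor" in i or "velociraptor" in c),
    ("Cloudflare Tunnel", lambda i, c, p: "cloudflared" in i
     and re.search(r"\btunnel\b", c) is not None),
    # Assumed binary names for Zoho Assist; adjust to what your inventory shows.
    ("Zoho Assist", lambda i, c, p: re.search(
        r"zoho.?assist|\bza_(access|connect)", i + " " + c) is not None),
    ("VS Code SSH", _vscode_ssh),
]

# Where each tool is sanctioned (constructed baseline): Velociraptor only from its
# managed install path or on the SOC server, Zoho Assist only from the helpdesk
# host or account, VS Code SSH only from developer workstations, tunnels nowhere.
BASELINE = {
    "Velociraptor": {"hosts": {"soc-velo01"}, "users": set(),
                     "paths": ("c:\\program files\\velociraptor\\",)},
    "Cloudflare Tunnel": {"hosts": set(), "users": set(), "paths": ()},
    "Zoho Assist": {"hosts": {"helpdesk-07"}, "users": {"corp\\helpdesk"}, "paths": ()},
    "VS Code SSH": {"hosts": {"dev-ws-12"}, "users": {"corp\\alice"}, "paths": ()},
}


def assess(tool, event):
    """Return (severity, reason) for one matched tool on one event."""
    base = BASELINE[tool]
    host = event["Computer"].lower()
    user = event["User"].lower()
    image = event["Image"].lower()
    if host in base["hosts"] or user in base["users"] or image.startswith(base["paths"]):
        return "expected", "matches baseline"
    if user in SYSTEM_ACCOUNTS:
        return "high", "runs as SYSTEM on a host outside the baseline"
    return "review", "tool present on a host/account outside the baseline"


def triage(event):
    """Return findings for one parsed event (empty list if no tool matched)."""
    image = event.get("Image", "").lower()
    cmd = event.get("CommandLine", "").lower()
    parent = event.get("ParentImage", "").lower()
    findings = []
    for tool, matches in RULES:
        if matches(image, cmd, parent):
            severity, reason = assess(tool, event)
            findings.append({"tool": tool, "severity": severity, "reason": reason,
                             "host": event["Computer"], "user": event["User"]})
    return findings


def scan(lines):
    """Parse JSON lines and return all findings, highest severity first."""
    order = {"high": 0, "review": 1, "expected": 2}
    findings = []
    for line in lines:
        if line.strip():
            findings.extend(triage(json.loads(line)))
    return sorted(findings, key=lambda f: order[f["severity"]])


# Constructed sample telemetry: one SOC server, one developer workstation, one
# helpdesk host, and a SharePoint web server showing the tooling from the article.
SAMPLE_EVENTS = r"""
{"Computer": "soc-velo01", "User": "NT AUTHORITY\\SYSTEM", "Image": "C:\\Program Files\\Velociraptor\\Velociraptor.exe", "CommandLine": "Velociraptor.exe --config server.config.yaml frontend", "ParentImage": "C:\\Windows\\System32\\services.exe"}
{"Computer": "sp-web01", "User": "NT AUTHORITY\\SYSTEM", "Image": "C:\\ProgramData\\svc\\velociraptor.exe", "CommandLine": "velociraptor.exe --config client.config.yaml client", "ParentImage": "C:\\Windows\\System32\\cmd.exe"}
{"Computer": "sp-web01", "User": "CORP\\sp-admin2", "Image": "C:\\Users\\Public\\cloudflared.exe", "CommandLine": "cloudflared.exe tunnel run --token REDACTED-CONSTRUCTED", "ParentImage": "C:\\Windows\\System32\\cmd.exe"}
{"Computer": "dev-ws-12", "User": "CORP\\alice", "Image": "C:\\Windows\\System32\\OpenSSH\\ssh.exe", "CommandLine": "ssh.exe -T -o ConnectTimeout=15 build-box", "ParentImage": "C:\\Users\\alice\\AppData\\Local\\Programs\\Microsoft VS Code\\Code.exe"}
{"Computer": "sp-web01", "User": "CORP\\sp-admin2", "Image": "C:\\Windows\\System32\\OpenSSH\\ssh.exe", "CommandLine": "ssh.exe -T -o ConnectTimeout=15 relay-host", "ParentImage": "C:\\Users\\sp-admin2\\AppData\\Local\\Programs\\Microsoft VS Code\\Code.exe"}
{"Computer": "sp-web01", "User": "CORP\\sp-admin2", "Image": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe", "ParentImage": "C:\\Windows\\explorer.exe"}
{"Computer": "helpdesk-07", "User": "CORP\\helpdesk", "Image": "C:\\Program Files (x86)\\ZohoMeeting\\ZA_Access.exe", "CommandLine": "ZA_Access.exe", "ParentImage": "C:\\Windows\\explorer.exe"}
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS.splitlines()):
        print(f"{f['severity']:8} {f['tool']:17} {f['host']:12} {f['user']:22} {f['reason']}")
```

The baseline is the part worth maintaining: a Velociraptor agent running as SYSTEM is normal on hosts where the SOC deployed it, so the signal is the combination of the tool, the account it runs under and the host or path it runs from, not the tool name alone. Tunnel clients get an empty baseline on purpose, so every tunnel process lands in the review queue.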