Velociraptor WSUS Exploitation, Pt. I: WSUS-Up?

Source: Huntress Blog

Author: unknown

URL: https://www.huntress.com/blog/velociraptor-misuse-part-one-wsus-up

ONE SENTENCE SUMMARY:

Threat actors exploited a WSUS vulnerability to install Velociraptor for remote access, adding to a growing number of incidents in which dual-use tools are abused.

MAIN POINTS:

  1. In November, threat actors exploited a WSUS vulnerability (CVE-2025-59287) to gain initial access.
  2. Velociraptor, an open-source tool, was used for command-and-control (C2) communications.
  3. Huntress SOC observed increased misuse of Velociraptor over recent months.
  4. The WSUS vulnerability was patched by Microsoft on October 23.
  5. Cisco Talos linked Velociraptor activity to a SharePoint vulnerability called ToolShell.
  6. Threat actors installed Velociraptor with a malicious MSI from s3.wasabisys.com.
  7. PowerShell commands were used post-installation for system discovery.
  8. Dual-use tools like Cobalt Strike and Mimikatz have been similarly abused.
  9. Velociraptor is part of a larger trend of legitimate tools being misused.
  10. Further insights on Velociraptor misuse will continue in part two of the series.

TAKEAWAYS:

  1. Vigilance is crucial as legitimate tools like Velociraptor are increasingly misused for attacks.
  2. Regular patching mitigates vulnerabilities such as the recently addressed WSUS flaw.
  3. Velociraptor’s use in attacks highlights the need for careful monitoring of network tools.
  4. Understanding tool behavior and misuse patterns can enhance incident response strategies.
  5. Expect continued evolution in the misuse of dual-purpose open-source tools by threat actors.