Hackers Abused Velociraptor, Cloudflare Tunnels, Zoho Assist, and VS Code SSH to Stay Inside Networks

Microsoft incident responders found two separate threat actors operating inside the same compromised environment during a ransomware investigation, turning what first looked like a single intrusion into a much broader security case.

The main actor, tracked as Storm-2603, used a mix of legitimate tools and attacker-controlled infrastructure to maintain access. According to a Microsoft Incident Response report, the attackers deployed Velociraptor, Cloudflare tunnels, Zoho Assist, and Visual Studio Code SSH connections to create several persistence channels inside the victim network.

A second, unrelated threat actor was also active at the same time. That group used different methods, including malicious DLL sideloading and custom backdoors, which made the breach harder to understand, detect, and contain.

Microsoft’s Detection and Response Team, also known as DART, began the investigation as a ransomware response. The team later found evidence of lateral movement beyond the first environment and into a second organization, where similar ransomware activity was also confirmed.

Storm-2603 had already been associated with attacks on internet-facing on-premises SharePoint servers. In earlier guidance on SharePoint, Microsoft said the group exploited SharePoint vulnerabilities to deploy ransomware, while other named China-linked actors also targeted exposed SharePoint systems.

In this newer case, Microsoft’s attack flow also references CVE-2025-11371. The NVD entry for CVE-2025-11371 describes the flaw as an unauthenticated local file inclusion issue affecting Gladinet CentreStack and TrioFox in default installations, with exploitation observed in the wild.

Attackers used legitimate tools to avoid standing out

The attackers did not rely only on custom malware. They used tools that security teams and administrators may already recognize, which helped malicious activity blend into normal operations.

Storm-2603 deployed Velociraptor with SYSTEM-level privileges to collect data and map the environment. Cisco Talos previously reported that ransomware operators had started abusing Velociraptor, an open-source digital forensics and incident response tool, in ransomware incidents.

The attackers then added several remote access paths. They used Cloudflare tunnels to route traffic externally, Zoho Assist for remote management, and Visual Studio Code Remote SSH to create command-and-control access. The DART case report shows those tools were part of a layered persistence strategy rather than isolated activity.

Tool or technique | How it was used | Why defenders should care
--- | --- | ---
Velociraptor | Used with SYSTEM privileges to collect data and map the environment | It can look like normal incident response or administrative activity
Cloudflare Tunnel | Used to move traffic through trusted external infrastructure | It can bypass simple perimeter-based monitoring
Zoho Assist | Used as a remote management channel | Remote support tools can give attackers stable hands-on access
VS Code Remote SSH | Used to establish SSH-based command-and-control access | Developer tools may not trigger the same alerts as malware
DLL sideloading | Used by the second actor to run malicious code through trusted software | It can hide malicious execution behind legitimate processes

CVE-2025-11371 added another route into sensitive systems

The CVE-2025-11371 detail matters because local file inclusion flaws can expose sensitive configuration files. In this case, requests for files such as web.config pointed to attempts to retrieve data that could support deeper compromise.

A Huntress analysis of CVE-2025-11371 said attackers could retrieve the Web.config file from affected Gladinet systems and use exposed machine key material to support further exploitation through ViewState deserialization.

The issue affected Gladinet CentreStack and TrioFox releases up to and including the ranges listed by the National Vulnerability Database. NVD also notes that the vulnerability appears in CISA’s Known Exploited Vulnerabilities catalog, which signals real-world exploitation risk.
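The request pattern described above is something a defender can hunt for in web server logs. The following Python script is an added example, not code from the Microsoft, Huntress or NVD material this article cites. It parses constructed IIS W3C log lines (sample data, not from the incident), URL-decodes each request twice to catch double encoding, and flags any request that references a server configuration file such as web.config or contains a path traversal sequence, rating hits that returned a 2xx status as high severity because the file may actually have left the server. The log fields, the endpoint paths and the client addresses are this example's assumptions, not the real Gladinet URLs.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed IIS W3C extended log excerpt (sample data, not from the incident).
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip sc-status
2025-10-01 10:00:01 10.0.0.5 GET /portal/index.aspx - 203.0.113.10 200
2025-10-01 10:00:07 10.0.0.5 GET /portal/download id=42 203.0.113.10 200
2025-10-01 10:00:09 10.0.0.5 GET /portal/example.aspx file=..%2f..%2fweb.config 203.0.113.44 200
2025-10-01 10:00:12 10.0.0.5 GET /portal/example.aspx file=....//....//Web.Config 203.0.113.44 200
2025-10-01 10:00:15 10.0.0.5 GET /web.config - 203.0.113.44 404
2025-10-01 10:00:20 10.0.0.5 POST /portal/upload - 198.51.100.7 200
"""

# Configuration files whose retrieval over HTTP is almost never legitimate.
SENSITIVE_FILES = ("web.config", "machine.config", "appsettings.json")
# "../" or "..\" after decoding; "....//" also contains this once decoded.
TRAVERSAL = re.compile(r"\.\.[/\\]")


def normalize(value):
    """URL-decode twice (collapses double encoding such as %252f) and lowercase."""
    return unquote(unquote(value)).lower()


def parse_w3c(text):
    """Yield one dict per data row, taking column names from the #Fields header."""
    fields = None
    for raw in text.splitlines():
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]
            continue
        if not raw or raw.startswith("#") or fields is None:
            continue
        parts = raw.split()
        if len(parts) != len(fields):
            continue  # malformed row; a real pipeline would count and report these
        yield dict(zip(fields, parts))


def classify(row):
    """Return a reason string if the request looks like config-file retrieval, else None."""
    target = normalize(row["cs-uri-stem"]) + "?" + normalize(row["cs-uri-query"])
    reasons = []
    if TRAVERSAL.search(target):
        reasons.append("path traversal sequence")
    for name in SENSITIVE_FILES:
        if name in target:
            reasons.append(f"references {name}")
            break
    return "; ".join(reasons) or None


def find_config_retrieval(text):
    """Scan a W3C log and return a list of findings, one per suspicious request."""
    findings = []
    for row in parse_w3c(text):
        reason = classify(row)
        if reason is None:
            continue
        status = int(row["sc-status"])
        findings.append({
            "time": f'{row["date"]} {row["time"]}',
            "client": row["c-ip"],
            "status": status,
            "reason": reason,
            # A 2xx on a config file is the signal to escalate: secrets may have left.
            "severity": "high" if 200 <= status < 300 else "medium",
        })
    return findings


def clients_by_hits(findings):
    """Count suspicious requests per client address for quick triage."""
    return Counter(f["client"] for f in findings)


if __name__ == "__main__":
    hits = find_config_retrieval(SAMPLE_LOG)
    for hit in hits:
        print(hit)
    print(dict(clients_by_hits(hits)))
```

The double decode matters: a single `unquote` would leave `%252f` as `%2f`, and the traversal pattern would never match. In production the same classifier would run over the whole retention window, since the machine key in a retrieved web.config stays useful to an attacker until it is rotated, so the question is not only "is this happening now" but "did this ever succeed".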

Two attackers in one network made response harder

The second threat actor used a separate playbook. Microsoft reported malicious DLL sideloading, unsigned DLL activity, custom backdoors, and signs of credential access that did not match Storm-2603’s known behavior.

This overlap created a major investigation problem. Security teams could not treat every signal as part of one clean attack chain. Some activity belonged to the ransomware actor, while other artifacts came from a separate group moving through the same environment.

Microsoft said the full picture became clear only after correlating identity, endpoint, and cloud telemetry. That point is important for defenders because isolated alerts may show only fragments of a multi-actor intrusion.

How organizations can reduce the risk

Organizations running internet-facing SharePoint servers should apply supported updates, enable security protections, and rotate ASP.NET machine keys where Microsoft guidance recommends it. The Microsoft Security blog also recommends endpoint detection and strong monitoring for exposed SharePoint systems.

Companies using Gladinet CentreStack or TrioFox should review vendor updates and mitigations linked to CVE-2025-11371. The Huntress report said Gladinet released version 16.10.10408.56683 of CentreStack with a fix for the local file inclusion issue.

Security teams should also review how legitimate administrative tools appear in their environment. Talos research shows that Velociraptor abuse has already appeared in ransomware activity, so defenders should watch not only for malware, but also for unusual use of trusted tools.

  • Audit remote access tools, including Zoho Assist, Cloudflare Tunnel, VS Code Remote SSH, AnyDesk, TeamViewer, and similar utilities.
  • Alert on new local administrator and domain administrator account creation.
  • Investigate unexpected Velociraptor agents, services, or command-and-control connections.
  • Monitor for DLL sideloading, unsigned DLLs, and suspicious files in user profile or public folders.
  • Centralize endpoint, identity, VPN, cloud, and server telemetry in a SIEM.
  • Retain logs long enough to reconstruct attacker activity across multiple systems.
  • Test incident response playbooks before a real ransomware event begins.
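One way to turn the checklist above into detection logic, as an added example that is not part of the Microsoft report or any vendor product: a small Python triage script that runs three rules over constructed endpoint and identity events. The event schema (field names such as `type`, `image`, `cmdline`, `signed`) is assumed for this example, not taken from any product. Rule one matches a watchlist of remote access and DFIR tooling in process-creation events (substrings such as `velociraptor`, `cloudflared` and the VS Code `ssh-remote+` argument; the list is a starting point to tune, not a complete catalogue). Rule two flags unsigned DLL loads from user profile or public folders. Rule three flags an account that is added to the local Administrators group shortly after it was created, using the Windows Security event IDs 4720 (account created) and 4732 (member added to a local group).

```python
from datetime import datetime, timedelta

# Constructed endpoint and identity events (sample data, not from the incident).
# The field names are this example's own simplified schema.
EVENTS = [
    {"ts": "2025-10-01T09:58:00", "host": "FS01", "type": "process",
     "image": r"C:\Windows\System32\svchost.exe", "cmdline": "svchost.exe -k netsvcs", "signed": True},
    {"ts": "2025-10-01T10:01:00", "host": "FS01", "type": "process",
     "image": r"C:\ProgramData\vr\velociraptor.exe", "cmdline": "velociraptor.exe service run", "signed": True},
    {"ts": "2025-10-01T10:03:00", "host": "FS01", "type": "process",
     "image": r"C:\Users\Public\cloudflared.exe", "cmdline": "cloudflared.exe tunnel run", "signed": True},
    {"ts": "2025-10-01T10:05:00", "host": "FS01", "type": "image_load", "process": "updater.exe",
     "image": r"C:\Users\jdoe\AppData\Local\Temp\version.dll", "signed": False},
    {"ts": "2025-10-01T10:06:00", "host": "FS01", "type": "image_load", "process": "notepad.exe",
     "image": r"C:\Windows\System32\kernel32.dll", "signed": True},
    {"ts": "2025-10-01T10:10:00", "host": "DC01", "type": "security", "event_id": 4720, "target": "svc_backup2"},
    {"ts": "2025-10-01T10:11:00", "host": "DC01", "type": "security", "event_id": 4732,
     "target": "svc_backup2", "group": "Administrators"},
    {"ts": "2025-10-01T10:30:00", "host": "WS07", "type": "process",
     "image": r"C:\Program Files\Microsoft VS Code\Code.exe",
     "cmdline": "Code.exe --remote ssh-remote+fs01 /srv", "signed": True},
]

# Substrings of image names or command lines worth an alert when unexpected.
# Tune this to the tools your organisation has actually approved.
REMOTE_ACCESS_WATCHLIST = (
    "velociraptor", "cloudflared", "zoho", "anydesk", "teamviewer",
    "ssh-remote+", ".vscode-server",
)


def basename(path):
    """Last path component, lowercased, accepting either separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def rule_remote_access_tools(events):
    """Process creations whose image or command line matches the watchlist."""
    alerts = []
    for e in events:
        if e["type"] != "process":
            continue
        haystack = basename(e["image"]) + " " + e.get("cmdline", "").lower()
        hits = [w for w in REMOTE_ACCESS_WATCHLIST if w in haystack]
        if hits:
            alerts.append({"rule": "remote_access_tool", "host": e["host"], "ts": e["ts"],
                           "detail": f"{basename(e['image'])} matched {hits}"})
    return alerts


def rule_unsigned_dll_user_path(events):
    """Unsigned DLLs loaded from under C:\\Users (profiles and the Public folder)."""
    alerts = []
    for e in events:
        if e["type"] == "image_load" and not e["signed"] and "\\users\\" in e["image"].lower():
            alerts.append({"rule": "unsigned_dll_user_path", "host": e["host"], "ts": e["ts"],
                           "detail": f"{e['process']} loaded {e['image']}"})
    return alerts


def rule_new_admin_account(events, window_minutes=10):
    """Account created (4720) then added to Administrators (4732) within the window."""
    alerts, created = [], {}
    window = timedelta(minutes=window_minutes)
    for e in sorted((x for x in events if x["type"] == "security"), key=lambda x: x["ts"]):
        ts = datetime.fromisoformat(e["ts"])
        if e["event_id"] == 4720:
            created[e["target"]] = ts
        elif (e["event_id"] == 4732 and e.get("group") == "Administrators"
              and e["target"] in created and ts - created[e["target"]] <= window):
            alerts.append({"rule": "new_admin_account", "host": e["host"], "ts": e["ts"],
                           "detail": f"{e['target']} created and made local admin"})
    return alerts


def triage(events):
    """Run every rule and return the alerts in time order."""
    alerts = (rule_remote_access_tools(events)
              + rule_unsigned_dll_user_path(events)
              + rule_new_admin_account(events))
    return sorted(alerts, key=lambda a: a["ts"])


if __name__ == "__main__":
    for alert in triage(EVENTS):
        print(alert["ts"], alert["host"], alert["rule"], alert["detail"])
```

The rules deliberately do not depend on the binaries being unsigned or renamed: every tool in the watchlist ships signed, which is exactly why the article's table says they blend in. The useful question for the analyst is therefore not "is this file malicious" but "did anyone approve this tool on this host", which is why the first rule reports on match and leaves the allow-listing to whoever owns the asset inventory.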

The case shows why modern ransomware investigations need broad visibility. Attackers increasingly use approved tools, exposed services, and valid credentials to stay hidden. When more than one group enters the same environment, defenders need telemetry that connects identity, endpoint, network, and cloud activity into one timeline.

FAQ

What did Microsoft find in the ransomware investigation?

Microsoft found two separate threat actors operating inside the same compromised environment. Storm-2603 used legitimate tools for persistence, while a second unrelated actor used techniques such as DLL sideloading and custom backdoors.

Which tools did the attackers abuse for persistence?

The attackers abused Velociraptor, Cloudflare tunnels, Zoho Assist, and Visual Studio Code Remote SSH. These tools can have legitimate business or security uses, which can make malicious activity harder to spot.

Was this attack only related to Microsoft SharePoint?

No. Storm-2603 has been linked to exploitation of on-premises SharePoint vulnerabilities, but Microsoft’s case flow also references CVE-2025-11371, a local file inclusion flaw affecting Gladinet CentreStack and TrioFox.

Why are legitimate tools useful to attackers?

Legitimate tools help attackers blend into normal administration activity. Security teams may not treat tools such as remote support software, tunnels, developer SSH features, or forensic agents as suspicious unless usage patterns look unusual.

How can organizations defend against this type of intrusion?

Organizations should patch internet-facing systems, monitor remote access tools, restrict administrator privileges, retain telemetry centrally, alert on suspicious account creation, and test incident response playbooks regularly.
