
Living Off the Land: How Threat Actors Weaponize Legitimate Tools for Stealthy Attacks
In the ever-evolving landscape of cybersecurity, one of the most challenging threats to detect is the one hiding in plain sight. Security teams are trained to spot malicious code and unfamiliar software, but what happens when attackers use the very tools that system administrators and security professionals rely on? This tactic, known as “Living off the Land,” involves co-opting legitimate software for malicious purposes, allowing threat actors to operate under the radar and evade traditional security measures.
Two powerful, open-source tools—Velociraptor and Nezha—have recently emerged as prime examples of this dangerous trend. Originally designed for beneficial purposes, they are now being actively exploited in the wild to compromise systems, steal data, and maintain persistent access to corporate networks.
Velociraptor: From Digital Forensics to Malicious Espionage
Velociraptor is a highly respected and powerful tool used for Digital Forensics and Incident Response (DFIR). It allows security analysts to collect vast amounts of information from endpoints (like workstations and servers) across a network. Its strength lies in its flexibility, enabling investigators to hunt for signs of a breach, analyze system artifacts, and respond to incidents in real time.
However, the same features that make Velociraptor an asset for defenders make it a formidable weapon for attackers.
How Attackers Abuse Velociraptor:
- Covert Data Exfiltration: Instead of using custom malware to steal data, an attacker can deploy Velociraptor to gather sensitive files, credentials, and confidential documents under the guise of a legitimate forensic investigation.
- Persistent Backdoor Access: Once installed on a system, the Velociraptor agent maintains a connection to a central server. For an attacker, this connection serves as a stealthy and persistent backdoor, allowing them to issue commands and control the compromised machine remotely.
- Extensive Network Reconnaissance: Threat actors use Velociraptor’s powerful query language to map out a network, identify high-value targets, and understand system configurations without triggering alarms.
- Executing Malicious Commands: The tool can be used to run scripts and execute commands on an endpoint. This allows attackers to deploy ransomware, disable security software, or move laterally to other systems on the network.

Because Velociraptor is a known and often trusted tool, its activity can easily be mistaken for legitimate administrative work, allowing an attacker to dwell in a network for an extended period without being detected.
Nezha: A Monitoring Tool Turned Command and Control Center
Nezha is a popular open-source server monitoring tool. System administrators use it to get a clear, centralized dashboard showing the health, status, and performance of their servers. Its lightweight agent is installed on each machine and reports back key metrics, providing valuable insights for IT operations.
Unfortunately, threat actors have recognized that Nezha’s architecture is perfect for creating a covert Command and Control (C2) network. A C2 server is the hub of a malicious operation, used by attackers to send commands to compromised computers and receive stolen data.
How Attackers Abuse Nezha:
- Stealthy C2 Communication: The Nezha agent is designed to communicate regularly with a central server. Attackers set up their own malicious Nezha server and use this legitimate communication channel to send commands and exfiltrate data, bypassing firewalls and network security tools that might block unfamiliar traffic.
- Evading Detection: Since Nezha’s traffic looks like normal monitoring activity, it is far less likely to be flagged by security solutions like Endpoint Detection and Response (EDR) systems or antivirus software.
- Maintaining Persistence: By installing the Nezha agent, attackers ensure they can maintain long-term access to a compromised system, even if the machine is rebooted or initial entry points are closed.

The abuse of Nezha highlights a critical challenge: attackers no longer need to build complex C2 frameworks from scratch. They can simply repurpose existing, trusted software for their own nefarious goals.
How to Defend Against Dual-Use Tool Attacks
Protecting your organization from the malicious use of legitimate tools requires a shift in security strategy. It’s no longer enough to just block known malware; you must also monitor for anomalous behavior from trusted applications.
Here are actionable security measures to help you stay protected:
- Implement Application Control: Use technologies like AppLocker or other allow-listing solutions to strictly control which applications are permitted to run in your environment. If a tool like Velociraptor or Nezha is not part of your standard toolkit, it should be blocked by default.
- Focus on Behavioral Monitoring: Instead of just looking for “bad” files, monitor the behavior of all processes. A monitoring tool should not be accessing sensitive user documents or attempting to execute PowerShell scripts. Use an EDR solution capable of detecting anomalous activity, such as a process creating unexpected network connections or modifying critical system files.
- Enforce the Principle of Least Privilege: Ensure that user and service accounts have only the minimum permissions necessary to perform their roles. This can limit an attacker’s ability to deploy tools like Velociraptor or Nezha, even if they compromise an account.
- Enhance Logging and Auditing: Maintain comprehensive logs of command-line activity, network connections, and process execution across all endpoints. Regularly auditing these logs can help you proactively hunt for suspicious patterns that might indicate the abuse of a legitimate tool.

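The following script is an added example of the application-control, behavioral-monitoring and logging measures above, applied to the Velociraptor and Nezha abuse patterns described earlier in the article. It is not code from the article or from either project. It assumes a simplified, constructed JSON-lines endpoint telemetry format (process starts and outbound connections) and a hypothetical organisational policy listing the only sanctioned install paths and server endpoints for each tool; every field name, host name, path and address below is a constructed assumption, not a real indicator.

```python
import json
import re

# Constructed sample telemetry (not real logs): one JSON object per line.
# Windows paths use doubled backslashes because the text is parsed as JSON.
SAMPLE_LOG = r"""
{"ts":"2025-10-09T08:01:12Z","host":"ws-07","event":"process_start","image":"C:\\Windows\\System32\\svchost.exe","parent":"services.exe","user":"SYSTEM"}
{"ts":"2025-10-09T08:03:40Z","host":"ws-07","event":"process_start","image":"C:\\Users\\jdoe\\AppData\\Local\\Temp\\velociraptor.exe","parent":"powershell.exe","user":"jdoe","cmdline":"velociraptor.exe --config client.yaml client"}
{"ts":"2025-10-09T08:03:41Z","host":"ws-07","event":"net_connect","image":"C:\\Users\\jdoe\\AppData\\Local\\Temp\\velociraptor.exe","dst":"203.0.113.10","dport":8000}
{"ts":"2025-10-09T08:10:05Z","host":"srv-dfir","event":"process_start","image":"C:\\Program Files\\Velociraptor\\velociraptor.exe","parent":"services.exe","user":"SYSTEM"}
{"ts":"2025-10-09T08:10:06Z","host":"srv-dfir","event":"net_connect","image":"C:\\Program Files\\Velociraptor\\velociraptor.exe","dst":"10.0.5.20","dport":8000}
{"ts":"2025-10-09T09:15:00Z","host":"web-03","event":"process_start","image":"/opt/nezha/agent/nezha-agent","parent":"bash","user":"root","cmdline":"nezha-agent -s 198.51.100.7:5555"}
{"ts":"2025-10-09T09:15:01Z","host":"web-03","event":"net_connect","image":"/opt/nezha/agent/nezha-agent","dst":"198.51.100.7","dport":5555}
"""

# Hypothetical organisational policy: the only sanctioned install locations and
# servers for each dual-use tool. An empty set means "not part of our toolkit at
# all", so any sighting is an alert (the allow-listing stance from the article).
POLICY = {
    "velociraptor": {
        "approved_paths": {r"C:\Program Files\Velociraptor\velociraptor.exe"},
        "approved_servers": {("10.0.5.20", 8000)},
    },
    "nezha": {
        "approved_paths": set(),
        "approved_servers": set(),
    },
}


def tool_family(image: str):
    """Map an image path to a dual-use tool family by its basename, or None."""
    name = re.split(r"[\\/]", image)[-1].casefold()
    if name.startswith("velociraptor"):
        return "velociraptor"
    if name.startswith("nezha"):
        return "nezha"
    return None


def detect(log_text: str, policy=POLICY):
    """Return one alert per telemetry event that violates the policy.

    Rule 1 (application control): a dual-use tool started from a path that is
    not on the approved list.
    Rule 2 (behavioral monitoring): a dual-use tool connecting to a server
    endpoint that is not on the approved list.
    """
    alerts = []
    for line in log_text.strip().splitlines():
        ev = json.loads(line)
        family = tool_family(ev["image"])
        if family is None:
            continue  # not a tool this check cares about
        rules = policy[family]
        approved_paths = {p.casefold() for p in rules["approved_paths"]}
        reason = None
        if ev["event"] == "process_start" and ev["image"].casefold() not in approved_paths:
            reason = "unapproved_path"
        elif ev["event"] == "net_connect" and (ev["dst"], ev["dport"]) not in rules["approved_servers"]:
            reason = "unapproved_server"
        if reason:
            alerts.append({
                "ts": ev["ts"],
                "host": ev["host"],
                "tool": family,
                "reason": reason,
                "image": ev["image"],
                "parent": ev.get("parent"),
                "user": ev.get("user"),
                "cmdline": ev.get("cmdline"),
                "dst": ev.get("dst"),
            })
    return alerts


def hosts_with_alerts(alerts):
    """Group alert reasons by host so an analyst sees which endpoints to triage first."""
    summary = {}
    for a in alerts:
        summary.setdefault(a["host"], []).append(a["reason"])
    return summary


if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for a in found:
        print(f'{a["ts"]} {a["host"]:8} {a["tool"]:12} {a["reason"]:17} {a["image"]}')
    print(hosts_with_alerts(found))
```

The sanctioned DFIR server in the sample (the Velociraptor agent under Program Files talking to the approved internal server) produces no alert, while the same binary dropped under a user's Temp directory by PowerShell and beaconing to an unknown address, and any Nezha agent at all, are flagged. In a real deployment the policy would be fed from the organisation's change records rather than hard-coded, and the path and destination checks would run against EDR or Sysmon process-creation and network-connection events instead of a constructed string.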
The line between a useful administrative tool and a malicious implant is becoming increasingly blurred. Threat actors will continue to leverage legitimate software to achieve their objectives. By understanding their tactics and adopting a security posture focused on behavior rather than signatures, organizations can better position themselves to detect and neutralize these stealthy threats before they cause significant damage.
Source: https://www.helpnetsecurity.com/2025/10/09/velociraptor-nezha-attackers-misuse/