Hackers exploit SolarWinds WHD flaws to deploy DFIR tool in attacks
#Vulnerabilities

Security Reporter

Attackers are exploiting critical SolarWinds Web Help Desk vulnerabilities to deploy legitimate tools, including the Zoho Assist remote-access agent, Cloudflare tunnels, and the Velociraptor DFIR platform, for command-and-control operations.

Hackers are exploiting critical vulnerabilities in SolarWinds Web Help Desk (WHD) to deploy legitimate software for malicious purposes, according to recent research from Huntress. The attackers have targeted at least three organizations, leveraging recently disclosed flaws to establish persistent access and command-and-control infrastructure.

Exploitation of Critical Vulnerabilities

The campaign, which Huntress believes began on January 16, 2026, exploits two critical vulnerabilities in SolarWinds WHD:

  • CVE-2025-40551: A remote code execution vulnerability that CISA flagged as being actively exploited
  • CVE-2025-26399: Another critical flaw allowing unauthenticated remote code execution

Both vulnerabilities carry critical severity ratings, and each can be used to achieve remote code execution on the host without authentication.

Microsoft security researchers separately observed a "multi-stage intrusion where threat actors exploited internet-exposed SolarWinds Web Help Desk instances," but did not confirm which vulnerabilities were used in the intrusions they saw.

Attack Chain and Tool Deployment

After gaining initial access through the SolarWinds WHD vulnerabilities, the attackers deployed a toolkit assembled almost entirely from legitimate, publicly available software:

Zoho Assist Deployment

The threat actor installed the Zoho Assist agent via an MSI file fetched from the Catbox file-hosting platform. They configured the tool for unattended access and enrolled the compromised host in a Zoho Assist account tied to an anonymous Proton Mail address.

This legitimate remote monitoring and management tool was used for:

  • Direct hands-on keyboard activity
  • Active Directory reconnaissance
  • Initial persistence establishment

Velociraptor for Command and Control

Velociraptor, a legitimate digital forensics and incident response (DFIR) tool, was fetched as an MSI file from a Supabase storage bucket. Cisco Talos recently warned that this DFIR platform was being abused in ransomware attacks.

In this campaign, Velociraptor serves as a command-and-control framework that communicates with the attackers via Cloudflare Workers. Notably, the attackers deployed an outdated version (0.73.4) that is affected by a known privilege-escalation flaw, which they used to elevate their permissions on the host.

Cloudflare Tunnel for Persistence

The attackers installed Cloudflared from Cloudflare's official GitHub repository and used it as a secondary, tunnel-based access channel, giving their command-and-control setup redundancy if the Velociraptor channel was discovered or cut off.

Additional Persistence Mechanisms

In some cases, persistence was achieved through a scheduled task named TPMProfiler that opens an SSH backdoor via QEMU. The attackers also disabled Windows Defender and the Windows Firewall through registry modifications so that fetching additional payloads would not be blocked.

"Approximately a second after disabling Defender, the threat actor downloaded a fresh copy of the VS Code binary," the researchers noted, indicating the speed and precision of the attack sequence.

Detection and Mitigation

System administrators are strongly advised to take the following actions:

  1. Upgrade SolarWinds Web Help Desk to version 2026.1 or later
  2. Remove public internet access to SolarWinds WHD admin interfaces
  3. Reset all credentials associated with the SolarWinds WHD product

Huntress has shared Sigma rules and indicators of compromise to help detect:

  • Zoho Assist, Velociraptor, Cloudflared, and VS Code tunnel activity
  • Silent MSI installations
  • Encoded PowerShell execution
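As an added illustration (not Huntress's published Sigma rules and not code from the original article), the following Python sketch applies the detection themes listed above, together with the persistence and defence-evasion behaviour described earlier (the TPMProfiler task, the QEMU-backed SSH backdoor, and the Defender and firewall registry changes), to a handful of constructed Sysmon-style events. The process paths, command lines, task action, and the "zoho" process-name prefix are assumptions made for the example; the registry value names are the standard Windows Defender and Windows Firewall policy values. The encoded-PowerShell check goes slightly beyond the page by validating that the argument really decodes as the UTF-16LE base64 that `-EncodedCommand` expects, which cuts down on false positives from innocent `-e` arguments.

```python
import base64
import binascii
import re

# Constructed UTF-16LE/base64 payload, the encoding powershell.exe expects for -EncodedCommand.
_ENC = base64.b64encode("Write-Host 'hi'".encode("utf-16le")).decode("ascii")

# Constructed sample telemetry (not Huntress's IOCs). Field names loosely follow Sysmon
# process-creation and registry-value events plus a scheduled-task record. Every path,
# command line and task action here is an assumption made for the example.
SAMPLE_EVENTS = [
    {"kind": "process", "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec.exe /i C:\Users\Public\ZohoAssist.msi /qn /norestart"},
    {"kind": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -EncodedCommand " + _ENC},
    {"kind": "process", "image": r"C:\Program Files\Velociraptor\Velociraptor.exe",
     "cmdline": "Velociraptor.exe service run"},
    {"kind": "process", "image": r"C:\Users\Public\cloudflared.exe",
     "cmdline": "cloudflared.exe tunnel run --token <redacted>"},
    {"kind": "process", "image": r"C:\Program Files\Microsoft VS Code\Code.exe",
     "cmdline": "code.exe tunnel --accept-server-license-terms"},
    {"kind": "registry", "key": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender",
     "value": "DisableAntiSpyware", "data": 1},
    {"kind": "registry", "key": r"HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile",
     "value": "EnableFirewall", "data": 0},
    {"kind": "task", "name": "TPMProfiler",
     "action": r"C:\ProgramData\qemu\qemu-system-x86_64.exe -nographic -hda backdoor.qcow2"},
    # Benign noise that must not alert: interactive MSI install, plain PowerShell, Defender left on.
    {"kind": "process", "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec.exe /i C:\Temp\vendor.msi"},
    {"kind": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -Command Get-Service"},
    {"kind": "registry", "key": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender",
     "value": "DisableAntiSpyware", "data": 0},
]

# msiexec switches: /i or /package selects an install; /q, /qn, /qb, /quiet, /passive suppress UI.
_INSTALL = re.compile(r"(?:^|\s)/(?:i|package)\s", re.I)
_SILENT = re.compile(r"(?:^|\s)/(?:q|qn|qb|quiet|passive)(?:\s|$)", re.I)
# -e, -ec and -enc are the abbreviated forms powershell.exe accepts for -EncodedCommand.
_ENCODED = re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
_TOOL_IMAGES = {"velociraptor.exe", "cloudflared.exe"}
# (substring of registry key, value name) -> data that indicates the protection was switched off.
_REGISTRY_EVASION = {
    ("windows defender", "disableantispyware"): 1,
    ("real-time protection", "disablerealtimemonitoring"): 1,
    ("windowsfirewall", "enablefirewall"): 0,
}


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _is_utf16_base64(blob: str) -> bool:
    """True if blob is valid base64 whose bytes decode as UTF-16LE (PowerShell's encoding)."""
    try:
        base64.b64decode(blob, validate=True).decode("utf-16le")
        return True
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return False


def _check_process(ev):
    img, cmd = _basename(ev["image"]), ev["cmdline"]
    if img == "msiexec.exe" and _INSTALL.search(cmd) and _SILENT.search(cmd):
        yield "silent_msi_install"
    if img in ("powershell.exe", "pwsh.exe"):
        m = _ENCODED.search(cmd)
        if m and _is_utf16_base64(m.group(1)):
            yield "encoded_powershell"
    # Velociraptor and cloudflared by image name, Zoho Assist by an assumed name prefix,
    # and VS Code only when launched in tunnel mode (normal editor use must not alert).
    if (img in _TOOL_IMAGES or img.startswith("zoho")
            or (img == "code.exe" and re.search(r"\btunnel\b", cmd, re.I))):
        yield "remote_access_tool"


def _check_registry(ev):
    key, value = ev["key"].lower(), ev["value"].lower()
    for (key_part, value_name), bad in _REGISTRY_EVASION.items():
        if key_part in key and value == value_name and ev["data"] == bad:
            yield "defense_evasion_registry"


def _check_task(ev):
    # TPMProfiler is the task name reported in the campaign; QEMU/SSH in the action is the behaviour.
    if ev["name"].lower() == "tpmprofiler" or re.search(r"qemu|ssh", ev["action"], re.I):
        yield "suspicious_scheduled_task"


_CHECKS = {"process": _check_process, "registry": _check_registry, "task": _check_task}


def detect(events):
    """Return (rule_name, event_index) pairs for every event that trips a rule."""
    alerts = []
    for idx, ev in enumerate(events):
        for rule in _CHECKS.get(ev["kind"], lambda _e: ())(ev):
            alerts.append((rule, idx))
    return alerts


if __name__ == "__main__":
    for rule, idx in detect(SAMPLE_EVENTS):
        print(f"{rule:26} event {idx}: {SAMPLE_EVENTS[idx]}")
```

Run against the constructed events, the first eight (the attack sequence) each produce exactly one alert and the three benign records produce none. In a real deployment the same logic would sit behind the Sigma rules Huntress published, with the Zoho and task-name matches tightened to the actual indicators of compromise rather than the assumptions used here.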

Neither Microsoft nor Huntress attributed the observed attacks to any specific threat groups, and neither disclosed details about the targets beyond Microsoft characterizing the breached environments as "high-value assets."

The abuse of legitimate DFIR and remote-management tools such as Velociraptor is part of a broader pattern in which attackers lean on trusted, often allow-listed software to blend in with normal administrative activity while maintaining persistent access to compromised systems.
