Threat actors are actively exploiting critical vulnerabilities in SolarWinds Web Help Desk (WHD) to deploy custom malware and establish persistent remote control.
Security researchers observed these attacks starting on February 7, 2026, targeting organizations that had not yet applied the latest security patches.
SolarWinds Web Help Desk RCE
The intrusion leverages recently disclosed Remote Code Execution (RCE) vulnerabilities, specifically CVE-2025-40551 and CVE-2025-26399.
Researchers at Huntress observed that the attack begins when the WHD service wrapper (wrapper.exe) spawns a Java process to execute malicious commands.
This process silently installs a Zoho ManageEngine RMM agent via a Windows Installer (MSI) payload hosted on the file-sharing service Catbox.
Once installed, the Zoho agent acts as a backdoor, configured for unattended access and linked to an attacker-controlled Proton Mail account.
This legitimate remote management tool allows adversaries to maintain hands-on access to the compromised environment without raising immediate alarms.
A defining feature of this campaign is the abuse of legitimate software for malicious purposes.

After establishing a foothold, the attackers deploy Velociraptor, an open-source digital forensics tool typically used by defenders.
In this context, an outdated version of Velociraptor is weaponized as a Command and Control (C2) framework, communicating with a malicious Cloudflare Worker domain to execute PowerShell commands on the victim’s machine.
To manage their victims, the attackers utilize a custom PowerShell script that harvests system information, such as OS version and domain membership.
In an ironic twist, this data is formatted and exfiltrated directly to an attacker-controlled Elastic Cloud instance.
The threat actors are essentially using a legitimate SIEM (Security Information and Event Management) platform to triage their compromised targets.
Advanced Persistence and Evasion
The campaign exhibits sophisticated tradecraft to ensure the attack survives defensive countermeasures:
- Defense Evasion: The attackers execute registry modifications to forcibly disable Windows Defender, turning off real-time monitoring and anti-spyware protections.
- C2 Failover: The malware includes a unique redundancy script. It periodically probes a specific dynamic DNS domain. If the server returns a particular HTTP 406 error code, the script automatically rewrites the Velociraptor configuration file to switch the command-and-control servers. This allows attackers to rotate infrastructure instantly if their primary domain is blocked.
Organizations using SolarWinds Web Help Desk should immediately verify the installed version at C:\Program Files\WebHelpDesk\version.txt.
All versions before 12.8.7 HF1 are vulnerable. Administrators must immediately apply the official SolarWinds update to close this critical security gap.
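The version check above can be scripted for fleet-wide triage. The following PowerShell is an added example, not code from the article, Huntress or SolarWinds; it assumes version.txt contains a dotted version optionally followed by a hotfix tag such as "HF1" (the file's exact format is an assumption), and treats anything older than the 12.8.7 HF1 build named above as vulnerable.

```powershell
# Added example: compare the installed Web Help Desk build against the fixed
# build the article names (12.8.7 HF1). The version.txt format is assumed to be
# "<major>.<minor>.<patch>[ HF<n>]"; adjust the regex if your file differs.

function Get-WhdVersionInfo {
    param(
        [string]$Path = 'C:\Program Files\WebHelpDesk\version.txt'
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{
            Found = $false; Raw = $null; Version = $null; Hotfix = 0; Vulnerable = $null
        }
    }

    $raw = (Get-Content -LiteralPath $Path -Raw).Trim()

    # Accept "12.8.7", "12.8.7 HF1" or "12.8.7HF1"; named groups land in $Matches.
    if ($raw -notmatch '^(?<ver>\d+(\.\d+)+)\s*(HF(?<hf>\d+))?') {
        throw "Unrecognised version string in ${Path}: '$raw'"
    }

    $ver = [version]$Matches['ver']
    $hf  = if ($Matches['hf']) { [int]$Matches['hf'] } else { 0 }

    # Fixed build per the article. Older base versions are vulnerable, and so is
    # 12.8.7 without the hotfix.
    $fixedVer = [version]'12.8.7'
    $fixedHf  = 1
    $vulnerable = ($ver -lt $fixedVer) -or (($ver -eq $fixedVer) -and ($hf -lt $fixedHf))

    [pscustomobject]@{
        Found = $true; Raw = $raw; Version = $ver; Hotfix = $hf; Vulnerable = $vulnerable
    }
}

# Usage: run on each WHD server (e.g. via Invoke-Command) and collect the objects.
Get-WhdVersionInfo | Format-List
```

Run it under an account that can read the WebHelpDesk directory; a result of `Found = $false` means WHD is not installed at the default path rather than that the host is patched, so check the actual install location before closing the ticket.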
Indicators of compromise (IOCs)
| Item | Description |
|---|---|
| https://files.catbox[.]moe/tmp9fc.msi SHA256: 897eae49e6c32de3f4bfa229ad4f2d6e56bcf7a39c6c962d02e5c85cd538a189 | Zoho Meetings Installer |
| https://vdfccjpnedujhrzscjtq.supabase[.]co/storage/v1/object/public/image/v4.msi SHA256: 46831be6e577e3120084ee992168cca5af2047d4a08e3fd67ecd90396393b751 | Velociraptor Installer |
| https://auth.qgtxtebl.workers[.]dev/ | Velociraptor Server URL |
| https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-windows-amd64.msi | Cloudflared Installer |
| https://vdfccjpnedujhrzscjtq.supabase[.]co/storage/v1/object/public/image/code.txt C:\ProgramData\Microsoft\code.exe SHA256: 34b2a6c334813adb2cc70f5bd666c4afbdc4a6d8a58cc1c7a902b13bbd2381f4 | Portable version of VSCode |
| https://62c4cbb992274c32922cfbb49d623bd1.us-central1.gcp.cloud.es[.]io | Elasticsearch URL |
| esmahyft@proton[.]me | Zoho Assist Account Email |
| v2-api.mooo[.]com | Velociraptor Failover Domain |
| client.config.yaml SHA256: bbd6e120bf55309141f75c85cc94455b1337a1a4333f6868b245b2edfa97ef44 | Velociraptor Config File |
| Task Path: C:\Windows\System32\Tasks\TPMProfiler Command: C:\Users\[user]\tmp\qemu-system-x86_64.exe -m 1G -smp 1 -hda vault.db -device e1000,netdev=net0 -netdev user,id=net0,hostfwd=tcp::22022-:22 | Scheduled Task (persistence) |
| Task Path: C:\Windows\System32\Tasks\TPMProfiler Command: C:\Users\[user]\local\qemu-system-x86_64 -m 1G -smp 1 -hda bisrv.dll -device e1000,netdev=net0 -netdev user,id=net0,hostfwd=tcp::32567-:22 | Scheduled Task (persistence) |
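The IoC table, together with the Defender-disabling registry changes and the Velociraptor failover described earlier, can be turned into a host triage script. The following PowerShell is an added example, not code from the article, Huntress or SolarWinds. It assumes the Defender policy values DisableAntiSpyware and DisableRealtimeMonitoring (the article does not name the exact values the attackers set), assumes a Velociraptor client config location of C:\Program Files\Velociraptor\client.config.yaml, and takes the hashes and domains from the table above. Because the failover script rewrites client.config.yaml, a hash mismatch on that file proves nothing, so the example also searches the config for the C2 and failover domains.

```powershell
# Added triage example: hunt one Windows host for the artefacts in the article's
# IoC table and for the Defender tampering it describes. Registry value names,
# the Velociraptor config path and the file list are assumptions.

# SHA256 values copied from the article's IoC table
$IocHashes = @(
    '897eae49e6c32de3f4bfa229ad4f2d6e56bcf7a39c6c962d02e5c85cd538a189',  # tmp9fc.msi (Zoho)
    '46831be6e577e3120084ee992168cca5af2047d4a08e3fd67ecd90396393b751',  # v4.msi (Velociraptor)
    '34b2a6c334813adb2cc70f5bd666c4afbdc4a6d8a58cc1c7a902b13bbd2381f4',  # code.exe
    'bbd6e120bf55309141f75c85cc94455b1337a1a4333f6868b245b2edfa97ef44'   # client.config.yaml
)

# Domains from the IoC table, with the defanging brackets removed for matching
$IocDomains = @(
    'auth.qgtxtebl.workers.dev',
    'v2-api.mooo.com',
    'files.catbox.moe',
    'vdfccjpnedujhrzscjtq.supabase.co',
    '62c4cbb992274c32922cfbb49d623bd1.us-central1.gcp.cloud.es.io'
)

function Find-DefenderTampering {
    # Policy values that disable Defender; assumed to be what the attackers set.
    $checks = @(
        @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender';                     Name = 'DisableAntiSpyware' },
        @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection'; Name = 'DisableRealtimeMonitoring' }
    )
    foreach ($c in $checks) {
        $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        if ($null -ne $item -and $item.($c.Name) -eq 1) {
            [pscustomobject]@{ Finding = 'DefenderDisabled'; Detail = "$($c.Path)\$($c.Name) = 1" }
        }
    }
}

function Find-SuspiciousTasks {
    # The table shows a task named TPMProfiler that launches qemu-system-x86_64
    # with a host port forwarded into the guest (hostfwd=tcp::<port>-:22).
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($a in $task.Actions) {
            $cmd = "$($a.Execute) $($a.Arguments)".Trim()
            if ($task.TaskName -eq 'TPMProfiler' -or $cmd -match 'qemu-system' -or $cmd -match 'hostfwd=') {
                [pscustomobject]@{ Finding = 'SuspiciousTask'; Detail = "$($task.TaskPath)$($task.TaskName): $cmd" }
            }
        }
    }
}

function Find-IocFiles {
    param(
        # Paths from the table plus an assumed default Velociraptor config location
        [string[]]$Paths = @(
            'C:\ProgramData\Microsoft\code.exe',
            'C:\Program Files\Velociraptor\client.config.yaml'
        )
    )
    $domainPatterns = $IocDomains | ForEach-Object { [regex]::Escape($_) }

    foreach ($p in $Paths) {
        if (-not (Test-Path -LiteralPath $p)) { continue }

        $hash = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash.ToLower()
        if ($IocHashes -contains $hash) {
            [pscustomobject]@{ Finding = 'IocHashMatch'; Detail = "$p $hash" }
        }

        # A config rewritten by the failover routine no longer matches the published
        # hash, so also look for the C2 / failover domains inside text files.
        if ($p -match '\.(yaml|yml|txt)$') {
            foreach ($h in (Select-String -LiteralPath $p -Pattern $domainPatterns)) {
                [pscustomobject]@{ Finding = 'IocDomainInFile'; Detail = "$p line $($h.LineNumber): $($h.Line.Trim())" }
            }
        }
    }
}

# Usage: run elevated; no output means none of these checks fired on this host.
Find-DefenderTampering
Find-SuspiciousTasks
Find-IocFiles
```

Treat a hit on any check as a trigger for full investigation rather than as the whole picture: the Defender values can also be set legitimately by policy, and the attackers' use of a legitimate RMM agent and Cloudflare-fronted C2 means network-level review of the domains in the table is needed alongside these host checks.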