Microsoft has revealed that it observed a multi‑stage intrusion that involved the threat actors exploiting internet‑exposed SolarWinds Web Help Desk (WHD) instances to obtain initial access and move laterally across the organization’s network to other high-value assets.
That said, the Microsoft Defender Security Research Team said it’s not clear whether the activity weaponized recently disclosed flaws (CVE-2025-40551, CVSS score: 9.8, and CVE-2025-40536, CVSS score: 8.1), or a previously patched vulnerability (CVE-2025-26399, CVSS score: 9.8).
“Since the attacks occurred in December 2025 and on machines vulnerable to both the old and new set of CVEs at the same time, we cannot reliably confirm the exact CVE used to gain an initial foothold,” the company said in a report published last week.
While CVE-2025-40536 is a security control bypass vulnerability that could allow an unauthenticated attacker to gain access to certain restricted functionality, CVE-2025-40551 and CVE-2025-26399 both refer to untrusted data deserialization vulnerabilities that could lead to remote code execution.
Last week, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-40551 to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation in the wild. Federal Civilian Executive Branch (FCEB) agencies were ordered to apply the fixes for the flaw by February 6, 2026.
In the attacks detected by Microsoft, successful exploitation of the exposed SolarWinds WHD instance allowed the attackers to achieve unauthenticated remote code execution and run arbitrary commands within the WHD application context.
“Upon successful exploitation, the compromised service of a WHD instance spawned PowerShell to leverage BITS [Background Intelligent Transfer Service] for payload download and execution,” researchers Sagar Patil, Hardik Suri, Eric Hopper, and Kajhon Soyini noted.
In the next stage, the threat actors downloaded legitimate components associated with Zoho ManageEngine, a legitimate remote monitoring and management (RMM) solution, to enable persistent remote control over the infected system. The attackers followed it up with a series of actions –
- Enumerated sensitive domain users and groups, including Domain Admins.
- Established persistence via reverse SSH and RDP access, with the attackers also attempting to create a scheduled task to launch a QEMU virtual machine under the SYSTEM account at system startup to cover up the tracks within a virtualized environment while exposing SSH access via port forwarding.
- Used DLL side-loading on some hosts by using “wab.exe,” a legitimate system executable associated with the Windows Address Book, to launch a rogue DLL (“sspicli.dll”) to dump the contents of LSASS memory and conduct credential theft.
In at least one case, Microsoft said the threat actors conducted a DCSync attack, where a Domain Controller (DC) is simulated to request password hashes and other sensitive information from an Active Directory (AD) database.
To counter the threat, users are advised to keep the WHD instances up-to-date, find and remove any unauthorized RMM tools, rotate service and admin accounts, and isolate compromised machines to limit the breach.
“This activity reflects a common but high-impact pattern: a single exposed application can provide a path to full domain compromise when vulnerabilities are unpatched or insufficiently monitored,” the Windows maker said.
“In this intrusion, attackers relied heavily on living-off-the-land techniques, legitimate administrative tools, and low-noise persistence mechanisms. These tradecraft choices reinforce the importance of defense in depth, timely patching of internet-facing services, and behavior-based detection across identity, endpoint, and network layers.”
Update
In a report published on February 8, 2026, cybersecurity company Huntress said it investigated a case of SolarWinds WHD exploitation, in which the threat actor rapidly deployed Zoho Meetings and Cloudflare tunnels for persistence, as well as a legitimate forensics tool called Velociraptor for command-and-control (C2). The incident occurred on February 7, 2026.
The following sequence of post-exploitation actions describes how the attack unfolded –
- Launched “cmd.exe” to install a remote MSI payload associated with Zoho ManageEngine RMM and established remote access by configuring the Zoho Assist agent for unattended access and registering the compromised host to a Zoho Assist account tied to a Proton Mail address “esmahyft@proton[.]me.”
- Executed Active Directory discovery commands to enumerate domain-joined machines for reconnaissance.
- Leveraged the Zoho Assist remote session to deploy Velociraptor version 0.73.4, an outdated version with a known privilege escalation vulnerability (CVE-2025-6264).
- Used the Velociraptor agent to execute PowerShell commands to check for the presence of “code.exe,” a Visual Studio Code binary with the likely intent of establishing a remote tunnel.
- Installed Cloudflared to establish an additional tunnel-based channel for redundant access to the compromised host.
- Executed a PowerShell script that collects comprehensive system information and transmits it directly to an attacker-controlled Elastic Cloud instance.
- Disabled Windows Defender and Windows Firewall via Registry modifications.
- Executed a script that implements a live C2 failover mechanism for the Velociraptor agent to connect it to a different server (“v2-api.mooo[.]com”) if the original Cloudflare workers[.]dev domain has been detected. It achieves this by sending a request to the failover server and checking the HTTP response code. If the status is 406 Not Acceptable, the Velociraptor is reconfigured to talk to the new server.
- Created scheduled tasks that use QEMU to open an SSH backdoor as a persistence mechanism.
“The Velociraptor server URL, https://auth.qgtxtebl.workers[.]dev/, utilizes a Cloudflare Worker from the same Cloudflare account we have seen before across multiple intrusions involving ToolShell exploitation, and Warlock ransomware deployment, identified by the shared per-account identifier component of the subdomain: qgtxtebl,” Huntress researchers noted.
When asked if the latest set of attacks could also be the work of the Warlock ransomware crew, given the indicators of compromise, Jamie Levy, director of adversary tactics at Huntress, told The Hacker News in an email that “there are definitely some similarities that show that this recent campaign of attacks is from the same threat actor group.”
This includes the “usage of the same tools and tactics post compromise,” along with reused infrastructure observed in prior campaigns. “We also saw one customer come on after they had been compromised and ransomed, cementing our suspicions even further,” Levy added.
(The story was updated after publication to include a response from Huntress.)
