
Attackers abuse SolarWinds Web Help Desk to install Zoho agents and Velociraptor


Huntress confirmed active SolarWinds Web Help Desk exploits, where attackers installed Zoho tools for persistence, and used Velociraptor for control.

On February 7, 2026, Huntress investigated an active attack abusing SolarWinds Web Help Desk flaws. Attackers exploited unpatched versions to run code remotely, then quickly installed Zoho ManageEngine tools for persistent remote access and Cloudflare tunnels.

“This intrusion stemmed from the many recently disclosed vulnerabilities affecting SolarWinds WHD. The most critical vulnerabilities grant an adversary arbitrary code execution via untrusted deserialization — CVE-2025-40551 was recently added to CISA’s Known Exploited Vulnerabilities database, and CVE-2025-26399 was just recently discussed by Microsoft and other vendors who have also observed active in-the-wild exploitation.” reads the report published by Huntress. “They used Velociraptor to control systems and ran domain discovery commands to map networks. The activity confirms real-world exploitation of critical SolarWinds WHD vulnerabilities now tracked by CISA.”

Huntress observed active post-exploitation after attackers compromised SolarWinds Web Help Desk. The initial activity originated from the WHD service process itself, which silently installed a Zoho ManageEngine RMM agent to give the attackers persistent remote access.

“Interestingly, the Zoho Assist agent was configured for unattended access, registering the compromised host to a Zoho Assist account tied to a Proton Mail address, esmahyft@proton[.]me.” continues the report. “Once the Zoho ManageEngine RMM agent was established, the threat actor wasted no time pivoting to hands-on-keyboard activity. Using the RMM agent process (TOOLSIQ.EXE) as their operational foothold, they executed Active Directory discovery commands to enumerate domain-joined machines via net group "domain computers" /do, a textbook reconnaissance technique aimed at identifying viable targets for lateral movement.”

Using this foothold, the attacker performed domain reconnaissance, then deployed Velociraptor as a command-and-control tool. Velociraptor was configured to communicate through Cloudflare Workers and included a failover C2 mechanism.

The attacker quickly ran a PowerShell script to collect detailed system information, including OS details, hardware data, domain membership, and installed updates. This data was formatted and sent to an attacker-controlled Elastic Cloud instance hosted on legitimate Google Cloud infrastructure, effectively giving the attacker a centralized dashboard to track and manage compromised systems using Kibana.

To avoid detection, they disabled Windows Defender and the Windows Firewall. They then installed Cloudflared tunnels to maintain hidden remote access and used PowerShell to execute additional commands and manage the system. To ensure long-term persistence, the attacker also created malicious scheduled tasks that abused QEMU to keep access even after reboots.

Below are the mitigations recommended by Huntress:

  • Update SolarWinds Web Help Desk to version 2026.1 or later, which addresses CVE-2025-26399, CVE-2025-40536, and CVE-2025-40551. All prior versions should be considered vulnerable. See the SolarWinds upgrade guide for instructions.
  • WHD administrative interfaces should not be publicly accessible. Place WHD behind a VPN or firewall and remove direct internet access to admin paths.
  • Reset passwords for all service accounts, administrator accounts, and any credentials accessible through or stored within the WHD application.
  • Review WHD hosts for unauthorized remote access tools (Zoho Assist, Velociraptor, Cloudflared, VS Code tunnels), unexpected services, encoded PowerShell execution, and silent MSI installations spawned by the WHD service process (java.exe / wrapper.exe).
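The last item above is a checklist rather than a procedure, so here is an added host-triage script that turns it into a single hunt. It is example code written for this page, not code from Huntress or SolarWinds. It checks, in order, the remote-access tooling the report names (Zoho Assist / ManageEngine RMM, Velociraptor, cloudflared, VS Code tunnels), scheduled tasks that launch QEMU, tunnels or encoded PowerShell, child processes of the WHD service process (java.exe / wrapper.exe) that look like silent MSI installs or shells, recent Service Control Manager, MsiInstaller and PowerShell script-block events, and whether Defender real-time protection or the firewall profiles are switched off. The name patterns, the 14-day look-back window and the match strings are assumptions chosen from the tooling described in the article; tune them to your environment.

```powershell
# Added host-triage script (not from the Huntress report). Run as Administrator on a
# Windows host running SolarWinds Web Help Desk. The name patterns below are
# assumptions chosen from the tooling the report names; tune them to your estate.

$Findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding([string]$Category, [string]$Detail) {
    $script:Findings.Add([pscustomobject]@{ Category = $Category; Detail = $Detail })
}

# Tools the actor is reported to have dropped: Zoho Assist / ManageEngine RMM (TOOLSIQ.EXE),
# Velociraptor, cloudflared, VS Code tunnels. Assumed pattern; -match is case-insensitive.
$toolPattern = 'zoho|toolsiq|velociraptor|cloudflared|code[- ]tunnel'

# 1. Running processes and installed services matching that tooling
Get-CimInstance Win32_Process | Where-Object {
    "$($_.Name) $($_.CommandLine)" -match $toolPattern
} | ForEach-Object { Add-Finding 'Process' "PID $($_.ProcessId) $($_.Name) $($_.CommandLine)" }

Get-CimInstance Win32_Service | Where-Object {
    "$($_.Name) $($_.DisplayName) $($_.PathName)" -match $toolPattern
} | ForEach-Object { Add-Finding 'Service' "$($_.Name) ($($_.State)) -> $($_.PathName)" }

# 2. Scheduled tasks used for reboot persistence (report: QEMU-based tasks), plus tunnels
#    and encoded PowerShell launched from a task action
Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        $cmd = "$($action.Execute) $($action.Arguments)"
        if ($cmd -match 'qemu|cloudflared|velociraptor|-(e|ec|enc|encodedcommand)\s') {
            Add-Finding 'ScheduledTask' "$($task.TaskPath)$($task.TaskName) [$($task.State)]: $cmd"
        }
    }
}

# 3. Live children of the WHD service process (java.exe / wrapper.exe): silent MSI installs,
#    PowerShell or cmd spawned by the web application are not expected in normal operation
$whdPids = @(Get-CimInstance Win32_Process |
             Where-Object { $_.Name -in 'java.exe', 'wrapper.exe' } |
             Select-Object -ExpandProperty ProcessId)
if ($whdPids.Count -gt 0) {
    Get-CimInstance Win32_Process | Where-Object { $_.ParentProcessId -in $whdPids } |
        Where-Object { $_.CommandLine -match 'msiexec.*(/qn|/quiet)|powershell|cmd\.exe' } |
        ForEach-Object { Add-Finding 'WHDChild' "parent $($_.ParentProcessId) -> PID $($_.ProcessId) $($_.CommandLine)" }
}

# 4. Historical evidence in event logs for the last 14 days (assumed window).
#    System 7045 = new service installed, Application/MsiInstaller 1033 = install completed,
#    PowerShell/Operational 4104 = script block (requires script block logging to be enabled).
$since = (Get-Date).AddDays(-14)
$artifactPattern = "$toolPattern|qemu|msiexec|FromBase64String|Set-MpPreference|netsh.*firewall"
$logQueries = @(
    @{ Note = 'NewService';  Filter = @{ LogName = 'System'; Id = 7045; StartTime = $since } },
    @{ Note = 'MsiInstall';  Filter = @{ LogName = 'Application'; ProviderName = 'MsiInstaller'; Id = 1033; StartTime = $since } },
    @{ Note = 'ScriptBlock'; Filter = @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104; StartTime = $since } }
)
foreach ($q in $logQueries) {
    Get-WinEvent -FilterHashtable $q.Filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match $artifactPattern } |
        ForEach-Object {
            $msg = $_.Message -replace '\s+', ' '
            Add-Finding $q.Note "$($_.TimeCreated) $($msg.Substring(0, [Math]::Min(200, $msg.Length)))"
        }
}

# 5. Defender and firewall state: the actor disabled both to evade detection
$mp = Get-MpPreference -ErrorAction SilentlyContinue
if ($mp -and $mp.DisableRealtimeMonitoring) { Add-Finding 'Defender' 'Real-time monitoring is disabled' }
Get-NetFirewallProfile -ErrorAction SilentlyContinue | Where-Object { -not $_.Enabled } |
    ForEach-Object { Add-Finding 'Firewall' "$($_.Name) profile is disabled" }

if ($Findings.Count -eq 0) { 'No indicators from this hunt were found on this host.' }
else { $Findings | Sort-Object Category | Format-Table -AutoSize -Wrap }
```

Step 3 only sees children that are still running; the MSI install and the reconnaissance commands in this intrusion are short-lived, so for the historical view rely on step 4 together with process-creation auditing (Security 4688 with command-line logging, or Sysmon event 1) filtered on a parent of java.exe or wrapper.exe. A hit in any category is a reason to treat the host as compromised and proceed to the credential resets listed above rather than to clean up the single artifact.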


Pierluigi Paganini

(SecurityAffairs – hacking, SolarWinds Web Help Desk)