Hackers are exploiting SolarWinds Web Help Desk (WHD) vulnerabilities to deploy legitimate tools for malicious purposes, such as the Zoho ManageEngine remote monitoring and management tool.
The attacker targeted at least three organizations and also leveraged Cloudflare tunnels for persistence, and the Velociraptor cyber incident response tool for command and control (C2).
The malicious activity was spotted over the weekend by researchers at Huntress Security, who believe that it is part of a campaign that started on January 16 and leveraged recently disclosed SolarWinds WHD flaws.
“On February 7, 2026, Huntress SOC analyst Dipo Rodipe investigated a case of SolarWinds Web Help Desk exploitation, in which the threat actor rapidly deployed Zoho Meetings and Cloudflare tunnels for persistence, as well as Velociraptor for means of command and control,” Huntress says.
According to the cybersecurity company, the threat actor exploited the CVE-2025-40551 vulnerability, which CISA flagged last week as being used in attacks, and CVE-2025-26399.
Both security problems received a critical severity rating and can be used to achieve remote code execution on the host machine without authentication.
It’s worth noting that Microsoft security researchers also “observed a multi‑stage intrusion where threat actors exploited internet‑exposed SolarWinds Web Help Desk (WHD) instances,” but they did not confirm exploitation of the two vulnerabilities.
Attack chain and tool deployment
After gaining initial access, the attacker installed the Zoho ManageEngine Assist agent via an MSI file fetched from the Catbox file-hosting platform. They configured the tool for unattended access and registered the compromised host to a Zoho Assist account tied to an anonymous Proton Mail address.
The tool is used for direct hands-on keyboard activity and Active Directory (AD) reconnaissance. It was also used to deploy Velociraptor, fetched as an MSI file from a Supabase bucket.
Velociraptor is a legitimate digital forensics and incident response (DFIR) tool that Cisco Talos recently warned was being abused in ransomware attacks.
In the attacks observed by Huntress, the DFIR platform is used as a command-and-control (C2) framework that communicates with attackers via Cloudflare Workers.
The researchers note that the attacker used an outdated version of the Velociraptor, 0.73.4, which is vulnerable to a privilege escalation flaw that allows increasing permissions on the host.
The threat actor also installed Cloudflared from Cloudflare’s official GitHub repository, using it as a secondary tunnel-based access channel for C2 redundancy.
In some cases, persistence was also achieved via a scheduled task (TPMProfiler) that opens an SSH backdoor via QEMU.
The attackers also disabled Windows Defender and Firewall via registry modifications to make sure that fetching additional payloads would not be blocked.
“Approximately a second after disabling Defender, the threat actor downloaded a fresh copy of the VS Code binary,” the researchers say.
Security updates and mitigation
System administrators are recommended to upgrade SolarWinds Web Help Desk to version 2026.1 or later, remove public internet access to SolarWinds WHD admin interfaces, and reset all credentials associated with the product.
Huntress also shared Sigma rules and indicators of compromise to help detect Zoho Assist, Velociraptor, Cloudflared, and VS Code tunnel activity, silent MSI installations, and encoded PowerShell execution.
Neither Microsoft nor Huntress attributed the observed attacks to any specific threat groups, and nothing about the targets was disclosed beyond Microsoft characterizing the breached environments as “high-value assets.”
Modern IT infrastructure moves faster than manual workflows can handle.
In this new Tines guide, learn how your team can reduce hidden manual delays, improve reliability through automated response, and build and scale intelligent workflows on top of tools you already use.
