Hackers are exploiting SolarWinds Web Help Desk (WHD) vulnerabilities to deploy legitimate tools for malicious purposes, such as the Zoho ManageEngine remote monitoring and management tool.
The attacker targeted at least three organizations and also leveraged Cloudflare tunnels for persistence, and the Velociraptor cyber incident response tool for command and control (C2).
The malicious activity was spotted over the weekend by researchers at Huntress Security, who believe that it is part of a campaign that started on January 16 and leveraged recently disclosed SolarWinds WHD flaws.
“On February 7, 2026, Huntress SOC analyst Dipo Rodipe investigated a case of SolarWinds Web Help Desk exploitation, in which the threat actor rapidly deployed Zoho Meetings and Cloudflare tunnels for persistence, as well as Velociraptor for means of command and control,” Huntress says.
According to the cybersecurity company, the threat actor exploited the CVE-2025-40551 vulnerability, which CISA flagged last week as being used in attacks, and CVE-2025-26399.
Both security problems received a critical severity rating and can be used to achieve remote code execution on the host machine without authentication.
It’s worth noting that Microsoft security researchers also "observed a multi‑stage intrusion where threat actors exploited internet‑exposed SolarWinds Web Help Desk (WHD) instances," but they did not confirm exploitation of the two vulnerabilities.
Attack chain and tool deployment
After gaining initial access, the attacker installed the Zoho ManageEngine Assist agent via an MSI file fetched from the Catbox file-hosting platform. They configured the tool for unattended access and registered the compromised host to a Zoho Assist account tied to an anonymous Proton Mail address.
The tool is used for direct hands-on keyboard activity and Active Directory (AD) reconnaissance. It was also used to deploy Velociraptor, fetched as an MSI file from a Supabase bucket.
... continue reading