**Attackers Abuse SolarWinds Web Help Desk to Install Zoho Agents and Velociraptor**
In a disturbing revelation, Huntress has confirmed active exploitation of vulnerabilities in the SolarWinds Web Help Desk service. Attackers are using this entry point to install Zoho agents for persistent remote access and deploying Velociraptor as a command-and-control tool. The attack showcases the tactics, techniques, and procedures (TTPs) employed by threat actors to gain control over compromised systems.
The investigation by Huntress began on February 7, 2026, when they encountered an active attack abusing SolarWinds Web Help Desk flaws. Attackers exploited unpatched versions of the service to run code remotely and quickly installed Zoho ManageEngine tools for persistent remote access and Cloudflare tunnels. The report highlights that this intrusion stems from recently disclosed vulnerabilities affecting SolarWinds WHD.
The most critical vulnerabilities, including CVE-2025-40551 and CVE-2025-26399, grant an adversary arbitrary code execution via untrusted deserialization. Both have been added to CISA's Known Exploited Vulnerabilities catalog, indicating their severity and potential for widespread exploitation. The attack demonstrates real-world exploitation of these critical SolarWinds WHD vulnerabilities.
Huntress observed active post-exploitation after attackers compromised SolarWinds Web Help Desk. The attack started from the WHD service, which silently installed a Zoho ManageEngine RMM agent to gain persistent remote access. Interestingly, the Zoho Assist agent was configured for unattended access, registering the compromised host to a Zoho Assist account tied to a Proton Mail address.
Once the Zoho ManageEngine RMM agent was established, the threat actor wasted no time pivoting to hands-on-keyboard activity. Using the RMM agent process as their operational foothold, they executed Active Directory discovery commands to enumerate domain-joined machines via `net group "domain computers" /do`, a textbook reconnaissance technique aimed at identifying viable targets for lateral movement.
Using this foothold, the attacker performed domain reconnaissance and deployed Velociraptor as a command-and-control tool. Velociraptor was configured to communicate through Cloudflare Workers and included a failover C2 mechanism. The attacker quickly ran a PowerShell script to collect detailed system information, including OS details, hardware data, domain membership, and installed updates.
This data was formatted and sent to an attacker-controlled Elastic Cloud instance hosted on legitimate Google Cloud infrastructure, effectively giving the attacker a centralized dashboard to track and manage compromised systems using Kibana. To avoid detection, they disabled Windows Defender and the Windows Firewall. They then installed Cloudflared tunnels to maintain hidden remote access and used PowerShell to execute additional commands and manage the system.
To ensure long-term persistence, the attacker also created malicious scheduled tasks that abused QEMU to keep access even after reboots.
**Mitigations Provided by Huntress:**
* Ensure all SolarWinds Web Help Desk instances are up-to-date with the latest patches.
* Implement robust security measures, including firewalls and intrusion detection systems.
* Monitor system logs for suspicious activity.
* Use anti-malware software to detect and remove potential threats.
**Indicators of Compromise (IoCs):**
* Zoho ManageEngine RMM agent installed on compromised hosts
* Velociraptor deployed as a command-and-control tool
* Cloudflare Workers used for communication
* Failover C2 mechanism configured in Velociraptor
* PowerShell script executed to collect system information
* Elastic Cloud instance hosted on legitimate Google Cloud infrastructure
* Cloudflared tunnels installed for hidden remote access
* Malicious scheduled tasks created using QEMU
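The mitigation "monitor system logs for suspicious activity" is only useful if the monitoring encodes the chain described above. The following is an added detection example, not code from Huntress or from the article: it runs a small set of rules over constructed process-creation records (host, parent image, image, command line) and flags each step the report names (RMM agent installed from the WHD service process, the `net group "domain computers" /do` reconnaissance, Defender and firewall being disabled, a cloudflared tunnel, a QEMU-backed scheduled task, a Velociraptor client), then correlates hits per host. The sample log lines, the `java.exe`/`tomcat9.exe` parent names assumed for the Web Help Desk service, and the specific command forms used for disabling Defender and the firewall are assumptions for illustration; the article does not state the exact commands used in the intrusion.

```python
"""Constructed detection example for the SolarWinds WHD post-exploitation chain.
All log lines below are constructed, not real telemetry. Process names and
command forms are assumptions, not values taken from the Huntress report."""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class ProcEvent:
    host: str
    parent_image: str
    image: str
    command_line: str


def _cmd(ev: ProcEvent) -> str:
    return ev.command_line.lower()


# Assumed host-process names for the Web Help Desk service (Java/Tomcat based).
WHD_PARENTS = ("java.exe", "tomcat9.exe")

# Rule name -> predicate over a ProcEvent. Each rule maps to one step the report describes.
RULES = {
    # WHD service process spawning a shell or installer (the RMM agent drop).
    "whd_spawns_installer": lambda ev: ev.parent_image.lower().endswith(WHD_PARENTS)
        and ev.image.lower().endswith(("cmd.exe", "powershell.exe", "msiexec.exe")),
    # AD reconnaissance via net group "domain computers" /do (or /domain).
    "ad_recon_domain_computers": lambda ev: re.search(
        r'\bnet(?:1)?(?:\.exe)?\s+group\s+"?domain computers"?\s+/do', _cmd(ev)) is not None,
    # Zoho Assist / ManageEngine agent installation on the command line.
    "rmm_agent_install": lambda ev: any(k in _cmd(ev) for k in ("zohoassist", "zoho assist", "manageengine")),
    # Defender real-time monitoring or the firewall being switched off (assumed command forms).
    "defender_or_firewall_disabled": lambda ev: "disablerealtimemonitoring" in _cmd(ev)
        or re.search(r"netsh\s+advfirewall\s+set\s+\w+\s+state\s+off", _cmd(ev)) is not None,
    # cloudflared binary or a cloudflared tunnel invocation.
    "cloudflared_tunnel": lambda ev: ev.image.lower().endswith("cloudflared.exe")
        or ("cloudflared" in _cmd(ev) and "tunnel" in _cmd(ev)),
    # Scheduled task creation whose action references QEMU.
    "scheduled_task_qemu": lambda ev: "schtasks" in _cmd(ev) and "/create" in _cmd(ev) and "qemu" in _cmd(ev),
    # Velociraptor client started on the host.
    "velociraptor_client": lambda ev: "velociraptor" in ev.image.lower() or "velociraptor" in _cmd(ev),
}


def parse_log(text: str) -> list:
    """Parse constructed 'host|parent_image|image|command_line' lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        host, parent, image, cmd = line.split("|", 3)
        events.append(ProcEvent(host, parent, image, cmd))
    return events


def evaluate(events: list) -> list:
    """Return (host, rule_name, command_line) for every rule each event matches."""
    hits = []
    for ev in events:
        for name, pred in RULES.items():
            if pred(ev):
                hits.append((ev.host, name, ev.command_line))
    return hits


def hosts_with_chain(hits: list, min_rules: int = 3) -> dict:
    """Correlate per host: hosts matching at least min_rules distinct rules."""
    per_host = defaultdict(set)
    for host, rule, _ in hits:
        per_host[host].add(rule)
    return {h: sorted(r) for h, r in per_host.items() if len(r) >= min_rules}


# Constructed sample telemetry: one compromised WHD server and one benign host.
SAMPLE_LOG = r"""
WHD01|C:\Program Files\SolarWinds\WebHelpDesk\bin\java.exe|C:\Windows\System32\cmd.exe|cmd.exe /c msiexec /i C:\Windows\Temp\ZohoAssist.msi /qn
WHD01|C:\Windows\System32\cmd.exe|C:\Windows\System32\net.exe|net group "domain computers" /do
WHD01|C:\Windows\System32\cmd.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell -c Set-MpPreference -DisableRealtimeMonitoring $true
WHD01|C:\Windows\System32\cmd.exe|C:\Windows\System32\netsh.exe|netsh advfirewall set allprofiles state off
WHD01|C:\Windows\System32\cmd.exe|C:\ProgramData\cloudflared.exe|cloudflared.exe tunnel run --token TOKEN_PLACEHOLDER
WHD01|C:\Windows\System32\cmd.exe|C:\Windows\System32\schtasks.exe|schtasks /create /tn Updater /sc onstart /tr C:\ProgramData\qemu\qemu-system-x86_64.exe
WHD01|C:\Windows\System32\cmd.exe|C:\ProgramData\velociraptor.exe|velociraptor.exe client -c C:\ProgramData\client.config.yaml
FS02|C:\Windows\explorer.exe|C:\Windows\System32\notepad.exe|notepad.exe C:\Users\alice\notes.txt
"""

if __name__ == "__main__":
    hits = evaluate(parse_log(SAMPLE_LOG))
    for host, rule, cmd in hits:
        print(f"{host:6} {rule:32} {cmd}")
    print("hosts with correlated chain:", hosts_with_chain(hits))
```

Each rule is deliberately narrow and maps to one IoC from the list above; the per-host correlation in `hosts_with_chain` is what turns individually noisy matches (an admin running `net group`, a legitimate cloudflared install) into a high-confidence alert, since a single host tripping several of these steps in sequence is the pattern the report describes.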
Stay informed about the latest security threats and trends by following me on Twitter: @securityaffairs and Facebook and Mastodon.