{"id":213145,"date":"2026-02-09T15:28:00","date_gmt":"2026-02-09T20:28:00","guid":{"rendered":"https:\/\/news-you-need.com\/index.php\/2026\/02\/09\/hackers-exploit-solarwinds-whd-flaws-to-deploy-dfir-tool-in-attacks\/"},"modified":"2026-02-13T14:10:12","modified_gmt":"2026-02-13T19:10:12","slug":"hackers-exploit-solarwinds-whd-flaws-to-deploy-dfir-tool-in-attacks","status":"publish","type":"post","link":"https:\/\/news-you-need.com\/index.php\/2026\/02\/09\/hackers-exploit-solarwinds-whd-flaws-to-deploy-dfir-tool-in-attacks\/","title":{"rendered":"Hackers exploit SolarWinds WHD flaws to deploy DFIR tool in attacks"},"content":{"rendered":"<p><a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/threat-actors-exploit-solarwinds-wdh-flaws-to-deploy-velociraptor\/\">Hackers exploit SolarWinds WHD flaws to deploy DFIR tool in attacks<\/a><\/p>\n<p><a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/threat-actors-exploit-solarwinds-wdh-flaws-to-deploy-velociraptor\/\">https:\/\/www.bleepingcomputer.com\/news\/security\/threat-actors-exploit-solarwinds-wdh-flaws-to-deploy-velociraptor\/<\/a><\/p>\n<p>Publish Date: <a href=\"publish_date]\">2026-02-09 15:28:00<\/a><\/p>\n<p>Source Domain: <a href=\"www.bleepingcomputer.com\">www.bleepingcomputer.com<\/a><\/p>\n<p style=\"text-align:center\">\n<p>Hackers are exploiting SolarWinds Web Help Desk (WHD) vulnerabilities to deploy legitimate tools for malicious purposes, such as the Zoho ManageEngine remote monitoring and management tool.<\/p>\n<p>The attacker targeted at least three organizations and also leveraged\u00a0Cloudflare tunnels for persistence, and the\u00a0Velociraptor cyber incident response tool for command and control (C2).<\/p>\n<p>The malicious activity was spotted over the weekend by researchers at Huntress Security, who believe that it is part of a campaign that started on January\u00a016 and leveraged recently disclosed\u00a0SolarWinds WHD flaws.<\/p>\n<p> <img decoding=\"async\" src=\"https:\/\/www.bleepstatic.com\/c\/w\/Secured-Images-970x250.png\" alt=\"Wiz\" style=\"margin-top: 0px;\"\/><\/p>\n<p>\u201cOn February 7, 2026, Huntress SOC analyst Dipo Rodipe investigated a case of SolarWinds Web Help Desk exploitation, in which the threat actor rapidly deployed Zoho Meetings and Cloudflare tunnels for persistence, as well as Velociraptor for means of command and control,\u201d Huntress says.<\/p>\n<p>According to the cybersecurity company, the threat actor exploited the\u00a0CVE-2025-40551 vulnerability, which CISA flagged last week as being used in attacks, and CVE-2025-26399.<\/p>\n<p>Both security problems received a critical severity rating and can be used to achieve remote code execution on the host machine without authentication.<\/p>\n<p>It\u2019s worth noting that Microsoft security researchers also &#8220;observed a multi\u2011stage intrusion where threat actors exploited internet\u2011exposed SolarWinds Web Help Desk (WHD) instances,&#8221; but they did not confirm exploitation of the two vulnerabilities.<\/p>\n<h3>Attack chain and tool deployment<\/h3>\n<p>After gaining initial access,\u00a0the attacker\u00a0installed the Zoho ManageEngine Assist agent via an MSI file fetched from the Catbox file-hosting platform. They configured the tool for unattended access and registered the compromised host to a Zoho Assist account tied to an anonymous Proton Mail address.<\/p>\n<p>The tool is used for direct hands-on keyboard activity and Active Directory (AD) reconnaissance. It was\u00a0also used to deploy Velociraptor, fetched as an MSI&#8230;<\/p>\n<p><a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/threat-actors-exploit-solarwinds-wdh-flaws-to-deploy-velociraptor\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Hackers exploit SolarWinds WHD flaws to deploy DFIR tool in attacks https:\/\/www.bleepingcomputer.com\/news\/security\/threat-actors-exploit-solarwinds-wdh-flaws-to-deploy-velociraptor\/ Publish Date: 2026-02-09&#8230;<\/p>\n","protected":false},"author":1,"featured_media":213146,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/www.bleepstatic.com\/content\/hl-images\/2024\/07\/18\/solarwinds.jpg","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[24,31,34,27],"class_list":["post-213145","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-cybersecurity","tag-exploit","tag-threat-actor","tag-vulnerability"],"_links":{"self":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/213145"}],"collection":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=213145"}],"version-history":[{"count":1,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/213145\/revisions"}],"predecessor-version":[{"id":213147,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/213145\/revisions\/213147"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/213146"}],"wp:attachment":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=213145"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=213145"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=213145"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}