According to Huntress, on February 7, 2026, attackers exploited unpatched SolarWinds Web Help Desk flaws to run code remotely and quickly installed Zoho ManageEngine tools for persistent remote access, with Velociraptor used for control.
The intrusion started from the WHD service, which silently installed a Zoho ManageEngine RMM agent to gain persistence, and the Zoho Assist agent was configured for unattended access, registering the compromised host to a Zoho Assist account tied to a Proton Mail address esmahyft@proton[.]me. The threat actor used the RMM process to perform Active Directory discovery and then deployed Velociraptor as a command-and-control tool, with communication routed through Cloudflare Workers and a failover C2 mechanism.
The threat actor then ran a PowerShell script to collect detailed system information and sent the data to an attacker-controlled Elastic Cloud instance hosted on Google Cloud, creating a centralised dashboard to track compromised systems via Kibana. Mitigations include updating SolarWinds Web Help Desk to version 2026.1 or later to address CVE-2025-26399, CVE-2025-40536, and CVE-2025-40551, restricting WHD admin access behind a VPN or firewall, and resetting passwords for service and administrator accounts.
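A defender-side hunt for the process chain described above (the WHD service spawning an RMM installer, Velociraptor, or PowerShell), written as an added example that is not Huntress's or the publication's code; the binary names, install path and sample events are constructed assumptions, not indicators from the report:

```python
"""Flag process-creation events where the Web Help Desk service is the parent of
an RMM agent install, a Velociraptor client, or PowerShell. All values below are
constructed for illustration."""
from dataclasses import dataclass

# Assumed substrings: the report names the tools, not their exact binaries.
WHD_HINTS = ("webhelpdesk",)                      # assumed WHD install path
RMM_HINTS = ("zohoassist", "manageengine")        # Zoho RMM / Assist installers
C2_HINTS = ("velociraptor",)                      # Velociraptor client binary


@dataclass
class ProcEvent:
    host: str
    parent_image: str
    parent_cmdline: str
    image: str
    cmdline: str


def classify(ev: ProcEvent) -> list:
    """Return alert labels for one event; empty list when the parent is not WHD."""
    parent = f"{ev.parent_image} {ev.parent_cmdline}".lower()
    child = f"{ev.image} {ev.cmdline}".lower()
    if not any(h in parent for h in WHD_HINTS):
        return []                                  # only WHD-parented children matter here
    alerts = []
    if any(h in child for h in RMM_HINTS):
        alerts.append("whd_spawned_rmm_agent")
    if any(h in child for h in C2_HINTS):
        alerts.append("whd_spawned_velociraptor")
    if "powershell" in child:
        alerts.append("whd_spawned_powershell")
    return alerts


def hunt(events) -> list:
    """Return (host, child image, labels) for every event that raised an alert."""
    return [(ev.host, ev.image, labels) for ev in events if (labels := classify(ev))]


WHD_JAVA = r"C:\Program Files\WebHelpDesk\bin\jre\bin\java.exe"   # assumed path
SAMPLE_EVENTS = [  # constructed telemetry, not from the incident
    ProcEvent("srv-whd01", WHD_JAVA, "java.exe -jar whd.jar", "msiexec.exe",
              r"msiexec.exe /i C:\Windows\Temp\ZohoAssistSetup.msi /qn"),
    ProcEvent("srv-whd01", WHD_JAVA, "java.exe -jar whd.jar", "velociraptor.exe",
              r"velociraptor.exe --config C:\Windows\Temp\client.yaml client"),
    ProcEvent("srv-whd01", WHD_JAVA, "java.exe -jar whd.jar", "powershell.exe",
              "powershell.exe -NoProfile -File inventory.ps1"),
    ProcEvent("ws-22", r"C:\Windows\explorer.exe", "explorer.exe", "powershell.exe",
              "powershell.exe"),                    # benign: parent is not WHD
]
```

Running `hunt(SAMPLE_EVENTS)` yields three hits on srv-whd01 and none for the workstation, since the rule keys on the WHD parent rather than on PowerShell alone.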