According to the Microsoft Defender Research Team, threat actors exploiting exposed SolarWinds Web Help Desk (WHD) instances deployed hidden QEMU virtual machines to move laterally across corporate networks, with activity observed in December 2025.
The campaign used a scheduled task to launch a QEMU virtual machine running under the SYSTEM account and configured port forwarding (hostfwd=tcp::22022-:22) to create a ghost SSH tunnel, enabling persistent, encrypted access while concealing tools inside a virtualised container. To harvest credentials, the attackers employed DLL sideloading by abusing wab[.]exe to load a malicious sspicli[.]dll, enabling memory access to LSASS and, in at least one instance, a DCSync attack to impersonate a domain controller.
The researchers noted that the exact initial foothold could not be reliably confirmed, with targets exposed to multiple flaws including CVE-2025-40551, CVE-2025-40536 and CVE-2025-26399. Organisations running SolarWinds Web Help Desk are urged to update to the latest versions, remove public internet access to administrative paths, and search for unauthorised RMM artefacts and the QEMU persistence techniques identified in the report.
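As an added defender-side example (not code from the Microsoft report), the Python below applies the two indicators described above to constructed endpoint telemetry: a qemu-system process running as SYSTEM with a hostfwd forward into guest port 22, and wab.exe loading sspicli.dll from outside System32. The event shapes, file paths and the svchost.exe parent for scheduled-task launches are assumptions.

```python
import re

# Constructed sample endpoint telemetry (not taken from the Microsoft report): process-creation
# events carry image/cmdline/user/parent, image-load events carry image/loaded.
EVENTS = [
    {"type": "process", "user": "NT AUTHORITY\\SYSTEM", "parent": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\ProgramData\qemu\qemu-system-x86_64.exe",
     "cmdline": "qemu-system-x86_64.exe -m 2048 -drive file=disk.qcow2 "
                "-netdev user,id=n0,hostfwd=tcp::22022-:22 -device e1000,netdev=n0 -nographic"},
    {"type": "process", "user": "CORP\\dev.user", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\qemu\qemu-system-x86_64.exe",
     "cmdline": "qemu-system-x86_64.exe -m 4096 -cdrom ubuntu.iso"},  # legitimate developer VM
    {"type": "imageload", "image": r"C:\Program Files\Windows Mail\wab.exe",
     "loaded": r"C:\Program Files\Windows Mail\sspicli.dll"},           # sideloaded copy beside wab.exe
    {"type": "imageload", "image": r"C:\Program Files\Windows Mail\wab.exe",
     "loaded": r"C:\Windows\System32\sspicli.dll"},                     # the genuine DLL
]

# QEMU user-mode networking forward, e.g. hostfwd=tcp::22022-:22 (host port 22022 -> guest port 22)
HOSTFWD_RE = re.compile(r"hostfwd=(tcp|udp):[^,\s]*?:(\d+)-[^,\s]*?:(\d+)", re.IGNORECASE)
def hostfwd_rules(cmdline):
    """Return (proto, host_port, guest_port) for every hostfwd= option on a QEMU command line."""
    return [(m.group(1).lower(), int(m.group(2)), int(m.group(3))) for m in HOSTFWD_RE.finditer(cmdline)]
def qemu_tunnel_reasons(event):
    """Indicators that a qemu-system process matches the SYSTEM-level SSH-tunnel VM pattern."""
    if not re.search(r"qemu-system-[\w-]+\.exe$", event["image"], re.IGNORECASE):
        return []
    reasons = []
    if event["user"].upper() == "NT AUTHORITY\\SYSTEM":
        reasons.append("runs as SYSTEM")
    if any(guest == 22 for _, _, guest in hostfwd_rules(event["cmdline"])):
        reasons.append("hostfwd into guest port 22 (SSH)")
    if event.get("parent", "").lower().endswith("\\svchost.exe"):  # Task Scheduler runs inside svchost.exe
        reasons.append("parent is svchost.exe (scheduled task launch)")
    return reasons
def sideload_reason(event):
    """Flag wab.exe loading sspicli.dll from any directory other than System32 (DLL sideloading)."""
    exe = event["image"].rsplit("\\", 1)[-1].lower()
    dll = event["loaded"].lower()
    if exe == "wab.exe" and dll.endswith("\\sspicli.dll") and not dll.startswith("c:\\windows\\system32\\"):
        return f"sspicli.dll loaded from {event['loaded']}"
    return None
def find_suspicious(events):
    """Return (kind, image, reasons); a QEMU process is reported only when two or more indicators agree."""
    findings = []
    for e in events:
        if e["type"] == "process" and len(reasons := qemu_tunnel_reasons(e)) >= 2:
            findings.append(("qemu_ssh_tunnel", e["image"], reasons))
        elif e["type"] == "imageload" and (reason := sideload_reason(e)):
            findings.append(("dll_sideload", e["image"], [reason]))
    return findings
```

Requiring two agreeing indicators keeps ordinary developer QEMU use out of the results while still catching the SYSTEM-launched VM with an SSH forward.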