Full Report
Hackers are now exploiting SolarWinds Web Help Desk (WHD) vulnerabilities to gain code execution rights on exposed systems and deploy legitimate tools, including the Velociraptor forensics tools, for persistence and remote control. [...]
Analysis Summary
# Tool/Technique: Velociraptor
## Overview
Velociraptor is a legitimate, open-source digital forensics and incident response (DFIR) tool developed by Cisco Talos. In this specific attack, threat actors abused this legitimate tool to establish command and control (C2) and maintain persistence post-exploitation on compromised SolarWinds Web Help Desk servers.
## Technical Details
- Type: Tool (Abused Legitimate DFIR Tool)
- Platform: Windows (Inferred from context: MSI installation, Windows Defender/Firewall manipulation, scheduled tasks)
- Capabilities: Incident response data collection, endpoint visibility, and remote command execution (when used maliciously as C2).
- First Seen: N/A (Legitimate tool, abuse timeline inferred from campaign start date of January 16, 2026).
## MITRE ATT&CK Mapping
- T1071 - Application Layer Protocol
- T1071.001 - Web Protocols (Used for C2 communication via Cloudflare Workers)
- T1547 - Boot or Logon Autostart Execution
- T1547.001 - Registry Run Keys / Startup Folder (persistence mechanisms beyond Velociraptor itself are implied; Velociraptor serves the post-exploitation C2 function)
- T1021 - Remote Services (Used for C2)
## Functionality
### Core Capabilities (As abused)
- Establishing Command and Control (C2) over the compromised host.
- Executing attacker-defined instructions remotely.
- Persistence mechanism deployment (used alongside other tools).
### Advanced Features
- The observed version (0.73.4) was notably outdated and vulnerable to a privilege escalation flaw, which the actors likely leveraged to increase their permissions on the host system.
- Communication utilized Cloudflare Workers for C2, suggesting an application-layer protocol abuse method.
## Indicators of Compromise
- File Hashes: [Not provided in the text]
- File Names: Velociraptor MSI file (downloaded from Supabase bucket).
- Registry Keys: [Not explicitly listed for Velociraptor, but modifications were made to disable Windows Defender/Firewall.]
- Network Indicators: C2 communications channeled via Cloudflare Workers (defanged: *cf-workers[.]com if endpoints were visible*).
- Behavioral Indicators: Fetching and executing an MSI package purported to be Velociraptor; communication patterns indicative of DFIR tool beaconing.
## Associated Threat Actors
- Not explicitly attributed to a specific threat group ("Neither Microsoft nor Huntress attributed the observed attacks to any specific threat groups").
## Detection Methods
- Signature-based detection: Signatures for Velociraptor binaries (if specific versions/builds are used).
- Behavioral detection: Detection of silent MSI installations; detection of network activity beaconing towards Cloudflare Workers originating from unusual processes; detection of known outdated Velociraptor versions.
- YARA rules: [Not provided in the text]
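The behavioral detections listed above can be expressed as simple rules over endpoint telemetry. The following is an added example (not code from the original report or from the Velociraptor project) that runs three of those checks over constructed event records: silent `msiexec` installs (extra weight when the package name mentions Velociraptor), an installed Velociraptor at or below the outdated 0.73.4 version named in the report, and a connection to a Cloudflare Workers hostname from a process that is not an interactive browser. The event schema, the `workers.dev` suffix, the browser allowlist and the version cutoff are all assumptions made for the example; the report gives no concrete endpoint or log format.

```python
"""Heuristic detections for the Velociraptor-abuse pattern in the report.

All events below are constructed samples. Field names loosely mimic
Sysmon / MsiInstaller logging but are an assumption, not a real schema.
"""
import re

# Versions at or below this are treated as outdated. The report names 0.73.4
# as outdated and vulnerable; using it as the cutoff is an assumption.
MAX_OUTDATED_VERSION = (0, 73, 4)

# Assumed hostname suffix for Cloudflare Workers endpoints (the report gives
# no concrete C2 endpoint); extend with what your environment observes.
SUSPECT_HOST_SUFFIXES = ("workers.dev",)

# Assumed allowlist: processes for which a Workers connection is expected.
EXPECTED_WEB_CLIENTS = {"chrome.exe", "firefox.exe", "msedge.exe"}

# msiexec switches that make an install non-interactive.
SILENT_FLAGS = re.compile(r"(^|\s)/(qn|qb|quiet|passive)\b", re.IGNORECASE)


def parse_version(text):
    """'0.73.4' -> (0, 73, 4); non-numeric fragments are ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", text))


def is_outdated_velociraptor(version):
    return parse_version(version) <= MAX_OUTDATED_VERSION


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_silent_msi(ev):
    """Flag msiexec launched with a silent switch; raise severity if the
    command line names a Velociraptor package."""
    if ev.get("type") != "process_create" or basename(ev["image"]) != "msiexec.exe":
        return None
    cmd = ev.get("cmdline", "")
    if not SILENT_FLAGS.search(cmd):
        return None
    severity = "high" if "velociraptor" in cmd.lower() else "medium"
    return {"rule": "silent_msi_install", "severity": severity, "event_id": ev["id"]}


def check_outdated_velociraptor(ev):
    """Flag an installed Velociraptor whose version is at or below the cutoff."""
    if ev.get("type") != "installed_product":
        return None
    if "velociraptor" not in ev.get("product", "").lower():
        return None
    if not is_outdated_velociraptor(ev.get("version", "0")):
        return None
    return {"rule": "outdated_velociraptor", "severity": "high", "event_id": ev["id"]}


def check_workers_beacon(ev):
    """Flag outbound connections to a Workers hostname from a non-browser."""
    if ev.get("type") != "network_connect":
        return None
    host = ev.get("dest_host", "").lower()
    if not any(host == s or host.endswith("." + s) for s in SUSPECT_HOST_SUFFIXES):
        return None
    if basename(ev["image"]) in EXPECTED_WEB_CLIENTS:
        return None
    return {"rule": "workers_beacon_unusual_process", "severity": "high", "event_id": ev["id"]}


RULES = (check_silent_msi, check_outdated_velociraptor, check_workers_beacon)


def run_rules(events):
    """Apply every rule to every event; return the list of findings in order."""
    findings = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                findings.append(hit)
    return findings


# Constructed sample telemetry: one hit per rule plus two benign look-alikes.
SAMPLE_EVENTS = [
    {"id": 1, "type": "process_create", "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec.exe /i C:\Users\Public\velociraptor.msi /qn"},
    {"id": 2, "type": "process_create", "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec.exe /i C:\Temp\7zip.msi"},          # interactive install
    {"id": 3, "type": "installed_product", "product": "Velociraptor", "version": "0.73.4"},
    {"id": 4, "type": "installed_product", "product": "Velociraptor", "version": "0.74.1"},
    {"id": 5, "type": "network_connect", "image": r"C:\Program Files\Velociraptor\Velociraptor.exe",
     "dest_host": "example-c2.workers.dev", "dest_port": 443},
    {"id": 6, "type": "network_connect", "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "dest_host": "app.workers.dev", "dest_port": 443},       # browser, allowlisted
]

if __name__ == "__main__":
    for f in run_rules(SAMPLE_EVENTS):
        print(f)
```

Run against `SAMPLE_EVENTS`, the rules fire on events 1, 3 and 5 only: the interactive MSI install, the current Velociraptor version and the browser-originated Workers connection are left alone. The allowlist and suffix list are deliberately small; in production the Workers rule is more useful when paired with process-reputation or signing data, since an attacker can just as well beacon from a renamed binary.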
## Mitigation Strategies
- Upgrade SolarWinds Web Help Desk to version 2026.1 or later immediately.
- Remove public internet access to all SolarWinds WHD admin interfaces.
- Reset all credentials associated with the WHD product.
- Monitor for the deployment of legitimate tools like Velociraptor, Zoho Assist, or Cloudflared via unusual installation paths (e.g., silent MSI installs).
## Related Tools/Techniques
- **Zoho ManageEngine Assist Agent:** Used for initial hands-on keyboard activity and Active Directory reconnaissance.
- **Cloudflared/Cloudflare Tunnels:** Used for establishing a secondary, persistent C2 channel and data exfiltration.
- **VS Code Binary:** Downloaded post-exploitation, potentially for tunnel creation or other remote access.
- **CVE-2025-40551 & CVE-2025-26399:** The initial access vulnerabilities used in SolarWinds WHD.