VERY IMPORTANT

Threat actors are actively exploiting a vulnerability in SolarWinds Web Help Desk, targeting organizations using versions prior to 12.8.7 HF1. The attack chain involves deploying Zoho ManageEngine RMM agents, Velociraptor for command and control, and Cloudflare tunnels for persistence. Attackers use encoded PowerShell commands, disable Windows Defender and Firewall, and implement a C2 failover mechanism. They also utilize Elastic Cloud for data exfiltration and QEMU for SSH backdoor persistence. The earliest known instance of this persistence mechanism was observed on January 16, 2026. Organizations are advised to update their SolarWinds Web Help Desk, restrict administrative interface access, reset credentials, and review hosts for unauthorized tools and suspicious activities.