
Attackers Exploit SolarWinds Web Help Desk to Install Zoho Agents and Velociraptor
Breaking News, Hacking, Security, hacking news, information security news, IT Information Security, Pierluigi Paganini, Security Affairs, Security News, SolarWinds Web Help Desk
On February 7, 2026, Huntress confirmed active exploitation of SolarWinds Web Help Desk, in which attackers installed Zoho tools to maintain persistence and used Velociraptor for control. The attackers exploited unpatched versions of SolarWinds Web Help Desk to achieve remote code execution, then quickly installed Zoho ManageEngine tools for persistent remote access and Cloudflare.