In a striking display of “living off the land” gone wrong, threat actors are turning legitimate administrative tools into stealthy backdoors. The Microsoft Defender Research Team has uncovered a sophisticated multi-stage intrusion campaign where attackers exploited internet-exposed SolarWinds Web Help Desk (WHD) instances to deploy hidden virtual machines and move laterally across corporate networks.
The attacks, observed in December 2025, highlight a critical reality: a single unpatched service can become a highway to total domain compromise.
Perhaps the most ingenious—and alarming—tactic observed in this campaign was the use of virtualization to hide malicious activity. Once the attackers gained a foothold on the compromised server, they didn’t just install malware; they installed an entire computer.
The report details how the attackers created a scheduled task to launch a QEMU virtual machine running under the high-privilege SYSTEM account.
“Microsoft Defender also observed and raised alerts flagging attacker behavior on creating a scheduled task to launch a QEMU virtual machine under the SYSTEM account at startup,” the researchers explain.
By configuring the virtual machine with port forwarding (hostfwd=tcp::22022-:22), the attackers effectively created a “ghost” SSH tunnel. This allowed them to maintain persistent, encrypted access to the network while hiding their tools and traffic inside a virtualized container that security tools might overlook.
The sophistication didn’t end with virtualization. To steal credentials, the attackers employed a classic DLL sideloading technique, abusing the Windows Address Book (wab.exe) to load a malicious library.
“On some hosts, threat actors used DLL sideloading by abusing wab.exe to load a malicious sspicli.dll,” the report states.
This method allowed them to access the memory of the Local Security Authority Subsystem Service (LSASS) without triggering the alarms that usually ring when hackers try to dump passwords directly. In at least one instance, this led to a “DCSync” attack—effectively allowing the hackers to impersonate a domain controller and replicate sensitive password data.
While the tradecraft is clear, the exact entry point remains unconfirmed. The attacks occurred in December 2025, a period in which the platform had several unpatched vulnerabilities.
The researchers note that “we cannot reliably confirm the exact CVE used to gain an initial foothold” because the target machines were often vulnerable to multiple flaws at once, including the recently disclosed CVE-2025-40551 and CVE-2025-40536, as well as older issues like CVE-2025-26399.
Organizations running SolarWinds Web Help Desk should immediately update to the latest versions and remove public internet access to administrative paths. Additionally, security teams are advised to hunt for unauthorized Remote Monitoring and Management (RMM) artifacts and look for the specific QEMU persistence mechanisms identified in the report.
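One way to hunt for the QEMU persistence mechanism described above, as an added example that is not Microsoft's detection logic or any query from the report: it parses a `schtasks /query /fo CSV /v`-style export (constructed sample rows; task names and paths are made up) and scores tasks that launch `qemu-system` with `hostfwd` port forwarding under SYSTEM at startup.

```python
import csv
import io
import re
from dataclasses import dataclass

# Constructed sample rows in the shape of a `schtasks /query /fo CSV /v` export,
# reduced to the columns this hunt needs. The second row mirrors the pattern the
# report describes: SYSTEM, at startup, QEMU with hostfwd=tcp::22022-:22.
SAMPLE_TASKS_CSV = """\
"TaskName","Run As User","Task To Run","Schedule Type"
"\\Microsoft\\Windows\\Defrag\\ScheduledDefrag","SYSTEM","%windir%\\system32\\defrag.exe -c -h -o -$","Weekly"
"\\WinUpdateSvc","SYSTEM","C:\\ProgramData\\q\\qemu-system-x86_64.exe -m 2048 -hda disk.qcow2 -netdev user,id=n0,hostfwd=tcp::22022-:22 -device e1000,netdev=n0 -display none","At system startup"
"\\DevVM","CORP\\alice","C:\\Program Files\\qemu\\qemu-system-x86_64.exe -m 4096 -hda dev.qcow2","On demand"
"""

QEMU_BIN = re.compile(r"qemu-system-[\w-]+(\.exe)?", re.IGNORECASE)
HOSTFWD = re.compile(r"hostfwd=(tcp|udp):[^,\s]*", re.IGNORECASE)  # host->guest forwards

@dataclass
class Finding:
    task: str
    run_as: str
    forwards: list   # every hostfwd=... rule found in the command line
    reasons: list    # why the task was flagged

def hunt_qemu_tasks(csv_text: str) -> list:
    """Return a Finding for every scheduled task whose action launches QEMU."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        cmd = row.get("Task To Run", "")
        if not QEMU_BIN.search(cmd):
            continue
        reasons = ["qemu launched by scheduled task"]
        forwards = [m.group(0) for m in HOSTFWD.finditer(cmd)]
        if forwards:
            reasons.append("hostfwd port forwarding into guest")
        if row.get("Run As User", "").upper() in ("SYSTEM", "NT AUTHORITY\\SYSTEM"):
            reasons.append("runs as SYSTEM")
        if "start" in row.get("Schedule Type", "").lower():
            reasons.append("triggered at startup")
        if "-display none" in cmd or "-nographic" in cmd:
            reasons.append("headless guest")
        findings.append(Finding(row["TaskName"], row["Run As User"], forwards, reasons))
    return findings

def severity(f: Finding) -> str:
    # Three or more indicators together is the persistence pattern worth escalating;
    # a lone QEMU task (e.g. a developer VM) only needs a look.
    return "high" if len(f.reasons) >= 3 else "review"

if __name__ == "__main__":
    for f in hunt_qemu_tasks(SAMPLE_TASKS_CSV):
        print(severity(f), f.task, f.run_as, f.forwards, "; ".join(f.reasons))
```

On a live host, feed it the output of `schtasks /query /fo CSV /v` instead of the sample text; the "high" row above is the one to escalate.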
“This activity reflects a common but high-impact pattern: a single exposed application can provide a path to full domain compromise when vulnerabilities are unpatched or insufficiently monitored,” Microsoft concludes.