To implement effective cybersecurity programs and keep the security team deeply integrated into all business processes, the CISO needs to regularly demonstrate the value of this work to senior management. This requires speaking the language of business, but a dangerous trap awaits those who try.  Security professionals and executives often use the same words, but for entirely different things. Sometimes, a number of similar terms are used interchangeably. As a result, top management may not understand which threats the security team is trying to mitigate, what the company’s actual level of cyber-resilience is, or where budget and resources are being allocated. Therefore, before presenting sleek dashboards or calculating the ROI of security programs, it’s worth subtly clarifying these important terminological nuances.

By clarifying these terms and building a shared vocabulary, the CISO and the Board can significantly improve communication and, ultimately, strengthen the organization’s overall security posture.

Why cybersecurity vocabulary matters for management

Varying interpretations of terms are more than just an inconvenience; the consequences can be quite substantial. A lack of clarity regarding details can lead to:

• Misallocated investments. Management might approve the purchase of a zero trust solution without realizing it’s only one piece of a long-term, comprehensive program with a significantly larger budget. The money is spent, yet the results management expected are never achieved. Similarly, with regard to cloud migration, management may assume that moving to the cloud automatically transfers all security responsibility to the provider, and subsequently reject the cloud security budget.
• Blind acceptance of risk. Business unit leaders may accept cybersecurity risks without having a full understanding of the potential impact.
• Lack of governance. Without understanding the terminology, management can’t ask the right — tough — questions, or assign areas of responsibility effectively. When an incident occurs, it often turns out that business owners believed security was entirely within the CISO’s domain, while the CISO lacked the authority to influence business processes.

Cyber-risk vs. IT risk

Many executives believe that cybersecurity is a purely technical issue they can hand off to IT. Even though the importance of cybersecurity to business is indisputable, and cyber-incidents have long ranked as a top business risk, surveys show that many organizations still fail to engage non-technical leaders in cybersecurity discussions.

Information security risks are often lumped in with IT concerns like uptime and service availability.  In reality, cyberrisk is a strategic business risk linked to business continuity, financial loss, and reputational damage.

IT risks are generally operational in nature, affecting efficiency, reliability, and cost management. Responding to IT incidents is often handled entirely by IT staff. Major cybersecurity incidents, however, have a much broader scope; they require the engagement of nearly every department, and have a long-term impact on the organization in many ways — including as regards reputation, regulatory compliance, customer relationships, and overall financial health.

Compliance vs. security

Cybersecurity is integrated into regulatory requirements at every level — from international directives like NIS2 and GDPR, to cross-border industry guidelines like PCI DSS, plus specific departmental mandates. As a result, company management often views cybersecurity measures as compliance checkboxes, believing that once regulatory requirements are met, cybersecurity issues can be considered resolved. This mindset can stem from a conscious effort to minimize security spending (“we’re not doing more than what we’re required to”) or from a sincere misunderstanding (“we’ve passed an ISO 27001 audit, so we’re unhackable”).

In reality, compliance is meeting the minimum requirements of auditors and government regulators at a specific point in time. Unfortunately, the history of large-scale cyberattacks on major organizations proves that “minimum” requirements have that name for a reason. For real protection against modern cyberthreats, companies must continuously improve their security strategies and measures according to the specific needs of the given industry.

Threat, vulnerability, and risk

These three terms are often used synonymously, which leads to erroneous conclusions made by management: “There’s a critical vulnerability on our server? That means we have a critical risk!” To avoid panic or, conversely, inaction, it’s vital to use these terms precisely and understand how they relate to one another.

A vulnerability is a weakness — an “open door”. This could be a flaw in software code, a misconfigured server, an unlocked server room, or an employee who opens every email attachment.

A threat is a potential cause of an incident. This could be a malicious actor, malware, or even a natural disaster. A threat is what might “walk through that open door”.

Risk is the potential loss. It’s the cumulative assessment of the likelihood of a successful attack, and what the organization stands to lose as a result (the impact).

The connections among these elements are best explained with a simple formula:

Risk = (Threat × Vulnerability) × Impact

This can be illustrated as follows. Imagine a critical vulnerability with a maximum severity rating is discovered in an outdated system. However, this system is disconnected from all networks, sits in an isolated room, and is handled by only three vetted employees. The probability of an attacker reaching it is near zero. Meanwhile, the lack of two-factor authentication in the accounting systems creates a real, high risk, resulting from both a high probability of attack and significant potential damage.

Incident response, disaster recovery, and business continuity

Management’s perception of security crises is often oversimplified: “If we get hit by ransomware, we’ll just activate the IT Disaster Recovery plan and restore from backups”. However, conflating these concepts — and processes — is extremely dangerous.

Incident Response (IR) is the responsibility of the security team or specialist contractors. Their job is to localize the threat, kick the attacker out of the network, and stop the attack from spreading.

Disaster Recovery (DR) is an IT engineering task. It’s the process of restoring servers and data from backups after the incident response has been completed.

Business Continuity (BC) is a strategic task for top management. It’s the plan for how the company continues to serve customers, ship goods, pay compensation, and talk to the press while its primary systems are still offline.

If management focuses solely on recovery, the company will lack an action plan for the most critical period of downtime.

Security awareness vs. security culture

Leaders at all levels sometimes assume that simply conducting security training guarantees results: “The employees have passed their annual test, so now they won’t click on a phishing link”. Unfortunately, relying solely on training organized by HR and IT won’t cut it. Effectiveness requires changing the team’s behavior, which is impossible without the engagement of business management.

Awareness is knowledge. An employee knows what phishing is and understands the importance of complex passwords.

Security culture refers to behavioral patterns. It’s what an employee does in a stressful situation or when no one’s watching. Culture isn’t shaped by tests, but by an environment where it’s safe to report mistakes and where it’s customary to identify and prevent potentially dangerous situations. If an employee fears punishment, they’ll hide an incident. In a healthy culture, they’ll report a suspicious email to the SOC, or nudge a colleague who forgets to lock their computer, thereby becoming an active link in the defense chain.

Detection vs. prevention

Business leaders often think in outdated “fortress wall” categories: “We bought expensive protection systems, so there should be no way to hack us. If an incident occurs, it means the CISO failed”. In practice, preventing 100% of attacks is technically impossible and economically prohibitive. Modern strategy is built on a balance between cybersecurity and business effectiveness. In a balanced system, components focused on threat detection and prevention work in tandem.

Prevention deflects automated, mass attacks.

Detection and Response help identify and neutralize more professional, targeted attacks that manage to bypass prevention tools or exploit vulnerabilities.

The key objective of the cybersecurity team today isn’t to guarantee total invulnerability, but to detect an attack at an early stage and minimize the impact on the business. To measure success here, the industry typically uses metrics like Mean Time to Detect (MTTD) and Mean Time to Respond (MTTR).

Zero-trust philosophy vs. zero-trust products

The zero trust concept — which implies “never trust, always verify” for all components of IT infrastructure — has long been recognized as relevant and effective in corporate security. It requires constant verification of identity (user accounts, devices, and services) and context for every access request based on the assumption that the network has already been compromised.

However, the presence of “zero trust” in the name of a security solution doesn’t mean an organization can adopt this approach overnight simply by purchasing the product.
Zero trust isn’t a product you can “turn on”; it’s an architectural strategy and a long-term transformation journey. Implementing zero trust requires restructuring access processes and refining IT systems to ensure continuous verification of identity and devices. Buying software without changing processes won’t have a significant effect.

Security of the cloud vs. security in the cloud

When migrating IT services to cloud infrastructure like AWS or Azure, there’s often an illusion of a total risk transfer: “We pay the provider, so security is now their headache”. This is a dangerous misconception, and a misinterpretation of what is known as the Shared Responsibility Model.

Security of the cloud is the provider’s responsibility. It protects the data centers, the physical servers, and the cabling.

Security in the cloud is the client’s responsibility.

Discussions regarding budgets for cloud projects and their security aspects should be accompanied by real life examples. The provider protects the database from unauthorized access according to the settings configured by the client’s employees. If employees leave a database open or use weak passwords, and if two-factor authentication isn’t enabled for the administrator panel, the provider can’t prevent unauthorized individuals from downloading the information — an all-too-common news story. Therefore, the budget for these projects must account for cloud security tools and configuration management on the company side.

Vulnerability scanning vs. penetration testing

Leaders often confuse automated checks, which fall under cyber-hygiene, with assessing IT assets for resilience against sophisticated attacks: “Why pay hackers for a pentest when we run the scanner every week?”

Vulnerability scanning checks a specific list of IT assets for known vulnerabilities. To put it simply, it’s like a security guard doing the rounds to check that the office windows and doors are locked.

Penetration testing (pentesting) is a manual assessment to evaluate the possibility of a real-world breach by exploiting vulnerabilities. To continue the analogy, it’s like hiring an expert burglar to actually try and break into the office.

One doesn’t replace the other; to understand its true security posture, a business needs both tools.

Managed assets vs. attack surface

A common and dangerous misconception concerns the scope of protection and the overall visibility held by IT and Security. A common refrain at meetings is, “We have an accurate inventory list of our hardware. We’re protecting everything we own”.

Managed IT assets are things the IT department has purchased, configured, and can see in their reports.

An attack surface is anything accessible to attackers: any potential entry point into the company. This includes Shadow IT (cloud services, personal messaging apps, test servers…), which is basically anything employees launch themselves in circumvention of official protocols to speed up or simplify their work. Often, it’s these “invisible” assets that become the entry point for an attack, as the security team can’t protect what it doesn’t know exists.

A convincing lookalike of the popular 7-Zip archiver site has been serving a trojanized installer that silently converts victims’ machines into residential proxy nodes—and it has been hiding in plain sight for some time.

“I’m so sick to my stomach”

A PC builder recently turned to Reddit’s r/pcmasterrace community in a panic after realizing they had downloaded 7‑Zip from the wrong website. Following a YouTube tutorial for a new build, they were instructed to download 7‑Zip from 7zip[.]com, unaware that the legitimate project is hosted exclusively at 7-zip.org.

In their Reddit post, the user described installing the file first on a laptop and later transferring it via USB to a newly built desktop. They encountered repeated 32‑bit versus 64‑bit errors and ultimately abandoned the installer in favor of Windows’ built‑in extraction tools. Nearly two weeks later, Microsoft Defender alerted on the system with a generic detection: Trojan:Win32/Malgent!MSR.

The experience illustrates how a seemingly minor domain mix-up can result in long-lived, unauthorized use of a system when attackers successfully masquerade as trusted software distributors.

A trojanized installer masquerading as legitimate software

This is not a simple case of a malicious download hosted on a random site. The operators behind 7zip[.]com distributed a trojanized installer via a lookalike domain, delivering a functional copy of functional 7‑Zip File Manager alongside a concealed malware payload.

The installer is Authenticode‑signed using a now‑revoked certificate issued to Jozeal Network Technology Co., Limited, lending it superficial legitimacy. During installation, a modified build of 7zfm.exe is deployed and functions as expected, reducing user suspicion. In parallel, three additional components are silently dropped:

• Uphero.exe—a service manager and update loader
• hero.exe—the primary proxy payload (Go‑compiled)
• hero.dll—a supporting library

All components are written to C:\Windows\SysWOW64\hero\, a privileged directory that is unlikely to be manually inspected.

An independent update channel was also observed at update.7zip[.]com/version/win-service/1.0.0.2/Uphero.exe.zip, indicating that the malware payload can be updated independently of the installer itself.

Abuse of trusted distribution channels

One of the more concerning aspects of this campaign is its reliance on third‑party trust. The Reddit case highlights YouTube tutorials as an inadvertent malware distribution vector, where creators incorrectly reference 7zip.com instead of the legitimate domain.

This shows how attackers can exploit small errors in otherwise benign content ecosystems to funnel victims toward malicious infrastructure at scale.

Execution flow: from installer to persistent proxy service

Behavioral analysis shows a rapid and methodical infection chain:

1. File deployment—The payload is installed into SysWOW64, requiring elevated privileges and signaling intent for deep system integration.

2. Persistence via Windows services—Both Uphero.exe and hero.exe are registered as auto‑start Windows services running under System privileges, ensuring execution on every boot.

3. Firewall rule manipulation—The malware invokes netsh to remove existing rules and create new inbound and outbound allow rules for its binaries. This is intended to reduce interference with network traffic and support seamless payload updates.

4. Host profiling—Using WMI and native Windows APIs, the malware enumerates system characteristics including hardware identifiers, memory size, CPU count, disk attributes, and network configuration. The malware communicates with iplogger[.]org via a dedicated reporting endpoint, suggesting it collects and reports device or network metadata as part of its proxy infrastructure.

Functional goal: residential proxy monetization

While initial indicators suggested backdoor‑style capabilities, further analysis revealed that the malware’s primary function is proxyware. The infected host is enrolled as a residential proxy node, allowing third parties to route traffic through the victim’s IP address.

The hero.exe component retrieves configuration data from rotating “smshero”‑themed command‑and‑control domains, then establishes outbound proxy connections on non‑standard ports such as 1000 and 1002. Traffic analysis shows a lightweight XOR‑encoded protocol (key 0x70) used to obscure control messages.

This infrastructure is consistent with known residential proxy services, where access to real consumer IP addresses is sold for fraud, scraping, ad abuse, or anonymity laundering.

Shared tooling across multiple fake installers

The 7‑Zip impersonation appears to be part of a broader operation. Related binaries have been identified under names such as upHola.exe, upTiktok, upWhatsapp, and upWire, all sharing identical tactics, techniques, and procedures:

• Deployment to SysWOW64
• Windows service persistence
• Firewall rule manipulation via netsh
• Encrypted HTTPS C2 traffic

Embedded strings referencing VPN and proxy brands suggest a unified backend supporting multiple distribution fronts.

Rotating infrastructure and encrypted transport

Memory analysis uncovered a large pool of hardcoded command-and-control domains using hero and smshero naming conventions. Active resolution during sandbox execution showed traffic routed through Cloudflare infrastructure with TLS‑encrypted HTTPS sessions.

The malware also uses DNS-over-HTTPS via Google’s resolver, reducing visibility for traditional DNS monitoring and complicating network-based detection.

Evasion and anti‑analysis features

The malware incorporates multiple layers of sandbox and analysis evasion:

• Virtual machine detection targeting VMware, VirtualBox, QEMU, and Parallels
• Anti‑debugging checks and suspicious debugger DLL loading
• Runtime API resolution and PEB inspection
• Process enumeration, registry probing, and environment inspection

Cryptographic support is extensive, including AES, RC4, Camellia, Chaskey, XOR encoding, and Base64, suggesting encrypted configuration handling and traffic protection.

Defensive guidance

Any system that has executed installers from 7zip.com should be considered compromised. While this malware establishes SYSTEM‑level persistence and modifies firewall rules, reputable security software can effectively detect and remove the malicious components. Malwarebytes is capable of fully eradicating known variants of this threat and reversing its persistence mechanisms. In high‑risk or heavily used systems, some users may still choose a full OS reinstall for absolute assurance, but it is not strictly required in all cases.

Users and defenders should:

• Verify software sources and bookmark official project domains
• Treat unexpected code‑signing identities with skepticism
• Monitor for unauthorized Windows services and firewall rule changes
• Block known C2 domains and proxy endpoints at the network perimeter

Researcher attribution and community analysis

This investigation would not have been possible without the work of independent security researchers who went deeper than surface-level indicators and identified the true purpose of this malware family.

• Luke Acha provided the first comprehensive analysis showing that the Uphero/hero malware functions as residential proxyware rather than a traditional backdoor. His work documented the proxy protocol, traffic patterns, and monetization model, and connected this campaign to a broader operation he dubbed upStage Proxy. Luke’s full write-up is available on his blog.
• s1dhy expanded on this analysis by reversing and decoding the custom XOR-based communication protocol, validating the proxy behavior through packet captures, and correlating multiple proxy endpoints across victim geolocations. Technical notes and findings were shared publicly on X (Twitter).
• Andrew Danis contributed additional infrastructure analysis and clustering, helping tie the fake 7-Zip installer to related proxyware campaigns abusing other software brands.

Additional technical validation and dynamic analysis were published by researchers at RaichuLab on Qiita and WizSafe Security on IIJ.

Their collective work highlights the importance of open, community-driven research in uncovering long-running abuse campaigns that rely on trust and misdirection rather than exploits.

Closing thoughts

This campaign demonstrates how effective brand impersonation combined with technically competent malware can operate undetected for extended periods. By abusing user trust rather than exploiting software vulnerabilities, attackers bypass many traditional security assumptions—turning everyday utility downloads into long‑lived monetization infrastructure.

Malwarebytes detects and blocks known variants of this proxyware family and its associated infrastructure.

Indicators of Compromise (IOCs)

File paths

• C:\Windows\SysWOW64\hero\Uphero.exe
• C:\Windows\SysWOW64\hero\hero.exe
• C:\Windows\SysWOW64\hero\hero.dll

File hashes (SHA-256)

• e7291095de78484039fdc82106d191bf41b7469811c4e31b4228227911d25027 (Uphero.exe)
• b7a7013b951c3cea178ece3363e3dd06626b9b98ee27ebfd7c161d0bbcfbd894 (hero.exe)
• 3544ffefb2a38bf4faf6181aa4374f4c186d3c2a7b9b059244b65dce8d5688d9 (hero.dll)

Network indicators

Domains:

• soc.hero-sms[.]co
• neo.herosms[.]co
• flux.smshero[.]co
• nova.smshero[.]ai
• apex.herosms[.]ai
• spark.herosms[.]io
• zest.hero-sms[.]ai
• prime.herosms[.]vip
• vivid.smshero[.]vip
• mint.smshero[.]com
• pulse.herosms[.]cc
• glide.smshero[.]cc
• svc.ha-teams.office[.]com
• iplogger[.]org

Observed IPs (Cloudflare-fronted):

• 104.21.57.71
• 172.67.160.241

Host-based indicators

• Windows services with image paths pointing to C:\Windows\SysWOW64\hero\
• Firewall rules named Uphero or hero (inbound and outbound)
• Mutex: Global\3a886eb8-fe40-4d0a-b78b-9e0bcb683fb7

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

London, UK, February 16, 2026 – Heimdal today announced an industry-first approach to Cyber Essentials readiness by publishing a Cyber Essentials control mapping for Privilege Elevation and Delegation Management (PEDM), helping organisations and MSPs enforce least privilege and evidence stronger control over administrative access. Privileged access remains one of the most exploited paths in modern […]

The post Heimdal Claims Industry First With a Cyber Essentials Control Mapping for PEDM to Help Organisations Prove Least Privilege appeared first on Heimdal Security Blog.

Last week on Malwarebytes Labs:

• Apple Pay phish uses fake support calls to steal payment details
• Open the wrong “PDF” and attackers gain remote access to your PC
• Flock cameras shared license plate data without permission
• Grok continues producing sexualized images after promised fixes
• Firefox is giving users the AI off switch
• An AI plush toy exposed thousands of private chats with children
• AT&T breach data resurfaces with new risks for customers
• Apple’s new iOS setting addresses a hidden layer of location tracking
• [updated] A fake cloud storage alert that ends at Freecash
• How Manifest v3 forced us to rethink Browser Guard, and why that’s a good thing
• Scam-checking just got easier: Malwarebytes is now in ChatGPT
• How fake party invitations are being used to install remote access tools

Stay safe!

The Microsoft Defender Research Team observed a multi‑stage intrusion where threat actors exploited internet‑exposed SolarWinds Web Help Desk (WHD) instances to get an initial foothold and then laterally moved towards other high-value assets within the organization. However, we have not yet confirmed whether the attacks are related to the most recent set of WHD vulnerabilities disclosed on January 28, 2026, such as CVE-2025-40551 and CVE-2025-40536 or stem from previously disclosed vulnerabilities like CVE-2025-26399. Since the attacks occurred in December 2025 and on machines vulnerable to both the old and new set of CVEs at the same time, we cannot reliably confirm the exact CVE used to gain an initial foothold.

This activity reflects a common but high-impact pattern: a single exposed application can provide a path to full domain compromise when vulnerabilities are unpatched or insufficiently monitored. In this intrusion, attackers relied heavily on living-off-the-land techniques, legitimate administrative tools, and low-noise persistence mechanisms. These tradecraft choices reinforce the importance of Defense in Depth, timely patching of internet-facing services, and behavior-based detection across identity, endpoint, and network layers.

In this post, the Microsoft Defender Research Team shares initial observations from the investigation, along with detection and hunting guidance and security posture hardening recommendations to help organizations reduce exposure to this threat. Analysis is ongoing, and this post will be updated as additional details become available.

Technical details

The Microsoft Defender Research Team identified active, in-the-wild exploitation of exposed SolarWinds Web Help Desk (WHD). Further investigations are in-progress to confirm the actual vulnerabilities exploited, such as CVE-2025-40551 (critical untrusted data deserialization) and CVE-2025-40536 (security control bypass) and CVE-2025-26399. Successful exploitation allowed the attackers to achieve unauthenticated remote code execution on internet-facing deployments, allowing an external attacker to execute arbitrary commands within the WHD application context.

Upon successful exploitation, the compromised service of a WHD instance spawned PowerShell to leverage BITS for payload download and execution:

On several hosts, the downloaded binary installed components of the Zoho ManageEngine, a legitimate remote monitoring and management (RMM) solution, providing the attacker with interactive control over the compromised system. The attackers then enumerated sensitive domain users and groups, including Domain Admins. For persistence, the attackers established reverse SSH and RDP access. In some environments, Microsoft Defender also observed and raised alerts flagging attacker behavior on creating a scheduled task to launch a QEMU virtual machine under the SYSTEM account at startup, effectively hiding malicious activity within a virtualized environment while exposing SSH access via port forwarding.

SCHTASKS /CREATE /V1 /RU SYSTEM /SC ONSTART /F /TN "TPMProfiler" /TR 		"C:\Users\\tmp\qemu-system-x86_64.exe -m 1G -smp 1 -hda vault.db -		device e1000,netdev=net0 -netdev user,id=net0,hostfwd=tcp::22022-:22"

On some hosts, threat actors used DLL sideloading by abusing wab.exe to load a malicious sspicli.dll. The approach enables access to LSASS memory and credential theft, which can reduce detections that focus on well‑known dumping tools or direct‑handle patterns. In at least one case, activity escalated to DCSync from the original access host, indicating use of high‑privilege credentials to request password data from a domain controller. In ne next figure we highlight the attack path.

Mitigation and protection guidance

• Patch and restrict exposure now. Update WHD CVE-2025-40551, CVE-2025-40536 and CVE-2025-26399, remove public access to admin paths, and increase logging on Ajax Proxy.
• Evict unauthorized RMM. Find and remove ManageEngine RMM artifacts (for example, ToolsIQ.exe) added after exploitation.
• Reset and isolate. Rotate credentials (start with service and admin accounts reachable from WHD), and isolate compromised hosts.

Microsoft Defender XDR detections 

Microsoft Defender provides pre-breach and post-breach coverage for this campaign. Customers can rapidly identify vulnerable but unpatched WHD instances at risk using MDVM capabilities for the CVE referenced above and review the generic and specific alerts suggested below providing coverage of attacks across devices and identity.

Microsoft Defender XDR Hunting queries   

Security teams can use the advanced hunting capabilities in Microsoft Defender XDR to proactively look for indicators of exploitation.

The following Kusto Query Language (KQL) query can be used to identify devices that are using the vulnerable software:

1) Find potential post-exploitation execution of suspicious commands

DeviceProcessEvents 
| where InitiatingProcessParentFileName endswith "wrapper.exe" 
| where InitiatingProcessFolderPath has \\WebHelpDesk\\bin\\ 
| where InitiatingProcessFileName  in~ ("java.exe", "javaw.exe") or InitiatingProcessFileName contains "tomcat" 
| where FileName  !in ("java.exe", "pg_dump.exe", "reg.exe", "conhost.exe", "WerFault.exe") 
 
 
let command_list = pack_array("whoami", "net user", "net group", "nslookup", "certutil", "echo", "curl", "quser", "hostname", "iwr", "irm", "iex", "Invoke-Expression", "Invoke-RestMethod", "Invoke-WebRequest", "tasklist", "systeminfo", "nltest", "base64", "-Enc", "bitsadmin", "expand", "sc.exe", "netsh", "arp ", "adexplorer", "wmic", "netstat", "-EncodedCommand", "Start-Process", "wget"); 
let ImpactedDevices =  
DeviceProcessEvents 
| where isnotempty(DeviceId) 
| where InitiatingProcessFolderPath has "\\WebHelpDesk\\bin\\" 
| where ProcessCommandLine has_any (command_list) 
| distinct DeviceId; 
DeviceProcessEvents 
| where DeviceId in (ImpactedDevices | distinct DeviceId) 
| where InitiatingProcessParentFileName has "ToolsIQ.exe" 
| where FileName != "conhost.exe"

2) Find potential ntds.dit theft

DeviceProcessEvents
| where FileName =~ "print.exe"
| where ProcessCommandLine has_all ("print", "/D:", @"\windows\ntds\ntds.dit")

3) Identify vulnerable SolarWinds WHD Servers

 DeviceTvmSoftwareVulnerabilities 
| where CveId has_any ('CVE-2025-40551', 'CVE-2025-40536', 'CVE-2025-26399')

References

• CVE-2025-40551: SolarWinds Web Help Desk RCE | Horizon3.ai
• NVD – CVE-2025-40551
• SolarWinds Trust Center Security Advisories | CVE-2025-40551
• NVD – CVE-2025-40536
• SolarWinds Trust Center Security Advisories | CVE-2025-40536
• NVD – CVE-2025-26399SolarWinds Trust Center Security Advisories | CVE-2025-26399
• WHD 2026.1 release notes
• Known Exploited Vulnerabilities Catalog | CISA

This research is provided by Microsoft Defender Security Research with contributions from Sagar Patil, Hardik Suri, Eric Hopper, and Kajhon Soyini.

Learn more   

Review our documentation to learn more about our real-time protection capabilities and see how to enable them within your organization.  

Learn more about securing Copilot Studio agents with Microsoft Defender 

Learn more about Protect your agents in real-time during runtime (Preview) – Microsoft Defender for Cloud Apps | Microsoft Learn

Explore how to build and customize agents with Copilot Studio Agent Builder  

The post Analysis of active exploitation of SolarWinds Web Help Desk appeared first on Microsoft Security Blog.

We introduce a novel method that maps cloud alert trends to MITRE ATT&CK techniques. The patterns created could identify threat actors by behavior.

The post Novel Technique to Detect Cloud Threat Actor Operations appeared first on Unit 42.