Even the Microsoft Defender Analysis Group, which detected WHD attacks on its customers before Christmas, was not sure exactly which combination had let attackers in: "Because the attacks occurred in December 2025 and on machines vulnerable to both the old and new set of CVEs at the same time, we cannot reliably confirm the exact CVE used to gain an initial foothold," Microsoft researchers wrote on February 6.
However, in recent days Huntress confirmed what was always the most likely explanation: attackers had targeted three of its customers by chaining both of the above flaws together with an older RCE deserialization vulnerability, the critical-rated CVE-2025-26399, made public last September.
Once the systems were compromised, the attacks detected by Huntress used a mix of techniques to burrow deeper while hiding themselves, including deploying the open-source Velociraptor forensic tool as a C2 connection backed by an encrypted Cloudflared outbound tunnel.
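Because both tools in that post-compromise chain are legitimate software, the practical detection question is not "is Velociraptor present" but "is it running where, and under whom, it should." The hunt below is an added example, not code from the article, Huntress or Microsoft. It walks a batch of constructed process-creation events (no real telemetry from the incident) and flags Velociraptor or cloudflared binaries that run from an unapproved directory, are spawned by a web application worker process, or start cloudflared in tunnel mode. The approved install directories, the web-server parent names and every path and host in the sample are assumptions chosen for illustration.

```python
"""Hunt process-creation telemetry for unexpected Velociraptor / cloudflared use.

Added example, not from the article. Event layout mimics a generic EDR export
(host, parent image, image, command line); adjust field names to your source.
"""
from pathlib import PureWindowsPath

# Assumption: where this hypothetical organisation legitimately installs the
# two tools. Any other location is treated as unexpected.
APPROVED_DIRS = {
    "velociraptor.exe": {r"c:\program files\velociraptor"},
    "cloudflared.exe": {r"c:\program files (x86)\cloudflared"},
}

# Assumption: parent images that should never launch either tool on a
# help-desk server (a web application's JVM or worker process).
WEB_APP_PARENTS = {"java.exe", "w3wp.exe", "tomcat9.exe"}

# Constructed sample events; paths, hosts and command lines are invented.
SAMPLE_EVENTS = [
    {"host": "whd-01", "parent": r"C:\apps\helpdesk\jre\bin\java.exe",
     "image": r"C:\Windows\Temp\velociraptor.exe",
     "cmdline": r"velociraptor.exe --config C:\Windows\Temp\client.config.yaml client"},
    {"host": "whd-01", "parent": r"C:\Windows\Temp\velociraptor.exe",
     "image": r"C:\Windows\Temp\cloudflared.exe",
     "cmdline": "cloudflared.exe tunnel run --token <REDACTED-TOKEN>"},
    {"host": "it-admin-02", "parent": r"C:\Windows\System32\services.exe",
     "image": r"C:\Program Files\Velociraptor\velociraptor.exe",
     "cmdline": r'"C:\Program Files\Velociraptor\velociraptor.exe" service run'},
    {"host": "build-07", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\notepad.exe", "cmdline": "notepad.exe"},
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return PureWindowsPath(path).name.lower()


def dirname(path: str) -> str:
    """Lower-cased parent directory of a Windows path."""
    return str(PureWindowsPath(path).parent).lower()


def evaluate(event: dict):
    """Return (severity, reasons) for a suspicious event, or None if benign.

    Only events whose image is one of the two tools are considered; each
    matching heuristic adds a reason, and two or more reasons raise severity.
    """
    image = basename(event["image"])
    if image not in APPROVED_DIRS:
        return None
    reasons = []
    image_dir = dirname(event["image"])
    if image_dir not in APPROVED_DIRS[image]:
        reasons.append(f"{image} running from unexpected directory {image_dir}")
    parent = basename(event["parent"])
    if parent in WEB_APP_PARENTS:
        reasons.append(f"{image} spawned by web application process {parent}")
    if image == "cloudflared.exe" and "tunnel" in event["cmdline"].lower():
        reasons.append("cloudflared started in tunnel mode (possible outbound C2 channel)")
    if not reasons:
        return None
    severity = "high" if len(reasons) > 1 else "medium"
    return severity, reasons


def hunt(events: list) -> list:
    """Run evaluate() over all events and collect the findings."""
    findings = []
    for event in events:
        verdict = evaluate(event)
        if verdict is None:
            continue
        severity, reasons = verdict
        findings.append({"host": event["host"], "image": basename(event["image"]),
                         "severity": severity, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(f"[{finding['severity']}] {finding['host']} {finding['image']}")
        for reason in finding["reasons"]:
            print(f"    - {reason}")
```

On the constructed sample the two events on `whd-01` are flagged high (wrong directory plus a web-server parent for Velociraptor; wrong directory plus tunnel mode for cloudflared), while the sanctioned Velociraptor service on the admin workstation produces nothing. The directory and parent allowlists are the part to tune: an organisation that really does run Velociraptor agents should encode its own deployment path and service context so that the hunt reports only the copies it did not install.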