SolarWinds WHD zero-days from January are under attack

by AiLink

Even the Microsoft Defender Research Team, which detected WHD attacks on its customers before Christmas, was unsure exactly which combination had let attackers in: “Since the attacks occurred in December 2025 and on machines vulnerable to both the old and new set of CVEs at the same time, we cannot reliably confirm the exact CVE used to gain an initial foothold,” Microsoft researchers wrote on February 6.

However, in recent days Huntress confirmed what was always the most likely explanation: attackers had targeted three of its customers by chaining both of the above flaws with an older deserialization remote code execution (RCE) vulnerability, the critical-rated CVE-2025-26399, disclosed last September.

Once a system was compromised, the intrusions Huntress observed used a mix of techniques to dig in while staying hidden, including deploying the open-source Velociraptor digital-forensics tool as a command-and-control (C2) agent, with its traffic carried over an encrypted outbound Cloudflare Tunnel (cloudflared). Both are legitimate tools and the tunnel is initiated from inside the network, so inbound firewall rules and a blocklist of known malware will not catch this on their own; defenders have to look at where these binaries run from and what launched them.
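The pattern above (a forensic agent repurposed as C2, egress over an outbound tunnel) is something a defender can hunt for in process-creation telemetry. The following is an added example and is not code from the article, from Huntress or from Microsoft. It assumes Sysmon Event ID 1 fields flattened to JSON lines, assumes cloudflared is started with `tunnel run` and a Velociraptor client with `client -c <config.yaml>`, assumes Web Help Desk's bundled Java runtime lives under a `WebHelpDesk` directory, and uses constructed sample events; every path and command line in it is illustrative, not an observed indicator.

```python
"""
Hunt for the post-exploitation pattern described above (Velociraptor repurposed
as a C2 agent, egress over an outbound cloudflared tunnel) in process-creation
telemetry. Added example, not code from the article, Huntress or Microsoft.
The event format (Sysmon Event ID 1 fields flattened to JSON lines), the sample
events and every path and command line below are constructed for illustration.
"""
import json
import re

# Assumptions: cloudflared starts an outbound tunnel with "tunnel run"; a
# Velociraptor client is launched with "client -c <config.yaml>". Both tools are
# legitimate, so a hit on the binary alone is low confidence and the hunt adds
# weight for context (which process spawned it, and from which directory).
CLOUDFLARED_RE = re.compile(r"cloudflared(\.exe)?\b.*\btunnel\b.*\brun\b", re.IGNORECASE)
VELOCIRAPTOR_CLIENT_RE = re.compile(r"\bclient\b\s+-c\s+\S+\.ya?ml", re.IGNORECASE)
# Assumed location of Web Help Desk's bundled Java runtime on Windows.
WHD_PARENT_RE = re.compile(r"webhelpdesk.*\\javaw?\.exe$", re.IGNORECASE)
STAGING_DIRS = ("\\windows\\temp\\", "\\programdata\\", "\\users\\public\\", "\\appdata\\local\\temp\\")
ALERT_THRESHOLD = 5

RULE_WEIGHTS = {
    "cloudflared_tunnel": 3,
    "velociraptor_client": 3,
    "spawned_by_whd_java": 3,
    "runs_from_staging_dir": 2,
}


def score_event(ev):
    """Return (score, [rule names]) for one process-creation event."""
    image = ev.get("Image", "")
    cmd = ev.get("CommandLine", "")
    parent = ev.get("ParentImage", "")
    rules = []
    if CLOUDFLARED_RE.search(cmd):
        rules.append("cloudflared_tunnel")
    if "velociraptor" in image.lower() or VELOCIRAPTOR_CLIENT_RE.search(cmd):
        rules.append("velociraptor_client")
    if rules:  # context only adds weight once a tool of interest is seen
        if WHD_PARENT_RE.search(parent):
            rules.append("spawned_by_whd_java")
        if any(d in image.lower() for d in STAGING_DIRS):
            rules.append("runs_from_staging_dir")
    return sum(RULE_WEIGHTS[r] for r in rules), rules


def hunt(jsonl_text):
    """Parse JSON-lines telemetry and return events scoring at or above the threshold."""
    alerts = []
    for line in jsonl_text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        score, rules = score_event(ev)
        if score >= ALERT_THRESHOLD:
            alerts.append({"ProcessId": ev.get("ProcessId"), "Image": ev.get("Image"),
                           "score": score, "rules": rules})
    return alerts


# Constructed sample telemetry: two benign events (a service host and an
# admin-installed Velociraptor agent), then two matching the pattern.
SAMPLE_EVENTS = "\n".join([
    json.dumps({"ProcessId": 1201, "Image": r"C:\Windows\System32\svchost.exe",
                "CommandLine": "svchost.exe -k netsvcs",
                "ParentImage": r"C:\Windows\System32\services.exe"}),
    json.dumps({"ProcessId": 1388, "Image": r"C:\Program Files\Velociraptor\velociraptor.exe",
                "CommandLine": r'"C:\Program Files\Velociraptor\velociraptor.exe" service run',
                "ParentImage": r"C:\Windows\System32\services.exe"}),
    json.dumps({"ProcessId": 4120, "Image": r"C:\ProgramData\svc\cloudflared.exe",
                "CommandLine": "cloudflared.exe tunnel run --token <redacted>",
                "ParentImage": r"C:\Program Files\WebHelpDesk\bin\jre\bin\java.exe"}),
    json.dumps({"ProcessId": 4132, "Image": r"C:\ProgramData\svc\vr.exe",
                "CommandLine": r"vr.exe client -c C:\ProgramData\svc\client.config.yaml",
                "ParentImage": r"C:\Program Files\WebHelpDesk\bin\jre\bin\java.exe"}),
])

if __name__ == "__main__":
    for alert in hunt(SAMPLE_EVENTS):
        print(alert)
```

Run against the constructed sample, the admin-installed Velociraptor agent scores 3 and stays below the threshold, while the two processes launched by the Web Help Desk Java runtime from `C:\ProgramData` score 8 and are reported. The point of weighting context rather than the binary name is that a renamed copy of either tool (the `vr.exe` event) is still caught by its command line and its parent, and a legitimately deployed copy does not page anyone.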
