No Malware. No Alerts. 216 Servers Gone.
ID: e974e9f1-8b7c-5a6c-885d-98a817b71901
STIX ID: report--e974e9f1-8b7c-5a6c-885d-98a817b71901
Feed Name: NoHackie
Security researchers uncovered a large-scale campaign in which threat actors exploited a deserialization RCE in SolarWinds Web Help Desk (CVE-2025-26399 and related bypasses) to compromise at least 216 hosts across 34 Active Directory domains. The actors deployed legitimate management and DFIR tools alongside QEMU-based persistence, and exfiltrated structured system metadata to a disposable Elastic Cloud SIEM trial, which they used to triage and prioritize further intrusion. The report provides technical details, IOCs (IPs, disposable email patterns, Kibana artifacts), and pragmatic detection and remediation guidance, including immediate patching to WHD 2026.1, hunting for unexpected QEMU processes, and monitoring anomalous API key usage.
