{
	"id": "222523c4-6af3-4375-a6df-3ea691f013d1",
	"created_at": "2026-04-06T00:06:12.365013Z",
	"updated_at": "2026-04-10T13:12:40.599915Z",
	"deleted_at": null,
	"sha1_hash": "02a8ed2336769d8ebecccba920cdc90ae3237a0a",
	"title": "Stopping GRACEFUL SPIDER: Falcon Complete’s Fast Response to Recent SolarWinds Serv-U Exploit Campaign",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 923610,
	"plain_text": "Stopping GRACEFUL SPIDER: Falcon Complete’s Fast Response\r\nto Recent SolarWinds Serv-U Exploit Campaign\r\nBy Alex Clinton - Tasha Robinson\r\nArchived: 2026-04-05 17:15:52 UTC\r\nThis blog describes how the CrowdStrike Falcon® Complete™ team quickly responded to a recent campaign\r\ninvolving the SolarWinds Serv-U product exploitation. SolarWinds issued a public notice of the vulnerability in\r\nJuly 2021 along with releasing a hotfix to mitigate the exploit. The National Vulnerability Database has more\r\ndetails, found here: CVE-2021-35211. The Falcon Complete team identified active implants at multiple customers\r\nand neutralized the threat by performing network containment of the affected systems, preventing any further\r\nlateral movement or follow-on activity. Investigation revealed that the threat actor attempted to deploy additional\r\ntooling, which likely indicated preparation for ransomware. One of the unique artifacts about this campaign is the\r\nmulti-stage Component Object Model (COM) persistence mechanism used, allowing an attacker to execute\r\narbitrary code on behalf of a trusted process. Although machine-based detections are highly effective at\r\nuncovering intrusion activity, today’s sophisticated adversaries can fly under the radar by abusing trusted\r\nprocesses to gain access to an environment, underscoring the need for human expertise in tracking and\r\nneutralizing threats. The events outlined in this blog have been attributed to the GRACEFUL SPIDER adversary\r\ngroup by CrowdStrike Intelligence. GRACEFUL SPIDER is suspected to be operating out of Eastern Europe and\r\nRussia. They have typically been seen targeting companies in a variety of sectors across the world. 
The common monetization techniques are requiring ransom payments through cryptocurrency, extorting stolen data if the ransom is not paid, engaging in monetary theft through wire fraud from victim accounts, and likely selling payment card data via criminal marketplaces.\r\nThe Initial Detection\r\nEarly in the adversary’s post-exploitation activity, a CrowdStrike Falcon® detection was triggered on an MFT server for execution of a reverse shell with a parent process of WINLOGON.EXE. Analysis of the SYSINFO.EXE binary indicated that TinyMet, which is an open-source Meterpreter-based reverse shell, was used to provide the attackers with access to the target host. In addition, network telemetry from both of these processes indicated they were attempting to communicate with suspicious IPs.\r\nhttps://www.crowdstrike.com/blog/how-falcon-complete-stopped-a-solarwinds-serv-u-exploit-campaign/\r\nPage 1 of 8\r\nFigure 1. TinyMet shell execution\r\nSoon after, another detection was triggered for encoded PowerShell execution with a parent process of SVCHOST.EXE. Decoding this PowerShell confirmed that it was malicious, as it used randomly named variables and attempted to execute content pulled from a registry key, both of which would be highly abnormal for a legitimate script.\r\nFigure 2. Encoded PowerShell execution\r\nBoth of these actions were prevented by Falcon, but the active connections to suspicious infrastructure and execution of a malicious PowerShell script, without an obvious source for either, indicated there was an unresolved threat on the device. The host was immediately network-contained and isolated to prevent further actions on the objective, while Falcon Complete continued its investigation to ascertain the source of the threat.\r\nFigure 3. Network Containment\r\nThe malicious activity being executed by legitimate Windows processes as well as the SYSTEM user account indicated that the host may have been compromised by a public-facing exploit and not another attack vector such as a user-level phish. In addition, as a portion of the suspicious activity was originating from legitimate WINLOGON.EXE processes, there was a high likelihood of process injection. From here, the Falcon Complete team pivoted the investigation into endpoint activity monitoring (EAM) data to gain further context and determine the origin of the activity.\r\nInvestigation with Endpoint Detection and Response Data\r\nOnce Falcon Complete reviewed the detection information at hand and confirmed that the activity noted was malicious, the next step was to identify the full scope of the threat. This is where Falcon Complete’s knowledge and skill set come into play. Let’s take a step back and outline what occurred.\r\nFinding the Foothold\r\nIn order to prevent further malicious activity, the Falcon Complete team needs to identify how the threat actor managed to gain a foothold on the host. Based on the data reviewed thus far, the team suspected that the adversary may have gained access to this host through exploitation of a public-facing service. By viewing the running processes on the device, Falcon Complete was able to see that it hosted a SolarWinds Serv-U FTP server. Searching through various sources for the hash of the associated process provided the version number of the software.\r\nFigure 4. SolarWinds Serv-U Version Information\r\nA quick search for this version confirmed that there are multiple known exploits including CVE-2021-35211, for which a CISA advisory had recently been released. Our starting point in this investigation was the malicious usage of the legitimate WINLOGON.EXE process. This process is often used by threat actors hoping to achieve further stealth via process injection. The following EAM search was used to identify process injection attempts on the host.\r\n(event_simpleName=*Reflective* OR DetectName=*Reflective* AND ReflectiveDllName!=NULL) OR (event_simpleName=*In\r\n| table _time aid event_simpleName ComputerName InjectorImageFileName InjecteeImageFileName Reflective* Injecte\r\nFigure 5. Process injection chain\r\nBased on the information in Figure 5, we are able to see that Serv-U.exe was the initial source of the injection into lsass.exe, followed by lsass.exe injection into winlogon.exe. Lsass.exe was also used to perform injection into explorer.exe. This injection chain confirmed that Serv-U was the source of the infection. In addition, utilizing Falcon’s Process Timeline dashboard, the IP performing the initial exploitation could be identified.\r\nFigure 6. Falcon Process Timeline: Serv-U\r\nFinally, by reviewing the Process Timeline for each of the injected processes during the relevant times, we are able to see that the adversary attempted to deploy additional tooling including the previously identified TinyMet shell, a Cobalt Strike beacon (which was prevented by Falcon), and a copy of AdFind. Tools like TinyMet and Cobalt Strike are often used by eCrime groups, including GRACEFUL SPIDER, to sell or transition access to an environment. These remote access tools (RATs), along with AdFind (generally used for enumeration of the environment), will often indicate the initial steps taken by a threat actor before the deployment of ransomware. The increase in ransomware broker networks highlights the necessity for quick action when detections are triggered on a host.\r\nPersistence\r\nWhen any compromise is identified, Falcon Complete will always ensure the host and the customer environment are brought to a clean state before resolution of the incident. The next stage was to identify any mechanisms the threat actor had used to keep their foothold on the host. Although a variety of persistence mechanisms were reviewed, an investigation of scheduled tasks on the host quickly revealed a multi-stage execution chain utilizing COM registry objects. Although the source of the infection was identified, the host still had multiple detections triggered for Base64-encoded PowerShell execution unrelated to WinLogon. This indicated that the threat actor had likely established a persistence mechanism on the host, potentially using a scheduled task given the frequency of incoming detections. A search for recently registered scheduled tasks on the host revealed a single task that pointed to a COM object within the Windows registry.\r\nFigure 7. Scheduled task registration\r\nThis scheduled task is a known default scheduled task that appears on many Windows hosts, making it an easy target for the threat actor to hijack and point to their malicious COM object. COM objects within the Windows registry are effective locations to hide malware, as they allow for some forms of auto-execution without being in an obvious location. This feature is used legitimately by a variety of software on Windows, but in this case it was hijacked for malicious code execution. At this point, Falcon Complete was able to pivot to Falcon Real Time Response (RTR) on the host for further analysis. RTR provides analysts with a shell on the host to quickly validate and complement data found within EAM. In addition, once investigation is complete, RTR can be used to perform remediation of malicious artifacts on the host. A review of this COM object using RTR identified a TreatAs key pointing to a second COM object registry key.\r\nFigure 8. Malicious COM object\r\nA review of the second registry key revealed the Base64-encoded PowerShell that had been attempting to execute, as shown in Figure 2. Decoding this revealed a PowerShell command to pull the contents of a third COM-based registry key and execute it. The script found within the third key was encoded and lightly obfuscated with unused code. When decoded and deobfuscated, we were able to confirm that the script would clear the host’s EventLog, but its primary function was to load a DLL into memory, which was located within a fourth registry key.\r\nFigure 9. Malicious PowerShell snippet\r\nAnalysis of the DLL by the CrowdStrike Intelligence team confirmed that it located the payload at a fifth and final registry key calculated using the hostname and drive serial number. The malware loaded from this location was a RAT unique to GRACEFUL SPIDER called FlawedGrace. This persistence chain was relatively stealthy, as it kept the malicious content largely in memory, except for additional tooling deployed.\r\nFigure 10. Persistence chain\r\nAnalysis of this persistence mechanism by the Falcon Complete team, as well as partnership with the CrowdStrike Falcon® OverWatch™ and CrowdStrike Intelligence teams, allowed for quick attribution of this incident to GRACEFUL SPIDER, as well as identification of malicious artifacts at affected customers.\r\nThe Remediation\r\nOnce triage and investigation reached a conclusion, the Falcon Complete team remediated the host of any malicious artifacts associated with this incident. This includes all persistence mechanisms, which in this case were the elusive COM registry objects:\r\nHKLM\\Software\\Classes\\CLSID\\(unique ID_1)\\TreatAs\r\nHKLM\\Software\\Classes\\CLSID\\(unique ID_2)\\LocalServer\r\nHKLM\\Software\\Classes\\CLSID\\(unique ID_2)\\ProgID\r\nHKLM\\Software\\Classes\\CLSID\\(unique ID_2)\\VersionIndependentProgID\r\nThe additional tooling identified in EAM (TinyMet shell and AdFind) was ultimately blocked and then quarantined by the Falcon sensor. The tools were not found on disk and did not require any additional action to remediate. As part of the investigation, the team identified multiple injected processes on the host. In order to completely clean the system and prevent reinfection, these processes were terminated, including the original source, Serv-U.exe. Along with Falcon Complete’s remediation summary, the affected customers were provided with all indicators of compromise and a list of all available patches applicable to the system to prevent any further exploitation in the future. Falcon Complete recommended blocking the associated IPs at the perimeter, resetting passwords for all user accounts on the affected systems (due to the compromise of LSASS), and applying all available patches as soon as possible. The customers promptly performed these actions in order to prevent the possibility of data exfiltration and ransomware deployment.\r\nAssociated C2 Activity\r\n46.161.40\u003c.\u003e87 - Injected WinLogon\r\n179.60.150\u003c.\u003e26 - TinyMet shell C2\r\n179.60.150\u003c.\u003e32 - Cobalt Strike C2\r\n45.129.137\u003c.\u003e232 - remote IP contacted by exploited Serv-U.exe process\r\nConclusion\r\nFalcon Complete identified an active campaign on public-facing Serv-U MFT servers, contained the activity and prevented the attacker from completing their actions on objectives. The team leveraged EAM, the Falcon Process Timeline dashboard, Falcon RTR, and some open-source intelligence (OSINT) to quickly shut down this attempted breach in real time. In addition to removing the associated artifacts, Falcon Complete identified the vulnerable application being exploited early on and was able to quickly provide all affected customers with the critical, time-sensitive information they needed to patch their vulnerable public-facing MFT servers, secure their business from further attacks and check other servers for vulnerabilities. In rare cases where the hosts were not patched in a timely fashion, GRACEFUL SPIDER has been known to return for further attempts to deliver Cobalt Strike beacons. These attempts were quickly blocked by the Falcon agent. Campaigns such as these illustrate the persistence and stealth tactics that can be employed by an adversary like GRACEFUL SPIDER to gain and keep a foothold in target organizations. Fortunately, Falcon provides the telemetry and tools to quickly identify, investigate and remediate attacks that remain largely in memory, such as this one. The Falcon Complete team works closely with the Falcon OverWatch and CrowdStrike Intelligence teams, applying vast skill sets to enable organizations to investigate and identify threat groups quickly — and fueling our mission to stop breaches.\r\nAdditional Resources\r\nLearn more by visiting the Falcon Complete product webpage.\r\nRead a white paper: CrowdStrike Falcon® Complete: Instant Cybersecurity Maturity for Organizations of All Sizes.\r\nRead about adversaries tracked by CrowdStrike in 2020 in the 2021 CrowdStrike Global Threat Report.\r\nTest CrowdStrike next-gen AV for yourself: Start your free trial of Falcon Prevent™.\r\nSource: https://www.crowdstrike.com/blog/how-falcon-complete-stopped-a-solarwinds-serv-u-exploit-campaign/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.crowdstrike.com/blog/how-falcon-complete-stopped-a-solarwinds-serv-u-exploit-campaign/"
	],
	"report_names": [
		"how-falcon-complete-stopped-a-solarwinds-serv-u-exploit-campaign"
	],
	"threat_actors": [
		{
			"id": "5e6b31a6-80e3-4e7d-8b0a-d94897ce9b59",
			"created_at": "2024-06-19T02:03:08.128175Z",
			"updated_at": "2026-04-10T02:00:03.636663Z",
			"deleted_at": null,
			"main_name": "GOLD TAHOE",
			"aliases": [
				"Cl0P Group Identity",
				"FIN11 ",
				"GRACEFUL SPIDER ",
				"SectorJ04 ",
				"Spandex Tempest ",
				"TA505 "
			],
			"source_name": "Secureworks:GOLD TAHOE",
			"tools": [
				"Clop",
				"Cobalt Strike",
				"FlawedAmmy",
				"Get2",
				"GraceWire",
				"Malichus",
				"SDBbot",
				"ServHelper",
				"TrueBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "99cb4e5b-8071-4f9e-aa1d-45bfbb6197e3",
			"created_at": "2023-01-06T13:46:38.860754Z",
			"updated_at": "2026-04-10T02:00:03.125179Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"SectorJ04",
				"SectorJ04 Group",
				"ATK103",
				"GRACEFUL SPIDER",
				"GOLD TAHOE",
				"Dudear",
				"G0092",
				"Hive0065",
				"CHIMBORAZO",
				"Spandex Tempest"
			],
			"source_name": "MISPGALAXY:TA505",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e447d393-c259-46e2-9932-19be2ba67149",
			"created_at": "2022-10-25T16:07:24.28282Z",
			"updated_at": "2026-04-10T02:00:04.921616Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"ATK 103",
				"Chimborazo",
				"G0092",
				"Gold Evergreen",
				"Gold Tahoe",
				"Graceful Spider",
				"Hive0065",
				"Operation Tovar",
				"Operation Trident Breach",
				"SectorJ04",
				"Spandex Tempest",
				"TA505",
				"TEMP.Warlock"
			],
			"source_name": "ETDA:TA505",
			"tools": [
				"Amadey",
				"AmmyyRAT",
				"AndroMut",
				"Azer",
				"Bart",
				"Bugat v5",
				"CryptFile2",
				"CryptoLocker",
				"CryptoMix",
				"CryptoShield",
				"Dridex",
				"Dudear",
				"EmailStealer",
				"FRIENDSPEAK",
				"Fake Globe",
				"Fareit",
				"FlawedAmmyy",
				"FlawedGrace",
				"FlowerPippi",
				"GOZ",
				"GameOver Zeus",
				"GazGolder",
				"Gelup",
				"Get2",
				"GetandGo",
				"GlobeImposter",
				"Gorhax",
				"GraceWire",
				"Gussdoor",
				"Jaff",
				"Kasidet",
				"Kegotip",
				"Kneber",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Locky",
				"MINEBRIDGE",
				"MINEBRIDGE RAT",
				"MirrorBlast",
				"Neutrino Bot",
				"Neutrino Exploit Kit",
				"P2P Zeus",
				"Peer-to-Peer Zeus",
				"Philadelphia",
				"Philadephia Ransom",
				"Pony Loader",
				"Rakhni",
				"ReflectiveGnome",
				"Remote Manipulator System",
				"RockLoader",
				"RuRAT",
				"SDBbot",
				"ServHelper",
				"Shifu",
				"Siplog",
				"TeslaGun",
				"TiniMet",
				"TinyMet",
				"Trojan.Zbot",
				"Wsnpoem",
				"Zbot",
				"Zeta",
				"ZeuS",
				"Zeus"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775433972,
	"ts_updated_at": 1775826760,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/02a8ed2336769d8ebecccba920cdc90ae3237a0a.pdf",
		"text": "https://archive.orkl.eu/02a8ed2336769d8ebecccba920cdc90ae3237a0a.txt",
		"img": "https://archive.orkl.eu/02a8ed2336769d8ebecccba920cdc90ae3237a0a.jpg"
	}
}