{
	"id": "d7c51055-5436-4d65-b4c4-b3168b7ebcb1",
	"created_at": "2026-04-06T00:18:50.963296Z",
	"updated_at": "2026-04-10T03:37:33.329864Z",
	"deleted_at": null,
	"sha1_hash": "0911d79019d73014240db5bcf5cda9767a8f311d",
	"title": "SUNBURST: SolarWinds' Supply-Chain Attack",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 56720,
	"plain_text": "SUNBURST: SolarWinds' Supply-Chain Attack\r\nBy Intel 471\r\nPublished: 2026-04-01 · Archived: 2026-04-05 18:29:20 UTC\r\nIntroduction\r\nLast week FireEye shared that they had experienced unauthorized access and the theft of the offensive security tools used by their red team, at the hands of a sophisticated state-sponsored adversary. Although the theft of these tools will have an impact on future attacks carried out by the adversary, how the adversary reached the tools was a much bigger problem. Over the weekend FireEye shared more details of their compromise and broke the news that they had fallen victim to a supply-chain attack involving the IT management software vendor SolarWinds. FireEye reported that the SolarWinds Orion software update had a backdoor injected into its code, which SolarWinds believed to have been included in updates released between March and June 2020. It should be noted, however, that some researchers have reported seeing related activity as early as late 2019. The backdoor was dubbed SUNBURST by FireEye.\r\nThis supply-chain attack still has an unknown impact. According to SolarWinds’ website, their customers include many U.S. Government agencies, as well as a significant percentage of the Fortune 500. According to a recent filing with the US Securities and Exchange Commission (SEC), SolarWinds estimates that up to 18,000 customers may have installed the malicious update.\r\nDue to the nature of the attack, including the supply-chain compromise, the actor’s extreme attention to detail and operational security, as well as the high-profile targets that were successfully compromised as a result, it is suspected that it was conducted by a nation-state sponsored group. Volexity researchers have attributed this attack to a threat actor they track as Dark Halo, whom they have been following since late 2019.\r\nSUNBURST, the implant delivered via the backdoored SolarWinds Orion update, was found in one of the DLL files contained in the update, specifically \"SolarWinds.Orion.Core.BusinessLayer.dll\". That DLL is loaded by the Orion host process, SolarWinds.BusinessLayerHost.exe, which is why the process and named-pipe detections below key on that executable.\r\nAccording to FireEye, the backdoor has a dormant period of up to two weeks, after which it attempts to resolve a subdomain of avsvmcloud[.]com. The subdomain label is generated by the implant and encodes the victim’s internal domain name, and the response is a DNS CNAME record pointing to a command and control (C2) domain. Because the domain was attacker-controlled, no legitimate process has a reason to resolve names under it; any such query, and above all a CNAME answer for one, is a high-confidence indicator of a beaconing host.\r\nWe go into detail on the functionality of SUNBURST in our Cyborg Labs Threat Hunt Deep Dive, in which we review the SolarWinds supply-chain compromise and examine the SUNBURST implant and how it behaves in an environment.\r\nUPDATE: 17 December 2020\r\nWe are releasing 3 threat detection packages that will allow organizations to detect SUNBURST activity in their environment. The Splunk queries assume DNS logs normalised to the CIM Network Resolution fields (src, query, query_type, answer) and Sysmon events in the sysmon:xml sourcetype; the Elastic queries assume ECS field names as produced by the Winlogbeat / Elastic Agent Sysmon integration. Scope each query to the relevant index before deploying it.\r\nThreat Detection Packages\r\nSUNBURST Known Malicious DNS Activity\r\nThe first clause catches any query for, or CNAME answer under, avsvmcloud[.]com; the second catches A-record lookups of the known second-stage C2 domains.\r\nSplunk\r\n(query_type IN (\"CNAME\",\"A\") AND (query=\"*avsvmcloud.com\" OR answer=\"*avsvmcloud.com\")) OR (query_type=\"A\" AND query IN (\"deftsecurity.com\", \"freescanonline.com\", \"thedoccloud.com\", \"websitetheme.com\", \"highdatabase.com\", \"incomeupdate.com\", \"databasegalore.com\", \"panhardware.com\", \"zupertech.com\"))\r\n| stats values(_time) as occurrences count by src, query, query_type, answer\r\n| convert ctime(occurrences)\r\nElastic Lucene\r\n((dns.question.name:/.*avsvmcloud\\.com/ OR dns.answers.name:/.*avsvmcloud\\.com/) AND (dns.question.type:/[Cc][Nn][Aa][Mm][Ee]|[Aa]/ OR dns.answers.type:/[Cc][Nn][Aa][Mm][Ee]|[Aa]/)) OR (dns.question.name:(\"deftsecurity.com\" OR \"freescanonline.com\" OR \"thedoccloud.com\" OR \"websitetheme.com\" OR \"highdatabase.com\" OR \"incomeupdate.com\" OR \"databasegalore.com\" OR \"panhardware.com\" OR \"zupertech.com\") AND (dns.question.type:/[Aa]/ OR dns.answers.type:/[Aa]/))\r\nElastic DSL\r\n{ \"bool\": { \"should\": [\r\n  { \"bool\": { \"must\": [\r\n    { \"query_string\": { \"fields\": [ \"dns.question.type\", \"dns.answers.type\" ], \"query\": \"/[Cc][Nn][Aa][Mm][Ee]|[Aa]/\" } },\r\n    { \"query_string\": { \"fields\": [ \"dns.question.name\", \"dns.answers.name\" ], \"query\": \"/.*avsvmcloud\\\\.com/\" } } ] } },\r\n  { \"bool\": { \"filter\": [\r\n    { \"terms\": { \"dns.question.name\": [ \"deftsecurity.com\", \"freescanonline.com\", \"thedoccloud.com\", \"websitetheme.com\", \"highdatabase.com\", \"incomeupdate.com\", \"databasegalore.com\", \"panhardware.com\", \"zupertech.com\" ] } } ],\r\n    \"must\": [ { \"query_string\": { \"fields\": [ \"dns.question.type\", \"dns.answers.type\" ], \"query\": \"/[Aa]/\" } } ] } } ],\r\n  \"minimum_should_match\": 1 } }\r\nSUNBURST Suspicious Processes for SolarWinds Orion Software\r\nSUNBURST runs inside SolarWinds.BusinessLayerHost.exe, so any child process of that host that is not one of the helpers Orion launches itself deserves a look. Sysmon’s ParentImage holds the full path, so the parent is matched with a leading wildcard rather than by bare filename.\r\nSplunk\r\nindex=sysmon sourcetype=\"sysmon:xml\" ParentImage=\"*\\\\SolarWinds.BusinessLayerHost.exe\" AND NOT Image IN (\"*\\\\SolarWinds\\\\Orion\\\\APM\\\\APMServiceControl.exe\", \"*\\\\SolarWinds\\\\Orion\\\\ExportToPDFCmd.Exe\", \"*\\\\SolarWinds.Credentials\\\\SolarWinds.Credentials.Orion.WebApi.exe\", \"*\\\\SolarWinds\\\\Orion\\\\Topology\\\\SolarWinds.Orion.Topology.Calculator.exe\", \"*\\\\SolarWinds\\\\Orion\\\\Database-Maint.exe\", \"*\\\\SolarWinds.Orion.ApiPoller.Service\\\\SolarWinds.Orion.ApiPoller.Service.exe\", \"*\\\\Windows\\\\SysWOW64\\\\WerFault.exe\")\r\n| stats values(_time) as occurrences, values(Image) as ChildProcesses, values(CommandLine) as CommandLines count by host, ParentImage\r\n| convert ctime(occurrences)\r\nElastic Lucene\r\nprocess.parent.executable:/.*[Ss][Oo][Ll][Aa][Rr][Ww][Ii][Nn][Dd][Ss]\\.[Bb][Uu][Ss][Ii][Nn][Ee][Ss]+[Ll][Aa][Yy][Ee][Rr][Hh][Oo][Ss][Tt]\\.[Ee][Xx][Ee]/ AND NOT (process.executable:/.*\\\\Windows\\\\SysWOW64\\\\WerFault\\.exe/ OR process.executable:/.*\\\\SolarWinds\\.Orion\\.ApiPoller\\.Service\\\\SolarWinds\\.Orion\\.ApiPoller\\.Service\\.exe/ OR process.executable:/.*\\\\SolarWinds\\\\Orion\\\\Database-Maint\\.exe/ OR process.executable:/.*\\\\SolarWinds\\\\Orion\\\\Topology\\\\SolarWinds\\.Orion\\.Topology\\.Calculator\\.exe/ OR process.executable:/.*\\\\SolarWinds\\\\Orion\\\\ExportToPDFCmd\\.exe/ OR process.executable:/.*\\\\SolarWinds\\\\Orion\\\\APM\\\\APMServiceControl\\.exe/ OR process.executable:/.*\\\\SolarWinds\\.Credentials\\\\SolarWinds\\.Credentials\\.Orion\\.WebApi\\.exe/)\r\nElastic DSL\r\n{ \"bool\": { \"must\": [\r\n    { \"query_string\": { \"fields\": [ \"process.parent.executable\" ], \"query\": \"/.*[Ss][Oo][Ll][Aa][Rr][Ww][Ii][Nn][Dd][Ss]\\\\.[Bb][Uu][Ss][Ii][Nn][Ee][Ss]+[Ll][Aa][Yy][Ee][Rr][Hh][Oo][Ss][Tt]\\\\.[Ee][Xx][Ee]/\" } } ],\r\n  \"must_not\": [\r\n    { \"query_string\": { \"fields\": [ \"process.executable\" ], \"query\": \"/.*\\\\\\\\SolarWinds\\\\\\\\Orion\\\\\\\\APM\\\\\\\\APMServiceControl\\\\.exe/\" } },\r\n    { \"query_string\": { \"fields\": [ \"process.executable\" ], \"query\": \"/.*\\\\\\\\SolarWinds\\\\\\\\Orion\\\\\\\\ExportToPDFCmd\\\\.exe/\" } },\r\n    { \"query_string\": { \"fields\": [ \"process.executable\" ], \"query\": \"/.*\\\\\\\\SolarWinds\\\\\\\\Orion\\\\\\\\Topology\\\\\\\\SolarWinds\\\\.Orion\\\\.Topology\\\\.Calculator\\\\.exe/\" } },\r\n    { \"query_string\": { \"fields\": [ \"process.executable\" ], \"query\": \"/.*\\\\\\\\SolarWinds\\\\\\\\Orion\\\\\\\\Database-Maint\\\\.exe/\" } },\r\n    { \"query_string\": { \"fields\": [ \"process.executable\" ], \"query\": \"/.*\\\\\\\\SolarWinds\\\\.Orion\\\\.ApiPoller\\\\.Service\\\\\\\\SolarWinds\\\\.Orion\\\\.ApiPoller\\\\.Service\\\\.exe/\" } },\r\n    { \"query_string\": { \"fields\": [ \"process.executable\" ], \"query\": \"/.*\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\WerFault\\\\.exe/\" } },\r\n    { \"query_string\": { \"fields\": [ \"process.executable\" ], \"query\": \"/.*\\\\\\\\SolarWinds\\\\.Credentials\\\\\\\\SolarWinds\\\\.Credentials\\\\.Orion\\\\.WebApi\\\\.exe/\" } } ] } }\r\nSUNBURST Named Pipe Indicator\r\nThe implant creates a named pipe with a fixed GUID as a run-once marker and exits if the pipe already exists. Sysmon records pipe creation as Event ID 17 and pipe connection as Event ID 18, and the PipeName value carries a leading backslash (\\583da945-62af-10e8-4902-a8f205c72b2e), so the GUID is matched as a suffix rather than as an exact string.\r\nSplunk\r\nindex=sysmon sourcetype=sysmon:xml (EventID=17 OR EventID=18) PipeName=\"*583da945-62af-10e8-4902-a8f205c72b2e\"\r\n| stats values(_time) as occurrences, values(EventID) as eventID, values(PipeName) as pipeName count by host\r\n| convert ctime(occurrences)\r\nElastic Lucene\r\nevent.code:(\"17\" OR \"18\") AND file.name:*583da945-62af-10e8-4902-a8f205c72b2e\r\nElastic DSL\r\n{ \"bool\": { \"filter\": [\r\n    { \"terms\": { \"event.code\": [ \"17\", \"18\" ] } },\r\n    { \"wildcard\": { \"file.name\": { \"value\": \"*583da945-62af-10e8-4902-a8f205c72b2e\" } } } ] } }\r\nCyborg Security’s research and development team has built dozens of threat detection packages for the SUNBURST implant and the additional malicious behaviours described by FireEye. These packages come tailored to your unique environment and can be immediately downloaded and deployed. You can find these detections, in addition to all known indicators of compromise (IOC), on the HUNTER platform.\r\nSource: https://www.cyborgsecurity.com/blog/sunburst-solarwinds-supply-chain-attack/",
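	"editor_example": "Added example, not part of the original page and not Cyborg Security's code: the three detection packages above re-implemented as plain Python and run over constructed sample events, so the matching logic can be read and unit-tested without a SIEM. The event field names (src, query, query_type, answer, parent_image, image, event_id, pipe_name), the hostnames, the addresses and the DGA-style label in the avsvmcloud.com query are assumptions made for the example. One deliberate difference from the Splunk glob *avsvmcloud.com: the helper _under_domain matches only the domain itself and its subdomains, so a look-alike such as notavsvmcloud.com is not a hit.\n\n```python\n# Added example (not Cyborg Security's code): the three SUNBURST detection\n# packages above re-implemented as plain Python over constructed sample\n# events, so the matching logic can be read and tested offline.\nimport fnmatch\n\n# Package 1: known malicious DNS activity.\nSUNBURST_DGA_DOMAIN = 'avsvmcloud.com'  # match on the query or the CNAME answer\nSUNBURST_C2_DOMAINS = frozenset({       # exact match on A-record queries\n    'deftsecurity.com', 'freescanonline.com', 'thedoccloud.com',\n    'websitetheme.com', 'highdatabase.com', 'incomeupdate.com',\n    'databasegalore.com', 'panhardware.com', 'zupertech.com',\n})\n\n# Package 2: children of SolarWinds.BusinessLayerHost.exe that are not one of the\n# helpers Orion launches itself (glob allowlist from the Splunk query, lower-cased).\nORION_PARENT = 'solarwinds.businesslayerhost.exe'\nORION_CHILD_ALLOWLIST = (\n    r'*\\\\solarwinds\\\\orion\\\\apm\\\\apmservicecontrol.exe',\n    r'*\\\\solarwinds\\\\orion\\\\exporttopdfcmd.exe',\n    r'*\\\\solarwinds.credentials\\\\solarwinds.credentials.orion.webapi.exe',\n    r'*\\\\solarwinds\\\\orion\\\\topology\\\\solarwinds.orion.topology.calculator.exe',\n    r'*\\\\solarwinds\\\\orion\\\\database-maint.exe',\n    r'*\\\\solarwinds.orion.apipoller.service\\\\solarwinds.orion.apipoller.service.exe',\n    r'*\\\\windows\\\\syswow64\\\\werfault.exe',\n)\n\n# Package 3: the implant's run-once named pipe. Sysmon 17 = pipe created, 18 = pipe connected.\nSUNBURST_PIPE_GUID = '583da945-62af-10e8-4902-a8f205c72b2e'\nSYSMON_PIPE_EVENTS = frozenset({17, 18})\n\n\ndef _under_domain(name, domain):\n    # True for the domain itself and any subdomain, ignoring case and a trailing dot.\n    n = name.lower().rstrip('.')\n    return n == domain or n.endswith('.' + domain)\n\n\ndef detect_dns(events):\n    # Returns (src, query, query_type, answer) for events matching package 1.\n    hits = []\n    for ev in events:\n        qtype = ev['query_type'].upper()\n        query, answer = ev['query'], ev.get('answer', '')\n        dga = qtype in ('CNAME', 'A') and (\n            _under_domain(query, SUNBURST_DGA_DOMAIN) or _under_domain(answer, SUNBURST_DGA_DOMAIN))\n        c2 = qtype == 'A' and query.lower().rstrip('.') in SUNBURST_C2_DOMAINS\n        if dga or c2:\n            hits.append((ev['src'], query, qtype, answer))\n    return hits\n\n\ndef detect_orion_children(events):\n    # Returns (host, image) for children of the Orion host process that are not allowlisted.\n    hits = []\n    for ev in events:\n        parent, child = ev['parent_image'].lower(), ev['image'].lower()\n        if not parent.endswith('\\\\\\\\' + ORION_PARENT):  # ParentImage is a full path\n            continue\n        if any(fnmatch.fnmatchcase(child, pat) for pat in ORION_CHILD_ALLOWLIST):\n            continue\n        hits.append((ev['host'], ev['image']))\n    return hits\n\n\ndef detect_named_pipe(events):\n    # Returns (host, event_id, pipe_name) for Sysmon 17/18 events naming the SUNBURST pipe.\n    # Sysmon's PipeName carries a leading backslash, so the GUID is matched as a suffix.\n    return [(ev['host'], ev['event_id'], ev['pipe_name']) for ev in events\n            if ev['event_id'] in SYSMON_PIPE_EVENTS\n            and ev['pipe_name'].lower().endswith(SUNBURST_PIPE_GUID)]\n\n\n# Constructed sample events (not real telemetry); field names mirror the Splunk queries.\nSAMPLE_DNS = [\n    {'src': '10.0.5.21', 'query': 'exampledgalabel0123.appsync-api.eu-west-1.avsvmcloud.com',\n     'query_type': 'CNAME', 'answer': 'deftsecurity.com'},  # beacon: CNAME under avsvmcloud.com\n    {'src': '10.0.5.22', 'query': 'freescanonline.com', 'query_type': 'A', 'answer': '203.0.113.5'},  # C2 lookup\n    {'src': '10.0.5.23', 'query': 'www.example.com', 'query_type': 'A', 'answer': '203.0.113.9'},  # benign\n    {'src': '10.0.5.24', 'query': 'exampledgalabel0123.appsync-api.eu-west-1.avsvmcloud.com',\n     'query_type': 'TXT', 'answer': ''},  # wrong record type: not matched, as in the SIEM queries\n]\nORION_HOST = r'C:\\\\Program Files (x86)\\\\SolarWinds\\\\Orion\\\\SolarWinds.BusinessLayerHost.exe'\nSAMPLE_PROCESS = [\n    {'host': 'orion01', 'parent_image': ORION_HOST, 'image': r'C:\\\\Windows\\\\System32\\\\cmd.exe'},  # suspicious\n    {'host': 'orion01', 'parent_image': ORION_HOST,\n     'image': r'C:\\\\Program Files (x86)\\\\SolarWinds\\\\Orion\\\\APM\\\\APMServiceControl.exe'},  # allowlisted helper\n    {'host': 'ws07', 'parent_image': r'C:\\\\Windows\\\\explorer.exe', 'image': r'C:\\\\Windows\\\\System32\\\\cmd.exe'},  # other parent\n]\nSAMPLE_PIPE = [\n    {'host': 'orion01', 'event_id': 17, 'pipe_name': r'\\\\583da945-62af-10e8-4902-a8f205c72b2e'},  # SUNBURST pipe\n    {'host': 'orion01', 'event_id': 18, 'pipe_name': r'\\\\PSHost.132512345678901234.4321.DefaultAppDomain.powershell'},\n]\n\nif __name__ == '__main__':\n    for hit in detect_dns(SAMPLE_DNS) + detect_orion_children(SAMPLE_PROCESS) + detect_named_pipe(SAMPLE_PIPE):\n        print('HIT', hit)\n```\n\nRunning the file directly prints the hits from the sample events: the CNAME beacon from 10.0.5.21, the C2 A-record lookup from 10.0.5.22, cmd.exe spawned by the Orion host process on orion01, and the SUNBURST pipe creation on the same host. The TXT query, the allowlisted APMServiceControl.exe child and the PowerShell pipe are ignored, which is the behaviour the SIEM queries above encode.",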
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.cyborgsecurity.com/blog/sunburst-solarwinds-supply-chain-attack/"
	],
	"report_names": [
		"sunburst-solarwinds-supply-chain-attack"
	],
	"threat_actors": [
		{
			"id": "b43e5ea9-d8c8-4efa-b5bf-f1efb37174ba",
			"created_at": "2022-10-25T16:07:24.36191Z",
			"updated_at": "2026-04-10T02:00:04.954902Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"Dark Halo",
				"Nobelium",
				"SolarStorm",
				"StellarParticle",
				"UNC2452"
			],
			"source_name": "ETDA:UNC2452",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "1d3f9dec-b033-48a5-8b1e-f67a29429e89",
			"created_at": "2022-10-25T15:50:23.739197Z",
			"updated_at": "2026-04-10T02:00:05.275809Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"UNC2452",
				"NOBELIUM",
				"StellarParticle",
				"Dark Halo"
			],
			"source_name": "MITRE:UNC2452",
			"tools": [
				"Sibot",
				"Mimikatz",
				"Cobalt Strike",
				"AdFind",
				"GoldMax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "a241a1ca-2bc9-450b-a07b-aae747ee2710",
			"created_at": "2024-06-19T02:03:08.150052Z",
			"updated_at": "2026-04-10T02:00:03.737173Z",
			"deleted_at": null,
			"main_name": "IRON RITUAL",
			"aliases": [
				"APT29",
				"Blue Dev 5",
				"BlueBravo",
				"Cloaked Ursa",
				"CozyLarch",
				"Dark Halo",
				"Midnight Blizzard",
				"NOBELIUM",
				"StellarParticle",
				"UNC2452"
			],
			"source_name": "Secureworks:IRON RITUAL",
			"tools": [
				"Brute Ratel C4",
				"Cobalt Strike",
				"EnvyScout",
				"GoldFinder",
				"GoldMax",
				"NativeZone",
				"RAINDROP",
				"SUNBURST",
				"Sibot",
				"TEARDROP",
				"VaporRage"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "20d3a08a-3b97-4b2f-90b8-92a89089a57a",
			"created_at": "2022-10-25T15:50:23.548494Z",
			"updated_at": "2026-04-10T02:00:05.292748Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"APT29",
				"IRON RITUAL",
				"IRON HEMLOCK",
				"NobleBaron",
				"Dark Halo",
				"NOBELIUM",
				"UNC2452",
				"YTTRIUM",
				"The Dukes",
				"Cozy Bear",
				"CozyDuke",
				"SolarStorm",
				"Blue Kitsune",
				"UNC3524",
				"Midnight Blizzard"
			],
			"source_name": "MITRE:APT29",
			"tools": [
				"PinchDuke",
				"ROADTools",
				"WellMail",
				"CozyCar",
				"Mimikatz",
				"Tasklist",
				"OnionDuke",
				"FatDuke",
				"POSHSPY",
				"EnvyScout",
				"SoreFang",
				"GeminiDuke",
				"reGeorg",
				"GoldMax",
				"FoggyWeb",
				"SDelete",
				"PolyglotDuke",
				"AADInternals",
				"MiniDuke",
				"SeaDuke",
				"Sibot",
				"RegDuke",
				"CloudDuke",
				"GoldFinder",
				"AdFind",
				"PsExec",
				"NativeZone",
				"Systeminfo",
				"ipconfig",
				"Impacket",
				"Cobalt Strike",
				"PowerDuke",
				"QUIETEXIT",
				"HAMMERTOSS",
				"BoomBox",
				"CosmicDuke",
				"WellMess",
				"VaporRage",
				"LiteDuke"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f27790ff-4ee0-40a5-9c84-2b523a9d3270",
			"created_at": "2022-10-25T16:07:23.341684Z",
			"updated_at": "2026-04-10T02:00:04.549917Z",
			"deleted_at": null,
			"main_name": "APT 29",
			"aliases": [
				"APT 29",
				"ATK 7",
				"Blue Dev 5",
				"BlueBravo",
				"Cloaked Ursa",
				"CloudLook",
				"Cozy Bear",
				"Dark Halo",
				"Earth Koshchei",
				"G0016",
				"Grizzly Steppe",
				"Group 100",
				"ITG11",
				"Iron Hemlock",
				"Iron Ritual",
				"Midnight Blizzard",
				"Minidionis",
				"Nobelium",
				"NobleBaron",
				"Operation Ghost",
				"Operation Office monkeys",
				"Operation StellarParticle",
				"SilverFish",
				"Solar Phoenix",
				"SolarStorm",
				"StellarParticle",
				"TEMP.Monkeys",
				"The Dukes",
				"UNC2452",
				"UNC3524",
				"Yttrium"
			],
			"source_name": "ETDA:APT 29",
			"tools": [
				"7-Zip",
				"ATI-Agent",
				"AdFind",
				"Agentemis",
				"AtNow",
				"BEATDROP",
				"BotgenStudios",
				"CEELOADER",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobalt Strike",
				"CobaltStrike",
				"CosmicDuke",
				"Cozer",
				"CozyBear",
				"CozyCar",
				"CozyDuke",
				"Danfuan",
				"EnvyScout",
				"EuroAPT",
				"FatDuke",
				"FoggyWeb",
				"GeminiDuke",
				"Geppei",
				"GoldFinder",
				"GoldMax",
				"GraphDrop",
				"GraphicalNeutrino",
				"GraphicalProton",
				"HAMMERTOSS",
				"HammerDuke",
				"LOLBAS",
				"LOLBins",
				"LiteDuke",
				"Living off the Land",
				"MagicWeb",
				"Mimikatz",
				"MiniDionis",
				"MiniDuke",
				"NemesisGemina",
				"NetDuke",
				"OnionDuke",
				"POSHSPY",
				"PinchDuke",
				"PolyglotDuke",
				"PowerDuke",
				"QUIETEXIT",
				"ROOTSAW",
				"RegDuke",
				"Rubeus",
				"SNOWYAMBER",
				"SPICYBEAT",
				"SUNSHUTTLE",
				"SeaDaddy",
				"SeaDask",
				"SeaDesk",
				"SeaDuke",
				"Sharp-SMBExec",
				"SharpView",
				"Sibot",
				"Solorigate",
				"SoreFang",
				"TinyBaron",
				"WINELOADER",
				"WellMail",
				"WellMess",
				"cobeacon",
				"elf.wellmess",
				"reGeorg",
				"tDiscoverer"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434730,
	"ts_updated_at": 1775792253,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0911d79019d73014240db5bcf5cda9767a8f311d.pdf",
		"text": "https://archive.orkl.eu/0911d79019d73014240db5bcf5cda9767a8f311d.txt",
		"img": "https://archive.orkl.eu/0911d79019d73014240db5bcf5cda9767a8f311d.jpg"
	}
}