{
	"id": "a42df00e-3a4d-42fb-bed4-0b5aa9f2d8bf",
	"created_at": "2026-04-06T00:16:48.739779Z",
	"updated_at": "2026-04-10T03:21:03.35431Z",
	"deleted_at": null,
	"sha1_hash": "25d5fb456611aee868a91feb33f866e6a2bc5c69",
	"title": "SolarWinds | Understanding \u0026 Detecting the SUPERNOVA Webshell Trojan - SentinelLabs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2548971,
	"plain_text": "SolarWinds | Understanding \u0026 Detecting the SUPERNOVA Webshell Trojan - SentinelLabs\r\nBy Marco Figueroa\r\nPublished: 2020-12-23 · Archived: 2026-04-05 17:53:22 UTC\r\nBy Marco Figueroa, James Haughom and Jim Walter\r\nIntroduction\r\nThe recent SolarWinds Orion supply chain attack has proven to be one of the most layered and damaging attacks of 2020, consisting of multiple artifacts and sophisticated TTPs.\r\nSeveral distinct malware families have emerged in relation to the compromise. These include the SUNBURST backdoor, SUPERNOVA, COSMICGALE \u0026 TEARDROP.\r\nOrganizations protected by SentinelOne’s Singularity platform are fully protected against all of these new threats.\r\nIn this post, we provide an analysis of the SUPERNOVA trojan, describing how the weaponized DLL payload differs from the legitimate version it supplanted. Further, we disclose some new Indicators of Compromise that may, in addition to previously documented IoCs, help security teams to detect when the malicious webshell is active.\r\nOverview of SolarWinds’ Malware Components\r\nThe sophisticated nature of the SolarWinds compromise has resulted in a flurry of new malware families, each with different characteristics and behaviors.\r\nSUNBURST refers to a .NET backdoor (written in C#). 
This backdoor was distributed as part of a trojanized MSI (Windows installer) patch delivered via SolarWinds updating mechanisms.\r\nTEARDROP is a memory-resident implant used (primarily) to distribute the Cobalt Strike beacon payload.\r\nCOSMICGALE refers to certain malicious PowerShell scripts that are executed on compromised hosts.\r\nSUPERNOVA refers to a web shell implant used to distribute and execute additional code on exposed hosts.\r\nBelow, we focus on understanding and detecting the SUPERNOVA web shell implant.\r\nThe Trojanized App_Web_logoimagehandler DLL\r\nThe SUPERNOVA web shell implant is a trojanized copy of a legitimate .NET DLL in the SolarWinds Orion web application. The purpose of the original DLL is to serve up a user-configured logo to web pages in the Orion web application.\r\nhttps://www.sentinelone.com/labs/solarwinds-understanding-detecting-the-supernova-webshell-trojan\r\nPage 1 of 10\n\nModifying the legitimate SolarWinds DLL for malicious use required just a few key changes, and upon analysis appears deceptively ‘elegant’. 
Below, we illustrate some of the key differences between the legitimate SolarWinds DLL and the weaponized ‘SUPERNOVA’ DLL.\r\nThe attackers injected an additional method, DynamicRun(), into the legitimate SolarWinds LogoImageHandler class in App_Web_logoimagehandler.ashx.b6031896.dll, turning the benign DLL into a sophisticated webshell.\r\nA legitimate instance of App_Web_logoimagehandler.ashx.b6031896.dll :\r\nA weaponized instance of App_Web_logoimagehandler.ashx.b6031896.dll :\r\nThe added DynamicRun() method is called by the ProcessRequest() method, which handles HTTP requests. The attackers added a try/catch block to the beginning of this method to parse part of the HTTP request and redirect control flow to the attacker’s DynamicRun() method.\r\nThe legitimate ProcessRequest() method:\r\nAnd the weaponized ProcessRequest() with the added try/catch block:\r\nThe additional code simply extracts data in the form of name-value pairs from the Request property of an instance of the HttpContext class. Once extracted, these four values are passed to DynamicRun() to be executed, and the method’s return value is written back to the attacker as an HTTP response.\r\nThe DynamicRun() method is where the true functionality of the SUPERNOVA webshell resides. This method accepts a blob of C# source code, along with the class to instantiate, the method to invoke, and the method’s arguments. 
These parameters are used to compile and execute an in-memory .NET assembly sent by the attackers over HTTP.\r\nThe .NET CSharpCodeProvider class is the mechanism used to perform the in-memory compilation. As you can see below, the GenerateInMemory parameter is set to true, meaning a physical assembly will not be written to disk, leaving minimal forensic artifacts. The last parameter passed to the in-memory compiler is the blob of C# source code supplied by the attacker’s HTTP request to be compiled.\r\nBreakdown of parameters:\r\nIf no errors arise during compilation, the malware instantiates the respective class, invokes the method passed as the third argument to the function, and returns the results.\r\nThis functionality allows the attackers to compile and execute .NET payloads at will, all within the context of SolarWinds. This mechanism does not leverage any exploit, but simply abuses legitimate .NET functionality. This is powerful, as it allows the malware to execute robust compiled code on the fly, without dropping any additional files to the file system or sending any obvious or noisy commands over the wire.\r\nDetecting SUPERNOVA Webshell Activity\r\nDuring our research, we created a PoC, leveraging the same CSharpCodeProvider mechanism SUPERNOVA uses for in-memory compilation of .NET assemblies. 
We found that during the compilation process, the native .NET-related utilities CSC.exe and CVTRES.exe are spawned as child processes of the calling process. Passed as arguments to CSC and CVTRES are paths to randomly named temporary files that are used by these utilities during the compilation process.\r\nProcess tree:\r\nProcess tree with command lines:\r\n- \"C:\\Users\\REM\\Desktop\\test_compiler.exe\"\r\n----- \"C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\csc.exe\" /noconfig /fullpaths @\"C:\\Users\\REM\\AppData\\Lo\r\n-------------\"C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86\r\nThe syntax of these command lines is as follows.\r\nCSC:\r\n\"C:\\Windows\\Microsoft.NET\\Framework64\\\u003cversion\u003e\\csc.exe\" /noconfig /fullpaths @\"C:\\Users\\\u003cuser\u003e\\AppData\\Local\\T\r\nCVTRES:\r\n\"C:\\Windows\\Microsoft.NET\\Framework64\\\u003cversion\u003e\\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 \"/OUT:C:\\Users\\\u003cu\r\nThis process tree can provide valuable insight into when the SUPERNOVA webshell is potentially active and receiving commands from C2. This behavior may precede additional attacker activity on the box, such as lateral movement, spawned processes, or dropped files.\r\nConclusion\r\nMany organizations are currently working hard to understand and quantify their risks and exposure to the issues arising from the SolarWinds supply chain attack. While the analysis of the SolarWinds breach (and related offshoot attacks) is ongoing, it is already safe to say that this could be considered one of the more organized and sophisticated campaigns of 2020.\r\nGiven the scope of this campaign, there are a few helpful things to keep in mind.\r\nWhile SolarWinds estimates ~18000 installs of the malicious update, that does not mean all those same organizations have been fully breached. 
Current intelligence suggests over 140 full-blown ‘victims’.\r\nThe main C2 infrastructure has been seized and subsequently sinkholed by Microsoft and other industry partners. This is now being used as a ‘kill switch’ for the existing malware.\r\nSolarWinds released a patch/update on December 15th. Orion Platform v2020.2.1 HF2 has been made available for all customers running vulnerable versions of SolarWinds Orion. For Platform v2019 customers, Orion Platform v2019.4 HF 6 is available. In addition, SolarWinds has taken measures to ensure that all malicious files have been removed from their servers.\r\nAt SentinelLabs, we continue our analysis and will update all pertinent resources as new information comes to light. We encourage all to review existing resources for ongoing updates and information. The SentinelOne Singularity Platform protects and prevents malicious behaviors associated with all attacks related to the SolarWinds breach.\r\nFurther Resources\r\nSolarWinds SUNBURST Backdoor: Inside the APT Campaign\r\nFireEye/SolarWinds: Taking Action and Staying Protected\r\nSentinelOne’s free tool to determine if your devices are vulnerable to SUNBURST\r\nIndicators of Compromise\r\nSUPERNOVA Hashes:\r\nSHA256: C15abaf51e78ca56c0376522d699c978217bf041a3bd3c71d09193efa5717c71\r\nSHA1: 75af292f34789a1c782ea36c7127bf6106f595e8\r\nMD5: 56ceb6d0011d87b6e4d7023d7ef85676\r\nYARA Rule for SUPERNOVA\r\nimport \"pe\"\r\nrule SentinelLabs_SUPERNOVA\r\n{\r\n    meta:\r\n        description = \"Identifies potential versions of App_Web_logoimagehandler.ashx.b603189\r\n        date = \"2020-12-22\"\r\n        author = \"SentinelLabs\"\r\n    strings:\r\n        $ = \"clazz\"\r\n        $ = \"codes\"\r\n        $ = \"args\"\r\n        $ = \"ProcessRequest\"\r\n        $ = \"DynamicRun\"\r\n        $ = \"get_IsReusable\"\r\n        $ = \"logoimagehandler.ashx\" wide\r\n        $ = \"SiteNoclogoImage\" wide\r\n        $ = 
\"SitelogoImage\" wide\r\n    condition:\r\n        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and pe.imports(\"mscoree.d\r\n}\r\nSUPERNOVA MITRE ATT\u0026CK TTPs\r\nInput Capture: Credential API Hooking – T1056\r\nSubvert Trust Controls: Code Signing – T1553\r\nSupply Chain Compromise – T1195\r\nExfiltration – TA0010\r\nApplication Layer Protocol – T1071\r\nDynamic Resolution: Domain Generation Algorithms – T1568.002\r\nIndicator Removal On Host – T1070\r\nMasquerading – T1036\r\nObfuscated Files or Information – T1027\r\nProcess Discovery – T1057\r\nCreate or Modify System Process: Windows Service – T1543.003\r\nRemote Services – T1021\r\nSystem Services: Service Execution – T1568.002\r\nValid Accounts – T1078\r\nSource: https://www.sentinelone.com/labs/solarwinds-understanding-detecting-the-supernova-webshell-trojan",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.sentinelone.com/labs/solarwinds-understanding-detecting-the-supernova-webshell-trojan"
	],
	"report_names": [
		"solarwinds-understanding-detecting-the-supernova-webshell-trojan"
	],
	"threat_actors": [],
	"ts_created_at": 1775434608,
	"ts_updated_at": 1775791263,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/25d5fb456611aee868a91feb33f866e6a2bc5c69.pdf",
		"text": "https://archive.orkl.eu/25d5fb456611aee868a91feb33f866e6a2bc5c69.txt",
		"img": "https://archive.orkl.eu/25d5fb456611aee868a91feb33f866e6a2bc5c69.jpg"
	}
}