{
	"id": "4cfc179e-9ab8-4d40-b39b-fed742cd4345",
	"created_at": "2026-04-06T00:15:49.514879Z",
	"updated_at": "2026-04-10T03:37:32.595986Z",
	"deleted_at": null,
	"sha1_hash": "37cd5ee09b776b6f0045ad7816b66ce92305c4e6",
	"title": "Threat Brief: SolarStorm and SUNBURST Customer Coverage",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 94581,
	"plain_text": "Threat Brief: SolarStorm and SUNBURST Customer Coverage\r\nBy Unit 42\r\nPublished: 2020-12-15 · Archived: 2026-04-05 13:27:54 UTC\r\nExecutive Summary\r\nOn Sunday, Dec. 13, FireEye released information related to a breach and data exfiltration originating from an unknown\r\nactor FireEye is calling UNC2452. Unit 42 tracks this and related activity as the group named SolarStorm, and has\r\npublished an ATOM containing the observed techniques, IOCs and relevant courses of action in the Unit 42 ATOM Viewer.\r\nAccording to FireEye, SolarStorm has compromised organizations across the globe via a supply chain attack that consists of\r\na trojanized update file for the SolarWinds Orion Platform.\r\nFireEye’s blog, “Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims\r\nwith SUNBURST Backdoor,” contains a wealth of useful information, all of which has been analyzed by Unit 42\r\nresearchers to help ensure Palo Alto Networks customers are protected.\r\nAny organization utilizing SolarWinds Orion IT management software is potentially at risk from this threat. These\r\norganizations should immediately identify Orion systems in their network, determine if they are compromised with the\r\nSUNBURST backdoor and seek out further evidence of compromise. Instructions on how to perform these tasks using the\r\nPalo Alto Networks Next Generation Firewall, Cortex XDR and XSOAR are available in this report, as well as additional\r\nresources and indicators of compromise (IOCs). Palo Alto Networks has also launched SolarStorm Rapid Response\r\nPrograms. \r\nThe details of this attack and its impact continue to evolve. 
We will update this report with new details as they become\r\navailable.\r\nWhat’s Known About SolarStorm and SUNBURST\r\nSolarStorm specifically targeted supply chains during their attack on SolarWinds’ Orion IT performance and\r\nstatistics monitoring software.\r\nSolarStorm is a highly skilled threat actor, with a significant operational security mindset, as can be observed in its\r\npost-exploitation activity.\r\nSolarWinds recently filed an SEC report indicating that, while they have over 300,000 customers, fewer than 18,000\r\ncustomers were running the trojanized version of the Orion software.\r\nSolarStorm threat actors created a legitimate digitally signed backdoor, SUNBURST, as a trojanized version of a\r\nSolarWinds Orion plug-in. The trojanized software acts as a powerful supply chain infiltration mechanism for\r\ndelivery.\r\nSUNBURST has been observed delivering multiple payloads, mostly focused on memory-only droppers, such as the\r\nFireEye-dubbed TEARDROP and Cobalt Strike BEACON.\r\nSUNBURST’s command and control (C2) traffic masquerades as legitimate Orion Improvement Program traffic.\r\nFireEye has released signatures and specific indicators to help identify SolarStorm’s activity.\r\nFireEye’s research has been a cornerstone in providing not only useful signatures, but also indicators which help with\r\ntracking and hunting for SolarStorm activity. 
A synopsis of those indicators is included below.\r\nhttps://unit42.paloaltonetworks.com/fireeye-solarstorm-sunburst/\r\nPage 1 of 5\n\nSUNBURST\r\nAt the time of this publication, the Windows Installer Patch file including the trojanized version of the SolarWinds Orion\r\nproduct was still reachable:\r\nFilename: SolarWinds-Core-v2019.4.5220-Hotfix5.msp\r\nSHA256: d0d626deb3f9484e649294a8dfa814c5568f846d5aa02d4cdad5d041a29d5600\r\nThis installer contains:\r\nLegitimate SolarWinds Orion update components.\r\nA digitally signed SUNBURST backdoor, and its legitimate configuration file:\r\nSHA256: 32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77\r\nFilename: SolarWinds.Orion.Core.BusinessLayer.dll\r\nCertificate SN: 0f:e9:73:75:20:22:a6:06:ad:f2:a3:6e:34:5d:c0:ed\r\nSHA256: efbec6863f4330dbb702cc43a85a0a7c29d79fde0f7d66eac9a3be43493cab4f\r\nFilename: SolarWinds.Orion.Core.BusinessLayer.dll.config\r\nThe infrastructure related to this series of attacks includes:\r\nTrojanized update file hosted at:\r\nhxxps://downloads.solarwinds[.]com/solarwinds/CatalogResources/Core/2019.4/2019.4.5220.20574/SolarWinds-Core-v2019.4.5220-Hotfix5.msp\r\nDGA-generated C2s as subdomains of:\r\navsvmcloud[.]com\r\nC2 domains found during SUNBURST incidents, including CNAME records, or subsequent phases of the incident,\r\nsuch as BEACON components:\r\nTEARDROP\r\nSUNBURST deployed several different payloads, and in at least one instance, a memory-only dropper FireEye 
dubbed\r\nTEARDROP to deploy a Cobalt Strike BEACON. During analysis of the information available, Unit 42 identified related\r\nactivity involving TEARDROP malware that was used to execute a customized Cobalt Strike BEACON. This sample\r\ncontains a beacon request to the previously unreported domain mobilnweb[.]com.\r\nThe TEARDROP DLL has a SHA256 of: 118189f90da3788362fe85eafa555298423e21ec37f147f3bf88c61d4cd46c51\r\nand contains a beacon request for the URI /2019/Person-With-Parnters-Brands-Our/ with the User-Agent Mozilla/5.0\r\n(Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36. Within\r\nthat same configuration, we also observed an additional URI setting containing the string /2019/This-Person-Two-Join-With/.\r\nProtecting Our Customers\r\nAs of the time of writing, based on signatures and observables that have been released, Palo Alto Networks customers are\r\nprotected across our product ecosystem, with specific protections deployed or being deployed in the following products and\r\nsubscriptions for the Next-Generation Firewall (NGFW). It is imperative for customers to employ the best practices for Palo\r\nAlto Networks products in order to ensure your appliances are configured in a manner best suited for your protection.\r\nDue to the nature of these attacks, we recommend our customers perform the following searches immediately. If you are\r\nunable, Palo Alto Networks will help you locate SolarWinds Orion servers owned by your organization and assess whether\r\nyou’ve been compromised free of charge. After we’ve completed our analysis, we’ll provide you with a SolarStorm\r\nAssessment Report brought to you by Expanse and Crypsis.\r\nCortex XDR\r\nCortex XDR customers are protected using the product’s WildFire integration, as well as through Local Analysis, the\r\nPassword Theft Protection module and the Behavioral Threat Protection (BTP) engine. 
Protections are continually being\r\nevaluated, developed and deployed for Cortex XDR.\r\nCortex XDR Managed Threat Hunting\r\nOur Cortex XDR Managed Threat Hunting Team (MTH) has proactively searched all Cortex XDR Pro customer logs to\r\nidentify potentially impacted organizations and provide them an assessment of their risk. Leverage the power of automation\r\nwith Cortex XSOAR to speed up the discovery of SolarWinds installations within your network, uncover signs of potential\r\nSolarStorm activity and automate response actions such as the quarantining of compromised endpoints.\r\nWildFire (NGFW security subscription)\r\nCustomers using WildFire are protected from downloading known SUNBURST backdoor files and Cobalt Strike BEACON\r\nfiles associated with SolarStorm.\r\nGap analysis and threat hunting leveraging the FireEye-provided Yara signatures and observables has enabled Unit 42\r\nresearchers to identify potential malware samples. We continue to seek out new malware associated with SolarStorm, and to build\r\nand deploy protections for it within WildFire.\r\nAutoFocus\r\nAutoFocus customers can track SolarStorm’s activity in the tags SolarStorm, SUPERNOVA, TEARDROP and\r\nSUNBURST.\r\nIoT Security (NGFW security subscriptions)\r\nThe IoT Security subscription has the capability of identifying SolarWinds servers. These devices are being added to the\r\nIoT Security user portal UI, and the Device-ID attribute will be pushed to PAN-OS. These devices will be displayed to users\r\nas \"SolarWinds Network Management Device\" within the IoT Security user portal UI. In PAN-OS, users will see the\r\nDevice-ID attribute \"Profile\" = \"SolarWinds Network Management Device\". 
This feature will be enabled for all IoT\r\nSecurity customers this week.\r\nThreat Prevention and DNS Security (NGFW security subscriptions)\r\nThreat Prevention and DNS Security provide protection against C2 beacons and associated traffic. Protections are\r\ncontinually being evaluated, developed and deployed for the Threat Prevention subscription.\r\nThe following threat prevention signatures have been added with Content version 8354:\r\nSnort Rule PANW UTID\r\nBackdoor.BEACON_5.snort 86237\r\nBackdoor.BEACON_6.snort 86238\r\nBackdoor.SUNBURST_11.snort 86239\r\nBackdoor.SUNBURST_14.snort 86240\r\nBackdoor.BEACON_7.snort 86242\r\nBackdoor.SUNBURST_12.snort 86243\r\nBackdoor.BEACON_8.snort 86244\r\nBackdoor.SUNBURST_13.snort 86245\r\nBackdoor.SUNBURST_1.snort 86246\r\nBackdoor.SUNBURST_10.snort 86247\r\nBackdoor.BEACON_2.snort 86248\r\nBackdoor.BEACON.snort 86249\r\nBackdoor.BEACON_0.snort 86250\r\nBackdoor.BEACON_1.snort 86251\r\nTable 1: Snort to PANW UTID\r\nURL Filtering (NGFW security subscription)\r\nAs of the time of writing, the associated infrastructure described in this blog has accurate verdicts of malware.\r\nContinue Reading: SolarStorm Response With Next-Generation Firewall\r\nSource: https://unit42.paloaltonetworks.com/fireeye-solarstorm-sunburst/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/fireeye-solarstorm-sunburst/"
	],
	"report_names": [
		"fireeye-solarstorm-sunburst"
	],
	"threat_actors": [
		{
			"id": "b43e5ea9-d8c8-4efa-b5bf-f1efb37174ba",
			"created_at": "2022-10-25T16:07:24.36191Z",
			"updated_at": "2026-04-10T02:00:04.954902Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"Dark Halo",
				"Nobelium",
				"SolarStorm",
				"StellarParticle",
				"UNC2452"
			],
			"source_name": "ETDA:UNC2452",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "1d3f9dec-b033-48a5-8b1e-f67a29429e89",
			"created_at": "2022-10-25T15:50:23.739197Z",
			"updated_at": "2026-04-10T02:00:05.275809Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"UNC2452",
				"NOBELIUM",
				"StellarParticle",
				"Dark Halo"
			],
			"source_name": "MITRE:UNC2452",
			"tools": [
				"Sibot",
				"Mimikatz",
				"Cobalt Strike",
				"AdFind",
				"GoldMax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "5b748f86-ac32-4715-be9f-6cf25ae48a4e",
			"created_at": "2024-06-04T02:03:07.956135Z",
			"updated_at": "2026-04-10T02:00:03.689959Z",
			"deleted_at": null,
			"main_name": "IRON HEMLOCK",
			"aliases": [
				"APT29 ",
				"ATK7 ",
				"Blue Kitsune ",
				"Cozy Bear ",
				"The Dukes",
				"UNC2452 ",
				"YTTRIUM "
			],
			"source_name": "Secureworks:IRON HEMLOCK",
			"tools": [
				"CosmicDuke",
				"CozyCar",
				"CozyDuke",
				"DiefenDuke",
				"FatDuke",
				"HAMMERTOSS",
				"LiteDuke",
				"MiniDuke",
				"OnionDuke",
				"PolyglotDuke",
				"RegDuke",
				"RegDuke Loader",
				"SeaDuke",
				"Sliver"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a241a1ca-2bc9-450b-a07b-aae747ee2710",
			"created_at": "2024-06-19T02:03:08.150052Z",
			"updated_at": "2026-04-10T02:00:03.737173Z",
			"deleted_at": null,
			"main_name": "IRON RITUAL",
			"aliases": [
				"APT29",
				"Blue Dev 5 ",
				"BlueBravo ",
				"Cloaked Ursa ",
				"CozyLarch ",
				"Dark Halo ",
				"Midnight Blizzard ",
				"NOBELIUM ",
				"StellarParticle ",
				"UNC2452 "
			],
			"source_name": "Secureworks:IRON RITUAL",
			"tools": [
				"Brute Ratel C4",
				"Cobalt Strike",
				"EnvyScout",
				"GoldFinder",
				"GoldMax",
				"NativeZone",
				"RAINDROP",
				"SUNBURST",
				"Sibot",
				"TEARDROP",
				"VaporRage"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "70872c3a-e788-4b55-a7d6-b2df52001ad0",
			"created_at": "2023-01-06T13:46:39.18401Z",
			"updated_at": "2026-04-10T02:00:03.239111Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"DarkHalo",
				"StellarParticle",
				"NOBELIUM",
				"Solar Phoenix",
				"Midnight Blizzard"
			],
			"source_name": "MISPGALAXY:UNC2452",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "20d3a08a-3b97-4b2f-90b8-92a89089a57a",
			"created_at": "2022-10-25T15:50:23.548494Z",
			"updated_at": "2026-04-10T02:00:05.292748Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"APT29",
				"IRON RITUAL",
				"IRON HEMLOCK",
				"NobleBaron",
				"Dark Halo",
				"NOBELIUM",
				"UNC2452",
				"YTTRIUM",
				"The Dukes",
				"Cozy Bear",
				"CozyDuke",
				"SolarStorm",
				"Blue Kitsune",
				"UNC3524",
				"Midnight Blizzard"
			],
			"source_name": "MITRE:APT29",
			"tools": [
				"PinchDuke",
				"ROADTools",
				"WellMail",
				"CozyCar",
				"Mimikatz",
				"Tasklist",
				"OnionDuke",
				"FatDuke",
				"POSHSPY",
				"EnvyScout",
				"SoreFang",
				"GeminiDuke",
				"reGeorg",
				"GoldMax",
				"FoggyWeb",
				"SDelete",
				"PolyglotDuke",
				"AADInternals",
				"MiniDuke",
				"SeaDuke",
				"Sibot",
				"RegDuke",
				"CloudDuke",
				"GoldFinder",
				"AdFind",
				"PsExec",
				"NativeZone",
				"Systeminfo",
				"ipconfig",
				"Impacket",
				"Cobalt Strike",
				"PowerDuke",
				"QUIETEXIT",
				"HAMMERTOSS",
				"BoomBox",
				"CosmicDuke",
				"WellMess",
				"VaporRage",
				"LiteDuke"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f27790ff-4ee0-40a5-9c84-2b523a9d3270",
			"created_at": "2022-10-25T16:07:23.341684Z",
			"updated_at": "2026-04-10T02:00:04.549917Z",
			"deleted_at": null,
			"main_name": "APT 29",
			"aliases": [
				"APT 29",
				"ATK 7",
				"Blue Dev 5",
				"BlueBravo",
				"Cloaked Ursa",
				"CloudLook",
				"Cozy Bear",
				"Dark Halo",
				"Earth Koshchei",
				"G0016",
				"Grizzly Steppe",
				"Group 100",
				"ITG11",
				"Iron Hemlock",
				"Iron Ritual",
				"Midnight Blizzard",
				"Minidionis",
				"Nobelium",
				"NobleBaron",
				"Operation Ghost",
				"Operation Office monkeys",
				"Operation StellarParticle",
				"SilverFish",
				"Solar Phoenix",
				"SolarStorm",
				"StellarParticle",
				"TEMP.Monkeys",
				"The Dukes",
				"UNC2452",
				"UNC3524",
				"Yttrium"
			],
			"source_name": "ETDA:APT 29",
			"tools": [
				"7-Zip",
				"ATI-Agent",
				"AdFind",
				"Agentemis",
				"AtNow",
				"BEATDROP",
				"BotgenStudios",
				"CEELOADER",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobalt Strike",
				"CobaltStrike",
				"CosmicDuke",
				"Cozer",
				"CozyBear",
				"CozyCar",
				"CozyDuke",
				"Danfuan",
				"EnvyScout",
				"EuroAPT",
				"FatDuke",
				"FoggyWeb",
				"GeminiDuke",
				"Geppei",
				"GoldFinder",
				"GoldMax",
				"GraphDrop",
				"GraphicalNeutrino",
				"GraphicalProton",
				"HAMMERTOSS",
				"HammerDuke",
				"LOLBAS",
				"LOLBins",
				"LiteDuke",
				"Living off the Land",
				"MagicWeb",
				"Mimikatz",
				"MiniDionis",
				"MiniDuke",
				"NemesisGemina",
				"NetDuke",
				"OnionDuke",
				"POSHSPY",
				"PinchDuke",
				"PolyglotDuke",
				"PowerDuke",
				"QUIETEXIT",
				"ROOTSAW",
				"RegDuke",
				"Rubeus",
				"SNOWYAMBER",
				"SPICYBEAT",
				"SUNSHUTTLE",
				"SeaDaddy",
				"SeaDask",
				"SeaDesk",
				"SeaDuke",
				"Sharp-SMBExec",
				"SharpView",
				"Sibot",
				"Solorigate",
				"SoreFang",
				"TinyBaron",
				"WINELOADER",
				"WellMail",
				"WellMess",
				"cobeacon",
				"elf.wellmess",
				"reGeorg",
				"tDiscoverer"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434549,
	"ts_updated_at": 1775792252,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/37cd5ee09b776b6f0045ad7816b66ce92305c4e6.pdf",
		"text": "https://archive.orkl.eu/37cd5ee09b776b6f0045ad7816b66ce92305c4e6.txt",
		"img": "https://archive.orkl.eu/37cd5ee09b776b6f0045ad7816b66ce92305c4e6.jpg"
	}
}