{
	"id": "749bb4f4-2b21-42de-bc14-4403423a181b",
	"created_at": "2026-04-06T00:09:06.380416Z",
	"updated_at": "2026-04-10T03:24:29.598945Z",
	"deleted_at": null,
	"sha1_hash": "46a236f20c70e7a3e753e24cb9269ee2c57e4c9b",
	"title": "SolarWinds Attacks: Stealthy Attackers Attempted To Evade Detection",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 61834,
	"plain_text": "SolarWinds Attacks: Stealthy Attackers Attempted To Evade\r\nDetection\r\nArchived: 2026-04-05 20:22:58 UTC\r\nAs we continue our analysis on the tools used in the SolarWinds attacks, one of the most striking aspects we’ve\r\nnoticed is how careful the attackers were to avoid drawing attention to themselves. Software supply chain attacks\r\nare relatively stealthy to begin with, since signed software from a trusted source is less likely to raise red flags.\r\nHowever, the attackers weren’t content to rely on the cover this provided and also took several other steps to avoid\r\ndetection.\r\nTo begin with, the Sunburst backdoor (Backdoor.Sunburst), which was delivered using a Trojanized update to\r\nSolarWinds Orion, sets a delay time of up to 14 days before execution. In other words, no malicious activity will\r\nbegin until this period has elapsed.\r\nThe length of time selected is most likely to increase the likelihood that the log entries of the initial malicious\r\nactivity have been deleted before any subsequent post-breach activity is initiated, thereby making it difficult to\r\ncorrelate the two sets of malicious events. Many organizations, including even managed security services\r\nproviders (MSSPs), will often purge their security logs after seven days to minimize storage costs and make\r\nsearching them easier.\r\nSunburst will also check the current Windows domain the machine belongs to. If the domain contains the string\r\n'test' or one of 13 additional specific domains that appear related to lab systems such as “swdev.local” and\r\n“apac.lab”, the threat will cease to execute. A full list is in Appendix A.\r\nAvoiding Security Software and Researchers\r\nAttacks begin with a Trojanized version of SolarWinds’ Orion software. The attackers modified Orion in order to\r\ndeliver the Sunburst backdoor to the computer. 
Sunburst is first-stage malware, designed to perform\r\nreconnaissance on the infected computer, perform checks for security tools, and deliver a second-stage payload, if\r\nrequired.\r\nThe main Sunburst code is contained in a class named SolarWindows.Orion.Core.BusinessLayer that, when first\r\ninstantiated, calls a member function called Update. The function name is a ruse, as the code does not perform any\r\nupdate, but instead is designed to disable security software, avoid security researcher systems, and possibly avoid\r\nrunning on systems not of interest to the attackers. The function contains three lists – a list of process names, a list\r\nof driver filenames, and a list of processes and service name pairs. These names are all obfuscated in the code by\r\nhashing them using the FNV1A algorithm and using variable names that masquerade as timestamps.\r\nThe function will:\r\nhttps://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-attacks-stealthy-attackers-attempted-evade-detection\r\nPage 1 of 4\n\nGet a list of running processes.\r\nCheck if the process names match items on the process list\r\nGet a list of all installed drivers\r\nCheck if the driver names match items on the drivers list\r\nIf a match is found, the malicious code does not perform further actions and returns\r\nThis process and driver list contains tools that commonly run on security researcher systems and thus, this\r\nfunctionality appears to be designed not to run on such systems in order to avoid discovery. The full list of\r\nsecurity tools can be found in Appendix A. 
Furthermore, the lists also contained names related to a variety of\r\nsecurity software programs including:\r\nSecurity software process names\r\nAVG/AVAST\r\nPanda\r\nKaspersky\r\nTanium\r\nDriver names\r\nCyberArk - cybkerneltracker.sys\r\nAltiris Symantec - atrsdfw.sys (Ghost Pre-installation boot environment driver)\r\nRaytheon Cyber Solutions - eaw.sys\r\nCJSC Returnil Software - rvsavd.sys\r\nVerasys Digital Guardian - dgdmk.sys\r\nSentinel One - sentinelmonitor.sys\r\nHexis Cyber Solutions - hexisfsmonitor.sys\r\nDell SecureWorks - groundling32.sys, groundling64.sys\r\nSAFE-Cyberdefense - safe-agent.sys\r\nCybereason - crexecprev.sys\r\nAbsolute - psepfilter.sys, cve.sys\r\nBromium - brfilter.sys, brcow_x_x_x_x.sys\r\nLogRhythm - lragentmf.sys\r\nOESIS OPSwat - libwamf.sys\r\nThe security vendors on this list have most likely been chosen as the attacker has determined that their products\r\nare unlikely to be installed at organizations of interest to the attackers. Given the indiscriminate nature of the supply\r\nchain as a vector, with an estimated 18,000 SolarWinds customers affected, the attackers probably wanted to avoid\r\nany risk of detection in organizations that weren’t of interest to them.\r\nInterestingly, the process solarwindsdiagnostics is also blacklisted. Presumably this is included to avoid detection\r\nduring any SolarWinds testing or troubleshooting.\r\nDisabling security software\r\nSunburst also attempts to specifically disable some software security services via the registry. This allows\r\nSunburst to perform its malicious actions completely undetected. If the attackers worked quickly and restored the\r\nservices afterwards, a security administrator would potentially have no record of the activity, nor have even\r\nnoticed the temporary lack of protection.\r\nFigure 1. 
Example of how Sunburst disables security software. In this case it checks if the CrowdStrike processes\r\ncsfalconservice or csfalconcontainer are running, and if so, it sets the csagent, csfalconservice, and\r\ncsdevicecontrol services to be disabled.\r\nThis function will:\r\nGet a list of running processes\r\nCheck if the process names match items on the process/services name pair list\r\nDisable the security software by modifying its service registry entry\r\nAfter the software has been confirmed to be disabled, usually after a reboot, the malicious code will then\r\ncontact the command and control (C\u0026C) server and potentially perform further malicious actions\r\nTo disable the security software, Sunburst will simply set the products’ service start setting to Disabled. In\r\nWindows, this is done by setting the registry key:\r\nHKLM\\SYSTEM\\CurrentControlSet\\services\\\u003cservice name\u003e\\Start = 4\r\nThis will cause the security software not to load at the next reboot.\r\nIt should be noted that the attackers do not attempt to disable any Symantec products. Presumably this is because\r\nof an anti-tampering feature in Symantec software, which prevents its own service from being disabled.\r\nThe process and services pair list includes software from the following vendors:\r\nCrowdStrike\r\nCarbon Black\r\nFireEye\r\nESET\r\nF-Secure\r\nInterestingly, the list also included Microsoft Defender, but only the service key permissions are changed.\r\nCurrently, this has an unknown effect. In addition, some other unknown products are also included, but were\r\neffectively commented out. The attackers may have discovered this technique was ineffective for these products.\r\nFinally, Sunburst will check if api.solarwinds.com resolves to a valid address before continuing.\r\nLow profile threat\r\nThe SolarWinds attacks are among the best-planned and adept attacks we have seen in recent years. 
The attackers\r\nhave gone to great lengths to both find an effective path into their targeted organizations and, once inside their\r\nnetworks, maintain a low profile. Our analysis of these tools is ongoing and we plan to publish further blogs in the\r\ncoming weeks.\r\nProtection/Mitigation\r\nTools associated with these attacks will be detected and blocked on machines running Symantec Endpoint\r\nproducts.\r\nFile-based protection:\r\nBackdoor.Sunburst\r\nBackdoor.Sunburst!gen1\r\nBackdoor.SuperNova\r\nBackdoor.Teardrop\r\nNetwork-based protection:\r\nSystem Infected: Sunburst Malware Activity\r\nAppendix A\r\nDrivers Avoided\r\nSecurity Software Avoided\r\nSource: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-attacks-stealthy-attackers-attempted-evade-detection",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-attacks-stealthy-attackers-attempted-evade-detection"
	],
	"report_names": [
		"solarwinds-attacks-stealthy-attackers-attempted-evade-detection"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434146,
	"ts_updated_at": 1775791469,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/46a236f20c70e7a3e753e24cb9269ee2c57e4c9b.pdf",
		"text": "https://archive.orkl.eu/46a236f20c70e7a3e753e24cb9269ee2c57e4c9b.txt",
		"img": "https://archive.orkl.eu/46a236f20c70e7a3e753e24cb9269ee2c57e4c9b.jpg"
	}
}