{
	"id": "3736e9c0-d477-4ce4-8602-dba487084f99",
	"created_at": "2026-04-06T00:14:11.271005Z",
	"updated_at": "2026-04-10T13:11:46.558681Z",
	"deleted_at": null,
	"sha1_hash": "4ba97336916ee24214b540dde87fbc632e3e6b1e",
	"title": "Raindrop: New Malware Discovered in SolarWinds Investigation",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 91908,
	"plain_text": "Raindrop: New Malware Discovered in SolarWinds Investigation\r\nArchived: 2026-04-02 10:57:54 UTC\r\n
Symantec, a division of Broadcom (NASDAQ: AVGO), has uncovered an additional piece of malware used in the SolarWinds attacks, deployed against a select number of victims that were of interest to the attackers.\r\n
Raindrop (Backdoor.Raindrop) is a loader that delivers a Cobalt Strike Beacon payload. Raindrop is very similar to the already documented Teardrop tool, but there are some key differences between the two. While Teardrop was delivered by the initial Sunburst backdoor (Backdoor.Sunburst), Raindrop appears to have been used for spreading across the victim’s network. Symantec has seen no evidence to date of Raindrop being delivered directly by Sunburst. Instead, it appears elsewhere on networks where at least one computer has already been compromised by Sunburst.\r\n
Raindrop attacks\r\n
In one victim, in early July 2020, Sunburst was installed through the SolarWinds Orion update, as has been well documented. Two computers were compromised.\r\n
The following day, Teardrop was installed on one of these computers. That computer was found to have an Active Directory query tool, as well as a credential dumper designed specifically for SolarWinds Orion databases. The credential dumper was similar to, but not the same as, the open source Solarflare tool.\r\n
Eleven days later, on a third computer in the organization, where no previous malicious activity had been observed, a copy of the previously unseen Raindrop was installed under the name bproxy.dll. This computer was running computer access and management software, which the attackers could have used to reach any of the computers in the compromised organization.\r\n
One hour later, Raindrop installed an additional file called \"7z.dll\". We were unable to retrieve this file; however, within hours a legitimate copy of 7-Zip was used to extract what appeared to be Directory Services Internals (DSInternals) onto the computer. DSInternals is a legitimate tool that can be used for querying Active Directory servers and retrieving data, typically passwords, keys, or password hashes.\r\n
An additional tool called mc_store.exe was later installed by the attackers on this computer. The tool is an unknown PyInstaller-packaged application. No further activity was observed on this computer.\r\n
Figure 1. Example of Raindrop victim timeline\r\n
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-raindrop-malware\r\nPage 1 of 6\r\n
In a second victim where the Raindrop loader was seen, it was installed in a file called astdrvx64.dll in late May. Several days later, in early June, PowerShell commands were executed on that computer, attempting to execute further instances of Raindrop on additional computers in the organization:\r\n
Invoke-Command -ComputerName REDACTED -ScriptBlock { rundll32 c:\\Packages\\Plugins\\Microsoft.Powershell.DSC\\2.77.0.0\\bin\\TelemetryStatus.dll Tk_CreateItemType}\r\n
Invoke-WMIMethod win32_process -name create -argumentlist 'rundll32 c:\\windows\\Speech_OneCore\\Engines\\TTS\\en-US\\enUS.Media.dll TkChangeEventWindow' -ComputerName REDACTED\r\n
In both cases the loader is invoked through rundll32 by one of its Tcl/Tk-style export names, from a path chosen to look like a legitimate component.\r\n
In a third victim where Raindrop was seen, the instance of Cobalt Strike that was extracted did not have an HTTP-based command and control server but was instead configured to use a named pipe over SMB (\\\\.\\pipe\\protected_storage[REDACTED]). It is possible that in this instance the victim computer did not have direct access to the internet, and so command and control was routed through another computer on the local network.\r\n
Raindrop technical analysis\r\n
Raindrop is similar to Teardrop in that both pieces of malware act as a loader for Cobalt Strike Beacon. Raindrop uses a custom packer to pack Cobalt Strike, and this packer is different from the one used by Teardrop.\r\n
Raindrop is compiled as a DLL built from a modified version of the 7-Zip source code. The 7-Zip code is not used for its original purpose; it exists to hide the malicious functionality added by the attackers. The Name field of the DLL's Export Directory Table is \"7-zip.dll\" and the export names are:\r\n
DllCanUnloadNow\r\nDllGetClassObject\r\nDllRegisterServer\r\nDllUnregisterServer\r\n
And one of the following, selected at random:\r\n
Tk_DistanceToTextLayout\r\nTk_GetScrollInfoObj\r\nTk_MainLoop\r\nXGetGeometry\r\n
The export names overlap with names used by Tcl/Tk projects.\r\n
Custom packer\r\n
Whenever the DLL is loaded, it starts a new thread from the DllMain subroutine that executes the malicious code. This thread performs the following actions:\r\n
Executes some computation to delay execution. This does not affect functionality.\r\n
Locates the start of the encoded payload, which is embedded within legitimate 7-Zip machine code.\r\n
To locate the start of the encoded payload, the packer uses steganography: it scans the bytes from the beginning of the subroutine, skipping any byte until the first occurrence of one of the following opcodes of interest:\r\n
.data:0000000180053008 opcodes         db 5, 0Dh, 15h, 1Dh, 25h, 2Dh, 35h, 3Dh, 0B8h\r\n
These are the single-byte encodings of add, or, adc, sbb, and, sub, xor and cmp eax, imm32 and of mov eax, imm32, each of which is followed by a 4-byte immediate; the payload bytes live in those immediates.\r\n
The malware then performs the following actions:\r\n
Extracts the encoded payload. This simply copies data from pre-determined locations that correspond to the immediate values of the relevant machine instructions.\r\n
Decrypts the extracted payload using AES in CBC mode.\r\n
Decompresses the decrypted payload using LZMA.\r\n
Decrypts the decompressed payload with a simple XOR using a one-byte key; because this happens after decompression it does not affect the compression ratio.\r\n
Executes the result as shellcode.\r\n
Raindrop and Teardrop comparison\r\n
Although Raindrop is very similar to Teardrop, there are some key differences between the tools. As mentioned previously, Raindrop uses a different packer. The packers differ in the following ways:\r\n
Payload format\r\n  Teardrop: Custom, reusing features from the PE format. It may be possible to reuse the packer with a range of different payloads supplied as PE DLLs with automatic conversion.\r\n  Raindrop: Shellcode only.\r\n
Payload embedding\r\n  Teardrop: Binary blob in data section.\r\n  Raindrop: Steganography; stored at pre-determined locations within the machine code.\r\n
Payload encryption\r\n  Teardrop: visualDecrypt combined with XOR using a long key.\r\n  Raindrop: AES layer before decompression; separate XOR layer using a one-byte key after decompression.\r\n
Payload compression\r\n  Teardrop: None.\r\n  Raindrop: LZMA.\r\n
Obfuscation\r\n  Teardrop: Reading a JPEG file. Inserted blocks of junk code, some of which could be generated using a polymorphic engine.\r\n  Raindrop: Non-functional code to delay execution.\r\n
Export names\r\n  Teardrop: Export names vary; in some cases names overlap with Tcl/Tk projects.\r\n  Raindrop: Export names overlap with Tcl/Tk projects.\r\n
Stolen code\r\n  Teardrop: Byte-copy of machine code from pre-existing third-party components. The original code is distributed in compiled format only.\r\n  Raindrop: Recompiled third-party source code.\r\n
While both malware families are designed to deploy Cobalt Strike Beacon, there are differences in Cobalt Strike configuration. To date, Symantec has seen four samples of Raindrop. In three cases, Cobalt Strike was configured to use HTTPS as its communication protocol; in the fourth it was configured to use an SMB named pipe.\r\n
All three Raindrop samples using HTTPS communication follow very similar configuration patterns to those previously seen in one Teardrop sample (b820e8a2057112d0ed73bd7995201dbed79a79e13c79d4bdad81a22f12387e07). The most important similarities are highlighted below.\r\n
Teardrop\r\nSHA256: b820e8a2057112d0ed73bd7995201dbed79a79e13c79d4bdad81a22f12387e07\r\nURLs: https(://)infinitysoftwares(.)com/files/information_055.pdf\r\n      https(://)infinitysoftwares(.)com/wp-admin/new_file.php\r\nPOST form: name=\"uploaded_1\";filename=\"33139.pdf\" Content-Type: text/plain\r\n
Raindrop\r\nSHA256: be9dbbec6937dfe0a652c0603d4972ba354e83c06b8397d6555fd1847da36725\r\nURLs: https(://)bigtopweb(.)com/files/page_306.pdf\r\n      https(://)bigtopweb(.)com/wp-admin/admin-ajax.php\r\nPOST form: name=\"uploaded_1\";filename=\"84921.pdf\" Content-Type: text/plain\r\n
Raindrop\r\nSHA256: f2d38a29f6727f4ade62d88d8a68de0d52a0695930b8c92437a2f9e4de92e418\r\nURLs: https(://)panhardware(.)com/files/documentation_076.pdf\r\n      https(://)panhardware(.)com/wp-admin/new_file.php\r\nPOST form: name=\"uploaded_1\";filename=\"18824.pdf\" Content-Type: text/plain\r\n
All of the aforementioned domains were registered through the same registrar, NameSilo, LLC, and, except for panhardware[.]com, which is currently sinkholed, share the same name servers:\r\nns1.dnsowl.com\r\nns2.dnsowl.com\r\nns3.dnsowl.com\r\n
Clearer picture\r\n
The discovery of Raindrop is a significant step in our investigation of the SolarWinds attacks, as it provides further insight into post-compromise activity at organizations of interest to the attackers. While Teardrop was used on computers that had been infected by the original Sunburst Trojan, Raindrop appeared elsewhere on the network, being used by the attackers to move laterally and deploy payloads on other computers.\r\n
Protection/Mitigation\r\n
Tools associated with these attacks will be detected and blocked on machines running Symantec Endpoint products.\r\n
File-based protection:\r\nBackdoor.Raindrop\r\nBackdoor.Teardrop\r\nBackdoor.Sunburst\r\nBackdoor.Sunburst!gen1\r\nBackdoor.SuperNova\r\n
Network-based protection:\r\nSystem Infected: Sunburst Malware Activity\r\n
For the latest protection updates, please visit the Symantec Protection Bulletin.\r\n
Yara Rules\r\n
rule RaindropPacker\r\n{\r\n    meta:\r\n        copyright = \"Symantec\"\r\n        family = \"Raindrop\"\r\n    strings:\r\n        $code = {\r\n
            41 8B 4F 20                 // mov ecx, [r15+20h]\r\n
            49 8D 77 24                 // lea rsi, [r15+24h]\r\n
            89 8D ?? ?? 00 00           // mov dword ptr [rbp+0A0h+arg_0], ecx\r\n
            E8 ?? ?? ?? ??              // call sub_180010270\r\n
            33 D2                       // xor edx, edx\r\n
            48 8D 4C 24 ??              // lea rcx, [rsp+1A0h+var_160]\r\n
            44 8D 42 10                 // lea r8d, [rdx+10h]\r\n
            E8 ?? ?? ?? ??              // call sub_180038610\r\n
            48 8D 5C 24 ??              // lea rbx, [rsp+1A0h+var_150]\r\n
            F7 DB                       // neg ebx\r\n
            48 8D 7C 24 ??              // lea rdi, [rsp+1A0h+var_150]\r\n
            48 C1 EB 02                 // shr rbx, 2\r\n
            48 8D 54 24 ??              // lea rdx, [rsp+1A0h+var_160]\r\n
            83 E3 03                    // and ebx, 3\r\n
            48 8D 3C 9F                 // lea rdi, [rdi+rbx*4]\r\n
            48 8B CF                    // mov rcx, rdi\r\n
            E8 ?? ?? ?? ??              // call sub_1800101D0\r\n
            48 8D 4C 24 ??              // lea rcx, [rsp+1A0h+var_140]\r\n
            49 8B D7                    // mov rdx, r15\r\n
            48 8D 0C 99                 // lea rcx, [rcx+rbx*4]\r\n
            BB 20 00 00 00              // mov ebx, 20h\r\n
            44 8B C3                    // mov r8d, ebx\r\n
            E8 ?? ?? ?? ??              // call sub_180010ED0\r\n
            44 8B 85 ?? ?? 00 00        // mov r8d, dword ptr [rbp+0A0h+arg_0]\r\n
            48 8B D6                    // mov rdx, rsi ; _QWORD\r\n
            49 C1 E8 04                 // shr r8, 4 ; _QWORD\r\n
            48 8B CF                    // mov rcx, rdi ; _QWORD\r\n
            FF 15 ?? ?? ?? ??           // call cs:qword_180056E90\r\n
            8B 95 ?? ?? 00 00           // mov edx, dword ptr [rbp+0A0h+arg_0]\r\n
            4C 8D 85 ?? ?? 00 00        // lea r8, [rbp+0A0h+dwSize]\r\n
            48 83 A5 ?? ?? 00 00 00     // and [rbp+0A0h+dwSize], 0\r\n
            48 8B CE                    // mov rcx, rsi\r\n
            E8 ?? ?? ?? ??              // call sub_180009630\r\n
            48 8B 95 ?? ?? 00 00        // mov rdx, [rbp+0A0h+dwSize] ; dwSize\r\n
            44 8B CB                    // mov r9d, ebx ; flProtect\r\n
            41 B8 00 10 00 00           // mov r8d, 1000h ; flAllocationType\r\n
            33 C9                       // xor ecx, ecx ; lpAddress\r\n
            FF 15 ?? ?? ?? ??           // call cs:VirtualAlloc\r\n
            48 8B 95 ?? ?? 00 00        // mov rdx, [rbp+0A0h+dwSize] ; dwSize\r\n
            4C 8D 8D ?? ?? 00 00        // lea r9, [rbp+0A0h+flOldProtect] ; lpflOldProtect\r\n
            48 8B C8                    // mov rcx, rax ; lpAddress\r\n
            41 B8 04 00 00 00           // mov r8d, 4 ; flNewProtect\r\n
            48 8B D8                    // mov rbx, rax\r\n
            FF 15 ?? ?? ?? ??           // call cs:VirtualProtect\r\n
            4C 8D 8D ?? ?? 00 00        // lea r9, [rbp+0A0h+arg_0]\r\n
            4C 8B C6                    // mov r8, rsi\r\n
            48 8D 95 ?? ?? 00 00        // lea rdx, [rbp+0A0h+dwSize]\r\n
            48 8B CB                    // mov rcx, rbx\r\n
            E8 ?? ?? ?? ??              // call sub_1800095A0\r\n
            4D 8B C6                    // mov r8, r14\r\n
            33 D2                       // xor edx, edx\r\n
            49 8B CF                    // mov rcx, r15\r\n
            E8 ?? ?? ?? ??              // call sub_180038610\r\n
            33 D2                       // xor edx, edx ; dwSize\r\n
            41 B8 00 80 00 00           // mov r8d, 8000h ; dwFreeType\r\n
            49 8B CF                    // mov rcx, r15 ; lpAddress\r\n
            FF 15 ?? ?? ?? ??           // call cs:VirtualFree\r\n
            48 8B 95 ?? ?? 00 00        // mov rdx, [rbp+0A0h+dwSize]\r\n
            48 85 D2                    // test rdx, rdx\r\n
            74 1B                       // jz short l_1\r\n
            48 8B CB                    // mov rcx, rbx\r\n
            80 31 ??                    // l_0: xor byte ptr [rcx], 39h\r\n
            48 FF C1                    // inc rcx\r\n
            48 8B 95 ?? ?? 00 00        // mov rdx, [rbp+0A0h+dwSize] ; dwSize\r\n
            48 8B C1                    // mov rax, rcx\r\n
            48 2B C3                    // sub rax, rbx\r\n
            48 3B C2                    // cmp rax, rdx\r\n
            72 E8                       // jb short l_0\r\n
            44 8B 85 ?? ?? 00 00        // l_1: mov r8d, [rbp+0A0h+flOldProtect] ; flNewProtect\r\n
            4C 8D 8D ?? ?? 00 00        // lea r9, [rbp+0A0h+flOldProtect] ; lpflOldProtect\r\n
            48 8B CB                    // mov rcx, rbx ; lpAddress\r\n
            FF 15 ?? ?? ?? ??           // call cs:VirtualProtect\r\n
            FF D3                       // call rbx\r\n
        }\r\n    condition:\r\n        all of them\r\n}\r\n
The sequence matched by $code is the packer's final stage, as the instruction comments show: VirtualAlloc with flProtect 20h (PAGE_EXECUTE_READWRITE), VirtualProtect down to 4 (PAGE_READWRITE), a byte-wise XOR loop over the buffer (80 31 ??; the key is 39h in the analysed sample, but the rule wildcards that byte so it is not tied to one key), VirtualProtect back to the previous protection, and call rbx to run the decoded shellcode.\r\n
The Yara rules are also available for download on GitHub.\r\n
Indicators of Compromise\r\n
SHA256 and description:\r\n
f2d38a29f6727f4ade62d88d8a68de0d52a0695930b8c92437a2f9e4de92e418  astdrvx64.dll & sddc.dll (Raindrop)\r\n
be9dbbec6937dfe0a652c0603d4972ba354e83c06b8397d6555fd1847da36725  bproxy.dll (Raindrop)\r\n
955609cf0b4ea38b409d523a0f675d8404fee55c458ad079b4031e02433fdbf3  cbs.dll (Raindrop)\r\n
N/A  Telemetry.Settings.dll (Likely Raindrop)\r\n
N/A  enUS.Media.dll (Likely Raindrop)\r\n
N/A  TelemetryStatus.dll (Likely Raindrop)\r\n
240ef5b8392b8c7a5a025c36a7e5b0e03e5bb0d0d1a28703bb22e6159a4fd10e  mc_store.exe (Unknown)\r\n
Network indicators, with the sample that uses each:\r\n
f2d38a29f6727f4ade62d88d8a68de0d52a0695930b8c92437a2f9e4de92e418  panhardware[.]com\r\n
955609cf0b4ea38b409d523a0f675d8404fee55c458ad079b4031e02433fdbf3  \\\\.\\pipe\\protected_storage[REDACTED]\r\n
be9dbbec6937dfe0a652c0603d4972ba354e83c06b8397d6555fd1847da36725  bigtopweb[.]com\r\n
Source: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-raindrop-malware",
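	"added_example": "The Custom packer section of the report describes Raindrop's unpacking pipeline only in prose: scan for the first of nine one-byte opcodes, copy the payload out of the immediates of those instructions, AES-CBC decrypt, LZMA decompress, XOR with a one-byte key, execute. The Python below is an added example written for this record; it is not Symantec's code and not Raindrop's packer. It builds a constructed carrier stream the way the report describes (payload bytes hidden in the imm32 fields of add/or/adc/sbb/and/sub/xor/cmp eax,imm32 and mov eax,imm32 instructions, which is what those nine opcodes encode) and then runs the loader-side steps in the report's order. Assumptions: the sample payload, the junk prefix, the three-carrier cycle and the 4-byte length word are constructed for the example; the AES-CBC layer is omitted because the standard library has no AES and the report gives no key handling; the key byte 0x39 is the one in the disassembly quoted by the YARA rule, which wildcards it.

```python
import lzma

# Opcodes that Raindrop's locator scans for, as listed in the Symantec write-up.
# Without a REX.W prefix each is a one-byte x86-64 instruction followed by a
# 32-bit immediate: 05 add eax,imm32 / 0D or / 15 adc / 1D sbb / 25 and /
# 2D sub / 35 xor / 3D cmp / B8 mov eax,imm32. Those immediates are the
# 'pre-determined locations' the payload bytes are copied from.
CARRIER_OPCODES = frozenset((0x05, 0x0D, 0x15, 0x1D, 0x25, 0x2D, 0x35, 0x3D, 0xB8))

# Assumption for this toy: the packer cycles through three carriers so the
# stream looks like arithmetic rather than a run of mov eax,imm32.
CARRIER_CYCLE = (0xB8, 0x05, 0x35)

# Constructed junk prefix standing in for the real 7-Zip code that precedes
# the carriers. Deliberately contains none of CARRIER_OPCODES.
JUNK_PREFIX = bytes((0x48, 0x8B, 0x4F, 0x20, 0x49, 0x8D, 0x77, 0x24, 0x90, 0x90))

# Constructed stand-in for the Cobalt Strike Beacon shellcode; not real code.
SAMPLE_PAYLOAD = b'constructed stand-in for Beacon shellcode: not real machine code' * 3

# 0x39 is the key byte visible in the disassembly quoted in the YARA rule;
# the rule itself wildcards it (80 31 ??), so treat it as per-sample.
XOR_KEY = 0x39


def xor_single_byte(data: bytes, key: int) -> bytes:
    '''Raindrop's innermost layer: XOR every byte with a single key byte.'''
    return bytes(b ^ key for b in data)


def pack(payload: bytes, key: int, junk: bytes = JUNK_PREFIX) -> bytes:
    '''Toy packer (an assumption, not Raindrop's real packer). Applies the
    layers in the reverse of the loader's unpacking order, minus AES-CBC,
    then hides the result in the imm32 fields of carrier instructions.'''
    inner = xor_single_byte(payload, key)          # undone last by the loader
    compressed = lzma.compress(inner)              # undone by LZMA decompress
    # Toy framing (assumption): a 4-byte little-endian length travels as the
    # first immediate so the extractor knows how many carriers to read.
    blob = len(compressed).to_bytes(4, 'little') + compressed
    blob += bytes(-len(blob) % 4)                  # whole imm32 chunks only
    code = bytearray(junk)
    for i in range(0, len(blob), 4):
        code.append(CARRIER_CYCLE[(i // 4) % len(CARRIER_CYCLE)])
        code += blob[i:i + 4]                      # chunk becomes the imm32
    code += bytes((0xC3,))                         # ret, so the stream ends like code
    return bytes(code)


def locate_carrier(code: bytes) -> int:
    '''Step 1 of the loader: skip bytes until the first opcode of interest.'''
    for offset, byte in enumerate(code):
        if byte in CARRIER_OPCODES:
            return offset
    raise ValueError('no carrier instruction found')


def extract_immediates(code: bytes, start: int, count: int) -> bytes:
    '''Step 2: copy the imm32 of count consecutive carrier instructions.'''
    out = bytearray()
    pos = start
    for _ in range(count):
        if code[pos] not in CARRIER_OPCODES:
            raise ValueError('expected a carrier opcode at offset %d' % pos)
        out += code[pos + 1:pos + 5]
        pos += 5
    return bytes(out)


def unpack(code: bytes, key: int) -> bytes:
    '''Loader side: locate, extract, (AES-CBC decrypt would go here in
    Raindrop), LZMA-decompress, then XOR with the one-byte key.'''
    start = locate_carrier(code)
    length = int.from_bytes(extract_immediates(code, start, 1), 'little')
    carriers = 1 + (length + 3) // 4               # length word plus data
    blob = extract_immediates(code, start, carriers)[4:4 + length]
    decompressed = lzma.decompress(blob)
    return xor_single_byte(decompressed, key)


if __name__ == '__main__':
    packed = pack(SAMPLE_PAYLOAD, XOR_KEY)
    print('carrier stream starts at offset', locate_carrier(packed))
    print('round trip ok:', unpack(packed, XOR_KEY) == SAMPLE_PAYLOAD)
```

Run it directly to see the round trip. The point to take from it: because the payload rides inside instruction immediates, a strings or entropy scan of the code section never sees a contiguous blob, and the Symantec YARA rule in this report accordingly matches the unpacking code rather than the payload.",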
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia",
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-raindrop-malware"
	],
	"report_names": [
		"solarwinds-raindrop-malware"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434451,
	"ts_updated_at": 1775826706,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4ba97336916ee24214b540dde87fbc632e3e6b1e.pdf",
		"text": "https://archive.orkl.eu/4ba97336916ee24214b540dde87fbc632e3e6b1e.txt",
		"img": "https://archive.orkl.eu/4ba97336916ee24214b540dde87fbc632e3e6b1e.jpg"
	}
}