{
	"id": "931b7e22-0343-4870-a08e-75d62e16c807",
	"created_at": "2026-04-06T00:09:35.583889Z",
	"updated_at": "2026-04-10T13:12:12.801983Z",
	"deleted_at": null,
	"sha1_hash": "67ee5a9e85ce7c5f7729933fa342794ec4551375",
	"title": "FireEye, Microsoft create kill switch for SolarWinds backdoor",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2477230,
	"plain_text": "FireEye, Microsoft create kill switch for SolarWinds backdoor\r\nBy Lawrence Abrams\r\nPublished: 2020-12-16 · Archived: 2026-04-05 20:44:22 UTC\r\nMicrosoft, FireEye, and GoDaddy have collaborated to create a kill switch for the SolarWinds Sunburst backdoor that forces the malware to terminate itself.\r\nThis past weekend it was revealed that Russian state-sponsored hackers breached SolarWinds and added malicious code to a Windows DLL file used by their Orion IT monitoring platform.\r\nThis malicious DLL is a backdoor tracked as Solarigate (Microsoft) or Sunburst (FireEye) and was distributed via SolarWinds' auto-update mechanism to approximately 18,000 customers, including the U.S. Treasury, US NTIA, and the U.S. Department of Homeland Security.\r\nhttps://www.bleepingcomputer.com/news/security/fireeye-microsoft-create-kill-switch-for-solarwinds-backdoor/\r\nPage 1 of 5\r\nAs part of a coordinated disclosure with Microsoft and SolarWinds, FireEye released a report on Sunday with an analysis of the supply chain attack and how the Sunburst backdoor operates.\r\nThis research revealed that the Sunburst backdoor would connect to a command and control (C2) server at a subdomain of avsvmcloud[.]com to receive 'jobs', or commands to execute.\r\nThe FireEye report also revealed that if the C2 server resolved to an IP address in one of the following ranges, the malware would terminate and update a setting, so the malware never executes again.\r\n10.0.0.0/8\r\n172.16.0.0/12\r\n192.168.0.0/16\r\n224.0.0.0/3\r\nfc00:: - fe00::\r\nfec0:: - ffc0::\r\nff00:: - ff00::\r\n20.140.0.0/15\r\n96.31.172.0/24\r\n131.228.12.0/22\r\n144.86.226.0/24\r\nYesterday, the command and control server domain, avsvmcloud[.]com, was seized and now resolves to the IP address 20.140.0.1, which belongs to Microsoft. This domain takeover allows Microsoft and its partners to sinkhole the malicious traffic and analyze it to identify further victims.\r\nDNS lookup of C2\r\nFireEye and Microsoft create a Sunburst kill switch\r\nToday, Brian Krebs was the first to reveal that FireEye, Microsoft, and GoDaddy collaborated to create a kill switch for the Sunburst malware.\r\nIn a statement also sent to BleepingComputer, FireEye explains that they used the avsvmcloud[.]com takeover to create a kill switch that unloads the Sunburst malware on infected machines.\r\n\"SUNBURST is the malware that was distributed through SolarWinds software. As part of FireEye's analysis of SUNBURST, we identified a killswitch that would prevent SUNBURST from continuing to operate.\"\r\n\"Depending on the IP address returned when the malware resolves avsvmcloud[.]com, under certain conditions, the malware would terminate itself and prevent further execution. FireEye collaborated with GoDaddy and Microsoft to deactivate SUNBURST infections.\"\r\n\"This killswitch will affect new and previous SUNBURST infections by disabling SUNBURST deployments that are still beaconing to avsvmcloud[.]com,\" FireEye told BleepingComputer in a statement.\r\nWhile FireEye does not provide specific details regarding the kill switch, we can see how the kill switch works from their previous analysis.\r\nAs part of this collaboration, GoDaddy has created a wildcard DNS resolution so that any subdomain of avsvmcloud[.]com resolves to 20.140.0.1. This is illustrated by a DNS lookup for a made-up subdomain, as shown below.\r\nWildcard DNS resolution for avsvmcloud[.]com\r\nDue to this wildcard DNS resolution, when an infected machine tries to connect to its command and control server under the avsvmcloud[.]com domain, the subdomain will always resolve to the 20.140.0.1 IP address. As this IP address is part of the 20.140.0.0/15 range that is on the malware block list, it will cause the malware to terminate and prevent itself from executing again.\r\nMicrosoft IP address ranges were likely added to the block list to prevent their security operations from detecting the malicious activity.\r\nFireEye warned that this kill switch would only terminate the original Sunburst infection. Where an organization was already breached, the threat actors likely have other methods of accessing the victim's network.\r\n\"However, in the intrusions FireEye has seen, this actor moved quickly to establish additional persistent mechanisms to access victim networks beyond the SUNBURST backdoor. This killswitch will not remove the actor from victim networks where they have established other backdoors. However, it will make it more difficult for the actor to leverage the previously distributed versions of SUNBURST,\" FireEye warned about the kill switch.\r\nIt is not known if the victims identified via the sinkhole/kill switch are being notified that they are compromised.\r\nBleepingComputer has contacted Microsoft with questions related to the kill switch but was told they had nothing to share at this time.\r\nSource: https://www.bleepingcomputer.com/news/security/fireeye-microsoft-create-kill-switch-for-solarwinds-backdoor/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/fireeye-microsoft-create-kill-switch-for-solarwinds-backdoor/"
	],
	"report_names": [
		"fireeye-microsoft-create-kill-switch-for-solarwinds-backdoor"
	],
	"threat_actors": [
		{
			"id": "2864e40a-f233-4618-ac61-b03760a41cbb",
			"created_at": "2023-12-01T02:02:34.272108Z",
			"updated_at": "2026-04-10T02:00:04.97558Z",
			"deleted_at": null,
			"main_name": "WildCard",
			"aliases": [],
			"source_name": "ETDA:WildCard",
			"tools": [
				"RustDown",
				"SysJoker"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "256a6a2d-e8a2-4497-b399-628a7fad4b3e",
			"created_at": "2023-11-30T02:00:07.299845Z",
			"updated_at": "2026-04-10T02:00:03.484788Z",
			"deleted_at": null,
			"main_name": "WildCard",
			"aliases": [],
			"source_name": "MISPGALAXY:WildCard",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434175,
	"ts_updated_at": 1775826732,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/67ee5a9e85ce7c5f7729933fa342794ec4551375.pdf",
		"text": "https://archive.orkl.eu/67ee5a9e85ce7c5f7729933fa342794ec4551375.txt",
		"img": "https://archive.orkl.eu/67ee5a9e85ce7c5f7729933fa342794ec4551375.jpg"
	}
}