{
	"id": "9ea38b01-1624-4d26-a9de-e35f9a0eb070",
	"created_at": "2026-04-06T00:16:22.643364Z",
	"updated_at": "2026-04-10T03:35:29.010926Z",
	"deleted_at": null,
	"sha1_hash": "733d0a327fc5f860b28174e52b0ab679d240bba5",
	"title": "Sunburst Malware: Inside the SolarWinds Supply Chain Breach",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4344800,
	"plain_text": "Sunburst Malware: Inside the SolarWinds Supply Chain Breach\r\nPublished: 2025-10-22 · Archived: 2026-04-05 19:42:25 UTC\r\nWhen cybersecurity historians look back at the 2020s, the SolarWinds breach — driven by the Sunburst backdoor — will stand out as the moment the world realized how fragile software trust chains can be.\r\nAttackers didn’t just compromise one network; they turned a trusted update mechanism into a global delivery system for espionage.\r\nAs someone who has worked in cloud forensics and supply chain defense, I often describe Sunburst as “a symphony of silence” — precise, patient, and devastatingly effective.\r\nThe Trojan Inside a Trusted Update\r\nThe attack began when adversaries successfully injected malicious code into SolarWinds Orion, a widely used IT monitoring product.\r\nThis wasn’t a rushed exploit; it was a carefully timed insertion inside an otherwise legitimate DLL — SolarWinds.Orion.Core.BusinessLayer.dll.\r\nThat DLL, signed with SolarWinds’ valid certificate, was distributed via routine software updates.\r\nWhen administrators installed the patch named SolarWinds-Core-v2019.4.5220-Hotfix5.msp, they unknowingly deployed a backdoor into their own systems.\r\nThe malware was not obfuscated; it was written in .NET, easily decompiled by tools like ILSpy.\r\nThis allowed researchers to reconstruct and analyze it line by line.\r\nOnce loaded, it executed quietly within the legitimate process SolarWinds.BusinessLayerHost.exe, blending into the software’s normal behavior.\r\nhttps://www.prevasio.io/blog/sunburst-backdoor-a-deeper-look-into-the-solarwinds-supply-chain-malware\r\nPage 1 of 6\n\nHow the Backdoor Stayed Hidden\r\nSunburst’s stealth was rooted in timing and precision.\r\nAfter being loaded, the malicious code waited between 12 and 14 days before activating.\r\nThis random delay, ranging from 288 to 336 hours, was a clever tactic — delaying detection by security teams and automated scanners.\r\nThe malware maintained an internal reporting state called ReportWatcherRetry, which determined its next action.\r\nIf the state was “New,” it began communication; if “Truncate,” it shut down network operations and disabled defenses.\r\nTo appear inactive, it would “sleep” for random intervals between 30 minutes and 2 hours.\r\nIn Hindi, one could say “yeh malware sota bhi hai, par sapne nahi dekhta” — it sleeps, but it never stops watching.\r\nThe Identity Behind the Attack: User ID Generation\r\nEach infected system generated a unique 8-byte User ID derived from:\r\n1. The machine’s MAC address,\r\n2. Its domain name, and\r\n3. A Windows installation UUID.\r\nThe result looked random but stayed consistent unless the OS or network hardware changed.\r\nThis permanent fingerprint allowed attackers to track individual hosts without obvious identifiers — a masterclass in covert telemetry.\r\nDomain Generation and Command and Control\r\nSunburst’s CryptoHelper class produced domain names dynamically, blending cryptography with randomness.\r\nThe process began by querying api.solarwinds.com. If resolution failed, the malware went dormant — another layer of self-preservation.\r\nDomains were created using a custom base64 alphabet (ph2eifo3n5utg1j8d94qrvbmk0sal76c), combined with encoded host data.\r\nA generated domain could look like:\r\nk1sdhtslulgqoagyn2huov.appsync-api.us-east-1.avsvmcloud.com\r\nThis structure resembled legitimate AWS API endpoints — masking malicious traffic among genuine cloud requests.\r\nExample of Generated Domains\r\nExample Hostname | C2 Region | Mimicked Service\r\nfivu4vjamve5vfrtn2huov.appsync-api.eu-west-1.avsvmcloud.com | EU | AWS AppSync\r\nk1sdhtslulgqoagyn2huov.appsync-api.us-east-1.avsvmcloud.com | US East | AWS AppSync\r\nEach new domain resolved to an IP address. If the IP matched specific subnet patterns, the malware interpreted it as a coded instruction — to activate, sleep, or disable tools.\r\nAdaptive Behavior: The Address Family Logic\r\nSunburst assigned “address families” based on IP subnets.\r\nFor example, IPs like 20.140.0.1 mapped to the ImpLink family, triggering specific routines.\r\nAddresses within private ranges (10.x.x.x or 192.168.x.x) were marked as Atm, used for stealth actions.\r\nThis subtle design allowed the attackers to control malware behavior remotely through DNS alone — a technique rarely seen in earlier backdoors.\r\nDisabling Defenses: Privilege Escalation and Registry Manipulation\r\nWhen Sunburst determined it was safe to proceed, it elevated privileges using Windows APIs:\r\nAdjustTokenPrivileges() granted SeRestorePrivilege and SeTakeOwnershipPrivilege, enabling full control over protected services.\r\nIt then enumerated local user accounts via WMI queries (Select * From Win32_UserAccount) to locate the Administrator SID (ending with -500).\r\nOnce found, it reassigned ownership of antivirus registry keys, disabling services like Windows Defender by setting their Start values to 4 — effectively turning them off.\r\nThis operation was powered by the Fowler–Noll–Vo hash algorithm, which compared hashed process names to a predefined blacklist.\r\nEven the hash for MsMpEng (Windows Defender’s core process) — 5183687599225757871 — was explicitly embedded in the malware.\r\nHTTP Backdoor and System Reconnaissance\r\nIf the domain resolution returned a “NetBios” family IP, Sunburst initialized its HTTP backdoor, communicating through encrypted HTTPS requests.\r\nCommands like CollectSystemDescription gathered exhaustive system data:\r\nDomain and username\r\nOS version\r\nProxy configurations\r\nNetwork adapters and IPs\r\nA sample output sent to attackers might look like:\r\nDESKTOP-VL39FPO | UserName | Windows 10 64-bit | 192.168.20.30 | 8.8.8.8 | DHCP: True\r\nIt also supported commands like GetProcessByDescription, listing processes with paths and parent PIDs — a reconnaissance method to map active defenses.\r\nStaging the Second Attack\r\nSunburst wasn’t the final payload.\r\nIt included commands like WriteFile and RunTask, enabling attackers to deploy and execute second-stage malware directly.\r\nThese payloads were often tailored for specific environments, extending control to email servers, identity platforms, and domain controllers.\r\nIf persistence was needed, registry manipulation ensured the payload would re-execute after reboot.\r\nIn short, Sunburst was the silent courier — the delivery boy of a much larger operation.\r\nLessons from Sunburst: Supply Chain and Cloud Vigilance\r\nThe Sunburst breach wasn’t a simple intrusion — it was a paradigm shift.\r\nBy compromising a software vendor’s build system, attackers reached thousands of organizations without breaking into a single firewall.\r\nThis proved that trust is the new attack surface.\r\nToday, modern security frameworks like Zero Trust Architecture and Software Bill of Materials (SBOM) have emerged in direct response.\r\nVendors now integrate code-signing validation, runtime monitoring, and DevSecOps pipelines that scan build environments for anomalies.\r\nAs I often tell my students: “Yeh incident ne sikhaya — verification bina trust nahi” (This incident taught us that without verification, trust means nothing).\r\nThe Future: AI and Supply Chain Defense\r\nAI-driven analytics now allow defenders to trace subtle behavioral shifts across millions of endpoints — something manual review could never achieve.\r\nBy mapping communication graphs and DGA patterns, machine learning can now flag anomalies before they turn into breaches.\r\nBut technology alone isn’t enough.\r\nTrue resilience requires cultural change: transparency in vendor ecosystems and collaboration across global CERTs.\r\nSource: https://www.prevasio.io/blog/sunburst-backdoor-a-deeper-look-into-the-solarwinds-supply-chain-malware",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.prevasio.io/blog/sunburst-backdoor-a-deeper-look-into-the-solarwinds-supply-chain-malware"
	],
	"report_names": [
		"sunburst-backdoor-a-deeper-look-into-the-solarwinds-supply-chain-malware"
	],
	"threat_actors": [
		{
			"id": "42a6a29d-6b98-4fd6-a742-a45a0306c7b0",
			"created_at": "2022-10-25T15:50:23.710403Z",
			"updated_at": "2026-04-10T02:00:05.281246Z",
			"deleted_at": null,
			"main_name": "Silence",
			"aliases": [
				"Whisper Spider"
			],
			"source_name": "MITRE:Silence",
			"tools": [
				"Winexe",
				"SDelete"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "eb5915d6-49a0-464d-9e4e-e1e2d3d31bc7",
			"created_at": "2025-03-29T02:05:20.764715Z",
			"updated_at": "2026-04-10T02:00:03.851829Z",
			"deleted_at": null,
			"main_name": "GOLD WYMAN",
			"aliases": [
				"Silence "
			],
			"source_name": "Secureworks:GOLD WYMAN",
			"tools": [
				"Silence"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "88e53203-891a-46f8-9ced-81d874a271c4",
			"created_at": "2022-10-25T16:07:24.191982Z",
			"updated_at": "2026-04-10T02:00:04.895327Z",
			"deleted_at": null,
			"main_name": "Silence",
			"aliases": [
				"ATK 86",
				"Contract Crew",
				"G0091",
				"TAG-CR8",
				"TEMP.TruthTeller",
				"Whisper Spider"
			],
			"source_name": "ETDA:Silence",
			"tools": [
				"EDA",
				"EmpireDNSAgent",
				"Farse",
				"Ivoke",
				"Kikothac",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Meterpreter",
				"ProxyBot",
				"ReconModule",
				"Silence.Downloader",
				"TiniMet",
				"TinyMet",
				"TrueBot",
				"xfs-disp.exe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434582,
	"ts_updated_at": 1775792129,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/733d0a327fc5f860b28174e52b0ab679d240bba5.pdf",
		"text": "https://archive.orkl.eu/733d0a327fc5f860b28174e52b0ab679d240bba5.txt",
		"img": "https://archive.orkl.eu/733d0a327fc5f860b28174e52b0ab679d240bba5.jpg"
	}
}