{
	"id": "75b2dc24-8f6a-4c4b-82f4-20349420a069",
	"created_at": "2026-04-06T00:13:02.021659Z",
	"updated_at": "2026-04-10T03:21:44.319153Z",
	"deleted_at": null,
	"sha1_hash": "7e7dd5030420d1e909b3257f557daa900135d728",
	"title": "Twenty-three SUNBURST Targets Identified",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 336787,
	"plain_text": "Twenty-three SUNBURST Targets Identified\r\nBy Erik Hjelmvik\r\nPublished: 2021-01-25 · Archived: 2026-04-05 13:58:06 UTC\r\nMonday, 25 January 2021 08:25:00 (UTC/GMT)\r\nRemember when Igor Kuznetsov and Costin Raiu announced that two of the victims in FireEye's SUNBURST IOC list were ***net.***.com and central.***.gov on Kaspersky's Securelist blog in December? Reuters later reported that these victims were Cox Communications and Pima County.\r\nWe can now reveal that the internal AD domain of all SUNBURST deployments in FireEye's IOC list can be extracted from publicly available DNS logs published by twitter user VriesHd, a.k.a. \"Kira 2.0\", with the help of our SunburstDomainDecoder tool. The data published by VriesHd is the most complete SUNBURST DNS collection we've seen, with over 35,000 avsvmcloud.com subdomains! Here is FireEye's IOC table completed with our findings:\r\nLeaked AD Domain | Sunburst C2 FQDN                                          | Stage 2 CNAME        | Timestamp (UTC)\r\ncentral.pima.gov | 6a57jk2ba1d9keg15cbg.appsync-api.eu-west-1.avsvmcloud.com | freescanonline[.]com | 2020-06-13 09:00\r\ncentral.pima.gov | 7sbvaemscs0mc925tb99.appsync-api.us-west-2.avsvmcloud.com | deftsecurity[.]com   | 2020-06-11 22:30\r\ncentral.pima.gov | gq1h856599gqh538acqn.appsync-api.us-west-2.avsvmcloud.com | thedoccloud[.]com    | 2020-06-13 08:30\r\ncoxnet.cox.com   | ihvpgv9psvq02ffo77et.appsync-api.us-east-2.avsvmcloud.com | freescanonline[.]com | 2020-06-20 02:30\r\ncorp.qualys.com  | k5kcubuassl3alrf7gm3.appsync-api.eu-west-1.avsvmcloud.com | thedoccloud[.]com    | 2020-07-22 17:00\r\ncorp.qualys.com  | mhdosoksaccf9sni9icp.appsync-api.eu-west-1.avsvmcloud.com | thedoccloud[.]com    | 2020-07-23 18:30\r\nVictims Targeted with SUNBURST Stage 2 Backdoor\r\nIt was not just the victims listed in FireEye's IOC that were specifically targeted by the SUNBURST operators. As explained in our Finding Targeted SUNBURST Victims with pDNS blog post, the \"STAGE2\" flag in SUNBURST's DNS beacons can be used to reveal additional organizations that were singled out as interesting targets by the threat actors.\r\nhttps://netresec.com/?b=211cd21\r\nPage 1 of 5\r\nWe'd like to stress that the majority of all companies and organizations that have installed a backdoored SolarWinds Orion update were never targeted by the threat actors. This means that these SUNBURST backdoors never made it past what we call \"Stage 1 operation\", where the backdoor encodes the internal AD domain name and installed security products into DNS requests. SUNBURST backdoors in Stage 1 operation cannot accept any commands from the C2 server without first progressing into Stage 2 operation. We estimate that about 99.5% of the installed SUNBURST backdoors never progressed into Stage 2 operation.\r\nHere is the full list of internal AD domain names from the SUNBURST deployments in VriesHd's DNS data that actually did enter Stage 2 operation according to our analysis:\r\ncentral.pima.gov (confirmed)\r\ncisco.com (confirmed)\r\ncorp.qualys.com (confirmed)\r\ncoxnet.cox.com (confirmed)\r\nddsn.gov\r\nfc.gov\r\nfox.local\r\nggsg-us.cisco.com (confirmed)\r\nHQ.FIDELIS (confirmed)\r\njpso.gov\r\nlagnr.chevrontexaco.net\r\nlogitech.local\r\nlos.local\r\nmgt.srb.europa* (confirmed)\r\nng.ds.army.mil\r\nnsanet.local (not the NSA)\r\npaloaltonetworks* (confirmed)\r\nphpds.org\r\nscc.state.va.us (confirmed)\r\nsuk.sas.com\r\nvgn.viasatgsd.com\r\nwctc.msft\r\nWincoreWindows.local\r\nOur SUNBURST STAGE2 Victim Table has now been updated with additional details about the STAGE2 signaling from these SUNBURST implants, including timestamps, avsvmcloud.com subdomains and GUID values.\r\nInitial Microsoft Targeting FAIL\r\nThe last two entries in the AD domain list above are interesting, since they both hint that the targeted entity might be Microsoft.\r\nThe data that gets exfiltrated in DNS beacons during SUNBURST's initial stage is the internal domain the SolarWinds Orion PC is connected to and a list of installed security products on that PC. These domain names, security products and possibly also the victims' public IP addresses were the data available to the attackers when they decided which ones they wanted to proceed to Stage 2 with and thereby activate the HTTPS backdoor built into SUNBURST.\r\nThe threat actors were probably surprised when they realized that \"WincoreWindows.local\" was in fact a company in West Virginia that manufactures high quality windows and doors.\r\nThe threat actors later found another backdoored SolarWinds Orion machine connected to a domain called \"wctc.msft\", which also sounds like it could be Microsoft. Below is a table outlining relevant events for these two SUNBURST deployments that can be extracted from VriesHd's SB2 spreadsheet with SunburstDomainDecoder.\r\nTarget ID        | Beaconed Data                             | Date\r\nA887B592B7E5B550 | AD domain part 1: \"WincoreW\"              |\r\nA887B592B7E5B550 | AD domain part 2: \"indows.local\"          |\r\nA887B592B7E5B550 | AV Products: [none]                       | 2020-05-22\r\n🤔 Threat actor decision: Target victim A887B592B7E5B550\r\nA887B592B7E5B550 | STAGE2 request for new C2 server in CNAME | 2020-05-26\r\n🤔 Threat actor decision: These aren't the droids we're looking for\r\n59956D687A42F160 | AD domain: \"wctc.msft\"                    |\r\n59956D687A42F160 | AV Products: [none]                       | 2020-06-20\r\n59956D687A42F160 | Ping                                      | 2020-06-21\r\n59956D687A42F160 | Ping                                      | 2020-06-22\r\n🤔 Threat actor decision: Target victim 59956D687A42F160\r\n59956D687A42F160 | STAGE2 request for new C2 server in CNAME | 2020-06-23\r\nMicrosoft have been public about being hit by SUNBURST (or \"Solorigate\" as they call it), so we can assume that the threat actors eventually located a backdoored SolarWinds Orion installation in their networks.\r\nVictim Notification\r\nWe spent the previous week reaching out to targeted companies and organizations, either directly or through CERT organizations. From what we understand, many of these organizations were already aware that they had been targeted victims of SUNBURST, even though they might not have gone public about the breach.\r\nThe Ethical Dilemma\r\nWe have no intentions to shame the organizations that have installed a backdoored SolarWinds Orion update, regardless of whether they were targeted by the threat actor or not. In fact, the supply chain security problem is an extremely difficult one to tackle, even for companies and organizations with very high security standards. This could have happened to anyone!\r\nHowever, since multiple passive DNS logs and SUNBURST victim lists have been circulating through publicly available channels for over a month, we felt that it was now acceptable to publicly write about the analysis we've been doing based on all this data. We'd also like to thank everyone who has helped collect and share passive DNS data, including John Bambenek, Joe Słowik, Rohit Bansal, Dancho Danchev, Paul Vixie and VriesHd. This open data has been crucial in order to develop and verify our SunburstDomainDecoder tool, which has been leveraged by numerous incident response teams to perform forensic analysis of DNS traffic from their SolarWinds Orion deployments.\r\nMore Credits\r\nWe'd like to thank CERT-SE and all other computer emergency response organizations that have helped us with the task of notifying organizations that were identified as targeted. We would also like to applaud companies and organizations like FireEye, Palo Alto Networks, Fidelis Cybersecurity, Microsoft, the U.S. Department of Energy and the U.S. Federal Courts for being transparent and publicly announcing that the SUNBURST backdoor had been used in an attempt to compromise their networks.\r\nPosted by Erik Hjelmvik on Monday, 25 January 2021 08:25:00 (UTC/GMT)\r\nTags: #SUNBURST#FireEye#Solorigate#Microsoft#SolarWinds#FireEye#CNAME#STAGE2#DNS#Passive DNS#avsvmcloud.com#pDNS#Microsoft\r\nSource: https://netresec.com/?b=211cd21",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://netresec.com/?b=211cd21"
	],
	"report_names": [
		"?b=211cd21"
	],
	"threat_actors": [],
	"ts_created_at": 1775434382,
	"ts_updated_at": 1775791304,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7e7dd5030420d1e909b3257f557daa900135d728.pdf",
		"text": "https://archive.orkl.eu/7e7dd5030420d1e909b3257f557daa900135d728.txt",
		"img": "https://archive.orkl.eu/7e7dd5030420d1e909b3257f557daa900135d728.jpg"
	}
}
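The post's "Stage 1 versus Stage 2" distinction rests on one observable in passive DNS: an avsvmcloud.com beacon that only ever received A-record replies never got a C2, while a beacon that received a CNAME reply pointing into one of the IOC-listed domains (freescanonline[.]com, deftsecurity[.]com, thedoccloud[.]com) was handed a Stage 2 server. The script below is an added example, written for this record and not Netresec's own SunburstDomainDecoder, that applies exactly that rule to tab-separated passive-DNS lines. It reuses the six FQDNs and the three CNAME domains quoted from FireEye's IOC table; the remaining records, the IP addresses, the file layout and the "example.org" CNAME are constructed for illustration. It deliberately does not decode the 20-character subdomain into an AD domain; that is what the decoder tool does, and the encoding is not described in the post.

```python
"""Triage passive-DNS records for SUNBURST avsvmcloud.com beacons into
Stage 1 (A-record replies only) and Stage 2 (CNAME reply naming a C2).
Added example; the sample records below are constructed, not real logs."""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Stage 2 CNAME domains: the three named in the FireEye IOC table quoted in the post.
STAGE2_CNAME_DOMAINS = {"freescanonline.com", "deftsecurity.com", "thedoccloud.com"}

# Beacon shape seen in that table: <encoded>.appsync-api.<region>.avsvmcloud.com
BEACON_RE = re.compile(
    r"^(?P<encoded>[a-z0-9]{15,32})\.appsync-api\.(?P<region>[a-z0-9-]+)\.avsvmcloud\.com\.?$"
)

# Constructed sample (assumed layout: ts<TAB>qname<TAB>rtype<TAB>rdata). The first three
# beacon FQDNs and their CNAMEs come from the IOC table; everything else is made up.
SAMPLE_PDNS = """\
2020-06-11T22:30:00Z\t7sbvaemscs0mc925tb99.appsync-api.us-west-2.avsvmcloud.com\tCNAME\tdeftsecurity[.]com
2020-06-13T08:30:00Z\tgq1h856599gqh538acqn.appsync-api.us-west-2.avsvmcloud.com\tCNAME\tthedoccloud[.]com
2020-06-13T09:00:00Z\t6a57jk2ba1d9keg15cbg.appsync-api.eu-west-1.avsvmcloud.com\tCNAME\tfreescanonline[.]com
2020-06-13T09:00:00Z\tfreescanonline.com\tA\t203.0.113.10
2020-06-14T10:00:00Z\tr1k6agtx3y5j9fd2zcqe.appsync-api.us-east-1.avsvmcloud.com\tA\t198.51.100.5
2020-06-14T10:30:00Z\tr1k6agtx3y5j9fd2zcqe.appsync-api.us-east-1.avsvmcloud.com\tA\t198.51.100.5
2020-06-15T11:00:00Z\tzz2v0hlte8ch1a6snpq9.appsync-api.eu-west-2.avsvmcloud.com\tA\t198.51.100.7
2020-06-16T12:00:00Z\tp7mkbe3r9dvg2xsw4qhn.appsync-api.us-west-1.avsvmcloud.com\tCNAME\texample.org
malformed line without tabs
"""


def refang(name: str) -> str:
    """Undo IOC-style defanging ('[.]') and normalise to a bare lower-case name."""
    return name.replace("[.]", ".").strip().rstrip(".").lower()


def parse_line(line: str):
    """Parse one pDNS line; return None for malformed rows and for non-beacon names."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) != 4:
        return None
    ts, qname, rtype, rdata = parts
    fqdn = refang(qname)
    m = BEACON_RE.match(fqdn)
    if not m:
        return None
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
        "fqdn": fqdn,
        "region": m.group("region"),
        "rtype": rtype.upper(),
        "rdata": refang(rdata),
    }


def _is_stage2_cname(target: str) -> bool:
    """True if the CNAME target is, or sits under, a listed Stage 2 C2 domain."""
    return target in STAGE2_CNAME_DOMAINS or any(
        target.endswith("." + d) for d in STAGE2_CNAME_DOMAINS
    )


def triage(pdns_text: str) -> dict:
    """Group beacon records per FQDN and label each one:
    'stage2'        - a CNAME reply pointed into a known Stage 2 C2 domain
    'cname-unknown' - a CNAME reply to a domain not in the IOC list (review by hand)
    'stage1'        - only A-record replies seen in this data (no C2 handed out)"""
    per_fqdn = defaultdict(lambda: {"cnames": set(), "a_records": set(),
                                    "first": None, "last": None, "region": None})
    for line in pdns_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        e = per_fqdn[rec["fqdn"]]
        e["region"] = rec["region"]
        e["first"] = rec["ts"] if e["first"] is None else min(e["first"], rec["ts"])
        e["last"] = rec["ts"] if e["last"] is None else max(e["last"], rec["ts"])
        if rec["rtype"] == "CNAME":
            e["cnames"].add(rec["rdata"])
        elif rec["rtype"] == "A":
            e["a_records"].add(rec["rdata"])
    result = {}
    for fqdn, e in per_fqdn.items():
        known = {c for c in e["cnames"] if _is_stage2_cname(c)}
        status = "stage2" if known else ("cname-unknown" if e["cnames"] else "stage1")
        result[fqdn] = {**e, "status": status, "stage2_cnames": known}
    return result


def stage2_table(pdns_text: str):
    """Rows in the shape of the post's table: (beacon FQDN, Stage 2 CNAME, first seen UTC)."""
    rows = []
    for fqdn, e in triage(pdns_text).items():
        if e["status"] == "stage2":
            rows.append((fqdn, sorted(e["stage2_cnames"])[0], e["first"].strftime("%Y-%m-%d %H:%M")))
    return sorted(rows, key=lambda r: r[2])


if __name__ == "__main__":
    for row in stage2_table(SAMPLE_PDNS):
        print("%-60s %-22s %s" % row)
    for fqdn, e in triage(SAMPLE_PDNS).items():
        if e["status"] != "stage2":
            print(e["status"], fqdn, sorted(e["cnames"] | e["a_records"]))
```

Two caveats a responder should keep in mind. First, "stage1" here means "no CNAME seen in this particular collection": passive DNS coverage is partial, so the label is evidence of absence, not proof, and a query sent to your own resolver logs is the authoritative source for your own hosts. Second, a CNAME to a domain outside the IOC list ("cname-unknown") is kept separate rather than silently dropped, since the post's table shows the stage-2 server being supplied in the CNAME and a new server name would be exactly what an updated IOC list lacks.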