{
	"id": "80549402-c4e7-4e6f-8520-eafa4963ca20",
	"created_at": "2026-04-06T00:15:22.011267Z",
	"updated_at": "2026-04-10T13:12:09.048999Z",
	"deleted_at": null,
	"sha1_hash": "8ead2b21f4e914344c7e04b3a08a84e01d24c545",
	"title": "Sunburst: Supply Chain Attack Targets SolarWinds Users",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 60492,
	"plain_text": "Sunburst: Supply Chain Attack Targets SolarWinds Users\r\nArchived: 2026-04-05 13:31:59 UTC\r\nUPDATE December 16 2020: Our blog has been updated with analysis of the Teardrop second-stage malware and an example of the post-compromise attack chain. We have also provided clarification on the use of Symantec’s name in a certificate used to sign the SolarWinds software.\r\nThousands of organizations have been affected by a supply chain attack that compromised the update mechanism for SolarWinds Orion software in order to deliver a backdoor Trojan known as Sunburst (Backdoor.Sunburst) (aka Solorigate).\r\nDetails on the attacks were disclosed yesterday (December 13) by the security firm FireEye. SolarWinds has also published a security advisory for its customers.\r\nThe campaign has been underway since at least March 2020. Any Orion user who downloaded an update in this period is likely to have been infected with Sunburst. According to FireEye, the attackers conducted further malicious activity on a subset of victim organizations that were of interest to them.\r\nBy their nature, supply chain attacks are indiscriminate and will infect any user of the compromised software. They are carried out in order to provide the attacker with access to a large number of organizations, a subset of which will be identified as targets of interest for further compromise.\r\nThe Trojanized software was signed by a certificate marked as being issued by Symantec. Symantec sold its certificate authority business to Digicert in 2018. The certificate in question was a legacy certificate still using the Symantec brand name. Symantec has contacted Digicert, which has confirmed that it is investigating the issue.\r\nSymantec has identified more than 2,000 computers at over 100 customers that received Trojanized software updates. We have found a small number of organizations where a second stage payload (Backdoor.Teardrop) was used.\r\nSunburst analysis\r\nAn existing SolarWinds DLL called SolarWinds.Orion.Core.BusinessLayer.dll was modified by the attackers to include an added class.\r\nThe malware is designed to remain inactive for a period after installation. It will then attempt to resolve a subdomain of avsvmcloud[.]com. The DNS response will deliver a CNAME record that directs to a command and control (C\u0026C) domain.\r\nIn SolarWinds.Orion.Core.BusinessLayer.BackgroundInventory.InventoryManager.RefreshInterval(), code is added to call OrionImprovementBusinessLayer.Initialize().\r\nhttps://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/sunburst-supply-chain-attack-solarwinds\r\nPage 1 of 4\n\nOrionImprovementBusinessLayer is a malicious class added by the attacker. It has the following functionality:\r\nTerminate the backdoor thread\r\nSet delay time before execution\r\nCollect and upload system information including:\r\nDomain\r\nSID of administrator account\r\nHostname\r\nUsername\r\nOperating system version\r\nPath of system directory\r\nDays elapsed since the system started\r\nInformation on network adapters, including:\r\nDescription\r\nMACAddress\r\nDHCPEnabled\r\nDHCPServer\r\nDNSHostName\r\nDNSDomainSuffixSearchOrder\r\nDNSServerSearchOrder\r\nIPAddress\r\nIPSubnet\r\nDefaultIPGateway\r\nDownload and run code\r\nIterate the file system\r\nCreate and delete files\r\nCalculate file hashes\r\nRead, write, and delete registry entries\r\nReboot the system\r\nSecond-stage payload: Teardrop\r\nA second stage payload, a backdoor called Teardrop, is deployed against targets of interest to the attackers. Symantec has observed two variants of Teardrop, both of which behave similarly and are used to deliver a further payload – the Cobalt Strike commodity malware.\r\nThe first variant (SHA256: b820e8a2057112d0ed73bd7995201dbed79a79e13c79d4bdad81a22f12387e07) is a DLL. The malicious code is contained in the export Tk_CreateImageType, ordinal 209. When executed, that malicious code reads a file named upbeat_anxiety.jpg from the current directory and ensures it has a jpg header. It will also check that the registry key HKCU\\Software\\Microsoft\\CTF exists. An embedded copy of Cobalt Strike is then extracted and executed. That CobaltStrike sample connects to infinitysoftwares[.]com for command and control.\r\nThe second variant (SHA256: 1817a5bf9c01035bcf8a975c9f1d94b0ce7f6a200339485d8f93859f8f6d730c) is similar, except that the file it loads is called festive_computer.jpg. The embedded CobaltStrike payload connects to ervsystem[.]com for command and control.\r\nPost-compromise attack chain\r\nThe post-compromise attack chain for one computer investigated saw the initial Sunburst malware, a modified solarwinds.orion.core.businesslayer.dll, installed through the Orion update process on the victim computer on the 7th of the month.\r\nOn the 28th of the month, 21 days later, the legitimate executable solarwinds.businesslayerhost.exe, which loads the malicious DLL, created a copy of Teardrop in a file called cbsys.dll, in the c:\\windows\\panther folder. This filename and path appear to be unusual since most instances of Teardrop were created in a file called netsetupsvc.dll in the c:\\windows\\syswow64 folder, as documented by FireEye.\r\nThe Backdoor.Teardrop sample is a DLL with malicious code contained in the export Tk_CreateImageType. When executed, that export reads a file named upbeat_anxiety.jpg from the current directory and ensures it has a jpg header. It will also check that the registry key HKCU\\Software\\Microsoft\\CTF exists. An embedded copy of Cobalt Strike is then extracted. That CobaltStrike sample connects to a C\u0026C server, infinitysoftwares[.]com.\r\nAt this point, the attackers launch WMI to execute rundll32.exe to load another malicious DLL called resources.dll in the path csidl_windows\\desktoptileresources\\. Resources.dll attempts to obtain credentials by accessing lsass.exe using similar techniques to Mimikatz, a widely used credential dumping tool.\r\nAdfind, a tool that is able to query Active Directory, is then introduced to the system as searchindex.exe and then executed (cmd.exe /c SearchIndex.exe -sc u:\u003cremoved\u003e \u003e .\\h.txt). Results are saved in the file h.txt. Using this information, the attackers are attempting to gain elevated privileges (e.g. domain administrator) to access the domain or laterally traverse the environment.\r\nRecommended actions\r\nOrion users should update to Orion Platform version 2020.2.1 HF 2.\r\nOrion users should check their networks for indications of post-compromise activity, including:\r\nUse of Teardrop in-memory malware to drop Cobalt Strike Beacon.\r\nCommand and control (C\u0026C) infrastructure leaks the configured hostname in RDP SSL certificates. Scanning for your organization’s hostnames can uncover malicious IP addresses used by the attackers, indicating post-compromise activity.\r\nGeolocation of IP addresses used for remote access may reveal if a compromised account is being simultaneously used by a legitimate user and the attackers.\r\nThe attackers use multiple IP addresses per VPS provider. If a malicious login from an unusual ASN is identified, other logins from that ASN may also be malicious.\r\nLogs for SMB sessions may show access to legitimate directories and follow a delete-create-execute-delete-create pattern in a short period of time.\r\nIt should be borne in mind that although there may be some commonalities in post-compromise activity, each victim is likely to see different patterns in activity. That activity is likely to involve heavy use of living-off-the-land techniques to minimize the likelihood of being detected, something the attackers seem to be prioritizing based on how they conducted the first stages of the attack.\r\nProtection/Mitigation\r\nTools associated with these attacks will be detected and blocked on machines running Symantec Endpoint products.\r\nFile-based protection:\r\nBackdoor.Sunburst\r\nBackdoor.Sunburst!gen1\r\nBackdoor.SuperNova\r\nBackdoor.Teardrop\r\nNetwork-based protection:\r\nSystem Infected: Sunburst Malware Activity\r\nIndicators of Compromise\r\nSource: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/sunburst-supply-chain-attack-solarwinds",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/sunburst-supply-chain-attack-solarwinds"
	],
	"report_names": [
		"sunburst-supply-chain-attack-solarwinds"
	],
	"threat_actors": [],
	"ts_created_at": 1775434522,
	"ts_updated_at": 1775826729,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8ead2b21f4e914344c7e04b3a08a84e01d24c545.pdf",
		"text": "https://archive.orkl.eu/8ead2b21f4e914344c7e04b3a08a84e01d24c545.txt",
		"img": "https://archive.orkl.eu/8ead2b21f4e914344c7e04b3a08a84e01d24c545.jpg"
	}
}