{
	"id": "8f030ab6-6aa9-4f2d-891f-1a6868fc78c6",
	"created_at": "2026-04-06T00:17:45.755149Z",
	"updated_at": "2026-04-10T03:21:42.173298Z",
	"deleted_at": null,
	"sha1_hash": "a32746894f7758d311d7f27ef9ea3040b7d8090f",
	"title": "SolarWinds SUNBURST Backdoor: Inside the APT Campaign - SentinelLabs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2107785,
	"plain_text": "SolarWinds SUNBURST Backdoor: Inside the APT Campaign - SentinelLabs\r\nBy James Haughom\r\nPublished: 2020-12-18 · Archived: 2026-04-05 13:51:45 UTC\r\nKey findings:\r\nWithout any updates, SentinelOne customers are protected from SUNBURST; additionally, our customers have been supplied bespoke in-product hunting packs for real-time artifact observability.\r\nThe malware deployed through the SolarWinds Orion platform waits 12 days before it executes. This common phenomenon is a prime example of why lengthy EDR data retention is critical.\r\nAfter the 12-day dormant period, SUNBURST’s malicious code looks for processes, services, and drivers. You can find each list at the end of this research.\r\nList of processes: includes mostly monitoring tools such as Sysinternals utilities and researcher tools. If any of them is seen, SUNBURST exits and does not run.\r\nList of services: includes security products with weak anti-tamper measures. SUNBURST tries to disable them through the registry. The backdoor may have bypassed these products, or at least tried to. SentinelOne is not on this list, and even if it were, SentinelOne’s anti-tamper capability protects against such attempts (without any special configuration needed).\r\nList of drivers: the third list is shorter and contains driver names; among them is SentinelOne’s. When SUNBURST sees one of these drivers, it exits before initiating any C2 communication or enabling additional payloads.\r\nThe following analysis demonstrates the above key findings.\r\nReversing SUNBURST\r\nInteresting functionality resides within the UpdateNotification() and Update() methods; more specifically, the true payload lies within an important while() loop.\r\nhttps://labs.sentinelone.com/solarwinds-sunburst-backdoor-inside-the-stealthy-apt-campaign/\r\nPage 1 of 11\r\n\r\nThe TrackProcesses() method (called by both Update() and UpdateNotification()) is responsible for querying the running processes on the victim’s machine to find process, service, and driver names of interest. This routine gets a list of running process objects, then passes it to the three methods below for identifying blacklisted processes/services. These methods return true if a blacklisted process/service is found, causing the malware to break out of the Update() loop.\r\nThe hash of each process name is calculated and then checked against a blacklist of hardcoded hashes. If the calculated hash is present in the blacklist, this method returns true.\r\nIn the SearchServices() method, the malware leverages the same hashing technique to identify services of interest, then tries to manually disable the service by modifying its registry key.\r\nThe SetValue() method is used with argument 4 for the service’s Start entry, thus disabling the service through the registry (Start = 4 is SERVICE_DISABLED; it prevents the service from starting again, typically after the next reboot, rather than stopping an already running service).\r\nIn order to ensure that this works as intended, the malware attempts to take ownership of the registry key before disabling the service.\r\nLastly, SearchConfigurations() is used to identify blacklisted drivers. This is performed through the WMI query Select * From Win32_SystemDriver, which is obfuscated in the malware’s code as the encoded string C07NSU0uUdBScCvKz1UIz8wzNooPriwuSc11KcosSy0CAA==. The file name is obtained for each driver, and if this driver is found in the blacklist, this method returns true. As mentioned before, returning true causes the malware to break out of the Update() loop prior to initiating the true backdoor code. Our driver SentinelMonitor.sys is hardcoded in the blacklist, meaning that the malware will not fully execute its payload on endpoints protected by SentinelOne so long as our driver is loaded.\r\nIf this blacklist check is passed, only then is the backdoor code initiated. The first interesting action the backdoor code takes is to call out to C2 to receive instructions/commands that will be parsed and passed to the job engine. This C2 callout is to a URL generated at runtime by the malware’s DGA, which will end up being a subdomain of avsvmcloud[.]com. We have observed no endpoints monitored by SentinelOne calling out to any subdomain of *.avsvmcloud[.]com.\r\nDuring the research, we extracted all hashes from the malware, then hashed the names of the components of our agent found in C:\\Program Files\\SentinelOne\\* to look for matches. The only SentinelOne-related hash found was the driver name that FireEye shared.\r\nSnip of hardcoded hashes extracted from the malware:\r\nHashing function extracted from the malware:\r\nResults of the tool:\r\n> .\\fnva_hash_s1.exe\r\n12343334044036541897 matched --> SentinelMonitor.sys\r\nList of processes: SunBurst Exits\r\napimonitor-x64\r\napimonitor-x86\r\nautopsy64\r\nautopsy\r\nautoruns64\r\nautoruns\r\nautorunsc64\r\nautorunsc\r\nbinaryninja\r\nblacklight\r\ncff\r\ncutter\r\nde4dot\r\ndebugview\r\ndiskmon\r\ndnsd\r\ndnspy\r\ndotpeek32\r\ndotpeek64\r\ndumpcap\r\nevidence\r\nexeinfope\r\nfakedns\r\nfakenet\r\nffdec\r\nfiddler\r\nfileinsight\r\nfloss\r\ngdb\r\n*NO MATCH*\r\nhiew32\r\n*NO MATCH*\r\nidaq64\r\nidaq\r\nidr\r\nildasm\r\nilspy\r\njd-gui\r\nlordpe\r\nofficemalscanner\r\nollydbg\r\npdfstreamdumper\r\npe-bear\r\npebrowse64\r\npeid\r\npe-sieve32\r\npe-sieve64\r\npestudio\r\npeview\r\npexplorer\r\nppee\r\nppee\r\nprocdump64\r\nprocdump\r\nprocesshacker\r\nprocexp64\r\nprocexp\r\nprocmon\r\nprodiscoverbasic\r\npy2exedecompiler\r\nr2agent\r\nrabin2\r\nradare2\r\nramcapture64\r\nramcapture\r\nreflector\r\nregmon\r\nresourcehacker\r\nretdec-ar-extractor\r\nretdec-bin2llvmir\r\nretdec-bin2pat\r\nretdec-config\r\nretdec-fileinfo\r\nretdec-getsig\r\nretdec-idr2pat\r\nretdec-llvmir2hll\r\nretdec-macho-extractor\r\nretdec-pat2yara\r\nretdec-stacofin\r\nretdec-unpacker\r\nretdec-yarac\r\nrundotnetdll\r\nsbiesvc\r\nscdbg\r\nscylla_x64\r\nscylla_x86\r\nshellcode_launcher\r\nsolarwindsdiagnostics\r\nsysmon64\r\nsysmon\r\ntask\r\ntask\r\ntcpdump\r\ntcpvcon\r\ntcpview\r\nvboxservice\r\nwin32_remote\r\nwin64_remotex64\r\nwindbg\r\nwindump\r\nwinhex64\r\nwinhex\r\nwinobj\r\nwireshark\r\nx32dbg\r\nx64dbg\r\nxwforensics64\r\nxwforensics\r\nredcloak\r\navgsvc\r\navgui\r\navgsvca\r\navgidsagent\r\navgsvcx\r\navgwdsvcx\r\navgadminclientservice\r\nafwserv\r\navastui\r\navastsvc\r\naswidsagent\r\naswidsagenta\r\naswengsrv\r\navastavwrapper\r\nbccavsvc\r\npsanhost\r\npsuaservice\r\npsuamain\r\navp\r\navpui\r\nksde\r\nksdeui\r\ntanium\r\ntaniumclient\r\ntaniumdetectengine\r\ntaniumendpointindex\r\ntaniumtracecli\r\ntaniumtracewebsocketclient64\r\nList of services: SunBurst tries to bypass\r\nThe list includes Windows Defender, Carbon Black, CrowdStrike, FireEye, ESET, F-SECURE, and more.\r\napimonitor-x64\r\napimonitor-x86\r\nautopsy64\r\nautopsy\r\nautoruns64\r\nautoruns\r\nfsgk32st\r\nfswebuid\r\nfsgk32\r\nfsma32\r\nfssm32\r\nfnrb32\r\nfsaua\r\nfsorsp\r\nfsav32\r\nekrn\r\neguiproxy\r\negui\r\nxagt\r\nxagtnotif\r\ncsfalconservice\r\ncsfalconcontainer\r\ncavp\r\ncb\r\nmssense\r\nmsmpeng\r\nwindefend\r\nsense\r\ncarbonblack\r\ncarbonblackk\r\ncbcomms\r\ncbstream\r\ncsagent\r\ncsfalconservice\r\nxagt\r\nfe_avk\r\nfekern\r\nfeelam\r\neamonm\r\neelam\r\nehdrv\r\nekrn\r\nekrnepfw\r\nepfwwfp\r\nekbdflt\r\nepfw\r\nfsaua\r\nfsma\r\nfsbts\r\nfsni\r\nfsvista\r\nfses\r\nfsfw\r\nfsdfw\r\nfsaus\r\nfsms\r\nfsdevcon\r\nList of drivers: SunBurst Exits\r\ncybkerneltracker.sys\r\natrsdfw.sys\r\neaw.sys\r\nrvsavd.sys\r\ndgdmk.sys\r\nsentinelmonitor.sys\r\nhexisfsmonitor.sys\r\ngroundling32.sys\r\ngroundling64.sys\r\nsafe-agent.sys\r\ncrexecprev.sys\r\npsepfilter.sys\r\ncve.sys\r\nbrfilter.sys\r\nbrcow_x_x_x_x.sys\r\nlragentmf.sys\r\nlibwamf.sys\r\nIOCs/Hunt:\r\n1. Search for the presence of the injected OrionImprovementBusinessLayer class in the SolarWinds.Orion.Core.BusinessLayer namespace of the SolarWinds DLL – indicates a weaponized .NET assembly/DLL.\r\n2. Hardcoded named pipe name 583da945-62af-10e8-4902-a8f205c72b2e – does not indicate that the backdoor code was initiated, but is the first action taken after the 12-14 day dormant period.\r\n3. Review proxy/web gateway logs for traffic to subdomains of avsvmcloud[.]com. Such traffic indicates that the backdoor code was indeed executed.\r\n4. Executed during the blacklist check routine in the context of the process businesslayerhost.exe: Select * From Win32_SystemDriver – WMI query to identify blacklisted drivers.\r\nSource: https://labs.sentinelone.com/solarwinds-sunburst-backdoor-inside-the-stealthy-apt-campaign/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://labs.sentinelone.com/solarwinds-sunburst-backdoor-inside-the-stealthy-apt-campaign/"
	],
	"report_names": [
		"solarwinds-sunburst-backdoor-inside-the-stealthy-apt-campaign"
	],
	"threat_actors": [],
	"ts_created_at": 1775434665,
	"ts_updated_at": 1775791302,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a32746894f7758d311d7f27ef9ea3040b7d8090f.pdf",
		"text": "https://archive.orkl.eu/a32746894f7758d311d7f27ef9ea3040b7d8090f.txt",
		"img": "https://archive.orkl.eu/a32746894f7758d311d7f27ef9ea3040b7d8090f.jpg"
	}
}
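The hash-based blacklist check that the write-up describes for TrackProcesses(), SearchServices() and SearchConfigurations(), reproduced as an added example by the editor (not code from the SentinelLabs post or from the malware). The hash used here is 64-bit FNV-1a XORed with 6605813339339102567, which is the published FireEye description of SUNBURST's hashing; that constant and the lowercasing of names before hashing are assumptions carried over from that description, not from this page. The backdoor stores only hashes; to keep the example self-contained the blacklist below is rebuilt from a subset of the plaintext names in the page's lists, and resolve_hash() shows the wordlist brute force that tools like the page's fnva_hash_s1.exe perform in the other direction.

```python
"""Hash-based process/driver blacklist check in the style of SUNBURST.

Editor's illustration, not the malware's code. Hash = FNV-1a 64-bit XOR
6605813339339102567 (FireEye's published description of SUNBURST; assumed
accurate here). Names are lowercased before hashing (also assumed).
"""

FNV64_OFFSET = 0xCBF29CE484222325
FNV64_PRIME = 0x100000001B3
MASK64 = 0xFFFFFFFFFFFFFFFF
SUNBURST_XOR = 6605813339339102567  # published constant, assumption on this page


def fnv1a_64(data: bytes) -> int:
    """Standard FNV-1a 64-bit hash of a byte string."""
    h = FNV64_OFFSET
    for b in data:
        h ^= b
        h = (h * FNV64_PRIME) & MASK64
    return h


def sunburst_hash(name: str) -> int:
    """FNV-1a 64 of the lowercased name, XORed with the SUNBURST constant."""
    return fnv1a_64(name.lower().encode("utf-8")) ^ SUNBURST_XOR


def build_blacklist(names):
    """The malware ships only these 64-bit values, never the names."""
    return {sunburst_hash(n) for n in names}


# Subset of the process and driver names listed on the page.
PROCESS_NAMES = ["procmon", "procexp", "sysmon", "sysmon64", "wireshark",
                 "x64dbg", "dnspy", "pestudio", "autoruns", "tcpview"]
DRIVER_NAMES = ["sentinelmonitor.sys", "cybkerneltracker.sys", "hexisfsmonitor.sys"]

PROCESS_BLACKLIST = build_blacklist(PROCESS_NAMES)
DRIVER_BLACKLIST = build_blacklist(DRIVER_NAMES)


def search_names(observed, blacklist):
    """Hash every observed name and return those present in the blacklist.

    The malware's methods return a bool; returning the matching names makes
    the check inspectable. Matching is case-insensitive because of lower().
    """
    return sorted(n for n in observed if sunburst_hash(n) in blacklist)


def would_exit(running_processes, loaded_drivers) -> bool:
    """True when the TrackProcesses() logic would bail out before any C2."""
    return bool(search_names(running_processes, PROCESS_BLACKLIST)
                or search_names(loaded_drivers, DRIVER_BLACKLIST))


def resolve_hash(h: int, candidates):
    """Brute-force a hardcoded hash back to a name using a candidate wordlist."""
    for c in candidates:
        if sunburst_hash(c) == h:
            return c
    return None


if __name__ == "__main__":
    # Constructed sample host state (not real telemetry).
    running = ["svchost", "explorer", "Procmon", "SolarWinds.BusinessLayerHost"]
    drivers = ["ntfs.sys", "tcpip.sys"]
    print("blacklisted processes:", search_names(running, PROCESS_BLACKLIST))
    print("would exit before C2:", would_exit(running, drivers))
    for h in sorted(DRIVER_BLACKLIST):
        print(f"{h} -> {resolve_hash(h, DRIVER_NAMES)}")
```

Because the check is a hash-set lookup, renaming a tool binary (for example running Process Monitor as a differently named executable) defeats it, and the process-name list is checked before the service and driver lists, so any one of the analysis tools alone is enough to make the sample abort.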
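The four hunt indicators at the end of the page (the named pipe created after the dormant period, DNS or proxy traffic to subdomains of avsvmcloud[.]com, the Win32_SystemDriver WMI query from the Orion business layer host, and the Start = 4 service writes from the same process), applied to endpoint telemetry as an added example by the editor, not code from the SentinelLabs post. The one-JSON-object-per-line event format and its field names (type, process, query, pipe, key, value) are an assumption made so the example runs offline; the sample events are constructed, including the avsvmcloud.com subdomain label, and the mapping onto real sources (Sysmon pipe and registry events, DNS logs, EDR WMI telemetry) is left to the reader.

```python
"""Hunt for the SUNBURST indicators listed in the write-up.

Editor's example. Event schema (JSON lines with type/process/... fields) is
assumed; the sample telemetry below is constructed, not real logs.
"""
import json

C2_DOMAIN = "avsvmcloud[.]com".replace("[.]", ".")   # refang the defanged IOC
PIPE_NAME = "583da945-62af-10e8-4902-a8f205c72b2e"
WMI_QUERY = "select * from win32_systemdriver"
ORION_PROCESS = "businesslayerhost.exe"               # matched as a suffix
SERVICES_KEY = "\\services\\"
SERVICE_DISABLED = 4                                  # Start = 4

# Constructed sample telemetry: one JSON event per line (not real logs).
SAMPLE_LOG = r"""
{"type": "pipe", "process": "SolarWinds.BusinessLayerHost.exe", "pipe": "\\583da945-62af-10e8-4902-a8f205c72b2e"}
{"type": "wmi", "process": "SolarWinds.BusinessLayerHost.exe", "query": "Select * From Win32_SystemDriver"}
{"type": "registry", "process": "SolarWinds.BusinessLayerHost.exe", "key": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\Sense\\Start", "value": 4}
{"type": "dns", "process": "SolarWinds.BusinessLayerHost.exe", "query": "constructedlabel0123.avsvmcloud.com"}
{"type": "dns", "process": "chrome.exe", "query": "www.example.com"}
{"type": "wmi", "process": "wmiprvse.exe", "query": "Select * From Win32_SystemDriver"}
{"type": "registry", "process": "services.exe", "key": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\Spooler\\Start", "value": 2}
"""


def parse_events(text):
    """Parse JSON-lines telemetry, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_orion_host(event):
    return event.get("process", "").lower().endswith(ORION_PROCESS)


def check_dns(e):
    """Any query for the C2 domain or a subdomain: the backdoor actually ran."""
    q = e.get("query", "").lower().rstrip(".")
    if q == C2_DOMAIN or q.endswith("." + C2_DOMAIN):
        return ("backdoor-executed", f"{e.get('process')} resolved {q}")
    return None


def check_pipe(e):
    """The hardcoded pipe is created once the dormant period has elapsed."""
    if PIPE_NAME in e.get("pipe", "").lower():
        return ("dormancy-elapsed", f"{e.get('process')} created pipe {PIPE_NAME}")
    return None


def check_wmi(e):
    """Win32_SystemDriver enumeration from the Orion host: the driver blacklist check."""
    q = " ".join(e.get("query", "").lower().split())
    if q == WMI_QUERY and is_orion_host(e):
        return ("blacklist-check", f"{e.get('process')} ran {e.get('query')}")
    return None


def check_registry(e):
    """Orion host setting a service's Start value to 4 (SERVICE_DISABLED)."""
    key = e.get("key", "").lower()
    if (SERVICES_KEY in key and key.endswith("\\start")
            and e.get("value") == SERVICE_DISABLED and is_orion_host(e)):
        return ("service-tamper", f"{e.get('process')} disabled {e.get('key')}")
    return None


CHECKS = {"dns": check_dns, "pipe": check_pipe, "wmi": check_wmi, "registry": check_registry}


def hunt(events):
    """Return (indicator, detail) findings for every event that matches a check."""
    findings = []
    for e in events:
        check = CHECKS.get(e.get("type"))
        hit = check(e) if check else None
        if hit:
            findings.append(hit)
    return findings


def summarize(findings):
    """Sorted list of the distinct indicator classes seen."""
    return sorted({name for name, _ in findings})


if __name__ == "__main__":
    for indicator, detail in hunt(parse_events(SAMPLE_LOG)):
        print(f"[{indicator}] {detail}")
```

The indicator classes are ordered by what they prove: the pipe and the WMI query show the dormant period ended and the blacklist check ran, the Start = 4 writes show the sample got past the process list and attempted tampering, and only a resolution for a subdomain of avsvmcloud.com shows the backdoor proper executed, which matches how the page ranks its IOCs.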