{
	"id": "12a48b1f-8686-4651-bcca-76a30380e00c",
	"created_at": "2026-04-06T00:14:00.751381Z",
	"updated_at": "2026-04-10T03:20:35.612201Z",
	"deleted_at": null,
	"sha1_hash": "d2d200d19c32e65cf629041e35dabbf6af0bbaa6",
	"title": "Overview of Recent Sunburst Targeted Attacks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 59472,
	"plain_text": "Overview of Recent Sunburst Targeted Attacks\r\nBy By: Trend Micro Dec 15, 2020 Read time: 3 min (841 words)\r\nPublished: 2020-12-15 · Archived: 2026-04-05 15:41:55 UTC\r\nUpdate on 12/29/2020 2:40 PM PST: Information on Supernova added\r\nUpdate on 1/22/2021 4:56 PM PST: Trend Micro's Zero-Day Initiative (ZDI) provided technical analysis of recently patched\r\nvulnerabilitiesopen on a new tab in the SolarWinds Orion Platform. CVE-2020-14005, one of these vulnerabilities, has been\r\nlinked to the recent SUNBURST cyberattack on SolarWinds. These vulnerabilities, when combined, could allow an\r\nunauthenticated attacker to execute arbitrary code as Administrator on an affected system. \r\nVarious sources have recently disclosed a sophisticated attack that hit organizations via the supply chain. This was carried\r\nout via a compromised version of a network monitoring application called SolarWinds Orion. The attackers used the access\r\nprovided by this application to plant a backdoor known as Sunburst onto affected machines. This backdoor provided the\r\nattacker with complete access to the targeted organization’s network.\r\nWhat is Sunburst?\r\nSunburst is a sophisticated backdoor that provides an attacker nearly complete control over an affected system. It has several\r\npeculiarities in its behavior, however.\r\nBefore it runs, it checks that the process name hash and a registry key have been set to specific values. It will also only run if\r\nthe execution time is twelve or more days after the system was first infected; it will also only run on systems that have been\r\nattached to a domain. 
This specific set of circumstances makes analysis by researchers more difficult, but it also limits the\r\nscope of its victims to some degree.\r\nIt connects back to its command-and-control server via various domains, which take the following format:\r\n{random strings}.appsync-api.{subdomain}.avsvmcloud.com\r\nThe subdomain is one of the following strings:\r\neu-west-1\r\neu-west-2\r\nus-east-1\r\nus-east-2\r\nOnce in a system, it can both gather information about the affected system and execute various commands. The gathered\r\ninformation includes:\r\nDomain name\r\nNetwork interfaces\r\nRunning processes/services\r\nInstalled drivers\r\nThis gathered information is used either to generate a user ID for the affected machine, or to check against blocklists: if\r\ncertain drivers, processes, or services are found on the machine, the backdoor will cease to function.\r\nThe commands that can be executed include:\r\nRegistry operations (read, write, and delete registry keys/entries)\r\nFile operations (read, write, and delete files)\r\nRun/stop processes\r\nReboot the system\r\nWhat is Supernova?\r\nSupernova, one of the malicious components associated with the attack, is a .NET web shell backdoor that presents itself as\r\na legitimate SolarWinds web service handler. It is a second-stage payload in the attack. Once running, it inspects and\r\nresponds to HTTP requests with appropriate HTTP query strings, cookies, and HTML form values. It can also execute web\r\nshell commands via a specific HTTP request format.\r\nWho is affected?\r\nIt is believed that Sunburst was delivered via a trojanized version of the Orion network monitoring application. According to\r\nSEC filings by SolarWinds, threat actors inserted the malicious code into otherwise legitimate code, which\r\nmeans anyone who downloaded the software was potentially at risk. 
This was done as part of the build process; the source\r\ncode repository was not affected.\r\nAccording to the SolarWinds SEC filing, this trojanized version was downloaded by fewer than 18,000 customers from March to\r\nJune of 2020. Once this malicious code is present in a system, it runs the behavior described in the first part of this post.\r\nMultiple organizations, including US government agencies, have reported that they were affected by this campaign.\r\nSolutions\r\nIn a security advisory, SolarWinds advised all of their affected customers to immediately update their\r\nsoftware to versions that do not contain the malicious code. The advisory also lists the affected products and their\r\nversions. Our article titled Managing Risk While Your ITSM Is Down includes suggestions on how to manage network\r\nmonitoring and other IT systems management (ITSM) solutions.\r\nIn addition to this, the US Department of Homeland Security, in a directive to US government agencies,\r\nordered that systems with that software be taken offline and not reconnected to networks until they have been rebuilt.\r\nThe directive instructs agencies to treat those machines as compromised and to change any credentials used by them\r\nas well. Organizations that use SolarWinds Orion within their network may consider similar steps.\r\nThe malicious files associated with this attack are already detected by the appropriate Trend Micro products as\r\nBackdoor.MSIL.SUNBURST.A and Trojan.MSIL.SUPERNOVA.A. 
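As an added example (this script is not from the original Trend Micro post and is not a Trend Micro product), the following Python shows how a defender could screen DNS query logs for the {random strings}.appsync-api.{subdomain}.avsvmcloud.com beaconing pattern described above and for the domains and SHA256 hashes listed in the Indicators of Compromise section below. The three-column log layout, the client addresses, the queried names and the observed file hashes are constructed for the example; the region list, blocked domains and hashes are taken from this post.

```python
# Added example, not code from the Trend Micro post: screening DNS query logs
# and file hashes against the SUNBURST indicators this post describes.
# Assumption: the log layout '<timestamp> <client-ip> <queried-name>' is a
# constructed, simplified format, not any specific product's output.

# Region labels the post lists for the C2 name pattern.
C2_SUBDOMAINS = {'eu-west-1', 'eu-west-2', 'us-east-1', 'us-east-2'}
C2_APEX = 'avsvmcloud.com'

# Domains the post lists as associated with the campaign ([.] defanging removed).
BLOCKED_DOMAINS = {
    'avsvmcloud.com', 'databasegalore.com', 'deftsecurity.com', 'highdatabase.com',
    'incomeupdate.com', 'panhardware.com', 'thedoccloud.com', 'zupertech.com',
}

# SHA256 hashes from the Indicators of Compromise section of this post.
IOC_SHA256 = {
    '019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134',
    'c15abaf51e78ca56c0376522d699c978217bf041a3bd3c71d09193efa5717c71',
    'ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6',
    '32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77',
    'd0d626deb3f9484e649294a8dfa814c5568f846d5aa02d4cdad5d041a29d5600',
}


def normalize(qname):
    # Lower-case, drop a trailing dot, and undo the [.] defanging used in IoC lists.
    return qname.strip().lower().rstrip('.').replace('[.]', '.')


def registered_domain(qname):
    # Last two labels; sufficient for the .com indicators on this page.
    labels = normalize(qname).split('.')
    return '.'.join(labels[-2:]) if len(labels) >= 2 else normalize(qname)


def classify_sunburst_c2(qname):
    # 'sunburst-c2' when the name has the exact shape
    # <random>.appsync-api.<region>.avsvmcloud.com with a known region,
    # 'blocked-domain' when it sits under any domain from the IoC list, else None.
    labels = normalize(qname).split('.')
    if (len(labels) == 5 and labels[1] == 'appsync-api'
            and labels[2] in C2_SUBDOMAINS
            and '.'.join(labels[3:]) == C2_APEX):
        return 'sunburst-c2'
    if registered_domain(qname) in BLOCKED_DOMAINS:
        return 'blocked-domain'
    return None


def scan_dns_log(lines):
    # Returns (client-ip, normalized name, verdict) for every line that matches.
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 3:
            continue  # malformed line: skip it rather than abort the scan
        verdict = classify_sunburst_c2(parts[2])
        if verdict:
            hits.append((parts[1], normalize(parts[2]), verdict))
    return hits


def match_hashes(observed):
    # observed: mapping of path -> SHA256 hex digest from an inventory tool.
    # Case-insensitive so upper-case digests from Windows tooling still match.
    return {p: h.lower() for p, h in observed.items() if h.lower() in IOC_SHA256}


# Constructed sample data (not real telemetry).
SAMPLE_DNS_LOG = [
    '2020-12-14T03:12:09Z 10.1.20.15 02m6hcopiuqfn9ub3vd1.appsync-api.eu-west-1.avsvmcloud.com',
    '2020-12-14T03:12:10Z 10.1.20.15 www.example.com',
    '2020-12-14T03:13:41Z 10.1.20.22 cdn.deftsecurity.com',
    '2020-12-14T03:14:02Z 10.1.20.22 appsync-api.us-east-1.avsvmcloud.com',
    '2020-12-14T03:14:05Z 10.1.20.22 abc.appsync-api.ap-south-1.avsvmcloud.com',
    'garbage',
]

SAMPLE_HASHES = {
    'C:/suspect/orion-component.dll':  # constructed path, not a real file name
        '32519B85C0B422E4656DE6E6C41878E95FD95026267DAAB4215EE59C107D6C77',
    'C:/Windows/notepad.exe':
        '0000000000000000000000000000000000000000000000000000000000000000',
}

if __name__ == '__main__':
    for client, name, verdict in scan_dns_log(SAMPLE_DNS_LOG):
        print(client, name, verdict)
    for path, digest in match_hashes(SAMPLE_HASHES).items():
        print('IOC hash hit:', path, digest)
```

Names under avsvmcloud.com that do not have the exact five-label shape with a known region still come back as blocked-domain, matching the post's statement that the whole domain is blocked rather than only the four listed regions.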
The entire avsvmcloud.com domain has also been blocked.\r\nIf you believe that your organization may have been affected by this campaign, visit this page for the\r\navailable Trend Micro solutions that can help detect and mitigate any risks from this campaign.\r\nIf you’re a Trend Micro Apex One customer, check your product console for a notification to scan your environment for\r\nattack indicators of this campaign.\r\nIndicators of Compromise\r\nThe following hashes are associated with this campaign and are detected by Trend Micro products:\r\nSHA256  SHA1  Trend Micro detection\r\n019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134  2f1a5a7411d015d01aaee4535835400191645023  Backdoor.MS\r\nc15abaf51e78ca56c0376522d699c978217bf041a3bd3c71d09193efa5717c71  75af292f34789a1c782ea36c7127bf6106f595e8  Trojan.MSIL\r\nce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6  d130bd75645c2433f88ac03e73395fba172ef676  Backdoor.MS\r\n32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77  76640508b1e7759e548771a5359eaed353bf1eec  Backdoor.MS\r\nd0d626deb3f9484e649294a8dfa814c5568f846d5aa02d4cdad5d041a29d5600  1b476f58ca366b54f34d714ffce3fd73cc30db1a  Backdoor.MS\r\nThe following domain names are associated with this campaign and are also blocked:\r\navsvmcloud[.]com\r\ndatabasegalore[.]com\r\ndeftsecurity[.]com\r\nhighdatabase[.]com\r\nincomeupdate[.]com\r\npanhardware[.]com\r\nthedoccloud[.]com\r\nzupertech[.]com\r\nSource: https://www.trendmicro.com/en_us/research/20/l/overview-of-recent-sunburst-targeted-attacks.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/20/l/overview-of-recent-sunburst-targeted-attacks.html"
	],
	"report_names": [
		"overview-of-recent-sunburst-targeted-attacks.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434440,
	"ts_updated_at": 1775791235,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d2d200d19c32e65cf629041e35dabbf6af0bbaa6.pdf",
		"text": "https://archive.orkl.eu/d2d200d19c32e65cf629041e35dabbf6af0bbaa6.txt",
		"img": "https://archive.orkl.eu/d2d200d19c32e65cf629041e35dabbf6af0bbaa6.jpg"
	}
}