{
	"id": "14f321fb-5a14-4eac-beb3-a7df82a8d919",
	"created_at": "2026-04-06T00:09:09.816237Z",
	"updated_at": "2026-04-10T03:37:33.205369Z",
	"deleted_at": null,
	"sha1_hash": "db32004ee00ba0bb804ad1363b34ba6a11bf73f8",
	"title": "Finding Targeted SUNBURST Victims with pDNS",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 129388,
	"plain_text": "Finding Targeted SUNBURST Victims with pDNS\r\nBy Erik Hjelmvik\r\nPublished: 2021-01-04 · Archived: 2026-04-05 18:48:38 UTC\r\nMonday, 04 January 2021 21:11:00 (UTC/GMT)\r\nOur SunburstDomainDecoder tool can now be used to identify SUNBURST victims that have been\r\nexplicitly targeted by the attackers. The only input needed is passive DNS (pDNS) data for avsvmcloud.com\r\nsubdomains.\r\nCompanies and organizations that have installed a trojanized SolarWinds Orion update containing the SUNBURST\r\nbackdoor will send DNS queries for seemingly random subdomains of avsvmcloud.com. Some of these DNS\r\nqueries actually contain the victim's internal AD domain encoded into the subdomain, as explained in our blog\r\npost Reassembling Victim Domain Fragments from SUNBURST DNS.\r\nThree Stages of SUNBURST Backdoor Operation\r\nMost SUNBURST victims were luckily not targeted by the attackers. This means that the backdoor never made it\r\npast \"STAGE1\" of the infection process. Nevertheless, the attackers did choose to proceed to \"STAGE2\" with\r\nsome victims. 
As explained in FireEye's blog post SUNBURST Additional Technical Details, the \"C2 coordinator\"\r\ncan proceed to the next stage by responding with a DNS A record pointing to an IP address within any of these\r\nthree ranges:\r\n18.130.0.0/16\r\n99.79.0.0/16\r\n184.72.0.0/15\r\nAccording to FireEye's \"Diagram of actor operations and usage of SUNBURST\", the decision to proceed to the\r\nnext stage is based upon whether or not the victim's internal AD domain is \"interesting to attack\".\r\nNote: \"STAGE2\" is referred to as \"associated mode\" in FireEye's blog post.\r\nSUNBURST backdoors that have entered STAGE2 will allow CNAME records in DNS responses to be used as\r\nnew C2 domains.\r\nhttps://netresec.com/?b=2113a6a\r\nPage 1 of 6\n\nWe have discovered that the SUNBURST backdoor actually uses a single bit in the queried avsvmcloud.com\r\nsubdomain in order to flag that it has entered STAGE2 and is accepting new C2 domains in CNAME records. This\r\nbit is called flag, ext or dnssec in the malicious SUNBURST implant and can be extracted from DNS queries that\r\nhave an encoded timestamp, such as those indicating which security products are installed.\r\nDetecting STAGE2 DNS Requests\r\nOur SunburstDomainDecoder tool has now been updated to include a \"STAGE2\" tag in the output for DNS\r\nqueries containing this stage 2 flag. 
This means that organizations like national CERTs, who perform incident\r\nresponse coordination and victim notification, can now use SunburstDomainDecoder in order to identify and\r\nnotify targeted SUNBURST victims that have entered STAGE2.\r\nHere's the output we get when feeding SunburstDomainDecoder with Bambenek's uniq-hostnames.txt passive\r\nDNS data and only displaying lines containing \"STAGE2\":\r\nSunburstDomainDecoder.exe \u003c uniq-hostnames.txt | findstr STAGE2\r\n22334A7227544B1E 2020-09-29T04:00:00.0000000Z,STAGE2 5qbtj04rcbp3tiq8bo6t\r\nFC07EB59E028D3EE 2020-06-13T09:00:00.0000000Z,STAGE2 6a57jk2ba1d9keg15cbg\r\n1D71011E992C3D68 2020-06-11T22:30:00.0000000Z,STAGE2 7sbvaemscs0mc925tb99\r\nF90BDDB47E495629 2020-06-13T08:30:00.0000000Z,STAGE2 gq1h856599gqh538acqn\r\nDB7DE5B93573A3F7 2020-06-20T02:30:00.0000000Z,STAGE2 ihvpgv9psvq02ffo77et\r\n3C327147876E6EA4 2020-07-22T17:00:00.0000000Z,STAGE2 k5kcubuassl3alrf7gm3\r\n3C327147876E6EA4 2020-07-23T18:30:00.0000000Z,STAGE2 mhdosoksaccf9sni9icp\r\n1D71011E992C3D68 central.pima.gov,STAGE2\r\nDB7DE5B93573A3F7 coxnet.cox.com,STAGE2,WindowsDefender\r\nF90BDDB47E495629 central.pima.gov,STAGE2\r\nMost of these subdomains are listed in FireEye's Indicator_Release_NBIs.csv file as having CNAME pointers to\r\nother SUNBURST C2 domains like: freescanonline[.]com, deftsecurity[.]com and thedoccloud[.]com. 
But the first\r\ndomain, with GUID 22334A7227544B1E, was actually not part of FireEye's IOC data.\r\nEven more STAGE2 domains and GUID values can be found by analyzing other passive DNS resources, such as\r\nthis passive DNS dump on pastebin by Rohit Bansal.\r\ncurl -s https://pastebin.com/raw/6EDgCKxd | SunburstDomainDecoder.exe | findstr STAGE2\r\nE258332529826721 2020-07-18T05:00:00.0000000Z,STAGE2 1dbecfd99ku6fi2e5fjb\r\n2039AFE13E5307A1 2020-05-30T14:30:00.0000000Z,STAGE2 4n4vte5gmor7j9lpegsf\r\n22334A7227544B1E 2020-09-29T04:00:00.0000000Z,STAGE2 5qbtj04rcbp3tiq8bo6t\r\nFC07EB59E028D3EE 2020-06-13T09:00:00.0000000Z,STAGE2 6a57jk2ba1d9keg15cbg\r\n1D71011E992C3D68 2020-06-11T22:30:00.0000000Z,STAGE2 7sbvaemscs0mc925tb99\r\n1D71011E992C3D68 2020-06-11T22:30:00.0000000Z,STAGE2 7sbvaemscs0mc925tb99\r\nF90BDDB47E495629 2020-06-13T08:30:00.0000000Z,STAGE2 gq1h856599gqh538acqn\r\nF90BDDB47E495629 2020-06-13T08:30:00.0000000Z,STAGE2 gq1h856599gqh538acqn\r\nDB7DE5B93573A3F7 2020-06-20T02:30:00.0000000Z,STAGE2 ihvpgv9psvq02ffo77et\r\nDB7DE5B93573A3F7 2020-06-20T02:30:00.0000000Z,STAGE2 ihvpgv9psvq02ffo77et\r\n3C327147876E6EA4 2020-07-23T18:30:00.0000000Z,STAGE2 mhdosoksaccf9sni9icp\r\nAfter removing the domains already present in FireEye's IOC we're left with the following FQDNs that have been\r\nrequested by SUNBURST backdoors in STAGE2:\r\n1dbecfd99ku6fi2e5fjb.appsync-api.us-east-1.avsvmcloud.com\r\n4n4vte5gmor7j9lpegsf.appsync-api.eu-west-1.avsvmcloud.com\r\n5qbtj04rcbp3tiq8bo6t.appsync-api.us-east-1.avsvmcloud.com\r\nUpdate January 7, 2021\r\nPaul Vixie kindly shared his SunburstDomainDecoder output on Twitter yesterday. Paul's results show that the\r\nvictim with GUID FC07EB59E028D3EE, which corresponds to the \"6a57jk2ba1d9keg15cbg.appsync-api.eu-west-1.avsvmcloud[.]com\" CNAME entry in FireEye's IOC, was Pima County. 
This means that\r\n3C327147876E6EA4 is the only GUID among the CNAME records published by FireEye that cannot yet be tied\r\nto a victim organization. Paul's data also reveals two new STAGE2 victim GUIDs (65A28A36F24D379D and\r\n8D2267C5A00796DA).\r\nUpdate January 12, 2021\r\nWith the help of SunburstDomainDecoder 1.9 and passive DNS data from Dancho Danchev we've been able to verify\r\nthat Palo Alto have installed the malicious SUNBURST backdoor and that it entered into STAGE2 operation on\r\nSeptember 29, 2020. Palo Alto's CEO Nikesh Arora has confirmed that they were hit by SUNBURST (or\r\n\"SolarStorm\" as they call it).\r\nUpdate January 25, 2021\r\nOn December 17 VriesHd tweeted a link to a Google Docs spreadsheet containing aggregated SUNBURST DNS\r\nrequest data.\r\nOne month later VriesHd made some substantial additions to the \"SB2\" spreadsheet, which by then contained\r\nseveral new STAGE2 victims. We have since then actively been trying to reach out to the targeted organizations,\r\neither directly or through CERT organizations, who perform incident response coordination and help with the\r\nvictim notification process. 
VriesHd's passive DNS collection has now been incorporated into the SUNBURST\r\nSTAGE2 Victim Table below.\r\nTargeted SUNBURST Victims\r\nHere's a summary of the STAGE2 beacons from SUNBURST victims that can be extracted from publicly\r\navailable data:\r\nGUID avsvmcloud.com Subdomain Timestamp (UTC) AD Domain\r\nFF1E34A864BCE106 dh1usc8287hr46bia74a 2020-05-14 14:30 nsanet.local\r\nE5E2AD2B6DE697D6 70fov85qclvubqhf9vlh 2020-05-16 19:30 cisco.com\r\nFF1E34A864BCE106 2die0g7i5kgkki628gaj 2020-05-18 11:30 nsanet.local\r\n3E8DF7FF13FC8D38 7hpaqi751fqoei2fdv8m 2020-05-18 16:30 HQ.FIDELIS\r\nFF1E34A864BCE106 tsem12v1rn620hatfol2 2020-05-20 14:30 nsanet.local\r\nFF1E34A864BCE106 a0hmuoveln2400sfvf6n 2020-05-20 16:30 nsanet.local\r\n0C1A5A27B297FE46 k0biaol9fc84ummfn7vi 2020-05-26 11:30 vgn.viasatgsd.com\r\nA887B592B7E5B550 m4apr0vu9qnomtun3b9t 2020-05-26 20:00 WincoreWindows.local\r\n2039AFE13E5307A1 4n4vte5gmor7j9lpegsf 2020-05-30 14:30 suk.sas.com\r\n06A4EA63C80EE24A 9q5jifedn8aflr4ge3nu 2020-05-31 12:00 scc.state.va.us\r\n9850F550BD1010F2 gth7uravpvaapoi86834 2020-05-31 20:00 lagnr.chevrontexaco.net\r\nE5E2AD2B6DE697D6 8k56mm0b876uvf5e7rd3 2020-06-01 19:00 cisco.com\r\n2039AFE13E5307A1 laog1ushfp80e3f18cjg 2020-06-03 01:30 suk.sas.com\r\n06A4EA63C80EE24A ntlcvjpqc57t9kb8ac75 2020-06-03 23:30 scc.state.va.us\r\n1D71011E992C3D68 7sbvaemscs0mc925tb99 2020-06-11 22:30 central.pima.gov\r\nF90BDDB47E495629 gq1h856599gqh538acqn 2020-06-13 08:30 central.pima.gov\r\nFC07EB59E028D3EE 6a57jk2ba1d9keg15cbg 2020-06-13 09:00 central.pima.gov\r\n583141933D242B0D f25k66k5hu68fneu7ocd 2020-06-16 06:00 logitech.local\r\n52CE2BAFD69B2D0E f2co92njkm9od5eu7btg 2020-06-16 18:30 fc.gov\r\nFACC72E2207CD69F rkspr9a19fl8r5ipggi1 2020-06-17 01:00 fox.local\r\n3256C1BCAF74B5FC p0a7jjdp4eq9o2vok1mt 2020-06-18 07:00 ng.ds.army.mil\r\n92DC5436D54898CD lusq9mg6j1e3jii5f66o 2020-06-18 17:30 ddsn.gov\r\nDB7DE5B93573A3F7 ihvpgv9psvq02ffo77et 
2020-06-20 02:30 coxnet.cox.com\r\n59956D687A42F160 o49qi0qbfm37o6jul639 2020-06-23 06:00 wctc.msft\r\n123EDA14721C3602 p5iokg3v9tntqcbo77p2 2020-06-29 08:30 scc.state.va.us\r\n123EDA14721C3602 84v0j8kkbvqf8ntt4o9f 2020-06-30 10:30 scc.state.va.us\r\n2F52CFFCD8993B63 0tvuasje2vc2i2413m6i 2020-07-01 16:30 mgt.srb.europa*\r\n65A28A36F24D379D 7u32o0m6ureci8h5eo6k 2020-07-02 01:00\r\n2F52CFFCD8993B63 en1clufg22h2uca27ro3 2020-07-03 06:00 mgt.srb.europa*\r\n2F52CFFCD8993B63 s2r15kp335mnlq65i6ce 2020-07-03 09:00 mgt.srb.europa*\r\nDB4013DDA16F6A40 up1vj67jjj9tpvceu7ak 2020-07-08 01:00 los.local\r\n123EDA14721C3602 l0vos8o9m5p3m8of7g96 2020-07-10 22:00 scc.state.va.us\r\nE5E2AD2B6DE697D6 8kr7r16da442u75egv1s 2020-07-15 14:00 cisco.com\r\nA13731B17632C726 ttj6cro8jm6cfma8noo7 2020-07-17 12:30 phpds.org\r\nE5E2AD2B6DE697D6 gh1so69rl1sgrgf38gr5 2020-07-17 15:00 cisco.com\r\nE258332529826721 1dbecfd99ku6fi2e5fjb 2020-07-18 05:00\r\n123EDA14721C3602 epm95unblvj984s2ovqh 2020-07-22 11:00 scc.state.va.us\r\n3C327147876E6EA4 k5kcubuassl3alrf7gm3 2020-07-22 17:00 corp.qualys.com\r\n3C327147876E6EA4 mhdosoksaccf9sni9icp 2020-07-23 18:30 corp.qualys.com\r\nF2C9AC93206ABF47 onpqb88oq440lq82p7lb 2020-07-24 05:00 jpso.gov\r\n123EDA14721C3602 0qthjq50jbdvnjq16o8f 2020-07-27 17:00 scc.state.va.us\r\n123EDA14721C3602 gu6r7k260p6afq3ticso 2020-07-28 17:30 scc.state.va.us\r\n936F78AB73AA3022 i4d2krbn2f92jo3uj8r9 2020-08-04 05:00 ggsg-us.cisco.com\r\n936F78AB73AA3022 et2gu9tg5ckrsvaj5bom 2020-08-05 06:00 ggsg-us.cisco.com\r\n22334A7227544B1E 5qbtj04rcbp3tiq8bo6t 2020-09-29 04:00 paloaltonetworks*\r\nSUNBURST STAGE2 Victim Table\r\nSources: John Bambenek, Joe Słowik, Rohit Bansal, Dancho Danchev, Paul Vixie, FireEye and VriesHd.\r\nIdentifying More SUNBURST STAGE2 Victims\r\nCompanies and organizations with access to more passive DNS resources will hopefully be able to use\r\nSunburstDomainDecoder to identify additional targeted SUNBURST 
victims that have progressed to STAGE2.\r\nDownload SunburstDomainDecoder\r\nOur tool SunburstDomainDecoder is released under a Creative Commons CC-BY license, and can be downloaded\r\nhere:\r\nhttps://www.netresec.com/files/SunburstDomainDecoder.zip\r\nYou can also read more about SunburstDomainDecoder in our blog post Reassembling Victim Domain Fragments\r\nfrom SUNBURST DNS.\r\nPosted by Erik Hjelmvik on Monday, 04 January 2021 21:11:00 (UTC/GMT)\r\nTags: #Netresec #pDNS #SUNBURST #SolarWinds #Solorigate #SunburstDomainDecoder #SolarStorm #STAGE2\r\n#avsvmcloud #C2\r\nSource: https://netresec.com/?b=2113a6a",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://netresec.com/?b=2113a6a"
	],
	"report_names": [
		"?b=2113a6a"
	],
	"threat_actors": [
		{
			"id": "b43e5ea9-d8c8-4efa-b5bf-f1efb37174ba",
			"created_at": "2022-10-25T16:07:24.36191Z",
			"updated_at": "2026-04-10T02:00:04.954902Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"Dark Halo",
				"Nobelium",
				"SolarStorm",
				"StellarParticle",
				"UNC2452"
			],
			"source_name": "ETDA:UNC2452",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "20d3a08a-3b97-4b2f-90b8-92a89089a57a",
			"created_at": "2022-10-25T15:50:23.548494Z",
			"updated_at": "2026-04-10T02:00:05.292748Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"APT29",
				"IRON RITUAL",
				"IRON HEMLOCK",
				"NobleBaron",
				"Dark Halo",
				"NOBELIUM",
				"UNC2452",
				"YTTRIUM",
				"The Dukes",
				"Cozy Bear",
				"CozyDuke",
				"SolarStorm",
				"Blue Kitsune",
				"UNC3524",
				"Midnight Blizzard"
			],
			"source_name": "MITRE:APT29",
			"tools": [
				"PinchDuke",
				"ROADTools",
				"WellMail",
				"CozyCar",
				"Mimikatz",
				"Tasklist",
				"OnionDuke",
				"FatDuke",
				"POSHSPY",
				"EnvyScout",
				"SoreFang",
				"GeminiDuke",
				"reGeorg",
				"GoldMax",
				"FoggyWeb",
				"SDelete",
				"PolyglotDuke",
				"AADInternals",
				"MiniDuke",
				"SeaDuke",
				"Sibot",
				"RegDuke",
				"CloudDuke",
				"GoldFinder",
				"AdFind",
				"PsExec",
				"NativeZone",
				"Systeminfo",
				"ipconfig",
				"Impacket",
				"Cobalt Strike",
				"PowerDuke",
				"QUIETEXIT",
				"HAMMERTOSS",
				"BoomBox",
				"CosmicDuke",
				"WellMess",
				"VaporRage",
				"LiteDuke"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f27790ff-4ee0-40a5-9c84-2b523a9d3270",
			"created_at": "2022-10-25T16:07:23.341684Z",
			"updated_at": "2026-04-10T02:00:04.549917Z",
			"deleted_at": null,
			"main_name": "APT 29",
			"aliases": [
				"APT 29",
				"ATK 7",
				"Blue Dev 5",
				"BlueBravo",
				"Cloaked Ursa",
				"CloudLook",
				"Cozy Bear",
				"Dark Halo",
				"Earth Koshchei",
				"G0016",
				"Grizzly Steppe",
				"Group 100",
				"ITG11",
				"Iron Hemlock",
				"Iron Ritual",
				"Midnight Blizzard",
				"Minidionis",
				"Nobelium",
				"NobleBaron",
				"Operation Ghost",
				"Operation Office monkeys",
				"Operation StellarParticle",
				"SilverFish",
				"Solar Phoenix",
				"SolarStorm",
				"StellarParticle",
				"TEMP.Monkeys",
				"The Dukes",
				"UNC2452",
				"UNC3524",
				"Yttrium"
			],
			"source_name": "ETDA:APT 29",
			"tools": [
				"7-Zip",
				"ATI-Agent",
				"AdFind",
				"Agentemis",
				"AtNow",
				"BEATDROP",
				"BotgenStudios",
				"CEELOADER",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobalt Strike",
				"CobaltStrike",
				"CosmicDuke",
				"Cozer",
				"CozyBear",
				"CozyCar",
				"CozyDuke",
				"Danfuan",
				"EnvyScout",
				"EuroAPT",
				"FatDuke",
				"FoggyWeb",
				"GeminiDuke",
				"Geppei",
				"GoldFinder",
				"GoldMax",
				"GraphDrop",
				"GraphicalNeutrino",
				"GraphicalProton",
				"HAMMERTOSS",
				"HammerDuke",
				"LOLBAS",
				"LOLBins",
				"LiteDuke",
				"Living off the Land",
				"MagicWeb",
				"Mimikatz",
				"MiniDionis",
				"MiniDuke",
				"NemesisGemina",
				"NetDuke",
				"OnionDuke",
				"POSHSPY",
				"PinchDuke",
				"PolyglotDuke",
				"PowerDuke",
				"QUIETEXIT",
				"ROOTSAW",
				"RegDuke",
				"Rubeus",
				"SNOWYAMBER",
				"SPICYBEAT",
				"SUNSHUTTLE",
				"SeaDaddy",
				"SeaDask",
				"SeaDesk",
				"SeaDuke",
				"Sharp-SMBExec",
				"SharpView",
				"Sibot",
				"Solorigate",
				"SoreFang",
				"TinyBaron",
				"WINELOADER",
				"WellMail",
				"WellMess",
				"cobeacon",
				"elf.wellmess",
				"reGeorg",
				"tDiscoverer"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434149,
	"ts_updated_at": 1775792253,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/db32004ee00ba0bb804ad1363b34ba6a11bf73f8.pdf",
		"text": "https://archive.orkl.eu/db32004ee00ba0bb804ad1363b34ba6a11bf73f8.txt",
		"img": "https://archive.orkl.eu/db32004ee00ba0bb804ad1363b34ba6a11bf73f8.jpg"
	}
}