{
	"id": "c5442adc-1adf-4443-ab48-2458b579ff28",
	"created_at": "2026-04-06T00:18:07.33316Z",
	"updated_at": "2026-04-10T03:37:33.169234Z",
	"deleted_at": null,
	"sha1_hash": "e83af6e9e8ade363940c7d74c1f3856801901ece",
	"title": "Robust Indicators of Compromise for SUNBURST",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 396590,
	"plain_text": "Robust Indicators of Compromise for SUNBURST\r\nBy Erik Hjelmvik\r\nPublished: 2021-01-11 · Archived: 2026-04-05 14:20:19 UTC\r\nMonday, 11 January 2021 10:30:00 (UTC/GMT)\r\nThere has been a great deal of confusion regarding what network-based Indicators of Compromise (IOC)\r\nSolarWinds Orion customers can use to self-assess whether or not they have been targeted after having installed a\r\nsoftware update with the SUNBURST backdoor. Many of the published IOCs only indicate that a backdoored\r\nSolarWinds Orion update has been installed, but the question that many security teams are trying to answer is\r\nwhether or not the installed backdoor has been used by the threat actor.\r\nDon't trust everything you read!\r\nThere is a widespread misunderstanding that receiving a so-called “NetBios” DNS A record (for example an\r\naddress in 8.18.144.0/23) in response to a *.avsvmcloud.com DNS query would mean that you’ve been targeted.\r\nOur analysis of the decompiled SUNBURST code and passive DNS data shows that receiving a “NetBios”\r\nresponse does not necessarily mean that the client has been targeted. Unfortunately this misunderstanding has led\r\nto various sensationalist stories being published with long lists of companies and organizations that are claimed to\r\nbe “singled out by the hacking group for the second stage of the attack”, “explicitly selected by the SolarWinds\r\nhackers for further activities” or “breached via SolarWinds and then specifically targeted by the hackers for\r\nadditional internal compromise”.\r\nAnother common misunderstanding is that clients sending *.avsvmcloud.com DNS queries with encoded\r\ntimestamps, and optionally a list of installed/running AV products, have been actively targeted. Our analysis of the\r\ndecompiled SUNBURST code shows that the timestamped “Pings” or AV service status reports get exfiltrated in\r\nhttps://netresec.com/?b=211f30f\r\nPage 1 of 3\n\nDNS traffic after the client’s internal AD domain has been sent, but before the perpetrators decide whether or not\r\nthey want to activate the backdoor.\r\nIndicators of a Targeted Attack\r\nSo what network-based IOCs can incident responders, blue teams and SOC analysts use in order to see if they\r\nhave been targeted by the SUNBURST operators?\r\nThe following network-based events indicate that a client has been actively targeted and the SUNBURST\r\nbackdoor has progressed beyond the initial mode of operation:\r\nReceived a DNS A record for an *.avsvmcloud.com query that points to an IP address in any of the\r\nfollowing three networks: 18.130.0.0/16, 99.79.0.0/16 or 184.72.0.0/15\r\nSent an *.avsvmcloud.com DNS query with the STAGE2 flag encoded in the subdomain.\r\nReceived a CNAME record for a query to *.avsvmcloud.com\r\nThese three indicators are DNS based, so organizations will need to have a full historical backlog of DNS\r\ntransactions ranging back to April 2020 in order to use them reliably.\r\nAnother network-based IOC is HTTPS communication to one of the known STAGE3 C2 domains. However,\r\nplease note that the C2 domain list might not be complete. It is even possible that a unique C2 domain is used for\r\neach victim. Nevertheless, here’s a list of the SUNBURST STAGE3 C2 domains we are currently aware of:\r\navsvmcloud[.]com\r\ndatabasegalore[.]com\r\ndeftsecurity[.]com\r\ndigitalcollege[.]org\r\nfreescanonline[.]com\r\nglobalnetworkissues[.]com\r\nhighdatabase[.]com\r\nincomeupdate[.]com\r\nkubecloud[.]com\r\nlcomputers[.]com\r\nmobilnweb[.]com\r\npanhardware[.]com\r\nseobundlekit[.]com\r\nsolartrackingsystem[.]net\r\nthedoccloud[.]com\r\nvirtualwebdata[.]com\r\nwebcodez[.]com\r\nwebsitetheme[.]com\r\nzupertech[.]com\r\nPalo Alto was a Targeted SUNBURST Victim\r\nWe can now verify that Palo Alto was among the targeted SUNBURST victims, because their DNS request for\r\n\"5qbtj04rcbp3tiq8bo6t.appsync.api.us.east.1.avsvmcloud.com\" contains an encoded STAGE2 flag. The attack\r\ntook place on September 29 at around 04:00 UTC, according to the timestamp that was also encoded into the\r\navsvmcloud subdomain.\r\nImage: Parsing passive DNS data from Dancho Danchev with SunburstDomainDecoder v1.9 and filtering on\r\nGUID “22334A7227544B1E”.\r\nPalo Alto's CEO Nikesh Arora has confirmed that they were hit by SUNBURST (or \"SolarStorm\" as they call it),\r\nbut they don’t provide much detail. Here’s what Nikesh wrote on December 17:\r\nRecently, we experienced an attempt to download Cobalt Strike on one of our IT SolarWinds servers.\r\n[...]\r\nWe thought this was an isolated incident, however, on Dec. 13, we became aware that the SolarWinds\r\nsoftware supply chain was compromised and it became clear that the incident we prevented was an\r\nattempted SolarStorm attack.\r\nOur SUNBURST STAGE2 Victim Table has now been updated to include Palo Alto alongside the other targeted\r\nvictims.\r\nPosted by Erik Hjelmvik on Monday, 11 January 2021 10:30:00 (UTC/GMT)\r\nTags: #SUNBURST #IOC #SolarWinds #SolarStorm #avsvmcloud #STAGE2 #DNS #CNAME #avsvmcloud.com\r\n#Cobalt Strike #DNS #FireEye\r\nSource: https://netresec.com/?b=211f30f",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://netresec.com/?b=211f30f"
	],
	"report_names": [
		"?b=211f30f"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b43e5ea9-d8c8-4efa-b5bf-f1efb37174ba",
			"created_at": "2022-10-25T16:07:24.36191Z",
			"updated_at": "2026-04-10T02:00:04.954902Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"Dark Halo",
				"Nobelium",
				"SolarStorm",
				"StellarParticle",
				"UNC2452"
			],
			"source_name": "ETDA:UNC2452",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "20d3a08a-3b97-4b2f-90b8-92a89089a57a",
			"created_at": "2022-10-25T15:50:23.548494Z",
			"updated_at": "2026-04-10T02:00:05.292748Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"APT29",
				"IRON RITUAL",
				"IRON HEMLOCK",
				"NobleBaron",
				"Dark Halo",
				"NOBELIUM",
				"UNC2452",
				"YTTRIUM",
				"The Dukes",
				"Cozy Bear",
				"CozyDuke",
				"SolarStorm",
				"Blue Kitsune",
				"UNC3524",
				"Midnight Blizzard"
			],
			"source_name": "MITRE:APT29",
			"tools": [
				"PinchDuke",
				"ROADTools",
				"WellMail",
				"CozyCar",
				"Mimikatz",
				"Tasklist",
				"OnionDuke",
				"FatDuke",
				"POSHSPY",
				"EnvyScout",
				"SoreFang",
				"GeminiDuke",
				"reGeorg",
				"GoldMax",
				"FoggyWeb",
				"SDelete",
				"PolyglotDuke",
				"AADInternals",
				"MiniDuke",
				"SeaDuke",
				"Sibot",
				"RegDuke",
				"CloudDuke",
				"GoldFinder",
				"AdFind",
				"PsExec",
				"NativeZone",
				"Systeminfo",
				"ipconfig",
				"Impacket",
				"Cobalt Strike",
				"PowerDuke",
				"QUIETEXIT",
				"HAMMERTOSS",
				"BoomBox",
				"CosmicDuke",
				"WellMess",
				"VaporRage",
				"LiteDuke"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f27790ff-4ee0-40a5-9c84-2b523a9d3270",
			"created_at": "2022-10-25T16:07:23.341684Z",
			"updated_at": "2026-04-10T02:00:04.549917Z",
			"deleted_at": null,
			"main_name": "APT 29",
			"aliases": [
				"APT 29",
				"ATK 7",
				"Blue Dev 5",
				"BlueBravo",
				"Cloaked Ursa",
				"CloudLook",
				"Cozy Bear",
				"Dark Halo",
				"Earth Koshchei",
				"G0016",
				"Grizzly Steppe",
				"Group 100",
				"ITG11",
				"Iron Hemlock",
				"Iron Ritual",
				"Midnight Blizzard",
				"Minidionis",
				"Nobelium",
				"NobleBaron",
				"Operation Ghost",
				"Operation Office monkeys",
				"Operation StellarParticle",
				"SilverFish",
				"Solar Phoenix",
				"SolarStorm",
				"StellarParticle",
				"TEMP.Monkeys",
				"The Dukes",
				"UNC2452",
				"UNC3524",
				"Yttrium"
			],
			"source_name": "ETDA:APT 29",
			"tools": [
				"7-Zip",
				"ATI-Agent",
				"AdFind",
				"Agentemis",
				"AtNow",
				"BEATDROP",
				"BotgenStudios",
				"CEELOADER",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobalt Strike",
				"CobaltStrike",
				"CosmicDuke",
				"Cozer",
				"CozyBear",
				"CozyCar",
				"CozyDuke",
				"Danfuan",
				"EnvyScout",
				"EuroAPT",
				"FatDuke",
				"FoggyWeb",
				"GeminiDuke",
				"Geppei",
				"GoldFinder",
				"GoldMax",
				"GraphDrop",
				"GraphicalNeutrino",
				"GraphicalProton",
				"HAMMERTOSS",
				"HammerDuke",
				"LOLBAS",
				"LOLBins",
				"LiteDuke",
				"Living off the Land",
				"MagicWeb",
				"Mimikatz",
				"MiniDionis",
				"MiniDuke",
				"NemesisGemina",
				"NetDuke",
				"OnionDuke",
				"POSHSPY",
				"PinchDuke",
				"PolyglotDuke",
				"PowerDuke",
				"QUIETEXIT",
				"ROOTSAW",
				"RegDuke",
				"Rubeus",
				"SNOWYAMBER",
				"SPICYBEAT",
				"SUNSHUTTLE",
				"SeaDaddy",
				"SeaDask",
				"SeaDesk",
				"SeaDuke",
				"Sharp-SMBExec",
				"SharpView",
				"Sibot",
				"Solorigate",
				"SoreFang",
				"TinyBaron",
				"WINELOADER",
				"WellMail",
				"WellMess",
				"cobeacon",
				"elf.wellmess",
				"reGeorg",
				"tDiscoverer"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434687,
	"ts_updated_at": 1775792253,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e83af6e9e8ade363940c7d74c1f3856801901ece.pdf",
		"text": "https://archive.orkl.eu/e83af6e9e8ade363940c7d74c1f3856801901ece.txt",
		"img": "https://archive.orkl.eu/e83af6e9e8ade363940c7d74c1f3856801901ece.jpg"
	}
}