SUNBURST
SUNBURST is a trojanized DLL backdoor inserted into SolarWinds Orion software updates as part of the 2020 SolarWinds supply-chain compromise. It was integrated into the Orion update framework after attackers compromised SolarWinds’ development/build environment and infected Orion source code; the malicious builds were digitally signed by SolarWinds and distributed to customers between approximately March and June 2020. The malware is also referred to as Solorigate, but SUNBURST is the most widely used name in the provided reporting.
The malware provided remote access and command-and-control capability in victim environments and was used as an initial foothold for follow-on intrusion activity. It communicated with attacker-controlled command-and-control infrastructure over HTTP using GET and POST requests, used Base64 encoding in its C2 traffic, and generated runtime C2 traffic to subdomains of avsvmcloud[.]com. FireEye reported a killswitch associated with avsvmcloud[.]com that could cause SUNBURST to terminate under certain conditions; this did not remove threat actors from networks where additional persistence had already been established.
SUNBURST was designed for stealth and selective execution. Reporting states it delayed execution for roughly 12 to 14 days, would not execute unless the host was joined to a domain, and would not execute if its C2 domain resolved to a private IP address. It performed extensive environment checks for analysis and security tooling, comparing process, service, and driver names against hardcoded hashed blocklists rather than against cleartext strings. It queried WMI with "Select * From Win32_SystemDriver" to retrieve driver listings, and attempted to disable security services whose names matched a hardcoded FNV-1a + XOR hashed blocklist. It also removed HTTP proxy registry values to clean up traces of execution.
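The hashed-blocklist check described above, reimplemented as an added example in Python. This is not code from the page, from SolarWinds, or decompiled from the malware; it assumes the scheme public analyses attribute to SUNBURST (64-bit FNV-1a over the UTF-8 bytes of the lowercased name, XORed with the fixed key 0x5BAC903BA7D81B0C). The blocklist entries and process names below are constructed for the demo, not the malware's real values. The same routine serves the analyst's side: because the XOR key is a constant rather than a secret, hashing a wordlist of security-tool names recovers the plaintext behind each blocklist entry.

```python
"""FNV-1a + XOR hashed blocklist check, as public analyses describe SUNBURST's.

Added example, not code from the page or from the malware. Assumptions:
  - 64-bit FNV-1a over the UTF-8 bytes of the lowercased name, then XOR with
    SUNBURST_XOR_KEY (constant as reported in public write-ups);
  - DEMO_BLOCKLIST entries and the process names are constructed for this demo,
    not SUNBURST's actual hashed values.
"""

FNV64_OFFSET = 0xCBF29CE484222325
FNV64_PRIME = 0x100000001B3
MASK64 = (1 << 64) - 1
SUNBURST_XOR_KEY = 0x5BAC903BA7D81B0C  # per public analyses (assumption)


def fnv1a64(data: bytes) -> int:
    """Standard 64-bit FNV-1a: XOR each byte in, then multiply by the prime."""
    h = FNV64_OFFSET
    for b in data:
        h ^= b
        h = (h * FNV64_PRIME) & MASK64
    return h


def sunburst_hash(name: str) -> int:
    """Hash a process/service/driver name the way the blocklist is keyed."""
    return fnv1a64(name.lower().encode("utf-8")) ^ SUNBURST_XOR_KEY


def build_blocklist(names) -> set:
    """Malware side: what ships in the binary is only this set of integers."""
    return {sunburst_hash(n) for n in names}


def strip_exe(proc: str) -> str:
    """Normalise 'ProcMon.exe' -> 'procmon' before hashing."""
    base = proc.lower()
    return base[:-4] if base.endswith(".exe") else base


def blocked_processes(running, blocklist) -> list:
    """Malware side: names are never compared in clear, only their hashes."""
    return [p for p in running if sunburst_hash(strip_exe(p)) in blocklist]


def crack_blocklist(blocklist, wordlist) -> dict:
    """Analyst side: map hash -> plaintext for every wordlist entry that hits.

    The XOR key is a constant, so there is no secret to recover; a list of
    candidate tool names resolves the blocklist immediately.
    """
    return {sunburst_hash(w): w for w in wordlist if sunburst_hash(w) in blocklist}


# Constructed demo data (not the real list).
DEMO_BLOCKLIST = build_blocklist(["windbg", "procmon", "wireshark"])

if __name__ == "__main__":
    print(blocked_processes(["explorer.exe", "ProcMon.exe", "svchost.exe"], DEMO_BLOCKLIST))
    print(crack_blocklist(DEMO_BLOCKLIST, ["notepad", "procmon", "windbg", "x64dbg"]))
```

Hashing only hides the list from a casual string dump; it does not stop an analyst from learning which tools the sample avoids, and it gives defenders a cheap way to test whether a renamed tool would still be matched (it is matched only if the renamed name hashes into the set).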
Observed host reconnaissance included collecting the username from compromised hosts and reading HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid. After its dormant period, the malware's execution chain included creation of a named pipe, 583da945-62af-10e8-4902-a8f205c72b2e. A weaponized Orion DLL could be identified by an injected OrionImprovementBusinessLayer class in the SolarWinds.Orion.Core.BusinessLayer namespace.
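The artefacts named in this and the preceding paragraph (C2 lookups to subdomains of avsvmcloud[.]com, the named pipe, and the trojanized DLL being loaded by the Orion host process) as hunt logic run over constructed Sysmon-style events. This is an added example, not code or rules from the page or from any vendor; the event records, host names and the subdomain label are made up, and the field names follow Sysmon event IDs 7 (ImageLoad), 17 (PipeCreated) and 22 (DnsQuery) as an assumption about the telemetry in use. The DLL load on its own is not alerted: every Orion install loads SolarWinds.Orion.Core.BusinessLayer.dll, so the load-chain rule only fires when the same process later resolves the C2 domain.

```python
"""Hunt logic for SUNBURST host/network artefacts over Sysmon-style events.

Added example, not from the page or any vendor. EVENTS is constructed sample
telemetry, not real logs. Field names assume Sysmon: EventID 7 = ImageLoad,
17 = PipeCreated, 22 = DnsQuery.
"""
from collections import defaultdict

C2_DOMAIN = "avsvmcloud.com"
HOST_PROCESS = "solarwinds.businesslayerhost.exe"
ORION_DLL = "solarwinds.orion.core.businesslayer.dll"
NAMED_PIPE = "583da945-62af-10e8-4902-a8f205c72b2e"


def _basename(path: str) -> str:
    """Lower-cased file name without its directory (Windows or POSIX separators)."""
    return path.lower().replace("/", "\\").rsplit("\\", 1)[-1]


def is_c2_lookup(qname: str) -> bool:
    """True for avsvmcloud[.]com itself or any subdomain; a trailing dot is tolerated."""
    q = qname.lower().rstrip(".")
    return q == C2_DOMAIN or q.endswith("." + C2_DOMAIN)


def hunt(events) -> list:
    """Return (rule, computer, detail) tuples, one per match.

    Rules:
      sunburst_dns_c2      any DNS query for *.avsvmcloud[.]com (high confidence)
      sunburst_named_pipe  a pipe carrying the SUNBURST GUID was created
      sunburst_load_chain  BusinessLayerHost.exe loaded the Orion DLL and the
                           same process later resolved the C2 domain; the load
                           alone is normal Orion behaviour and is not alerted
    Events are assumed to arrive in time order, as a SIEM query would return them.
    """
    findings = []
    loaded = defaultdict(set)  # computer -> process IDs that loaded the Orion DLL
    for ev in events:
        eid, computer = ev["EventID"], ev["Computer"]
        image = _basename(ev.get("Image", ""))
        if eid == 7 and image == HOST_PROCESS and _basename(ev.get("ImageLoaded", "")) == ORION_DLL:
            loaded[computer].add(ev["ProcessId"])
        elif eid == 22 and is_c2_lookup(ev.get("QueryName", "")):
            findings.append(("sunburst_dns_c2", computer, f"{image} -> {ev['QueryName']}"))
            if image == HOST_PROCESS and ev["ProcessId"] in loaded[computer]:
                findings.append(("sunburst_load_chain", computer, f"pid {ev['ProcessId']}"))
        elif eid == 17 and NAMED_PIPE in ev.get("PipeName", "").lower():
            findings.append(("sunburst_named_pipe", computer, f"{image} {ev['PipeName']}"))
    return findings


ORION_EXE = r"C:\Program Files (x86)\SolarWinds\Orion\SolarWinds.BusinessLayerHost.exe"

# Constructed sample telemetry (not real logs). ORION01 shows the full chain;
# WKS07 is an ordinary client making an unrelated lookup.
EVENTS = [
    {"EventID": 7, "Computer": "ORION01", "ProcessId": 4120, "Image": ORION_EXE,
     "ImageLoaded": r"C:\Program Files (x86)\SolarWinds\Orion\SolarWinds.Orion.Core.BusinessLayer.dll"},
    {"EventID": 17, "Computer": "ORION01", "ProcessId": 4120, "Image": ORION_EXE,
     "PipeName": r"\583da945-62af-10e8-4902-a8f205c72b2e"},
    {"EventID": 22, "Computer": "ORION01", "ProcessId": 4120, "Image": ORION_EXE,
     "QueryName": "constructed-label.avsvmcloud.com"},
    {"EventID": 22, "Computer": "WKS07", "ProcessId": 880,
     "Image": r"C:\Windows\System32\svchost.exe", "QueryName": "update.example.org"},
]

if __name__ == "__main__":
    for rule, host, detail in hunt(EVENTS):
        print(f"{rule:22} {host:8} {detail}")
```

A DNS hit is only as good as the DNS logging that was in place at the time; a host that beaconed before logging was enabled will show at most the pipe or load-chain artefacts, so the three rules are meant to be run together rather than relied on individually.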
SUNBURST is associated in the provided content with the SolarWinds compromise and with the threat actor tracked as UNC2452 by FireEye and later named NOBELIUM by Microsoft; public reporting also linked the campaign to APT29/Cozy Bear/Russian SVR. The malware was used against public- and private-sector victims globally, including government, consulting, technology, telecom, and extractive organizations, with reporting noting major impact across U.S. government agencies and other high-value targets. The content also states SUNBURST had capability to deliver the memory-only dropper TEARDROP, which was observed delivering Cobalt Strike Beacon and other malware.
Groups observed using it
Attackers will be retooling, so don’t anticipate finding specifics for SUNBURST malware.
The threat actor inserted malicious software into Solarwinds’ development environment, infecting Orion’s source code with the SUNBURST malware. The compromised build was pushed to customers as an update to their existing Orion installations, deploying SUNBURST into customer environments.
the company's software by inserting the Sunburst malware into some updates for the SolarWinds Orion app
A second one is the Sunburst (Solorigate) backdoor malware deployed by the SolarWinds hackers on the systems of organizations who installed trojanized Orion builds via the platform's built-in automatic update mechanism.
Techniques & procedures
32 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access (5 techniques)
Supply chain attacks are not common and the SolarWinds Supply-Chain Attack is one of the most potentially damaging attacks we’ve seen in recent memory.
In this case, they were actually deploying it through SolarWinds' own distribution channels.
Use of malicious SolarWinds update: inserting malicious code into legitimate software updates for the Orion software that allows an attacker remote access into the victim's environment.
State-sponsored threat actors have demonstrated their ability to compromise service providers such as MSPs as a method of infiltrating the supply chain of organizations of strategic interest, establishing persistence, and securing access to downstream targets.
Execution (4 techniques)
The content repeatedly describes threat actors and malware using WMI/WMIC/wmiexec for remote execution, lateral movement, discovery, persistence, and administrative actions; e.g., 'APT41 used WMI in several ways, including for execution of commands via WMIEXEC as well as for persistence via PowerSploit' and 'Scattered Spider used Windows Management Instrumentation (WMI) to move laterally via Impacket.'
'After taking control of the Orion update mechanism, the attackers were using it to install a backdoor that FireEye researchers are calling Sunburst.'
Persistence (2 techniques)
Privilege Escalation (1 technique)
Stealth (11 techniques)
The content repeatedly describes malware and threat actors using obfuscated code, encrypted strings, Base64/XOR/RC4/AES encoding, VMProtect/ConfuserEx/SmartAssembly, stack strings, control-flow flattening, opaque predicates, and hidden payloads to evade analysis and detection.
During the 2016 Ukraine Electric Power Attack, DLLs and EXEs with filenames associated with common electric power sector protocols were used to masquerade files.
RedCurl mimicked legitimate file names and scheduled tasks, e.g. MicrosoftCurrentupdatesCheck and MdMMaintenenceTask to mask malicious files and scheduled tasks.
Bisonal has deleted Registry keys to clean up its prior activity. FIN8 has deleted Registry keys during post compromise cleanup activities. SUNBURST also deleted previously-created Image File Execution Options (IFEO) Debugger registry values and registry keys related to HTTP proxy to clean up traces of its activity.
The content repeatedly describes threat actors and malware deleting files, tools, scripts, logs, droppers, staged data, and artifacts from compromised systems to cover tracks, remove evidence, or self-delete.
CSPY Downloader has the ability to remove values it writes to the Registry.
SolarWinds has published limited information in which they state they believe the build environment was compromised.
This effectively prevents the use of malware sandboxes or other instrumented environments to detect it.
unless the machine is joined to a domain, the malware will not execute.
Defense Impairment (1 technique)
Discovery (9 techniques)
The content repeatedly describes malware and threat actors querying, enumerating, searching, reading, or checking Windows Registry keys and values, e.g., "ADVSTORESHELL can enumerate registry keys," "APT41 queried registry values to determine items such as configured RDP ports and network configurations," and "Reg may be used to gather details from the Windows Registry of a local or remote system at the command-line interface."
The content repeatedly describes malware and threat actors using commands and APIs such as ipconfig /all, ifconfig, arp -a, route print, nbtstat, netsh, GetAdaptersInfo, and GetIpNetTable to gather IP addresses, MAC addresses, DNS, DHCP, gateways, routing tables, ARP cache, proxy settings, domains, and network adapter/interface details.
The content repeatedly describes malware and threat actors collecting usernames, identifying logged-in users, running whoami/query user/quser, checking whether the current user is an administrator, enumerating user sessions, and gathering account details from compromised hosts.
The content repeatedly describes malware and threat actors obtaining lists of running processes, using utilities such as tasklist, ps, WMI, Get-Process, CreateToolhelp32Snapshot, EnumProcesses, and similar APIs/commands to enumerate active processes on victim systems.
SUNBURST then communicated with the threat actors, who would verify that the accessed environment had information of value worth exfiltrating.
The content repeatedly describes malware and threat actors listing files and directories, enumerating drives, searching for files by extension/name/path, retrieving file metadata, and browsing file systems (for example: "APT28 has used Forfiles to locate PDF, Excel, and Word documents during collection" and "cmd can be used to find files and directories with native functionality such as dir commands").
Collection (1 technique)
Command and Control (4 techniques)
A key domain name, avsvmcloud[.]com, was used by the SolarWinds hackers to communicate with systems compromised by the backdoored Orion product updates.
The content repeatedly describes threat actors and malware using HTTP and HTTPS for command and control, such as: "Sandworm Team used BlackEnergy to communicate between compromised hosts and their command-and-control servers via HTTP post requests."
Recent activity
A backdoor implanted into Trojanized SolarWinds Orion software updates that beaconed to attacker-controlled C2 infrastructure, enabled remote access, and could facilitate delivery of additional malware and data exfiltration.
Backdoor malware injected into trojanized SolarWinds Orion updates and distributed through signed software updates.
Referenced in supporting material about the Solorigate intrusion chain, where SUNBURST is the backdoor associated with the second-stage activation discussed there.
Sunburst is a backdoor associated with the SolarWinds supply chain compromise. In this content it is identified via loading of the malicious SolarWinds.Orion.Core.BusinessLayer.dll by SolarWinds.BusinessLayerHost.exe and subsequent DNS queries to avsvmcloud[.]com, indicating potential unauthorized access, data exfiltration, and further system compromise.