TEARDROP
TEARDROP is a previously unknown, memory-only Windows dropper discovered during investigations into the 2020 SolarWinds supply-chain compromise. It was used as a second-stage, post-exploitation payload following SUNBURST/Solorigate activity and was observed deploying customized Cobalt Strike Beacon payloads; reporting also notes that TEARDROP or RAINDROP backdoors were used for follow-on access, domain enumeration, and collection and exfiltration through hands-on-keyboard activity. TEARDROP is attributed to the threat actor tracked as UNC2452 by FireEye and as NOBELIUM by Microsoft; broader reporting also links the operation to APT29 (Cozy Bear, The Dukes).

TEARDROP has been described as running as a Windows service, including from C:\Windows\SysWOW64, and FireEye reporting associated it with C:\Windows\SYSWOW64\netsetupsvc.dll. It loaded executable code directly into memory without writing a payload to disk: it read payload data from gracious_truth.jpg, checked for the existence of HKU\SOFTWARE\Microsoft\CTF before decoding its embedded payload, decoded that payload with a custom rolling XOR algorithm, and then mapped it manually with a custom PE-like loader.

The high-confidence indicators and artifacts cited here are the service-based execution, the path C:\Windows\SYSWOW64\netsetupsvc.dll, the file gracious_truth.jpg, and the registry check for HKU\SOFTWARE\Microsoft\CTF. The malware is specifically tied to selected SolarWinds victims that received second-stage tooling over HTTP/HTTPS after the initial SUNBURST compromise.
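As an added example for defenders (not code from this page or from any vendor report), the following Python correlates constructed, Sysmon-style telemetry for the three host artifacts named above: a service whose image is C:\Windows\SYSWOW64\netsetupsvc.dll, access to a file named gracious_truth.jpg, and a query of HKU\SOFTWARE\Microsoft\CTF. The event shape, host names, timestamps, evidence weights, the 10-minute window, and the directory in which gracious_truth.jpg sits in the sample are all assumptions; the page does not state where the file resided.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Artifacts taken from the TEARDROP description above (compared case-insensitively).
SERVICE_DLL = r"c:\windows\syswow64\netsetupsvc.dll"
PAYLOAD_FILE = "gracious_truth.jpg"
REG_KEY = r"hku\software\microsoft\ctf"

# Evidence weights and alert threshold are assumptions: the service DLL path is
# specific enough to alert on its own, while the CTF key is also read by
# legitimate Text Services Framework users and only adds weight to other hits.
WEIGHTS = {"service_dll": 3, "payload_file": 2, "reg_check": 1}
THRESHOLD = 3
WINDOW = timedelta(minutes=10)


def _t(s):
    return datetime.fromisoformat(s)


# Constructed sample telemetry (not real logs): host names, times and the
# directory holding gracious_truth.jpg are made up for this example.
SAMPLE_EVENTS = [
    {"host": "ws-a", "ts": _t("2020-12-14T10:00:00"), "type": "service_install",
     "image": r"C:\Windows\SYSWOW64\netsetupsvc.dll"},
    {"host": "ws-a", "ts": _t("2020-12-14T10:00:40"), "type": "reg_query",
     "key": r"HKU\SOFTWARE\Microsoft\CTF"},
    {"host": "ws-a", "ts": _t("2020-12-14T10:01:05"), "type": "file_read",
     "path": r"C:\Windows\SysWOW64\gracious_truth.jpg"},
    # ws-b: only the registry key, which legitimate software also reads.
    {"host": "ws-b", "ts": _t("2020-12-14T11:00:00"), "type": "reg_query",
     "key": r"HKU\SOFTWARE\Microsoft\CTF"},
    {"host": "ws-b", "ts": _t("2020-12-14T11:00:10"), "type": "file_create",
     "path": r"C:\Users\jdoe\Pictures\holiday.jpg"},
    # ws-c: a legitimate service plus two weak hits that are 30 minutes apart.
    {"host": "ws-c", "ts": _t("2020-12-14T12:00:00"), "type": "service_install",
     "image": r"C:\Windows\System32\svchost.exe -k netsvcs"},
    {"host": "ws-c", "ts": _t("2020-12-14T12:00:30"), "type": "reg_query",
     "key": r"HKU\SOFTWARE\Microsoft\CTF"},
    {"host": "ws-c", "ts": _t("2020-12-14T12:30:00"), "type": "file_read",
     "path": r"C:\Temp\gracious_truth.jpg"},
]


def match_stage(event):
    """Map one event to a TEARDROP artifact stage, or None if it matches nothing."""
    kind = event["type"]
    if kind == "service_install" and event["image"].lower() == SERVICE_DLL:
        return "service_dll"
    if kind in ("file_create", "file_read") and \
            event["path"].lower().rsplit("\\", 1)[-1] == PAYLOAD_FILE:
        return "payload_file"
    if kind == "reg_query" and event["key"].lower() == REG_KEY:
        return "reg_check"
    return None


def hunt(events, window=WINDOW, threshold=THRESHOLD):
    """Return one alert per host whose matched artifacts, seen within `window`
    of each other, reach `threshold`; each alert lists the stages and score."""
    hits = defaultdict(list)
    for ev in events:
        stage = match_stage(ev)
        if stage is not None:
            hits[ev["host"]].append((ev["ts"], stage))

    alerts = []
    for host, host_hits in sorted(hits.items()):
        host_hits.sort()
        for i, (start, _) in enumerate(host_hits):
            # Distinct stages seen in the window starting at this hit.
            cluster = {s for ts, s in host_hits[i:] if ts - start <= window}
            score = sum(WEIGHTS[s] for s in cluster)
            if score >= threshold:
                alerts.append({"host": host, "first_seen": start,
                               "stages": sorted(cluster), "score": score})
                break  # one alert per host is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in hunt(SAMPLE_EVENTS):
        print(f"{alert['host']}: score={alert['score']} stages={alert['stages']}")
```

With the sample data only ws-a alerts; ws-b touches nothing but the CTF key, and ws-c's two weaker hits fall outside the window. Widening the window to an hour would also raise ws-c, which is the trade-off to tune against your own false-positive rate for the registry check.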
Groups observed using it
2 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
If further actions were taken, TEARDROP or RAINDROP backdoors would be deployed, which would install a customized Cobalt Strike beacon in the environment, enumerating the domain and allowing for the collection and exfiltration of information of value using hands-on-keyboard techniques.
Techniques & procedures
23 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development (1 technique)
Initial Access (3 techniques)
We assess that threat actors will almost certainly continue to develop their capability to compromise organizations through supply chains as an alternative to direct action against a target’s network defences.
State-sponsored threat actors have demonstrated their ability to compromise service providers such as MSPs as a method of infiltrating the supply chain of organizations of strategic interest, establishing persistence, and securing access to downstream targets.
Execution (2 techniques)
Persistence (3 techniques)
The content repeatedly describes threat actors and malware modifying, creating, deleting, or storing data in Windows Registry keys and values for persistence, configuration storage, defense evasion, credential access, privilege escalation, and execution.
Privilege Escalation (3 techniques)
MITRE ATT&CK mapping: APT29, Privilege Escalation, T1055.002 (Process Injection: Portable Executable Injection)
Stealth (8 techniques)
The content repeatedly describes malware and threat actors using obfuscated code, encrypted strings, Base64/XOR/RC4/AES encoding, VMProtect/ConfuserEx/SmartAssembly, stack strings, control-flow flattening, opaque predicates, and hidden payloads to evade analysis and detection.
"SHOTPUT is obscured using XOR encoding and appended to a valid GIF file." / "TEARDROP created and read from a file with a fake JPG header" / "Ramsay has base64-encoded its portable executable and hidden itself under a JPG header."
JPIN uses an encrypted and compressed payload that is disguised as a bitmap within the resource section of the installer. Ramsay has base64-encoded its portable executable and hidden itself under a JPG header. TEARDROP created and read from a file with a fake JPG header.
During the 2016 Ukraine Electric Power Attack, DLLs and EXEs with filenames associated with common electric power sector protocols were used to masquerade files.
MITRE ATT&CK mapping: APT29, Privilege Escalation, T1055.002 (Process Injection: Portable Executable Injection)
The content repeatedly describes malware and threat actors decoding, decrypting, deobfuscating, or unpacking payloads, strings, configuration data, commands, and C2 responses prior to execution or use.
Defense Impairment (1 technique)
Credential Access (2 techniques)
Discovery (2 techniques)
The content repeatedly describes malware and threat actors querying, enumerating, searching, reading, or checking Windows Registry keys and values, e.g., "ADVSTORESHELL can enumerate registry keys," "APT41 queried registry values to determine items such as configured RDP ports and network configurations," and "Reg may be used to gather details from the Windows Registry of a local or remote system at the command-line interface."
Collection (1 technique)
IOCs tracked for this family
5 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
41 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Second-stage malware delivered in the SUNBURST campaign for selected victims, alongside Cobalt Strike Beacon over HTTP/HTTPS C2.
Referenced in supporting material as part of the Solorigate second-stage malware chain from SUNBURST to TEARDROP and RAINDROP.
Memory-only dropper delivered by SUNBURST and used to deploy Cobalt Strike Beacon and potentially other backdoors.
Malware referenced as part of the Solorigate intrusion chain; the content only mentions it through a cited reference and does not describe its behavior further.