SUNBURST
SUNBURST is a backdoor delivered as a trojanized, digitally signed SolarWinds Orion DLL (SolarWinds.Orion.Core.BusinessLayer.dll) and distributed through compromised Orion software updates in the 2020 SolarWinds supply-chain compromise. The malicious code was inserted into Orion's source/build process and pushed to customers through SolarWinds' own update mechanism; reporting indicates that compromised releases were distributed between roughly March and June 2020 and that nearly 18,000 customers may have received the malicious update. Microsoft tracks the malware as Solorigate. It has been attributed to the actor FireEye tracked as UNC2452 and Microsoft later named NOBELIUM; multiple reports cited here also link the broader campaign to APT29 (Cozy Bear) and SVR-related activity.
Functionally, SUNBURST gives the actor remote backdoor access to the victim environment and served as the initial foothold for selective follow-on intrusion activity. FireEye reported that the compromises were not self-propagating and that post-compromise activity required careful planning and manual interaction. SUNBURST was observed delivering TEARDROP, a memory-only dropper, which in turn delivered Cobalt Strike Beacon and other malware. Microsoft reported that the Orion foothold was used to obtain elevated credentials and, in some cases, access to the trusted SAML token-signing certificate, allowing the actor to forge tokens and impersonate users, including highly privileged accounts.
Behaviorally, SUNBURST is built for stealth. It stays dormant for roughly 12 to 14 days after the trojanized DLL is written to disk before activating, disguises its command-and-control traffic as legitimate Orion Improvement Program (OIP) traffic, and Base64-encodes data in its C2 communications. Once its internal checks pass, it generates per-host C2 hostnames at runtime as subdomains of avsvmcloud[.]com and uses the DNS answer to decide how to proceed. FireEye identified a killswitch tied to how those avsvmcloud[.]com lookups resolved: once the domain was sinkholed, infections still beaconing to it stopped executing. The sinkhole did not, however, remove any additional persistence the actor had already established in victim networks.
Before fully executing, the malware runs extensive environment and defense-evasion checks. It enumerates running processes, services, and drivers and compares each name against hardcoded blocklists stored as hashes (FNV-1a, XORed with a constant) rather than cleartext, so the targeted products are not visible as strings in the binary. If a blocklisted security or analysis process is present it does not proceed; for blocklisted services it attempts to disable them by setting the service's registry Start value to 4 (SERVICE_DISABLED). Drivers are enumerated with the WMI query "Select * From Win32_SystemDriver", and reporting specifically notes blocklist entries including SentinelMonitor.sys and other security-related drivers. It also reads HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid from the compromised host (used to derive a per-victim identifier) and removes HTTP proxy registry values to clean up traces of its execution.
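The hashed-blocklist scheme above is worth seeing in code, both from the implant's side and the analyst's. The block below is an added example written for this page, not code from the SUNBURST sample, SolarWinds, or any of the cited reports. It implements 64-bit FNV-1a with a trailing XOR, exactly as the paragraph describes the scheme, but the XOR key and the blocklist hashes are constructed for the example: the real sample used its own constant and its own list, and only SentinelMonitor.sys below is a name taken from the page. The second half shows the defender's counter-move, which is how the blocklisted product names were recovered in practice: hash a dictionary of candidate process, service and driver names and match against the integers pulled out of the binary.

```python
"""Hashed-blocklist matching in the style of SUNBURST (added example).

The implant lowercased each process/service/driver name, hashed it with
64-bit FNV-1a, XORed the result with a fixed key and compared it against a
hardcoded list of integers. Defenders reversed the list by hashing candidate
names. The XOR key and blocklist here are constructed for the example.
"""

FNV_OFFSET_64 = 0xCBF29CE484222325   # standard FNV-1a 64-bit offset basis
FNV_PRIME_64 = 0x100000001B3         # standard FNV-1a 64-bit prime
MASK_64 = (1 << 64) - 1

# Assumed key for this example only; the real sample carried its own constant.
EXAMPLE_XOR_KEY = 0x5A5AA5A50F0FF0F0


def fnv1a_64(data):
    """Plain FNV-1a over a byte string, truncated to 64 bits."""
    h = FNV_OFFSET_64
    for b in data:
        h ^= b
        h = (h * FNV_PRIME_64) & MASK_64
    return h


def sunburst_style_hash(name, key=EXAMPLE_XOR_KEY):
    """Lowercase, UTF-8 encode, FNV-1a, then XOR with the key."""
    return fnv1a_64(name.lower().encode("utf-8")) ^ key


# Constructed blocklist. The binary would ship only the integers; the names are
# kept here so the example is self-contained. SentinelMonitor.sys is a driver
# named in public reporting; the other two are placeholders.
_BLOCKED_DRIVER_NAMES = ["SentinelMonitor.sys", "exampleav.sys", "examplemon.sys"]
BLOCKED_DRIVER_HASHES = frozenset(sunburst_style_hash(n) for n in _BLOCKED_DRIVER_NAMES)


def blocked_present(observed, blocklist):
    """The implant's side: which observed names hash into the blocklist.
    Matching is case-insensitive because the hash input is lowercased."""
    return [n for n in observed if sunburst_style_hash(n) in blocklist]


def recover_names(hashes, candidates):
    """The analyst's side: hash a candidate dictionary and map each blocklist
    integer back to a cleartext name where a candidate matches."""
    table = {sunburst_style_hash(c): c for c in candidates}
    return {h: table[h] for h in hashes if h in table}


if __name__ == "__main__":
    # Constructed driver inventory, as Win32_SystemDriver would report it.
    observed = ["ntfs.sys", "SENTINELMONITOR.SYS", "tcpip.sys"]
    print("blocklisted drivers present:", blocked_present(observed, BLOCKED_DRIVER_HASHES))

    # Constructed candidate dictionary an analyst might hash against the integers.
    candidates = ["sentinelmonitor.sys", "wireshark.exe", "procmon.exe", "exampleav.sys"]
    for h, name in recover_names(BLOCKED_DRIVER_HASHES, candidates).items():
        print(f"0x{h:016x} -> {name}")
```

The recovery step only works because the input space is small and guessable (product binary and driver names), which is why hashing the blocklist hides the names from strings output but not from an analyst with a decent wordlist.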
Hunting and forensic details directly cited in the content include execution inside the Orion service host SolarWinds.BusinessLayerHost.exe (which loads the trojanized SolarWinds.Orion.Core.BusinessLayer.dll), the weaponized OrionImprovementBusinessLayer class in the SolarWinds.Orion.Core.BusinessLayer namespace, the named pipe 583da945-62af-10e8-4902-a8f205c72b2e (used by the backdoor to ensure only one instance runs), and network traffic to subdomains of avsvmcloud[.]com. The malware reached a broad customer base, but follow-on exploitation was selective: reported victim sectors include government, consulting, technology, telecom, and extractive organizations across North America, Europe, Asia, and the Middle East, and public reporting names multiple U.S. government agencies among the affected entities.
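The DNS artifact above is the one most teams can actually hunt retroactively, so here is a triage script for it. This is an added example written for this page, not a detection from FireEye, Microsoft, or the cited reports. It reads constructed Zeek-style dns.log records (the hosts, subdomain labels and answer addresses are made up; the `appsync-api.<region>` label pattern follows public reporting on the implant) and applies two facts from the paragraphs above: any lookup under avsvmcloud[.]com means an Orion host passed the dormancy period and beaconed, and a CNAME in the answer means the actor pointed that host at second-stage C2 rather than leaving it in the DGA loop or letting the killswitch stop it.

```python
"""Triage SUNBURST beaconing in DNS telemetry (added example).

Any query under avsvmcloud.com identifies a host running the backdoor. An
answer containing a CNAME (a hostname rather than an address) indicates the
actor selected that host for second-stage C2; address-only answers cover both
hosts left in the DGA loop and hosts stopped by the killswitch/sinkhole.
Log lines below are constructed for the example.
"""
import ipaddress

C2_PARENT = "avsvmcloud.com"

# Constructed Zeek-style dns.log excerpt (tab-separated; '-' means empty).
SAMPLE_DNS_LOG = """\
#fields\tts\tid.orig_h\tquery\tanswers
1608000001.1\t10.1.2.10\tupdates.example.internal\t10.1.2.5
1608000002.2\t10.1.2.10\texamplehost1abc.appsync-api.eu-west-1.avsvmcloud.com\t198.51.100.7
1608000003.3\t10.1.2.11\texamplehost2def.appsync-api.us-east-1.avsvmcloud.com\tstage2.example.net,203.0.113.9
1608000004.4\t10.1.2.12\tmail.example.internal\t-
1608000005.5\t10.1.2.13\tnotavsvmcloud.com\t203.0.113.44
"""


def is_c2_query(qname):
    """True for avsvmcloud.com or any subdomain of it. A plain substring test
    would also match look-alikes such as notavsvmcloud.com, so match on labels."""
    q = qname.lower().rstrip(".")
    return q == C2_PARENT or q.endswith("." + C2_PARENT)


def _is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def parse_zeek_dns(text):
    """Yield one dict per record, keyed by the names in the #fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        yield dict(zip(fields, line.split("\t")))


def classify(record):
    """None for unrelated queries; 'beacon' for a DGA query answered only with
    addresses (or nothing); 'stage2_selected' when the answer carries a CNAME."""
    if not is_c2_query(record["query"]):
        return None
    answers = [] if record["answers"] == "-" else record["answers"].split(",")
    if any(not _is_ip(a) for a in answers):
        return "stage2_selected"
    return "beacon"


def triage(log_text):
    """Map each querying host to its SUNBURST-related lookups and verdicts."""
    hits = {}
    for rec in parse_zeek_dns(log_text):
        verdict = classify(rec)
        if verdict:
            hits.setdefault(rec["id.orig_h"], []).append((rec["query"], verdict))
    return hits


if __name__ == "__main__":
    for host, lookups in triage(SAMPLE_DNS_LOG).items():
        for qname, verdict in lookups:
            print(f"{host}\t{verdict}\t{qname}")
```

Hosts tagged `stage2_selected` are the ones to prioritise for TEARDROP and Cobalt Strike hunting; hosts tagged `beacon` still ran the backdoor and need the trojanized DLL removed even if the actor never followed up.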
Groups observed using it
5 distinct threat actors attributed by public researchers.
The threat actor inserted malicious software into Solarwinds’ development environment, infecting Orion’s source code with the SUNBURST malware. The compromised build was pushed to customers as an update to their existing Orion installations, deploying SUNBURST into customer environments.
the company's software by inserting the Sunburst malware into some updates for the SolarWinds Orion app
A second one is the Sunburst (Solorigate) backdoor malware deployed by the SolarWinds hackers on the systems of organizations who installed trojanized Orion builds via the platform's built-in automatic update mechanism.
...attackers leveraging the trust associated with SolarWinds Orion software to infiltrate government agencies and other companies so as to deploy a custom malware codenamed "Sunburst."
Techniques & procedures
27 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
4 techniques
We have identified a global campaign that introduces a compromise into the networks of public and private organizations through the software supply chain. This compromise is delivered through updates to a widely-used IT infrastructure management software—the Orion network monitoring product from SolarWinds.
Use of malicious SolarWinds update : Inserting malicious code into legitimate software updates for the Orion software that allow an attacker remote access into the victim’s environment
State-sponsored threat actors have demonstrated their ability to compromise service providers such as MSPs as a method of infiltrating the supply chain of organizations of strategic interest, establishing persistence, and securing access to downstream targets.
Malwarebytes said its intrusion is not related to the SolarWinds supply chain incident since the company doesn't use any of SolarWinds software in its internal network.
Execution
4 techniques
The content repeatedly describes threat actors and malware using WMI/WMIC/wmiexec for remote execution, lateral movement, discovery, persistence, and administrative actions; e.g., 'APT41 used WMI in several ways, including for execution of commands via WMIEXEC as well as for persistence via PowerSploit' and 'Scattered Spider used Windows Management Instrumentation (WMI) to move laterally via Impacket.'
'After taking control of the Orion update mechanism, the attackers were using it to install a backdoor that FireEye researchers are calling Sunburst.'
That intrusion involved malicious code being surreptitiously inserted into updates shipped by SolarWinds for some 18,000 users of its Orion network management software...
Persistence
2 techniques
Neoichor can clear the browser history on a compromised host by changing the ClearBrowsingHistoryOnExit value to 1 in the HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Privacy Registry key.
Privilege Escalation
1 technique
Stealth
9 techniques
The content repeatedly describes malware and threat actors using obfuscated code, encrypted strings, Base64/XOR/RC4/AES encoding, VMProtect/ConfuserEx/SmartAssembly, stack strings, control-flow flattening, opaque predicates, and hidden payloads to evade analysis and detection.
During the 2016 Ukraine Electric Power Attack, DLLs and EXEs with filenames associated with common electric power sector protocols were used to masquerade files.
RedCurl mimicked legitimate file names and scheduled tasks, e.g. MicrosoftCurrentupdatesCheck and MdMMaintenenceTask to mask malicious files and scheduled tasks.
Bisonal has deleted Registry keys to clean up its prior activity. FIN8 has deleted Registry keys during post compromise cleanup activities. SUNBURST also deleted previously-created Image File Execution Options (IFEO) Debugger registry values and registry keys related to HTTP proxy to clean up traces of its activity.
The content repeatedly describes threat actors and malware deleting files, tools, scripts, logs, droppers, staged data, and artifacts from compromised systems to cover tracks, remove evidence, or self-delete.
CSPY Downloader has the ability to remove values it writes to the Registry.
This is one of multiple stealth capabilities that helped the operation go undetected for so long, along with a two-week dormancy period...
Several entries describe malware examining running processes to determine if a debugger, sandbox, virtual environment, or analysis/security tools are present, such as AsyncRAT checking for a debugger, RogueRobin enumerating Wireshark and Sysinternals processes, and P8RAT checking for processes associated with virtual environments.
Defense Impairment
1 technique
Discovery
5 techniques
The content repeatedly describes malware and threat actors querying, enumerating, searching, reading, or checking Windows Registry keys and values, e.g., "ADVSTORESHELL can enumerate registry keys," "APT41 queried registry values to determine items such as configured RDP ports and network configurations," and "Reg may be used to gather details from the Windows Registry of a local or remote system at the command-line interface."
The content repeatedly describes malware and threat actors obtaining lists of running processes, using utilities such as tasklist, ps, WMI, Get-Process, CreateToolhelp32Snapshot, EnumProcesses, and similar APIs/commands to enumerate active processes on victim systems.
SUNBURST then communicated with the threat actors, who would verify that the accessed environment had information of value worth exfiltrating.
This is one of multiple stealth capabilities that helped the operation go undetected for so long, along with a two-week dormancy period...
Several entries describe malware examining running processes to determine if a debugger, sandbox, virtual environment, or analysis/security tools are present, such as AsyncRAT checking for a debugger, RogueRobin enumerating Wireshark and Sysinternals processes, and P8RAT checking for processes associated with virtual environments.
Collection
1 technique
The content repeatedly describes threat actors and malware collecting, stealing, identifying, copying, or staging files, documents, credentials, logs, databases, and other information from compromised hosts or local systems.
Command and Control
4 techniques
a key domain name — avsvmcloud[.]com — that was used by the SolarWinds hackers to communicate with systems compromised by the backdoored Orion product updates
The content repeatedly describes threat actors, malware, and campaigns using HTTP and/or HTTPS for command and control, including examples such as BlackEnergy communicating with C2 over HTTP POST requests and many other families using HTTP/S for C2.
The source said the intruders behind the SolarWinds compromise seeded the AO’s network with a second stage “Teardrop” malware that went beyond the “Sunburst” malicious software update...
C2 traffic from ADVSTORESHELL is encrypted, then encoded with Base64 encoding... APT19 HTTP malware variant used Base64 to encode communications to the C2 server... APT33 has used base64 to encode command and control traffic.
Other
1 technique
IOCs tracked for this family
143 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Other indicator types observed in public reporting.
Recent activity
116 sources tracked across advisories, community write-ups, and news.
A backdoor implanted into Trojanized SolarWinds Orion software updates that beaconed to attacker-controlled C2 infrastructure, enabled remote access, and could facilitate delivery of additional malware and data exfiltration.
Backdoor malware injected into trojanized SolarWinds Orion updates and distributed through signed software updates.
Referenced in supporting material about the Solorigate intrusion chain; SUNBURST is a backdoor associated with the second-stage activation discussed in the cited material.
Sunburst is a backdoor associated with the SolarWinds supply chain compromise. In this content it is identified via loading of the malicious SolarWinds.Orion.Core.BusinessLayer.dll by SolarWinds.BusinessLayerHost.exe and subsequent DNS queries to avsvmcloud.com, indicating potential unauthorized access, data exfiltration, and further system compromise.