TEARDROP
TEARDROP is a previously unknown memory-only dropper and post-exploitation malware associated with the 2020 SolarWinds Orion supply-chain compromise. It was observed as a second-stage payload delivered after SUNBURST/Solorigate activity and was used to deploy customized Cobalt Strike Beacon, with some reporting also noting delivery of other malware. FireEye described it as a novel in-memory dropper with no code overlap to previously seen malware. TEARDROP has been attributed in the broader campaign to the actor tracked as UNC2452 and by Microsoft as NOBELIUM; the activity is also associated with APT29/Cozy Bear/The Dukes.
High-confidence behavior described in the source material includes execution as a Windows service, spawning a thread, reading payload data from a file such as gracious_truth.jpg, checking for the registry key HKU\SOFTWARE\Microsoft\CTF before decoding its embedded payload, decoding that payload with a custom rolling XOR algorithm, and manually loading the decoded payload into memory using a custom PE-like loader without leaving an on-disk payload. TEARDROP was observed running from or associated with C:\Windows\SysWOW64\netsetupsvc.dll, and reporting states it modified the registry to create a Windows service for persistence/execution on a compromised host.
Within the SolarWinds intrusion chain, TEARDROP was used after compromise of SolarWinds Orion environments to enable follow-on hands-on-keyboard activity, including deployment of Cobalt Strike for lateral movement and further intrusion operations. It is explicitly referenced alongside other malware families used in the campaign, including SUNBURST, RAINDROP, GoldMax, Sibot, and GoldFinder. The malware is tied to victim environments affected by the SolarWinds compromise, including U.S. government and private-sector targets; broader reporting on the actor identifies targeting of government, NGOs, think tanks, military, IT service providers, health technology and research organizations, and telecommunications providers. Reported host indicators and artifacts include the registry path HKU\SOFTWARE\Microsoft\CTF, the DLL path C:\Windows\SysWOW64\netsetupsvc.dll, and the file gracious_truth.jpg used to hold encoded payload data.
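The "fake JPG header" artifact above (payload data held in a file such as gracious_truth.jpg) can be triaged without knowing the decoding scheme: a real JPEG carries a chain of FFxx segments ending in a start-of-scan marker, whereas magic bytes glued onto an opaque blob do not. The following triage helper is an added example written for this page, not vendor or TEARDROP code; the sample bytes are constructed, and the fake layout is only an illustration, not TEARDROP's actual file format.

```python
"""Triage helper for the "fake JPG header" artifact: does a file that starts with
JPEG magic carry real JPEG segment structure, or is the magic glued onto a blob?
Added example (not vendor or TEARDROP code); sample bytes below are constructed."""
import hashlib
import math
from collections import Counter

SOI = b"\xff\xd8"                                         # JPEG start-of-image marker
NO_LENGTH = {0x01, 0xD8, 0xD9} | set(range(0xD0, 0xD8))  # markers without a length field

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; values near 8 suggest encrypted, packed or random data."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def walk_jpeg_header(data: bytes) -> tuple[int, int, bool]:
    """Walk FFxx segments from offset 0 until SOS/EOI (real image data follows).
    Returns (segments_seen, offset_where_walk_stopped, reached_sos_or_eoi)."""
    if not data.startswith(SOI):
        return 0, 0, False
    pos, seen = 2, 1
    while pos + 1 < len(data) and seen < 64:
        if data[pos] != 0xFF:                   # marker prefix missing: structure broke
            return seen, pos, False
        marker = data[pos + 1]
        if marker in (0xDA, 0xD9):              # SOS or EOI: header walk complete
            return seen + 1, pos, True
        if marker in NO_LENGTH:
            pos += 2
        else:
            length = int.from_bytes(data[pos + 2:pos + 4], "big")
            if pos + 4 > len(data) or length < 2:   # truncated, or length smaller than itself
                return seen, pos, False
            pos += 2 + length
        seen += 1
    return seen, pos, False

def triage(data: bytes) -> dict:
    """Flag data that carries JPEG magic but no coherent JPEG header behind it."""
    seen, stop, ok = walk_jpeg_header(data)
    return {"jpeg_magic": data.startswith(SOI), "segments": seen, "header_ends": stop,
            "tail_entropy": round(shannon_entropy(data[stop:]), 2),
            "suspicious": data.startswith(SOI) and not ok}

# Constructed samples: a structurally valid JPEG header, and the same JFIF magic over a blob.
REAL_JPEG = (SOI + b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"  # APP0
             + b"\xff\xdb\x00\x43\x00" + bytes(64) + b"\xff\xc0\x00\x0b\x08\x00\x08\x00\x08\x01\x01\x11\x00"  # DQT, SOF0
             + b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00\x12\x34\x56\xff\xd9")  # SOS, scan data, EOI
FAKE_JPEG = REAL_JPEG[:20] + b"".join(hashlib.sha256(bytes([i])).digest() for i in range(16))
```

Run `triage()` over files whose extension claims an image; a hit is a triage lead for the surrounding service and registry artifacts, not a verdict on its own.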
Groups observed using it
2 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
If further actions were taken, TEARDROP or RAINDROP backdoors would be deployed, which would install a customized Cobalt Strike beacon in the environment, enumerating the domain and allowing for the collection and exfiltration of information of value using hands-on-keyboard techniques.
Techniques & procedures
24 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development
1 technique
For the SolarWinds Compromise, APT29 used numerous pieces of malware that were likely developed for or by the group, including SUNBURST, SUNSPOT, Raindrop, and TEARDROP.
Initial Access
4 techniques
We assess that threat actors will almost certainly continue to develop their capability to compromise organizations through supply chains as an alternative to direct action against a target’s network defences.
State-sponsored threat actors have demonstrated their ability to compromise service providers such as MSPs as a method of infiltrating the supply chain of organizations of strategic interest, establishing persistence, and securing access to downstream targets.
"It is distributed through a wide-scale malicious email campaign operated by NOBELIUM"
“On May 25, 2021, the campaign escalated as NOBELIUM leveraged the legitimate mass-mailing service, Constant Contact, to masquerade as a US-based development organization and distribute malicious URLs…”
Execution
2 techniques
This week, VA officials told reporters there are currently no signs the hackers took advantage of the backdoor in their network, which was unwittingly installed by roughly 18,000 SolarWinds clients this year.
MITRE ATT&CK® Techniques... System Services: Service Execution [T1569.002]
Persistence
3 techniques
The content repeatedly describes threat actors and malware modifying, creating, deleting, or storing data in Windows Registry keys and values for persistence, configuration storage, defense evasion, credential access, privilege escalation, and execution.
Catchamas creates three Registry keys to establish persistence by adding a Windows Service; TEARDROP modified the Registry to create a Windows service for itself; NightClub set the ServiceDLL for a service created by the malware.
Privilege Escalation
3 techniques
MITRE ATT&CK Mappings: APT29 Privilege Escalation T1055: Process Injection .002: Portable Executable Injection
Catchamas creates three Registry keys to establish persistence by adding a Windows Service; TEARDROP modified the Registry to create a Windows service for itself; NightClub set the ServiceDLL for a service created by the malware.
Stealth
8 techniques
The content repeatedly describes malware and threat actors using obfuscated code, encrypted strings, Base64/XOR/RC4/AES encoding, VMProtect/ConfuserEx/SmartAssembly, stack strings, control-flow flattening, opaque predicates, and hidden payloads to evade analysis and detection.
"SHOTPUT is obscured using XOR encoding and appended to a valid GIF file." / "TEARDROP created and read from a file with a fake JPG header" / "Ramsay has base64-encoded its portable executable and hidden itself under a JPG header."
JPIN uses an encrypted and compressed payload that is disguised as a bitmap within the resource section of the installer. Ramsay has base64-encoded its portable executable and hidden itself under a JPG header. TEARDROP created and read from a file with a fake JPG header.
During the 2016 Ukraine Electric Power Attack, DLLs and EXEs with filenames associated with common electric power sector protocols were used to masquerade files.
MITRE ATT&CK Mappings: APT29 Privilege Escalation T1055: Process Injection .002: Portable Executable Injection
The content repeatedly describes malware and threat actors decoding, decrypting, or deobfuscating payloads, strings, configuration data, commands, and C2 traffic prior to execution or use, e.g., 'APT28 macro uses the command certutil -decode to decode contents of a .txt file storing the base64 encoded payload' and 'Action RAT can use Base64 to decode actor-controlled C2 server communications.'
“...lateral movement using Windows Management Instrumentation (WMI) to run the attacker’s payload using the Rundll32.exe process.”
Leveraging memory-only droppers to deploy Cobalt Strike BEACON and potentially other backdoors.
Defense Impairment
1 technique
Credential Access
2 techniques
The malware deployed into the Orion Platform, known as Teardrop, was highly sophisticated, according to experts, and in addition to harvesting users’ credentials and monitoring their keystrokes...
Discovery
2 techniques
The content repeatedly describes malware and threat actors querying, enumerating, searching, reading, or checking Windows Registry keys and values, e.g., "ADVSTORESHELL can enumerate registry keys," "APT41 queried registry values to determine items such as configured RDP ports and network configurations," and "Reg may be used to gather details from the Windows Registry of a local or remote system at the command-line interface."
TEARDROP or RAINDROP backdoors would be deployed, which would install a customized Cobalt Strike beacon in the environment, enumerating the domain and allowing for the collection and exfiltration of information of value.
Collection
1 technique
Command and Control
2 techniques
MITRE ATT&CK® Techniques... Application Layer Protocol: Web Protocols [T1071.001]
This dropper then requested the download and execution of the second-stage WINELOADER.
IOCs tracked for this family
4 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
39 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Referenced in supporting material as part of the Solorigate second-stage malware chain from SUNBURST to TEARDROP and RAINDROP.
Memory-only dropper delivered by SUNBURST and used to deploy Cobalt Strike Beacon and potentially other backdoors.
Malware referenced as part of the Solorigate intrusion chain; the content only mentions it through a cited reference and does not describe its behavior further.
A memory-only dropper used in conjunction with SUNBURST to deploy Cobalt Strike Beacon.