S0560: TEARDROP
TEARDROP is a memory-only dropper that was discovered on some victim machines during investigations related to the SolarWinds Compromise. It was likely used by APT29 since at least May 2020.[1][2]
Analyst context for executives and security teams
TEARDROP matters because it is described by ATT&CK as a Windows, memory-only dropper observed during SolarWinds Compromise investigations. For leaders, the key issue is not just this specific malware name; it is whether the organization can investigate stealthy second-stage activity that may leave limited file evidence and may rely on registry activity, service abuse, obfuscation, and in-memory execution patterns.
Executive priority
Prioritize TEARDROP as a readiness test for high-consequence intrusion response: can security teams prove what happened on Windows systems when malware is memory-only, tied to a major supply-chain campaign, and associated with APT29 in ATT&CK reporting? Executives should ask whether endpoint telemetry, registry/service auditing, incident response retention, and historical investigation procedures are sufficient to support confident decisions during a supply-chain or advanced intrusion investigation.
Technical view
ATT&CK provides no official detection text for TEARDROP, so SOC and IR teams should validate coverage through the related behaviors: Query Registry, Modify Registry, Windows Service creation or modification, Obfuscated Files or Information, Deobfuscate/Decode Files or Information, and naming or placement that matches legitimate resources. Because the malware is described as memory-only and Windows-based, teams should not rely only on file-based detections; they should confirm endpoint visibility into process behavior, service configuration changes, registry access/modification, and suspicious in-memory execution indicators.
Likely telemetry
- Windows endpoint detection and response telemetry
- Process execution and parent/child process context
- Windows Registry query and modification events
- Windows service creation, modification, and configuration-change events
- Command-line and script execution logs where available
Detection direction
- Validate detections for unusual registry querying and registry modification on Windows hosts, especially when paired with suspicious process or service activity.
- Tune monitoring for new or modified Windows services, including service path changes and service names or locations that resemble legitimate resources.
- Review whether obfuscation and deobfuscation behaviors are detected behaviorally rather than only by static file signatures.
- Test investigation workflows for memory-only malware scenarios where disk artifacts may be limited.
- Use the SolarWinds Compromise and APT29 relationships as threat-intelligence context, not as proof of current activity in the local environment.
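As an added example (not code from this page, from ATT&CK, or from the cited reports), the following Python triage works through two of the detection anchors above on parsed Windows service-install records (the fields carried by System log Event ID 7045): a service name that mimics a legitimate Windows service, and a service binary outside expected directories. The allowlist, the expected directories and the sample events are constructed assumptions, not TEARDROP indicators.

```python
"""Triage of Windows service-install records (System log Event ID 7045 fields)
for two of the anchors above: a service name mimicking a legitimate Windows
service, and a service binary outside expected directories (constructed data)."""
from dataclasses import dataclass
import ntpath

# Hypothetical allowlist; in practice derive it from a gold image of the host build.
KNOWN_SERVICES = {"wuauserv", "Dnscache", "EventLog", "Schedule", "LanmanServer"}
EXPECTED_DIRS = (r"c:\windows\system32", r"c:\program files")

@dataclass
class ServiceInstallEvent:  # subset of the fields carried by Event ID 7045
    service_name: str
    image_path: str

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a small distance to a known name marks a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def binary_from_image_path(image_path: str) -> str:
    """Return only the executable from an ImagePath that may be quoted and carry arguments."""
    p = image_path.strip().lstrip('"')
    idx = p.lower().find(".exe")
    return p[:idx + 4] if idx != -1 else p.split(" ")[0]

def triage(ev: ServiceInstallEvent) -> list:
    """Return findings for one event; an empty list means nothing unusual."""
    findings = []
    name = ev.service_name.lower()
    if name not in {s.lower() for s in KNOWN_SERVICES}:
        close = sorted(s for s in KNOWN_SERVICES if edit_distance(name, s.lower()) <= 2)
        if close:
            findings.append(f"lookalike service name {ev.service_name!r} resembles {close}")
    folder = ntpath.dirname(binary_from_image_path(ev.image_path)).lower()
    if not folder.startswith(EXPECTED_DIRS):
        findings.append(f"service binary outside expected directories: {folder}")
    return findings

# Constructed sample events: a benign Windows Update install and a TEARDROP-style one.
SAMPLE_EVENTS = [
    ServiceInstallEvent("wuauserv", r"C:\Windows\system32\svchost.exe -k netsvcs"),
    ServiceInstallEvent("EventLogg", r'"C:\Windows\Temp\evtlog.exe"'),
]
```

Feed it records parsed from your SIEM's 7045 events and review only the events with non-empty findings; the change-control evidence mentioned under mitigation priorities is what lets you close the benign ones quickly.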
Mitigation priorities
- Strengthen Windows endpoint visibility before relying on malware-name detection, since ATT&CK provides no TEARDROP-specific detection guidance.
- Limit and monitor permissions that allow service creation, service modification, and sensitive registry changes.
- Maintain change-control evidence for legitimate service and registry modifications to support faster triage.
- Ensure incident response playbooks include volatile-data and endpoint-timeline collection for memory-only malware investigations.
- For organizations with SolarWinds-related historical exposure or response obligations, preserve and review relevant host telemetry and investigation records where available.
Analyst notes and limits
The strongest decision value is to treat TEARDROP as a coverage and response-readiness scenario for stealthy Windows second-stage malware associated in ATT&CK with the SolarWinds Compromise and likely APT29 use since at least May 2020. The relationship-mapped techniques provide the practical detection anchors: registry activity, service abuse, obfuscation/deobfuscation, and legitimate-looking resource naming.
ATT&CK does not provide official detection guidance, malware tactics, aliases, or detailed procedure steps in the supplied fields. This take does not assert active exploitation, local exposure, or guaranteed detection. Local endpoint telemetry, historical SolarWinds investigation scope, and asset context are required to determine relevance and coverage.
TEARDROP
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1012 | Query Registry | TEARDROP checked that |
| Enterprise | T1027 | Obfuscated Files or Information | TEARDROP created and read from a file with a fake JPG header, and its payload was encrypted with a simple rotating XOR cipher. (Citations: FireEye SUNBURST Backdoor December 2020; Check Point Sunburst Teardrop December 2020; Microsoft Deep Dive Solorigate January 2021) |
| Enterprise | T1112 | Modify Registry | TEARDROP modified the Registry to create a Windows service for itself on a compromised host. (Citation: Check Point Sunburst Teardrop December 2020) |
| Enterprise | T1543.003 | Windows Service Sub-technique | TEARDROP ran as a Windows service from the |
| Enterprise | T1036.005 | Match Legitimate Resource Name or Location Sub-technique | TEARDROP files had names that resembled legitimate Windows file and directory names. (Citations: FireEye SUNBURST Backdoor December 2020; Microsoft Deep Dive Solorigate January 2021) |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | TEARDROP was decoded using a custom rolling XOR algorithm to execute a customized Cobalt Strike payload. (Citations: FireEye SUNBURST Backdoor December 2020; Check Point Sunburst Teardrop December 2020; Microsoft Deep Dive Solorigate January 2021) |
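An added example, not from this page or its cited reports, of a file-triage check for the fake JPG header described in the T1027 and T1140 rows: a blob that begins with the JPEG SOI marker but has no valid segment structure and near-maximal byte entropy, which is what an XOR-encrypted payload behind a pasted image header looks like. The marker set, thresholds and sample blobs are constructed for the example; TEARDROP's actual cipher and file layout are not reproduced.

```python
"""Triage check for the fake JPG header in the T1027/T1140 rows: a file that
starts like a JPEG, has no valid JPEG segment structure, and whose bytes are
near-uniformly distributed, as XOR-encrypted payloads tend to be (constructed data)."""
import math
from collections import Counter

JPEG_SOI = b"\xff\xd8"
SOS = 0xDA  # start of scan: entropy-coded image data follows this segment
# Markers that carry a 2-byte length field: SOFn/DHT, DQT, DRI, APPn, COM.
SEGMENT_MARKERS = set(range(0xC0, 0xD0)) | {0xDB, 0xDD, 0xFE} | set(range(0xE0, 0xF0))

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 is the maximum and is typical of encrypted or random data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def walks_as_jpeg(data: bytes, max_segments: int = 16) -> bool:
    """Walk marker segments after SOI; a pasted header fails on a non-marker byte or an overrunning length."""
    if not data.startswith(JPEG_SOI):
        return False
    pos = 2
    for _ in range(max_segments):
        if pos + 4 > len(data) or data[pos] != 0xFF:
            return False
        marker = data[pos + 1]
        if marker == SOS:
            return True
        if marker not in SEGMENT_MARKERS:
            return False
        length = int.from_bytes(data[pos + 2:pos + 4], "big")
        if length < 2 or pos + 2 + length > len(data):
            return False
        pos += 2 + length
    return True  # many well-formed segments and still no SOS: treat as plausible

def triage_blob(data: bytes) -> dict:
    """Summarise one file; 'suspicious' is the fake-header-plus-encrypted-body case."""
    claims = data.startswith(JPEG_SOI)
    valid = walks_as_jpeg(data)
    ent = round(shannon_entropy(data), 2)
    return {"claims_jpeg": claims, "valid_structure": valid, "entropy": ent,
            "suspicious": claims and not valid and ent > 7.0}

# Constructed samples: a minimal real JPEG prefix (APP0 then SOS), a pasted JPEG
# header on a body using every byte value equally often, and plain text.
REAL_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00" + b"\xff\xda\x00\x08" + bytes(20)
FAKE_JPEG = b"\xff\xd8\xff\xe0" + bytes((i * 73 + 41) % 256 for i in range(1024))
PLAIN_TEXT = b"hello world " * 40
```

Run `triage_blob` over image files collected from hosts in scope; a pasted header alone is not proof, so pair a hit with the service and registry findings from the other rows before escalating.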
Groups, software, and campaigns
G0016: APT29
APT29 is a threat group that has been attributed to Russia's Foreign Intelligence Service (SVR).[1][2] They have operated since at least 2008, often targeting government networks in Europe and NATO member countries, research institutes, and think tanks. APT29 reportedly compromised the Democratic National Committee starting in the summer of 2015.[3][4][5][6]
In April 2021, the US and UK governments attributed the SolarWinds Compromise to the SVR; public statements included citations to APT29, Cozy Bear, and The Dukes.[7][8] Industry reporting also referred to the actors involved in this campaign as UNC2452, NOBELIUM, StellarParticle, Dark Halo, and SolarStorm.[9][10][11][12][13][14]
C0024: SolarWinds Compromise
The SolarWinds Compromise was a sophisticated supply chain cyber operation conducted by APT29 that was discovered in mid-December 2020. APT29 used customized malware to inject malicious code into the SolarWinds Orion software build process that was later distributed through a normal software update; they also used password spraying, token theft, API abuse, spear phishing, and other supply chain attacks to compromise user accounts and leverage their associated access. Victims of this campaign included government, consulting, technology, telecom, and other organizations in North America, Europe, Asia, and the Middle East. This activity has been labeled the StellarParticle campaign in industry reporting.[1] Industry reporting also initially referred to the actors involved in this campaign as UNC2452, NOBELIUM, Dark Halo, and SolarStorm.[2][3][4][5][1][6][7][8]
In April 2021, the US and UK governments attributed the SolarWinds Compromise to Russia's Foreign Intelligence Service (SVR); public statements included citations to APT29, Cozy Bear, and The Dukes.[9][10][11] The US government assessed that of the approximately 18,000 affected public and private sector customers of SolarWinds' Orion product, a much smaller number were compromised by follow-on APT29 activity on their systems.[12]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.2 | | Current bundle | 68d3d6a37ea9… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] FireEye SUNBURST Backdoor December 2020. FireEye. (2020, December 13). Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor. Retrieved January 4, 2021.
[2] Microsoft Deep Dive Solorigate January 2021. MSTIC, CDOC, 365 Defender Research Team. (2021, January 20). Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop. Retrieved January 22, 2021.
[3] mitre-attack S0560.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.