
S0562: SUNSPOT

SUNSPOT is an implant that injected the SUNBURST backdoor into the SolarWinds Orion software update framework. It was used by APT29 since at least February 2020.[1]

Enterprise · S0562 · Malware · Object v1.2
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

SUNSPOT matters because it represents malware used to tamper with a software build process, injecting the SUNBURST backdoor into the SolarWinds Orion update framework. For leaders, the key lesson is not only malware removal; it is whether build systems, update pipelines, privileged developer workflows, and release integrity controls are monitored and defensible during an incident or audit.

Executive priority

Prioritize SUNSPOT as a supply-chain and software integrity risk. The ATT&CK relationship to the SolarWinds Compromise and Compromise Software Supply Chain means executives should ask whether critical software build environments are treated as high-value assets, whether release artifacts can be independently validated, and whether IR teams can investigate manipulation of build outputs, stored data, access tokens, files, and process activity on Windows systems.

Technical view

SUNSPOT is a Windows malware entry associated with APT29 and the SolarWinds Compromise. The ATT&CK relationships in the table on this page map it to supply-chain compromise (T1195.002), obfuscation and deobfuscation (T1027, T1140), masquerading as a legitimate file name and location (T1036.005), process and file/directory discovery (T1057, T1083), native API use (T1106), access token manipulation (T1134), file deletion (T1070.004), execution guardrails including a mutex (T1480, T1480.002), and stored data manipulation (T1565.001). Read together, the procedure rows describe a build-time source swap: wait for MsBuild.exe, locate the Orion solution directory from its command line, back the target .cs file up under a .bk extension, write the backdoored source as a .tmp file, rename it over the original .cs so it is compiled, then restore the original and delete the .bk. SOC and IR teams should validate visibility on build hosts and software update infrastructure for exactly that sequence: process enumeration, file and directory discovery, short-lived .bk and .tmp files beside source files, renames over source files by processes that are not build tools, token privilege changes, mutex creation, and integrity changes to build or release artifacts.

Likely telemetry

  • Windows endpoint process creation and process lineage
  • Windows file creation, modification, deletion, and directory enumeration evidence
  • Build server and CI/CD pipeline logs
  • Software artifact signing, hashing, and release validation records
  • Access token, privilege context, and service account activity telemetry

Detection direction

  • Do not rely on a single malware signature; ATT&CK provides no official detection text for this object.
  • Validate monitoring around build systems specifically, not only end-user endpoints, because the supplied relationship centers on software build-process manipulation.
  • Correlate discovery behaviors such as process discovery and file/directory discovery with unusual build-stage timing, privileged accounts, or unexpected binaries.
  • Tune for masquerading and legitimate-looking resource names or locations, while accounting for normal developer tooling and build automation noise.
  • Review evidence of file deletion and stored data manipulation as potential anti-forensic or integrity-impacting behavior.
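The correlation the bullets above ask for, as an added example written for this page (it is not CrowdStrike's, MITRE's or SolarWinds' code): a small detector run over a constructed, simplified Sysmon-like event stream from a build host. It ties the procedure rows on this page together: a process that is not a build tool creates a .bk and a .tmp beside a source file under a solution directory that MsBuild.exe was invoked on, renames the .tmp over the .cs, and later deletes the .bk. The event field names, the host name, the pids, and the "file_rename" record (standing in for a MoveFileEx observation, which Sysmon does not log natively) are all assumptions.

```python
"""Flag a SUNSPOT-style source swap on a build host from file telemetry.

Added example written for this page; it is not CrowdStrike's, MITRE's or
SolarWinds' code. The input is a constructed, simplified Sysmon-like event
stream: process_create (Sysmon event 1), file_create (event 11),
file_delete (event 23) and a "file_rename" record that is an assumption
standing in for a MoveFileEx observation, which Sysmon does not log natively.
"""
import ntpath
import re
from collections import defaultdict

# Tools that legitimately rewrite source files during a build. Any other
# process that performs the full backup / replace / cleanup sequence is flagged.
BUILD_TOOLS = {"msbuild.exe", "devenv.exe", "csc.exe", "git.exe"}

# Constructed sample telemetry for one build run on host "build01".
SAMPLE_EVENTS = [
    {"ts": "2020-02-20T09:10:00", "host": "build01", "event": "process_create", "pid": 3300,
     "image": r"C:\Users\dev\AppData\Local\Programs\Microsoft VS Code\Code.exe"},
    {"ts": "2020-02-20T09:12:00", "host": "build01", "event": "file_create", "pid": 3300,
     "path": r"C:\Build\Orion\Core\Scheduler.tmp"},          # editor save via temp file: benign
    {"ts": "2020-02-20T09:12:01", "host": "build01", "event": "file_rename", "pid": 3300,
     "path": r"C:\Build\Orion\Core\Scheduler.tmp", "target": r"C:\Build\Orion\Core\Scheduler.cs"},
    {"ts": "2020-02-20T09:14:58", "host": "build01", "event": "process_create", "pid": 4120,
     "image": r"C:\Windows\Temp\taskhostsvc.exe"},
    {"ts": "2020-02-20T09:15:00", "host": "build01", "event": "process_create", "pid": 5210,
     "image": r"C:\Program Files (x86)\MSBuild\15.0\Bin\MsBuild.exe",
     "cmdline": r'MsBuild.exe "C:\Build\Orion\Orion.sln" /t:Rebuild'},
    {"ts": "2020-02-20T09:15:03", "host": "build01", "event": "file_create", "pid": 4120,
     "path": r"C:\Build\Orion\Core\InventoryManager.bk"},
    {"ts": "2020-02-20T09:15:04", "host": "build01", "event": "file_create", "pid": 4120,
     "path": r"C:\Build\Orion\Core\InventoryManager.tmp"},
    {"ts": "2020-02-20T09:15:05", "host": "build01", "event": "file_rename", "pid": 4120,
     "path": r"C:\Build\Orion\Core\InventoryManager.tmp",
     "target": r"C:\Build\Orion\Core\InventoryManager.cs"},
    {"ts": "2020-02-20T09:15:30", "host": "build01", "event": "file_create", "pid": 5210,
     "path": r"C:\Build\Orion\Core\obj\Release\Core.dll"},  # compiler output: benign
    {"ts": "2020-02-20T09:16:40", "host": "build01", "event": "file_delete", "pid": 4120,
     "path": r"C:\Build\Orion\Core\InventoryManager.bk"},
]


def solution_dirs(events):
    """Directories of every .sln passed to MsBuild.exe, taken from process command lines."""
    dirs = set()
    for e in events:
        if e["event"] != "process_create":
            continue
        if ntpath.basename(e["image"]).lower() != "msbuild.exe":
            continue
        for m in re.finditer(r'[^"\s]+\.sln', e.get("cmdline", ""), re.IGNORECASE):
            dirs.add(ntpath.dirname(m.group(0)).lower())
    return dirs


def _under(path, dirs):
    p = path.lower()
    return any(p.startswith(d + "\\") for d in dirs)


def detect_source_swap(events):
    """One alert per (host, pid, source file) that saw .bk create + .tmp create + rename to .cs.

    A delete of the .bk by the same process upgrades the stage to "swap+cleanup".
    Steps are set-matched rather than strictly ordered, so the sequence is caught
    even if the stream is slightly out of order.
    """
    sln = solution_dirs(events)
    images = {(e["host"], e["pid"]): e["image"] for e in events if e["event"] == "process_create"}
    steps = defaultdict(set)  # (host, pid, source stem) -> observed steps
    for e in events:
        if e["event"] not in ("file_create", "file_rename", "file_delete"):
            continue
        key = (e["host"], e["pid"])
        if ntpath.basename(images.get(key, "")).lower() in BUILD_TOOLS:
            continue
        path = e["target"] if e["event"] == "file_rename" else e["path"]
        if not _under(path, sln):
            continue
        stem, ext = ntpath.splitext(path.lower())
        if e["event"] == "file_create" and ext in (".bk", ".tmp"):
            steps[key + (stem,)].add(ext[1:])
        elif e["event"] == "file_rename" and ext == ".cs" and e["path"].lower().endswith(".tmp"):
            steps[key + (stem,)].add("cs")
        elif e["event"] == "file_delete" and ext == ".bk":
            steps[key + (stem,)].add("bk_deleted")
    alerts = []
    for (host, pid, stem), seen in sorted(steps.items()):
        if {"bk", "tmp", "cs"} <= seen:
            alerts.append({
                "host": host, "pid": pid, "image": images.get((host, pid)),
                "source": stem + ".cs",
                "stage": "swap+cleanup" if "bk_deleted" in seen else "swap",
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_source_swap(SAMPLE_EVENTS):
        print(alert)
```

Against the constructed stream this yields a single alert for pid 4120 (taskhostsvc.exe) on InventoryManager.cs at stage "swap+cleanup"; the editor's .tmp-then-rename save and the compiler's obj output produce nothing because neither shows a .bk backup, and MsBuild.exe itself is excluded as a build tool. The .bk/.tmp/.cs extensions are the ones named in the procedure rows; tune the extension set and BUILD_TOOLS to your own build automation, and treat a lone .bk create in a solution directory as a lower-confidence hunt lead rather than an alert.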

Mitigation priorities

  • Classify build servers, update infrastructure, signing systems, and release repositories as critical assets with enhanced logging and access review.
  • Strengthen software supply-chain controls: artifact integrity checks, controlled release promotion, and independent validation of build outputs.
  • Limit and monitor privileged service accounts and token use in build environments.
  • Preserve forensic readiness for build hosts, including endpoint logs, file integrity records, and pipeline audit trails.
  • Exercise IR scenarios involving malicious code insertion into a normal software update path.
Analyst notes and limits

The supplied ATT&CK object identifies SUNSPOT as the implant used to inject SUNBURST into the SolarWinds Orion software update framework, used by APT29 since at least February 2020, with relationship context to the SolarWinds Compromise. The most defensible security value is supply-chain assurance and build-environment monitoring rather than broad endpoint malware generalization.

ATT&CK provides no official detection text, aliases, labels, or explicit tactics for the SUNSPOT malware object. Technical recommendations are derived from the supplied relationships and must be validated against local architecture, especially whether the organization operates Windows-based build infrastructure or consumes affected-style software update mechanisms.

Official MITRE ATT&CK definition

SUNSPOT

SUNSPOT is an implant that injected the SUNBURST backdoor into the SolarWinds Orion software update framework. It was used by APT29 since at least February 2020.[1]


Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain ID Name Relationship / procedure
Enterprise T1057 Process Discovery

SUNSPOT monitored running processes for instances of MsBuild.exe by hashing the name of each running process and comparing it to the corresponding value 0x53D525. It also extracted command-line arguments and individual arguments from the running MsBuild.exe process to identify the directory path of the Orion software Visual Studio solution. [1]

Enterprise T1134 Access Token Manipulation

SUNSPOT modified its security token to grant itself debugging privileges by adding SeDebugPrivilege. [1]

Enterprise T1070.004 File Deletion Sub-technique

Following the successful injection of SUNBURST, SUNSPOT deleted a temporary file it created named InventoryManager.bk after restoring the original SolarWinds Orion source code to the software library. [1]

Enterprise T1027 Obfuscated Files or Information

SUNSPOT encrypted log entries it collected with the stream cipher RC4 using a hard-coded key. It also used AES128-CBC encrypted blobs for SUNBURST source code and data extracted from the SolarWinds Orion process. [1]

Enterprise T1565.001 Stored Data Manipulation Sub-technique

SUNSPOT created a copy of the SolarWinds Orion software source file with a .bk extension to back up the original content, wrote SUNBURST using the same filename but with a .tmp extension, and then moved SUNBURST using MoveFileEx to the original filename with a .cs extension so it could be compiled within Orion software. [1]

Enterprise T1083 File and Directory Discovery

SUNSPOT enumerated the Orion software Visual Studio solution directory path. [1]

Enterprise T1480 Execution Guardrails

SUNSPOT only replaces SolarWinds Orion source code if the MD5 checksums of both the original source code file and backdoored replacement source code match hardcoded values. [1]

Enterprise T1195.002 Compromise Software Supply Chain Sub-technique

SUNSPOT malware was designed and used to insert SUNBURST into software builds of the SolarWinds Orion IT management product. [1]

Enterprise T1106 Native API

SUNSPOT used Windows API functions such as MoveFileEx and NtQueryInformationProcess as part of the SUNBURST injection process. [1]

Enterprise T1480.002 Mutual Exclusion Sub-technique

SUNSPOT creates a mutex using the hard-coded value `{12d61a41-4b74-7610-a4d8-3028d2f56395}` to ensure that only one instance of itself is running. [1]

Enterprise T1140 Deobfuscate/Decode Files or Information

SUNSPOT decrypts SUNBURST, which was stored in AES128-CBC encrypted blobs. [1]

Enterprise T1036.005 Match Legitimate Resource Name or Location Sub-technique

SUNSPOT was identified on disk with a filename of taskhostsvc.exe and it created an encrypted log file at C:\Windows\Temp\vmware-vmdmp.log. [1]
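The T1565.001 swap sequence and the T1070.004 restore-and-delete described in the rows above, together with the "independent validation of build outputs" mitigation earlier on this page, as an added example written for this page (not SolarWinds', CrowdStrike's or MITRE's code). It pins a constructed throwaway source tree with a hash manifest at checkout, replays the .bk / .tmp / rename-over-.cs sequence against it with a constructed stand-in payload, and shows what the manifest check sees before, during and after the swap. The file names reuse InventoryManager.cs from the rows; the solution layout, the second source file and SHA-256 as the manifest hash are assumptions (the T1480 row says SUNSPOT's own guardrail compared MD5 values).

```python
"""Pin a source tree at checkout and verify it at compile time.

Added example written for this page; not SolarWinds', CrowdStrike's or MITRE's
code. It replays the T1565.001 sequence (copy .cs to .bk, write the replacement
as .tmp, rename .tmp over .cs, later restore the original and delete the .bk)
against a constructed throwaway tree and reports what a manifest check sees at
each stage. SHA-256 is the defender's choice here; SUNSPOT's guardrail used MD5.
"""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Relative path -> SHA-256 for every regular file under root (sorted, stable)."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_manifest(root, pinned):
    """Findings as 'kind: path' strings; an empty list means the tree matches the pin."""
    current = build_manifest(root)
    findings = []
    for rel, digest in pinned.items():
        if rel not in current:
            findings.append(f"missing: {rel}")
        elif current[rel] != digest:
            findings.append(f"modified: {rel}")
    findings.extend(f"unexpected: {rel}" for rel in current if rel not in pinned)
    return findings


def simulate_swap(source, replacement):
    """Constructed stand-in for the T1565.001 file sequence; not SUNSPOT's code."""
    source = Path(source)
    backup = source.with_suffix(".bk")
    staged = source.with_suffix(".tmp")
    shutil.copyfile(source, backup)   # keep the original for later restoration
    staged.write_bytes(replacement)   # write the replacement beside it as .tmp
    os.replace(staged, source)        # rename over the .cs (MoveFileEx with replace on Windows)
    return backup


def restore_and_cleanup(source, backup):
    """Constructed stand-in for the restore followed by the T1070.004 delete of the .bk."""
    shutil.copyfile(backup, source)
    Path(backup).unlink()


def demo():
    """Run the three checks and return their findings keyed by stage."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        core = root / "Core"
        core.mkdir()
        (root / "Orion.sln").write_text("constructed solution file\n")
        (core / "Scheduler.cs").write_text("class Scheduler { }\n")
        target = core / "InventoryManager.cs"
        target.write_text("class InventoryManager { }\n")

        pinned = build_manifest(root)                # taken at checkout, before MsBuild starts
        at_checkout = verify_manifest(root, pinned)
        backup = simulate_swap(target, b"class InventoryManager { /* constructed replacement */ }\n")
        at_compile = verify_manifest(root, pinned)   # what a pre-compile hook would see
        restore_and_cleanup(target, backup)
        after_build = verify_manifest(root, pinned)  # what a post-build audit of the tree sees
        return {"at_checkout": at_checkout, "at_compile": at_compile, "after_build": after_build}


if __name__ == "__main__":
    for stage, findings in demo().items():
        print(stage, findings or "clean")
```

The stage that matters is "at_compile": the manifest reports the modified InventoryManager.cs and the unexpected .bk, while "after_build" comes back clean because the original source has been restored and the backup deleted. A source-tree check that runs only after the build finishes therefore sees nothing; the pin has to be re-verified immediately before compilation (for example as a pre-build step in the pipeline), or the compiled artifact has to be compared against an independent rebuild from the pinned sources.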

Associated objects

Groups, software, and campaigns

Group Enterprise

G0016: APT29

APT29 is a threat group that has been attributed to Russia's Foreign Intelligence Service (SVR).[1][2] They have operated since at least 2008, often targeting government networks in Europe and NATO member countries, research institutes, and think tanks. APT29 reportedly compromised the Democratic National Committee starting in the summer of 2015.[3][4][5][6]

In April 2021, the US and UK governments attributed the SolarWinds Compromise to the SVR; public statements included citations to APT29, Cozy Bear, and The Dukes.[7][8] Industry reporting also referred to the actors involved in this campaign as UNC2452, NOBELIUM, StellarParticle, Dark Halo, and SolarStorm.[9][10][11][12][13][14]

Campaign Enterprise

C0024: SolarWinds Compromise

The SolarWinds Compromise was a sophisticated supply chain cyber operation conducted by APT29 that was discovered in mid-December 2020. APT29 used customized malware to inject malicious code into the SolarWinds Orion software build process that was later distributed through a normal software update; they also used password spraying, token theft, API abuse, spear phishing, and other supply chain attacks to compromise user accounts and leverage their associated access. Victims of this campaign included government, consulting, technology, telecom, and other organizations in North America, Europe, Asia, and the Middle East. This activity has been labeled the StellarParticle campaign in industry reporting.[1] Industry reporting also initially referred to the actors involved in this campaign as UNC2452, NOBELIUM, Dark Halo, and SolarStorm.[2][3][4][5][1][6][7][8]

In April 2021, the US and UK governments attributed the SolarWinds Compromise to Russia's Foreign Intelligence Service (SVR); public statements included citations to APT29, Cozy Bear, and The Dukes.[9][10][11] The US government assessed that of the approximately 18,000 affected public and private sector customers of SolarWinds' Orion product, a much smaller number were compromised by follow-on APT29 activity on their systems.[12]

Change history

Object version and sync metadata


ATT&CK release: 19.1
Object version: 1.2
Raw hash: 9ffa29e2f9fac675...
Imported snapshots across ATT&CK releases (1): release 19.1, object version 1.2, current bundle, raw hash 9ffa29e2f9fa…

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] CrowdStrike SUNSPOT Implant January 2021: CrowdStrike Intelligence Team. (2021, January 11). SUNSPOT: An Implant in the Build Process. Retrieved January 11, 2021.
  2. [2] SUNSPOT: ATT&CK name reference for this object; cites [1].
  3. [3] mitre-attack S0562: the MITRE-hosted ATT&CK object page for S0562.
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.