S0565: Raindrop

Raindrop is a loader used by APT29 that was discovered on some victim machines during investigations related to the SolarWinds Compromise. It was discovered in January 2021 and was likely used since at least May 2020.[1][2]

Enterprise | S0565 | Malware | Object v1.3
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

Raindrop matters because MITRE describes it as a Windows loader used by APT29 and discovered during SolarWinds Compromise investigations. For leaders, the key issue is not just a malware name; it is whether the organization can find stealthy second-stage tooling that may arrive after a trusted software or identity-driven intrusion path has already succeeded.

Executive priority

Treat this as a readiness and assurance problem tied to high-consequence intrusion response. Executives should ask whether Windows endpoint telemetry, software inventory, and incident response procedures can support retrospective hunting for rare loaders, masqueraded files, packed or encoded artifacts, and supply-chain-related compromise evidence. It is also useful for audit and board reporting because it tests whether the organization can investigate stealth techniques when MITRE provides no ready-made detection guidance.

Technical view

MITRE provides no official detection text for Raindrop, so SOC and IR teams should validate coverage through the related ATT&CK techniques: Software Packing, Steganography, Encrypted/Encoded File, Masquerading, Match Legitimate Resource Name or Location, Deobfuscate/Decode Files or Information, and Time Based Checks. Focus validation on Windows systems, especially detection logic for rare or newly observed executables, suspicious file naming or placement, encoded or packed content, runtime deobfuscation behavior, and sandbox evasion indicators involving time checks. Relationship context to the SolarWinds Compromise and APT29 should be used for prioritization, not as proof of current activity in any local environment.

Likely telemetry

  • Windows endpoint process execution and parent/child process telemetry
  • File creation, modification, path, name, metadata, and hash telemetry
  • Endpoint security or EDR observations for packed, encoded, or obfuscated files
  • Memory or runtime behavior showing unpacking, decoding, or payload loading
  • Sandbox or malware analysis logs, including time-delay or time-check behavior

Detection direction

  • Build detections around the related stealth behaviors rather than relying only on a Raindrop-specific signature.
  • Hunt for legitimate-looking file names or locations that do not match expected publisher, path, hash, prevalence, or asset role.
  • Tune packed/encoded-file alerts carefully because legitimate commercial software may also use packing or encoding.
  • Do not rely solely on sandbox detonation; the related Time Based Checks technique indicates analysis environments may be detected or delayed.
  • Use SolarWinds Compromise and APT29 relationship context to prioritize historical hunts, but require local telemetry before drawing incident conclusions.
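One way to operationalize the masquerading and prevalence hunts above, as an added example that is not Glexia's or MITRE's code: it scores constructed file-creation telemetry against a hypothetical baseline of expected directories and signers, flags lookalike names (a one-character variation of a legitimate name), and marks hashes seen on very few hosts. The baseline, file names, signers and host counts are assumptions made for the example.

```python
import difflib
from pathlib import PureWindowsPath

# Constructed baseline for this example (not a vendor or MITRE list): where a
# few well-known Windows binaries legitimately live and who signs them.
BASELINE = {
    "svchost.exe": {"dirs": {r"c:\windows\system32", r"c:\windows\syswow64"},
                    "signer": "Microsoft Windows"},
    "7z.dll": {"dirs": {r"c:\program files\7-zip"}, "signer": "Igor Pavlov"},
}
RARE_HOST_COUNT = 3  # a hash seen on fewer hosts than this is "rare" (tunable)

# Constructed file-creation telemetry (names, signers and counts are made up);
# host_count is how many hosts in the estate have seen the file's hash.
RECORDS = [
    {"path": r"C:\Windows\System32\svchost.exe", "signer": "Microsoft Windows", "host_count": 250},
    {"path": r"C:\Windows\Temp\svch0st.exe", "signer": "", "host_count": 1},
    {"path": r"C:\Program Files\7-Zip\7z.dll", "signer": "Igor Pavlov", "host_count": 40},
    {"path": r"C:\Windows\System32\7z.dll", "signer": "", "host_count": 1},
]

def lookalike(name):
    """Baseline name that `name` equals or closely resembles, else None."""
    # ratio >= 0.85 keeps exact names and one-character swaps such as svch0st.exe
    close = difflib.get_close_matches(name.lower(), BASELINE, n=1, cutoff=0.85)
    return close[0] if close else None

def hunt(record):
    """Reasons a single file-creation record deserves analyst review."""
    p = PureWindowsPath(record["path"])
    name, directory = p.name.lower(), str(p.parent).lower()
    reasons = []
    base = lookalike(name)
    if base:
        if name != base:
            reasons.append(f"lookalike of {base}")
        if directory not in BASELINE[base]["dirs"]:
            reasons.append("unexpected directory")
        if record["signer"] != BASELINE[base]["signer"]:
            reasons.append("signer mismatch")
    if record["host_count"] < RARE_HOST_COUNT:
        reasons.append("rare hash")  # low prevalence: retrospective-hunt candidate
    return reasons

def hunt_all(records):
    """Map each flagged path to its reasons; clean records are omitted."""
    return {r["path"]: hunt(r) for r in records if hunt(r)}
```

In production the baseline would come from the software inventory named under Mitigation priorities, and the prevalence threshold from the estate's own hash statistics.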

Mitigation priorities

  • Confirm Windows endpoint logging and EDR retention are sufficient for retrospective loader and masquerading hunts.
  • Maintain accurate software and asset inventory so legitimate resource names, locations, and update paths can be baselined.
  • Use controlled software execution and change-control practices to reduce unauthorized loader execution where operationally feasible.
  • Prepare IR playbooks for stealthy second-stage malware found after a trusted software or identity compromise investigation.
  • Preserve forensic evidence for packed, encoded, or deobfuscated artifacts so malware analysis can validate detections.

Analyst notes and limits

The strongest decision value is readiness validation: Raindrop is tied by MITRE to APT29 and the SolarWinds Compromise, and its related techniques emphasize stealth and analysis resistance. Detection engineering should therefore measure behavioral coverage across obfuscation, masquerading, decoding, and time-check behaviors instead of expecting complete coverage from a single malware indicator.

The supplied ATT&CK object has no official detection guidance, no explicit tactics on the malware object, and only Windows as the listed platform. This take does not assert active exploitation, current exposure, or guaranteed detection. Local endpoint, inventory, and investigation evidence is required to determine relevance in a specific environment.

Official MITRE ATT&CK definition

Raindrop

Raindrop is a loader used by APT29 that was discovered on some victim machines during investigations related to the SolarWinds Compromise. It was discovered in January 2021 and was likely used since at least May 2020.[1][2]


Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain | ID | Name | Relationship / procedure
Enterprise | T1497.003 | Time Based Checks (sub-technique) | After initial installation, Raindrop runs a computation to delay execution. [1]
Enterprise | T1027.013 | Encrypted/Encoded File (sub-technique) | Raindrop encrypted its payload using a simple XOR algorithm with a single-byte key. [1][2]
Enterprise | T1027.002 | Software Packing (sub-technique) | Raindrop used a custom packer for its Cobalt Strike payload, which was compressed using the LZMA algorithm. [1][2]
Enterprise | T1036 | Masquerading | Raindrop was built to include a modified version of 7-Zip source code (including associated export names) and Far Manager source code. [1][2]
Enterprise | T1036.005 | Match Legitimate Resource Name or Location (sub-technique) | Raindrop was installed under names that resembled legitimate Windows file and directory names. [1][2]
Enterprise | T1027.003 | Steganography (sub-technique) | Raindrop used steganography to locate the start of its encoded payload within legitimate 7-Zip code. [1]
Enterprise | T1140 | Deobfuscate/Decode Files or Information | Raindrop decrypted its Cobalt Strike payload using an AES-256 encryption algorithm in CBC mode with a unique key per sample. [1][2]

Associated objects

Groups, software, and campaigns

Group Enterprise

G0016: APT29

APT29 is a threat group that has been attributed to Russia's Foreign Intelligence Service (SVR).[1][2] They have operated since at least 2008, often targeting government networks in Europe and NATO member countries, research institutes, and think tanks. APT29 reportedly compromised the Democratic National Committee starting in the summer of 2015.[3][4][5][6]

In April 2021, the US and UK governments attributed the SolarWinds Compromise to the SVR; public statements included citations to APT29, Cozy Bear, and The Dukes.[7][8] Industry reporting also referred to the actors involved in this campaign as UNC2452, NOBELIUM, StellarParticle, Dark Halo, and SolarStorm.[9][10][11][12][13][14]

Campaign Enterprise

C0024: SolarWinds Compromise

The SolarWinds Compromise was a sophisticated supply chain cyber operation conducted by APT29 that was discovered in mid-December 2020. APT29 used customized malware to inject malicious code into the SolarWinds Orion software build process that was later distributed through a normal software update; they also used password spraying, token theft, API abuse, spear phishing, and other supply chain attacks to compromise user accounts and leverage their associated access. Victims of this campaign included government, consulting, technology, telecom, and other organizations in North America, Europe, Asia, and the Middle East. This activity has been labeled the StellarParticle campaign in industry reporting.[1] Industry reporting also initially referred to the actors involved in this campaign as UNC2452, NOBELIUM, Dark Halo, and SolarStorm.[2][3][4][5][1][6][7][8]

In April 2021, the US and UK governments attributed the SolarWinds Compromise to Russia's Foreign Intelligence Service (SVR); public statements included citations to APT29, Cozy Bear, and The Dukes.[9][10][11] The US government assessed that of the approximately 18,000 affected public and private sector customers of SolarWinds' Orion product, a much smaller number were compromised by follow-on APT29 activity on their systems.[12]

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.3
Raw hash: 60469fc23c2a5691...

Imported snapshots across ATT&CK releases (1)
Release | Object version | Status | Raw hash
19.1 | 1.3 | Current bundle | 60469fc23c2a…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] Symantec RAINDROP January 2021: Symantec Threat Hunter Team. (2021, January 18). Raindrop: New Malware Discovered in SolarWinds Investigation. Retrieved January 19, 2021.
  2. [2] Microsoft Deep Dive Solorigate January 2021: MSTIC, CDOC, 365 Defender Research Team. (2021, January 20). Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop. Retrieved January 22, 2021.
  3. [3] Raindrop: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-raindrop-malware
  4. [4] mitre-attack S0565
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.