S1166: Solar
Solar is a C#/.NET backdoor that was used by OilRig during the Outer Space campaign to download, execute, and exfiltrate files.[1]
Analyst context for executives and security teams
Solar is a Windows C#/.NET backdoor associated in ATT&CK with OilRig’s Outer Space campaign. Its business significance is not just malware presence; the related behaviors show a toolset for persistence, command-and-control, file download/execution, cleanup, and data exfiltration. Leaders should treat it as a test of whether Windows endpoint monitoring, egress visibility, and incident response evidence are strong enough to reconstruct what ran, what persisted, and what data may have left.
Executive priority
Prioritize this object where Windows systems support sensitive operations, regulated data, or supply-chain trust relationships. ATT&CK links Solar to OilRig, a group described as targeting government, energy, chemical, telecommunications, financial, and international victims, so threat intelligence teams can use it for relevance scoring without assuming local exposure. The executive question is whether the organization can prove, during an incident or audit, that scheduled-task persistence, suspicious outbound C2/exfiltration, file transfer, and file deletion activity would be collected and investigated quickly.
Technical view
Solar is documented as a Windows C#/.NET backdoor used to download, execute, and exfiltrate files. No official ATT&CK detection text is provided, so SOC validation should be relationship-driven: check coverage for Scheduled Task abuse (T1053.005), tool/file ingress (T1105), system information discovery (T1082), encoded or encrypted C2 traffic (T1132.001, T1573.001), exfiltration over C2 and automated exfiltration (T1041, T1020), and file deletion for cleanup (T1070.004). Detection engineering should correlate host execution, task creation or modification, file movement, deletion events, and outbound network sessions rather than relying on a single malware signature.
Likely telemetry
- Windows endpoint process creation and command-line telemetry
- Windows Task Scheduler creation, modification, and execution records
- File creation, download, execution, access, and deletion events
- Endpoint evidence of C#/.NET execution where available
- Proxy, firewall, DNS, and network flow logs for outbound communications
Detection direction
- Validate that scheduled task monitoring captures both command-line and GUI/API-created tasks, with context on parent process, user, path, and trigger.
- Correlate suspicious task persistence with subsequent file download, execution, deletion, and outbound network activity.
- Tune for unusual outbound sessions from Windows hosts, especially where traffic patterns align with command-and-control plus file transfer or exfiltration behavior.
- Review whether standard encoding or symmetric encryption would blind content inspection; emphasize metadata, destination reputation, timing, volume, and endpoint correlation.
- Use OilRig and Outer Space context for threat hunting prioritization, but do not treat group association alone as proof of compromise.
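As an added illustration of the first two bullets (not code from ATT&CK, ESET or Glexia), the script below parses the task definition XML that a Windows Security 4698 task-creation event carries, flags tasks whose repetition interval is a minute or less (the Earth and Venus tasks run every 30 and 40 seconds), and counts outbound sessions from the same host in the minutes after creation. The event dicts, host names and destination are constructed sample telemetry; the task XML namespace is the real Task Scheduler schema.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
ISO_DUR = re.compile(r"^PT(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?$")

def interval_seconds(iso):
    """Convert a Task Scheduler ISO 8601 duration such as PT30S or PT1H to seconds."""
    m = ISO_DUR.match(iso or "")
    if not m:
        return None
    h, mi, s = (int(x) if x else 0 for x in m.groups())
    return h * 3600 + mi * 60 + s

def task_min_interval(task_xml):
    """Smallest repetition interval declared in a task definition, or None if it has none."""
    root = ET.fromstring(task_xml)
    vals = [interval_seconds(e.text) for e in root.iterfind(".//t:Repetition/t:Interval", NS)]
    vals = [v for v in vals if v is not None]
    return min(vals) if vals else None

def find_rapid_tasks(events, max_interval=60, window=timedelta(minutes=5)):
    """Flag task_created events repeating at most every max_interval seconds and
    count net_connect events from the same host inside the following window."""
    findings = []
    for ev in events:
        if ev["event"] != "task_created":
            continue
        interval = task_min_interval(ev["task_xml"])
        if interval is None or interval > max_interval:
            continue
        t0 = ev["time"]
        outbound = [n for n in events if n["event"] == "net_connect"
                    and n["host"] == ev["host"] and t0 <= n["time"] <= t0 + window]
        findings.append({"host": ev["host"], "task": ev["task_name"],
                         "interval_s": interval, "outbound": len(outbound)})
    return findings

# Constructed sample telemetry (hypothetical hosts and destination): two rapid tasks,
# one benign hourly task, and two outbound sessions from the first host.
def _task_xml(interval):
    return (f'<Task xmlns="{NS["t"]}"><Triggers><TimeTrigger><Repetition>'
            f'<Interval>{interval}</Interval></Repetition></TimeTrigger></Triggers></Task>')

T = datetime(2021, 6, 1, 9, 0, 0)
SAMPLE_EVENTS = [
    {"time": T, "event": "task_created", "host": "WS01", "task_name": "Earth", "task_xml": _task_xml("PT30S")},
    {"time": T + timedelta(seconds=5), "event": "task_created", "host": "WS01", "task_name": "Venus", "task_xml": _task_xml("PT40S")},
    {"time": T, "event": "task_created", "host": "WS02", "task_name": "Backup", "task_xml": _task_xml("PT1H")},
    {"time": T + timedelta(seconds=35), "event": "net_connect", "host": "WS01", "dst": "203.0.113.10:443"},
    {"time": T + timedelta(seconds=75), "event": "net_connect", "host": "WS01", "dst": "203.0.113.10:443"},
]

if __name__ == "__main__":
    for finding in find_rapid_tasks(SAMPLE_EVENTS):
        print(finding)
```

Feed it the TaskContent field of 4698 events and normalised firewall or Sysmon network events and the same logic applies; the hourly task on WS02 is ignored because its interval exceeds the threshold.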
Mitigation priorities
- Establish a baseline and approval process for Windows scheduled tasks on high-value systems.
- Limit unnecessary outbound connectivity and monitor exceptions for sensitive Windows endpoints.
- Harden endpoint controls around unauthorized file download, execution, and tool transfer activity.
- Preserve incident response evidence by ensuring endpoint, task scheduler, file, and network logs are retained long enough for reconstruction.
- Apply least-privilege administration so persistence mechanisms and file operations require appropriate authorization.
Analyst notes and limits
The most useful defensive framing is coverage validation: can the SOC connect persistence, execution, C2, transfer, exfiltration, and cleanup into one timeline on Windows hosts? The ATT&CK relationship to OilRig provides intelligence context for prioritization, especially for sectors and trust relationships noted in the group description, but local telemetry is required to determine relevance or exposure.
ATT&CK provides no official detection guidance for Solar, no aliases, and no malware tactics listed directly on the object. This take is derived from the official Solar description, its Windows platform, the cited ESET reference, and ATT&CK relationships to techniques and OilRig. It does not assert active exploitation, customer exposure, or guaranteed detection coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1053.005 | Scheduled Task (sub-technique) | Solar can create scheduled tasks named Earth and Venus, which run every 30 and 40 seconds respectively, to support C2 and exfiltration.[1] |
| Enterprise | T1105 | Ingress Tool Transfer | Solar has the ability to download and execute files.[1] |
| Enterprise | T1020 | Automated Exfiltration | Solar can automatically exfiltrate files from compromised systems.[1] |
| Enterprise | T1573.001 | Symmetric Cryptography (sub-technique) | Solar can XOR encrypt C2 communications.[1] |
| Enterprise | T1041 | Exfiltration Over C2 Channel | Solar can send staged files to C2 for exfiltration.[1] |
| Enterprise | T1082 | System Information Discovery | Solar can send basic information about the infected host to C2.[1] |
| Enterprise | T1070.004 | File Deletion (sub-technique) | Solar has the ability to delete staged files after they are uploaded to C2.[1] |
| Enterprise | T1132.001 | Standard Encoding (sub-technique) | Solar can Base64-encode and gzip compress C2 communications, including command outputs.[1] |
Groups, software, and campaigns
G0049: OilRig
OilRig is a suspected Iranian threat group that has targeted Middle Eastern and international victims since at least 2014. The group has targeted a variety of sectors, including financial, government, energy, chemical, and telecommunications. It appears the group carries out supply chain attacks, leveraging the trust relationship between organizations to attack their primary targets. The group works on behalf of the Iranian government based on infrastructure details that contain references to Iran, use of Iranian infrastructure, and targeting that aligns with nation-state interests.[1][2][3][4][5][6][7]
C0042: Outer Space
Outer Space was a campaign conducted by OilRig throughout 2021 that used the SampleCheck5000 downloader and Solar backdoor to target Israeli organizations.[1]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 4957cb1204f6… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Hromcova, Z. and Burgher, A. (2023, September 21). OilRig's Outer Space and Juicy Mix: Same ol' rig, new drill pipes. ESET (cited in ATT&CK as "ESET OilRig Campaigns Sep 2023"). Retrieved November 21, 2024.
[2] MITRE ATT&CK. Software entry S1166: Solar.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.