A second backdoor discovered on infected SolarWinds systems

While analyzing the recent SolarWinds supply-chain attack, security researchers found a second backdoor, suggesting the involvement of another hacker group, unrelated to the suspected government-backed threat actor that compromised SolarWinds to taint its official Orion software with malware.

Tracked as Supernova, the backdoor is a webshell injected into SolarWinds Orion code that allows threat actors to execute arbitrary code on systems running the compromised version of Orion. According to some researchers, the Supernova webshell was used to download, compile and execute a malicious PowerShell script (dubbed CosmicGale). Additionally, Supernova is not digitally signed, unlike the initially discovered Sunburst/Solarigate malware, which trojanized the signed SolarWinds.Orion.Core.BusinessLayer.dll library; the missing signature is one of the reasons researchers suspect that a second hacker group is at work.

Security firms Guidepoint, Symantec, and Palo Alto Networks (Unit 42) have released reports with technical details on Supernova.

According to Palo Alto Networks, the webshell is a trojanized version of a legitimate .NET library (app_web_logoimagehandler.ashx.b6031896.dll) present in the Orion application, modified in a way that lets it stay hidden from automated defense mechanisms.

Orion uses this DLL to expose an HTTP handler that returns a specific GIF image when other subsystems query for it.

“SUPERNOVA differs dramatically in that it takes a valid .NET program as a parameter. The .NET class, method, arguments and code data are compiled and executed in-memory. There are no additional forensic artifacts written to disk, unlike low-level webshell stagers, and there is no need for additional network callbacks other than the initial C2 request,” the researchers said. “In other words, the attackers have constructed a stealthy and full-fledged .NET API embedded in an Orion binary, whose user is typically highly privileged and positioned with a high degree of visibility within an organization’s network. The attackers can then arbitrarily configure SolarWinds (and any local operating system feature on Windows exposed by the .NET SDK) with malicious C# code. The code is compiled on the fly during benign SolarWinds operation and is executed dynamically.”

Researchers have not yet been able to determine when the Supernova backdoor was first introduced into the Orion software.
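The mechanism described above (a legitimate image handler that accepts a class name, a method name, arguments and C# source, then compiles and runs them in memory) leaves little on disk, but the request itself still has to reach the handler, and IIS logs that request. The following Python script is an added detection example, not code from the article or from any of the vendors cited; it scans IIS W3C log lines for requests to the logo image handler whose query-string values look like C# source or process-execution calls. The handler path, the parameter names (clazz, method, args, codes) and the log lines are constructed placeholders; the detector inspects every parameter value and does not depend on any particular parameter name.

```python
import re
from urllib.parse import parse_qs

# Assumed handler name, derived from the compiled DLL name
# app_web_logoimagehandler.ashx.b6031896.dll; the directory path is not known
# from the article, so match on the handler name anywhere in the URI stem.
LOGO_HANDLER = "logoimagehandler.ashx"

# Indicators that a query-string value carries C# source or an execution call.
SOURCE_INDICATORS = [
    ("csharp-using", re.compile(r"\busing\s+System\b")),
    ("csharp-class", re.compile(r"\b(public\s+)?(static\s+)?class\s+\w+\s*\{")),
    ("csharp-method", re.compile(r"\bpublic\s+static\s+\w+\s+\w+\s*\(")),
    ("process-exec", re.compile(r"System\.Diagnostics|Process\.Start|Assembly\.Load")),
]
LONG_VALUE = 200  # a logo lookup never needs a parameter this long

# Constructed sample IIS W3C log lines (not real telemetry). Field order follows
# a common IIS default: date time s-ip cs-method cs-uri-stem cs-uri-query
# s-port cs-username c-ip cs(User-Agent) sc-status. Line 3 is the suspicious one.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2020-12-18 09:12:01 10.0.0.5 GET /Orion/Login.aspx - 443 - 10.0.1.20 Mozilla/5.0 200
2020-12-18 09:12:03 10.0.0.5 GET /SolarWinds/LogoImageHandler.ashx id=1 443 - 10.0.1.20 Mozilla/5.0 200
2020-12-18 09:15:44 10.0.0.5 GET /SolarWinds/LogoImageHandler.ashx clazz=Run&method=Exec&args=cmd.exe&codes=using+System%3Busing+System.Diagnostics%3Bpublic+class+Run%7Bpublic+static+string+Exec(string+a)%7Breturn+Process.Start(a).Id.ToString()%3B%7D%7D 443 - 198.51.100.7 python-requests/2.25 200
2020-12-18 09:16:10 10.0.0.5 POST /Orion/NetPerfMon/Resources.aspx - 443 - 10.0.1.20 Mozilla/5.0 200
"""


def parse_iis_line(line):
    """Split one W3C log line into named fields; skip directives and short lines."""
    if not line or line.startswith("#"):
        return None
    fields = line.split()
    if len(fields) < 11:
        return None
    return {
        "date": fields[0], "time": fields[1], "s-ip": fields[2],
        "cs-method": fields[3], "cs-uri-stem": fields[4], "cs-uri-query": fields[5],
        "s-port": fields[6], "cs-username": fields[7], "c-ip": fields[8],
        "cs(User-Agent)": fields[9], "sc-status": fields[10],
    }


def score_request(stem, query):
    """Return the list of reasons a request to the logo handler looks like
    in-memory code execution; an empty list means nothing suspicious."""
    reasons = []
    if LOGO_HANDLER not in stem.lower() or query == "-":
        return reasons
    # parse_qs URL-decodes each value (%3B -> ';', '+' -> ' '), so the regexes
    # run over the C# the handler would actually have received.
    params = parse_qs(query, keep_blank_values=True)
    for name, values in params.items():
        for value in values:
            if len(value) > LONG_VALUE:
                reasons.append(f"{name}: value length {len(value)} > {LONG_VALUE}")
            for label, pattern in SOURCE_INDICATORS:
                if pattern.search(value):
                    reasons.append(f"{name}: {label}")
    return reasons


def find_supernova_candidates(log_text):
    """Scan a whole log and return the records that triggered at least one reason."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_iis_line(line)
        if rec is None:
            continue
        reasons = score_request(rec["cs-uri-stem"], rec["cs-uri-query"])
        if reasons:
            findings.append({**rec, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for hit in find_supernova_candidates(SAMPLE_LOG):
        print(f"{hit['date']} {hit['time']} {hit['c-ip']} -> {hit['cs-uri-stem']}")
        for reason in hit["reasons"]:
            print("   ", reason)
```

Two caveats a practitioner should keep in mind. IIS does not log request bodies by default, so a webshell invoked through a POST body would not be visible here; pair the log heuristic with a check that the handler DLL on disk is still the signed, shipped version, since the article notes Supernova is unsigned. And the indicators are heuristics for source passed in the clear; they will not catch a variant that encodes or encrypts its code parameter, which is why the overly long parameter value is flagged on its own.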

Multiple researchers have put together lists of organizations affected by the SolarWinds supply-chain attack whose internal systems were infected with the Sunburst malware. The lists include tech companies, local governments, universities, hospitals, banks, and telecom providers, among them Cisco, SAP, Intel, VMware, Cox Communications, Deloitte, Nvidia, Fujitsu, Belkin, Amerisafe, Lukoil, Rakuten, Check Point, Optimizely, Digital Reach, and Digital Sense.
