Loader
TEARDROP
First seen: 2020 • Status: inactive
TEARDROP was a sneaky loader that hid attack tools inside images and never touched the hard drive.
Overview
TEARDROP was a memory-only dropper used in the SolarWinds attack to deploy Cobalt Strike. It used steganography and operated entirely in memory.
Also Known As
Raindrop, Beacon loader
How It Spreads
- SUNBURST deployment
- Post-compromise tool
What It Does
- Memory-only operation
- Cobalt Strike delivery
- Steganography
- Detection evasion
Target Platforms
Windows
Detection Tips
- Memory forensics required
- Monitor for Cobalt Strike indicators
- Part of SUNBURST investigation
MITRE ATT&CK Techniques
T1055 (Process Injection), T1027 (Obfuscated Files or Information), T1001 (Data Obfuscation), T1105 (Ingress Tool Transfer)
If You're Infected
1. Conduct memory forensics
2. Hunt for Cobalt Strike beacons
3. Handle as part of the broader SolarWinds remediation