TEARDROP is a memory-only dropper that was discovered on some victim machines during investigations related to the SolarWinds Compromise. It was likely used by APT29 since at least May 2020.[1][2]

ID: S0560
Platforms: Windows
Version: 1.2
Created: 06 January 2021
Last Modified: 27 March 2023

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1543.003 | Create or Modify System Process: Windows Service | TEARDROP ran as a Windows service from the c:\windows\syswow64 folder.[3][1] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | TEARDROP was decoded using a custom rolling XOR algorithm to execute a customized Cobalt Strike payload.[1][3][2] |
| Enterprise | T1036.005 | Masquerading: Match Legitimate Name or Location | TEARDROP files had names that resembled legitimate Windows file and directory names.[1][2] |
| Enterprise | T1112 | Modify Registry | TEARDROP modified the Registry to create a Windows service for itself on a compromised host.[3] |
| Enterprise | T1027 | Obfuscated Files or Information | TEARDROP created and read from a file with a fake JPG header, and its payload was encrypted with a simple rotating XOR cipher.[1][3][2] |
| Enterprise | T1012 | Query Registry | TEARDROP checked that HKU\SOFTWARE\Microsoft\CTF existed before decoding its embedded payload.[1][2] |
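
A triage check for the T1027 behaviour above (a file that carries a JPG header but is not an image), added here as an example and not part of the ATT&CK entry or any vendor tooling: it walks the JPEG marker stream and reports where a file stops being structurally valid. It is a general JPEG structure check and does not reproduce TEARDROP's specific header, which this page does not give; the function names and both sample byte strings are constructed for illustration.

```python
import struct

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
STANDALONE = {0x01, *range(0xD0, 0xD8)}             # TEM, RST0-7: no length field
SOF = set(range(0xC0, 0xD0)) - {0xC4, 0xC8, 0xCC}   # frame header markers

def jpeg_structure_error(data: bytes):
    """Return None if data walks as a JPEG marker stream, else the reason it does not."""
    if data[:2] != b"\xff\xd8":
        return "no SOI magic"
    pos, seen_sof = 2, False
    while True:
        if pos + 2 > len(data):
            return f"truncated before scan data at offset {pos}"
        if data[pos] != 0xFF:
            return f"expected marker at offset {pos}"
        marker = data[pos + 1]
        if marker == 0xFF:                           # fill byte before a marker
            pos += 1
            continue
        pos += 2
        if marker in STANDALONE:
            continue
        if marker in (0x00, SOI, EOI):
            return f"unexpected marker 0x{marker:02X} before scan data"
        if pos + 2 > len(data):
            return f"truncated length field at offset {pos}"
        (length,) = struct.unpack(">H", data[pos:pos + 2])
        if length < 2 or pos + length > len(data):
            return f"segment 0x{marker:02X} overruns file at offset {pos}"
        seen_sof = seen_sof or marker in SOF
        pos += length
        if marker == SOS:
            break
    if not seen_sof:
        return "scan header without a frame header (SOF)"
    if data.find(b"\xff\xd9", pos) == -1:           # heuristic: EOI somewhere after the scan
        return "no EOI marker after scan data"
    return None

def seg(marker: int, payload: bytes) -> bytes:
    """Build one length-prefixed segment (used only for the constructed samples)."""
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload

# Constructed samples, not taken from any real file.
JFIF = b"\xff\xd8" + seg(0xE0, b"JFIF\x00" + bytes(9))
WELL_FORMED = (JFIF + seg(0xDB, bytes(65)) + seg(0xC0, bytes(15)) + seg(0xC4, bytes(29))
               + seg(0xDA, bytes(10)) + b"\x12\x34\x56" + b"\xff\xd9")
HEADER_ONLY = JFIF + bytes((i * 37 + 11) % 251 for i in range(256))  # header + opaque bytes

if __name__ == "__main__":
    for name, blob in (("WELL_FORMED", WELL_FORMED), ("HEADER_ONLY", HEADER_ONLY)):
        print(name, "->", jpeg_structure_error(blob) or "parses as JPEG")
```

A non-None result on a file with a .jpg name or JPEG magic is a lead for further analysis, not a verdict: truncated downloads and damaged images fail the same check.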

Groups That Use This Software

| ID | Name | References |
|---|---|---|
| G0016 | APT29 | |

| ID | Name | Description |
|---|---|---|
| C0024 | SolarWinds Compromise | |