SUPERNOVA is an in-memory web shell written in .NET C#. It was discovered in November 2020 during the investigation of APT29's SolarWinds cyber operation but determined to be unrelated. Subsequent analysis suggests SUPERNOVA may have been used by the China-based threat group SPIRAL.[1][2][3][4][5]

ID: S0578
Platforms: Windows
Version: 1.1
Created: 18 February 2021
Last Modified: 10 April 2024

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | SUPERNOVA had to receive an HTTP GET request containing a specific set of parameters in order to execute.[1][2] |
| Enterprise | T1203 | Exploitation for Client Execution | SUPERNOVA was installed via exploitation of a SolarWinds Orion API authentication bypass vulnerability (CVE-2020-10148).[6][7] |
| Enterprise | T1036.005 | Masquerading: Match Legitimate Name or Location | SUPERNOVA has masqueraded as a legitimate SolarWinds DLL.[1][2] |
| Enterprise | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File | SUPERNOVA contained Base64-encoded strings.[4] |
| Enterprise | T1505.003 | Server Software Component: Web Shell | SUPERNOVA is a Web shell.[2][1][4] |