Microsoft Reveals 3 New Malware Variants of SolarWinds Cyberattack

Microsoft has revealed three newly found variants relating to the cyberattack. At the same time, it has also given the threat actor behind SolarWinds a specific tracking name: Nobelium.

The newly disclosed information provides more insight into the enormous cyberattack that claimed multiple US government agencies in its victim list.

Microsoft Reveals Multiple Malware Variants

In a recent post to its official Microsoft Security blog, the company revealed the discovery of three additional malware types relating to the SolarWinds cyberattack: GoldMax, Sibot, and GoldFinder.

Microsoft assesses that the newly surfaced pieces of malware were used by the actor to maintain persistence and perform actions on very specific and targeted networks post-compromise, even evading initial detection during incident response.

The new malware variants were used in the latter stages of the SolarWinds attack. According to the Microsoft security team, the new attack tools and malware types were found to be in use between August and September 2020 but may have “been on compromised systems as early as June 2020.”

Furthermore, these entirely new types of malware are “unique to this actor” and “tailor-made for specific networks,” while each variant has different capabilities.


GoldMax is written in Go and acts as a command and control backdoor that hides malicious activities on the target computer. As found with the SolarWinds attack, GoldMax can generate decoy network traffic to disguise its malicious network traffic, giving it the appearance of regular traffic.


Sibot is a VBScript-based dual-purpose malware that maintains a persistent presence on the target network and to download and execute a malicious payload. Microsoft notes that there are three variants of the Sibot malware, all of which have slightly different functionality.


This malware is also written in Go. Microsoft believes it was “used as a custom HTTP tracer tool” for logging server addresses and other infrastructure involved in the cyberattack.

There’s More to Come from SolarWinds

Although Microsoft believes the attack phase of SolarWinds is likely finished, more of the underlying infrastructure and malware variants involved in the attack are still waiting for discovery.

With this actor’s established pattern of using unique infrastructure and tooling for each target, and the operational value of maintaining their persistence on compromised networks, it is likely that additional components will be discovered as our investigation into the actions of this threat actor continues.

The revelation that more malware types and more infrastructure are yet to be found won’t come as a surprise to those tracking this ongoing saga. Recently, Microsoft revealed the SolarWinds second phase, detailing how the attackers accessed networks and maintained a presence for the lengthy period they remained undetected.

You might also like

Comments are closed.