Skip to content


TEARDROP is a memory-only dropper that was discovered on some victim machines during investigations related to the SolarWinds Compromise. It was likely used by APT29 since at least May 2020.12

Item Value
ID S0560
Associated Names
Version 1.2
Created 06 January 2021
Last Modified 27 March 2023
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1543 Create or Modify System Process -
enterprise T1543.003 Windows Service TEARDROP ran as a Windows service from the c:\windows\syswow64 folder.31
enterprise T1140 Deobfuscate/Decode Files or Information TEARDROP was decoded using a custom rolling XOR algorithm to execute a customized Cobalt Strike payload.132
enterprise T1036 Masquerading -
enterprise T1036.005 Match Legitimate Name or Location TEARDROP files had names that resembled legitimate Window file and directory names.12
enterprise T1112 Modify Registry TEARDROP modified the Registry to create a Windows service for itself on a compromised host.3
enterprise T1027 Obfuscated Files or Information TEARDROP created and read from a file with a fake JPG header, and its payload was encrypted with a simple rotating XOR cipher.132
enterprise T1012 Query Registry TEARDROP checked that HKU\SOFTWARE\Microsoft\CTF existed before decoding its embedded payload.12

Groups That Use This Software

ID Name References
G0016 APT29 15679108