SUPERNOVA is an in-memory web shell written in .NET C#. It was discovered in November 2020 during the investigation of APT29's SolarWinds cyber operation but determined to be unrelated. Subsequent analysis suggests SUPERNOVA may have been used by the China-based threat group SPIRAL.[1][2][3][4][5]

| Item | Value |
| --- | --- |
| ID | S0578 |
| Associated Names | |
| Version | 1.0 |
| Created | 18 February 2021 |
| Last Modified | 23 April 2021 |
Techniques Used

| Domain | ID | Name | Use |
| --- | --- | --- | --- |
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | SUPERNOVA had to receive an HTTP GET request containing a specific set of parameters in order to execute.[1][2] |
| enterprise | T1203 | Exploitation for Client Execution | SUPERNOVA was installed via exploitation of a SolarWinds Orion API authentication bypass vulnerability (CVE-2020-10148).[6][7] |
| enterprise | T1036 | Masquerading | - |
| enterprise | T1036.005 | Match Legitimate Name or Location | SUPERNOVA has masqueraded as a legitimate SolarWinds DLL.[1][2] |
| enterprise | T1027 | Obfuscated Files or Information | SUPERNOVA contained Base64-encoded strings.[4] |
| enterprise | T1505 | Server Software Component | - |
| enterprise | T1505.003 | Web Shell | SUPERNOVA is a web shell.[2][1][4] |