Skip to main content
Microsoft Security Intelligence
Published May 26, 2021 | Updated Jun 02, 2021


Detected by Microsoft Defender Antivirus

Aliases: No associated aliases


Microsoft Defender Antivirus detects and removes this threat.

This threat is a custom Cobalt Strike Beacon loader DLL that is delivered through a malicious ISO file to the target's computer. It is distributed through a wide-scale malicious email campaign operated by NOBELIUM, the threat actor behind the attacks against SolarWinds, the SUNBURST backdoorTEARDROP malwareGoldMax malware, and other related components.

Read the following blogs for details:

Microsoft Defender Antivirus automatically removes threats as they are detected. If you have cloud-delivered protection, your device gets the latest defenses against new and unknown threats. If you don't have this feature enabled, update your antimalware definitions and run a full scan to remove this threat..

To help reduce the impact of this threat, you can:   

  • Contact your incident response team and start the incident response process. If you don't have one, contact Microsoft support for investigation and remediation services.
  • Immediately isolate the affected device. If malicious code has been launched, it is likely that the device is under complete attacker control.
  • Identify the accounts that have been used on the affected device and consider these accounts compromised. Reset passwords or decommission the accounts.
  • Investigate the device timeline for indications of lateral movement activities using one of the compromised accounts. Check for additional tools that attackers might have dropped to enable credential access, lateral movement, and other attack activities.
  • Scope the incident. Find related devices, network addresses, and files in the incident graph.
  • Contain and mitigate the breach. Stop suspicious processes, isolate affected devices, decommission compromised accounts or reset passwords, block IP addresses and URLs, and install security updates.

You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.

Follow us