Word count: 4163
Language: English

Summary

In a detailed analysis of the SUNSPOT malware, CrowdStrike outlines how it was used in a sophisticated supply chain attack on SolarWinds, a major network performance monitoring firm. The attack inserted the SUNBURST backdoor into the SolarWinds Orion platform by means of SUNSPOT, which replaced Orion source code during the build process without alerting developers. SUNSPOT monitors running processes to detect when the Orion software is being built, then injects the malicious code while maintaining operational security through encryption and careful logging. Despite the complexity of the attack, CrowdStrike has not attributed it to any particular adversary and is tracking it under the StellarParticle activity cluster. The blog post covers the technical details of SUNSPOT, including its persistence mechanisms, encryption methods, and build hijacking procedure, and emphasizes the high level of sophistication and planning behind the attack.