How the SolarWinds Supply Chain Attack Could Have Been Prevented Using MetaDefender™ Sandbox

The SolarWinds supply chain attack was enabled through the compromise of a legitimate DLL used in the Orion IT management platform (SolarWinds.Orion.Core.BusinessLayer.dll). Threat actors stealthily modified this component by embedding malicious code directly into it.

What appeared to be a minor, harmless change, with a few inconspicuous lines in a familiar codebase, ended up introducing a significant threat. This DLL was part of a widely deployed platform used by both public and private sector organizations, making the attack’s reach unprecedented.

Hidden within the compromised DLL was a fully functional backdoor, crafted from roughly 4,000 lines of code. This code granted the attackers covert access to affected systems, enabling persistent control over victim networks without raising alarms.

One of the most critical aspects of this attack was its placement within the software build process itself. The tampered DLL carried a valid digital signature, indicating that the attackers had infiltrated SolarWinds’ software development or distribution infrastructure. This made the malicious code appear trustworthy and allowed it to execute privileged actions without triggering standard security controls.

To maintain stealth, the attackers avoided disrupting the DLL's original functionality. The injected payload consisted of a lightweight modification: it launched a new method in a separate thread, ensuring the host application's behavior remained unchanged. The method call was embedded into an existing function, RefreshInternal, but executed in parallel to avoid detection.

The backdoor logic resided in a class named OrionImprovementBusinessLayer, a name chosen deliberately to resemble legitimate components. This class housed the entirety of the malicious logic, including 13 internal classes and 16 functions. All strings were obfuscated, making static analysis significantly more difficult.

Unlike VM-based sandboxes that are easy to evade, MetaDefender Sandbox uses instruction-level emulation and adaptive threat analysis. This allows it to uncover hidden behaviors even when attackers try to disguise them.

A sandbox plays a crucial role in uncovering this type of attack. Even though the malicious DLL is digitally signed and carefully crafted to mimic legitimate behavior, a sandbox can detect the inserted backdoor by analyzing anomalies at the binary level.

YARA rules and reputation checks have been intentionally disabled for this sandbox scan to simulate the original conditions of the SolarWinds attack, as neither were available at that time.

Before runtime, Sandbox disassembles binaries to extract embedded logic. In SolarWinds’ case, it would have flagged:

• The large 1096-byte static array used to stage process hashes.
• Compressed + base64-encoded strings typical of malware.
• The unusual OrionImprovementBusinessLayer class and its obfuscated functions.

MetaDefender Sandbox 2.4.0 specifically addresses tactics used in SolarWinds:

• Expose memory-only payloads → Detects code that never writes to disk.
• Control flow deobfuscation for .NET → Perfect for unpacking obfuscated DLLs like Orion.
• Automated Base64 decoding → Unmasks the encrypted strings attackers used.

The latest release adds capabilities that directly map to SolarWinds-like threats:

• Memory-Only Payload Exposure → Would have revealed SolarWinds’ stealthy in-memory execution.
• Packed Malware Unpacking → Identifies staged payloads hidden inside static arrays.
• Pseudo-Reconstructed Binaries → Allows analysts to see a full picture of obfuscated DLLs.
• Enhanced YARA & Config Extraction → Would extract malware configurations despite encryption.
• .NET Loader Unpacking → Directly relevant to the Orion DLL’s obfuscated .NET logic.

While we began writing this article, a new campaign against the supply chain in the npm ecosystem was made public (npm is a JavaScript package manager included with Node.js, which allows JavaScript to run outside the browser.). This recent campaign involved a self-replicating worm called “Shai-Hulud,” which managed to compromise hundreds of software packages. This incident was analyzed in detail in the OPSWAT publication “From Dune to npm: Shai-Hulud Worm Redefines Supply Chain Risk”.

However, this new campaign is particularly relevant in the context of this article, as it also demonstrates that MetaDefender Sandbox's detection capabilities are up-to-date and effective against supply chain compromises. See our report for the malicious file bundle.js, which detects the download of libraries using obfuscated code, labeling this activity as “Likely malicious.”

a. Suspicious obfuscated class name (OrionImprovementBusinessLayer).

b. Large static arrays linked to hash values.

c. Encrypted Base64 strings.

a. WMI system queries.

b. Attempted privilege escalation calls.

c. Creation of hidden threads outside Orion’s main workflow.

The SolarWinds breach was a wake-up call, but supply chain attacks continue to rise. According to the 2025 OPSWAT Threat Landscape Report, critical infrastructure remains a top target, and file-based, obfuscated loaders are increasingly common.

MetaDefender Sandbox provides defenders with: