{
	"id": "036fba53-e99d-4c1b-8c26-f87db527f02b",
	"created_at": "2026-04-06T00:12:31.976216Z",
	"updated_at": "2026-04-10T13:12:02.778856Z",
	"deleted_at": null,
	"sha1_hash": "122c6c67de4138b4b7368d1d9102eb4fa69f833d",
	"title": "SolarMarker: Hunt Insights and Findings",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4246086,
	"plain_text": "SolarMarker: Hunt Insights and Findings\r\nPublished: 2024-05-30 · Archived: 2026-04-05 14:59:32 UTC\r\nIntroduction\r\nFollowing Recorded Future's (RF) report, \"Exploring the Depths of SolarMarker's Multi-tiered Infrastructure,\" the\r\nHunt Research Team leveraged the IOCs provided to discover a method of identifying clusters of SolarMarker\r\nservers in the wild.\r\nOur scanning has uncovered 20 servers we believe with moderate confidence are associated with SolarMarker.\r\nWhile the RF report extensively covers SolarMarker's info-stealing capabilities, our focus here will be on the\r\nmalware's infrastructure.\r\nWe will hold off on providing detection queries for SolarMarker servers for now. However, we will cover some\r\nobservations, including the threat actor's choice of hosting providers, reused SSH keys associated with over 100\r\nservers, and likely phishing domains consistent with SolarMarker targeting.\r\nOverview of Infrastructure\r\nMost of the servers we've identified align with the above report's configuration description for tier 1 servers\r\n(Nginx server, ports 22 \u0026 80). One IP deviated from this pattern using port 443 and a Let's Encrypt TLS\r\ncertificate.\r\nThe tier 1 servers are responsible for relaying victim data to higher-tier servers. 
The below image from the report\r\nprovides an example of SolarMarker's C2 infrastructure.\r\nhttps://hunt.io/blog/solarmarker-hunt-insight-and-findings\r\nPage 1 of 13\n\nImage 1: SolarMarker's Tiered Infrastructure (Source: Recorded Future, accessed 21 May 2024)\r\nSolarMarker Infrastructure in Hunt\r\nAs detailed in various blog posts and vendor reports, SolarMarker not only engages in information stealing but is\r\nalso capable of executing commands via a backdoor and utilizing hidden virtual network computing (hVNC).\r\nFigure 1 illustrates the most popular ports, hosting companies, and hosting locations based on our scans.\r\nFigure 1: Distribution of Popular Ports, Hosting Companies, and Hosting Locations for SolarMarker IPs\r\nIt should come as no surprise that port 80 constitutes the bulk of SolarMarker detections. Infected devices\r\ncommunicate via HTTP POST requests on this port.\r\nIf you track malicious infrastructure, you are likely familiar with the M247 network. This ASN accounts for the\r\nmajority of our findings across SolarMarker's infrastructure. Most of the malicious servers are located in Europe,\r\nwith the U.S. following closely behind, which again aligns with threat reporting.\r\nFigure 2 shows a snippet of the IPs readily available to Hunt users for deeper analysis.\r\nThe Insikt Group identified many of the servers shown in the image. 
However, we have also found a few that have\r\nnot been publicly reported.\r\nFigure 2: Snippet of SolarMarker Associated IP Addresses\r\nFindings and Observations\r\nOur first notable finding is that, although many servers operate on the M247 Europe SRL ASN, these servers are\r\nhosted on different subsidiaries, such as the one shown in Figure 3, hosted at M247 LTD Paris Infrastructure.\r\nThe threat actor's choice to use different M247 European subsidiaries, such as M247 Europe SRL, appears to be a\r\nstrategic decision aligned with their targeting objectives. This approach could allow for targeting victims in\r\nspecific regions by blending in so as not to raise the suspicions of network defenders.\r\nConversely, the preference for M247, a network known to host malicious content, may reflect the threat actor's\r\ntactic of leveraging a reliable and familiar infrastructure to maintain and expand their operations.\r\nIn either case, using various subsidiaries showcases a deliberate tactic in infrastructure management. This strategy\r\npotentially enhances the actor's ability to evade detection and sustain their malicious activities across multiple\r\nregions.\r\nFigure 3: SolarMarker Servers Hosted on M247 Subsidiaries\r\nAdditional M247 locations were observed in Stockholm, Amsterdam, Copenhagen, and Zurich.\r\nThe Oddball\r\nOut of the 20 results for SolarMarker infrastructure, our query found only one IP that did not use the standard port\r\n80. 
The IP, 146.70.40_234, has a C2 configuration match on port 443 and has ports 22, 80, and 3306 open.\r\nThis IP hosts a Let's Encrypt TLS certificate with the domain barekaz[.]com as the issuer common name.\r\nFigure 4: Suspected SolarMarker Infrastructure on Port 443\r\nFigure 5 shows data for the certificate, including the JA4X hash and fingerprints.\r\nFigure 5: TLS Certificate for 146.70.40_234\r\nLittle information was available for the domain, and attempts to contact it resulted in an HTTP 404 Not Found\r\nerror.\r\nFigure 6: 404 Error For Certificate Domain\r\nWith an infrastructure of multiple tiers that handle various infection operations, a lone individual is unlikely to\r\nconduct server management.\r\nThe actor maintained solid operational security (OPSEC) by using separate SSH keys for many of the C2 servers,\r\nexcept for one instance. 
One of those servers, 217.138.215_79, hosted an SSH key that we pivoted on and found\r\nover 100 other servers using the same key.\r\nThe below view is an example of using the \"Associations\" tab in Hunt.\r\nFigure 7: Snippet of IPs Sharing the Same SSH Keys\r\nSimilarly, the SSH History tab provides detailed information, including the SSH version, first and last seen\r\ndates/times, and similar IPs.\r\nThis particular instance uses SSH-2.0-OpenSSH_8.4p1 Debian-5+deb11u1.\r\nFigure 8: Screenshot of SSH History tab in Hunt\r\nWe won't cover all 100+ servers, but we will examine a few that caught my eye during the research and are still\r\nactive as of this writing.\r\nSliver \u0026 Raccoon Stealer\r\nIP addresses 185.17.40_153 and 146.70.106_171 hosted instances of the open-source adversary emulation\r\nframework Sliver (https://github.com/BishopFox/sliver) during the same period as the shared SSH key.\r\nIn early 2023, the IP ending in .171 also hosted Raccoon Stealer on port 80. 
We will use the History feature to\r\nexamine the timeline of the ports and services to understand how they overlap.\r\n*The SSH hash beginning with \"354408...\" is the shared key.\r\nFigure 9: SSH Associated IP Hosting Sliver and Raccoon Stealer\r\nFigure 10: SSH Associated IP Hosting Sliver\r\nInteresting Domains\r\nFigure 11: Domain previously Associated With Lycantrox Infrastructure\r\ngrvnews.live was previously identified as associated with Lycantrox infrastructure, as detailed in this SEKOIA\r\nblog post: https://blog.sekoia.io/active-lycantrox-infrastructure-illumination/.\r\nHunt first detected the SSH key on the server in July 2023, and according to PDNS records, the domain began\r\nresolving to the IP shortly after that in August.\r\nIt is important to clarify that this is not an attempt to link Lycantrox and SolarMarker but to highlight different\r\nactors' reuse of IP addresses.\r\nInterac Spoofed Domain\r\n188.116.34_204 currently hosts two domains, interac-financial[.]com and colminek[.]com. The former is likely an\r\nattempt to impersonate a legitimate Canadian company that facilitates electronic financial transactions between\r\nbusinesses and banks.\r\nFigure 12: IP Hosting Likely Phishing Domain\r\nSimilar to the previously mentioned domain, this domain also returns a 404 error.\r\nE-Payment Provider Spoofed Domain\r\nThree domains were found on IP address 2.58.15_58: mail.myfawry[.]net, myfawry[.]net, and\r\nwww.myfawry[.]net. These domains are likely attempting to spoof Fawry, an e-payment and digital finance\r\nsolutions provider in Egypt. 
In an ongoing theme, all three domains return a 404 error.\r\nFigure 13: SSH Key Linked IP Hosting Suspicious Domains\r\nWe have some work to do with so many IPs to pivot on for the shared SSH key. If we find anything significant,\r\nwe'll consider an additional blog post or post on X to keep the community informed.\r\nPlease follow our X/Twitter account, @Huntio, to stay updated on our findings and future blogs.\r\nWrap-Up\r\nIn this blog post, we explored SolarMarker's infrastructure, uncovering key IP addresses, domains, and server\r\nconfigurations associated with the malware. Our findings revealed intriguing patterns, such as the reuse of IP\r\naddresses and SSH keys by different threat actors and the strategic use of various hosting providers.\r\nIndicators\r\nSolarMarker IP Addresses\r\n2.58.14_183\r\n2.58.15_58\r\n2.58.15_214\r\n23.29.115_186\r\n45.86.163_163\r\n46.17.96_139\r\n46.30.188_221\r\n68.233.238_123\r\n78.135.73_176\r\n146.70.40_234\r\n146.70.71_135\r\n146.70.80_66\r\n146.70.80_83\r\n146.70.145_242\r\n185.243.115_88\r\n193.29.104_25\r\n212_237.217_133\r\n217.138.215_79\r\n217.138.215_105\r\nSSH Key SHA-256 Fingerprint\r\nVktfcw/Kyybnc6sIHBv3WSdmVZzb3/4QFfxUUfPCEQ4=\r\nTLS Cert SHA-256 Fingerprint\r\nefbfbd6116690a61efbfbd601f6c0cefbfbd58efbfbd0e4e582c3fefbfbd30efbfbd36efbfbd6a27\r\nSource: https://hunt.io/blog/solarmarker-hunt-insight-and-findings",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://hunt.io/blog/solarmarker-hunt-insight-and-findings"
	],
	"report_names": [
		"solarmarker-hunt-insight-and-findings"
	],
	"threat_actors": [],
	"ts_created_at": 1775434351,
	"ts_updated_at": 1775826722,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/122c6c67de4138b4b7368d1d9102eb4fa69f833d.pdf",
		"text": "https://archive.orkl.eu/122c6c67de4138b4b7368d1d9102eb4fa69f833d.txt",
		"img": "https://archive.orkl.eu/122c6c67de4138b4b7368d1d9102eb4fa69f833d.jpg"
	}
}