{
	"id": "0381b40b-e49c-44eb-9222-f54e1e6b01c8",
	"created_at": "2026-04-06T00:06:45.644602Z",
	"updated_at": "2026-04-10T03:37:09.189626Z",
	"deleted_at": null,
	"sha1_hash": "16b788bdf4f40514bdc354d7c216b0e7fdcdeee4",
	"title": "eSentire Threat Intelligence Malware Analysis: SolarMarker",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3854118,
	"plain_text": "eSentire Threat Intelligence Malware Analysis: SolarMarker\r\nBy eSentire Threat Response Unit (TRU)\r\nArchived: 2026-04-05 20:20:26 UTC\r\nSince first emerging in 2020, SolarMarker (aka: Jupyter, Polazert, Yellow Cockatoo) remains one of the most successful\r\nmalware campaigns, relying heavily on social engineering through search engine optimization (SEO). SolarMarker has\r\nsignificantly developed its capabilities since it first appeared in the wild – from C2 communication that is challenging to\r\ndecrypt, to obfuscation that slows down malware analysis.\r\nSolarMarker has two major capabilities, it installs a backdoor or an infostealer as soon as the victim runs the payload.\r\nBoth SolarMarker’s modules can damage organizations as the backdoor can be leveraged by attacker(s) to deploy\r\nadditional malware or steal sensitive information.\r\nThis malware continues to remain active in the wild and researchers from Morphisec believe that it is the work of\r\nRussian-speaking actor(s). The first admin panel was found hosted on a Russian server Joint Stock company (JSC) \"ER-Telecom Holding\". The background image of Jupiter from the admin panel that the researchers reversed originating from\r\nforums containing Cyrillic.\r\neSentire has observed a significant increase in SolarMarker infections delivered via drive-by downloads.\r\nKey Takeaways:\r\nSolarMarker achieves persistence by creating a LNK file containing the encrypted backdoor or infostealer under\r\nStartup. The backdoor/infostealer then gets decrypted and loaded into memory as a PowerShell process.\r\nThe malware uses MSI (Windows installer package files) and executable (.exe) payloads that are over 200MB in\r\nsize to evade sandbox analysis. 
The eSentire Threat Response Unit (TRU) has recently observed that the attacker(s) switched to delivering more executable files rather than MSI files.\r\nSolarMarker has the capability to fingerprint users’ browsers to prevent researchers from downloading multiple payloads for analysis.\r\nThe infostealer module includes the function responsible for decrypting DPAPI-protected data, including browser credentials and cookies.\r\nSolarMarker’s backdoor can retrieve additional malicious payloads from C2 channels using the get_file command.\r\nSolarMarker Technical Analysis\r\nDistribution\r\nThe initial infection occurs when the user visits a malicious website that is stuffed with keywords to deceive search engines into giving it a higher search ranking (Exhibit 1).\r\nhttps://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-solarmarker\r\nPage 1 of 21\r\nExhibit 1: Malicious websites hosting the payload\r\nAt the time of this analysis, eSentire’s TRU team has observed that the malicious payload is delivered via two methods:\r\n1. Google Groups Pages\r\n2. 
Compromised WordPress webpages (the malicious download lures are uploaded through Formidable under the path \"/wp-content/uploads/formidable/\", which is the plugin's default file upload location)\r\nAn example of payload distribution via Google Groups Pages is shown in Exhibit 2.\r\nExhibit 2: Google Groups used to deliver the payload\r\nWe observed that the attacker(s) did a bulk upload of the payloads (501 files) on August 8, 2021 (Exhibit 3).\r\nExhibit 3: 501 payloads were uploaded on the same day (8/8/2021)\r\nBelow is an example of a compromised WordPress website hosting the payload; the third page contains the keywords used for SEO poisoning (Exhibit 4).\r\nExhibit 4: Compromised WordPress webpage hosting a payload\r\nIf a targeted victim clicks on one of the two download options, they are taken through multiple redirects to different webpages (Exhibit 5) showing a loading icon, to make it look as if the webpage is legitimately generating a document for the user to download (Exhibit 6).\r\nExhibit 5: Website redirects once the user clicks the \"Download\" button\r\nExhibit 6: The \"loading\" page that gets loaded from different URLs\r\nThe end-user is presented with a fake Google Drive download page after all the redirects (Exhibits 7-8). The URL of the final download page changes every time the user initiates a new download or clicks a “Download” button. We have observed that most of the domains used by the SolarMarker threat actor(s) are hosted on Freenom. 
\r\nExhibit 7: Example of a payload download page (1)\r\nExhibit 8: Example of a payload download page (2)\r\nFurther analysis by eSentire’s TRU team discovered an obfuscated JavaScript script embedded in the source code of the download page (Exhibit 9). One of the decryption functions is named “h, u, n, t, e, r”. We were able to find the same obfuscation technique reproduced by another security researcher.\r\nExhibit 9: Obfuscated script found in the source code\r\nThe de-obfuscated script (Exhibit 10) is responsible for redirecting the user to another URL if no user interaction is observed within a certain amount of time. The redirect URL appends the total number of mouse events from the end-user after the “udh=” parameter. From what we have observed, that URL appears to be empty.\r\nExhibit 10: Deobfuscated script\r\nTRU has observed that the threat actor(s) replaced their Google Drive landing pages with a fake Microsoft page (Exhibit 11).\r\nExhibit 11: Fake Microsoft landing page\r\nThe threat actor(s) used an image from PDF conversion software advertised on the HiAppHere Market as part of the landing page. 
The next page to which the victim is redirected to download the payload is also embedded within the landing page (the embedded URL is different each time the landing page is generated), as seen in Exhibit 12.\r\nExhibit 12: Landing page source code\r\nHowever, attempting to download the payload twice from the same browser did not prove successful, so we worked off the hypothesis that a fingerprinting mechanism prevents researchers from downloading payload samples. Further analysis led to an interesting URL used in an iframe (an HTML element that embeds another HTML page within the current one). The embedded page contains a FingerprintJS (browser fingerprinting library) JavaScript snippet that assigns each visitor an identifier (Exhibit 13). Every visitor gets a unique visitorID hash value, which is calculated from multiple browser attributes. The hash is identical for the same browser on the same device whether or not the user is visiting in Incognito (private) mode. As such, the user is only able to download the payload once from the same browser.\r\nExhibit 13: Content of another embedded HTML page\r\nWhen we made a second attempt to download the payload, we received files masquerading as a PDF and a DOCX, filled with gibberish data (Exhibit 14).\r\nExhibit 14: Downloaded files filled with gibberish data instead of a payload\r\nInfection\r\nAt the time of this analysis, the downloaded payloads analyzed are over 200MB in size and come in the form of EXE and MSI files. Most sandboxes have size limitations for uploaded files. 
eSentire TRU assesses it as almost certain that the SolarMarker payloads are compiled in large sizes for sandbox evasion.\r\nThe file we analyzed is a 32-bit executable (262 MB in size). The original name of the file is IOSdyabisytda.exe. We have consistently observed that the threat actor(s) use the same name for initial payloads.\r\nSHA-256: 85fb7076044071a28afb43bec12e4f8ce93525132b2ae512934529f9f09895a5\r\nThe compile date is November 12, 2021.\r\nThe file is signed with a DigiCert certificate issued to Outer Join Srl. The eSentire TRU team has observed that SolarMarker is leveraging DigiCert and SSL.com for digital signatures. The payloads were seen under the following signer names:\r\nOOO LEVELAP\r\nOOO ENDI\r\nDecapolis Consulting Inc.\r\nDivertida Creative Limited\r\nZimmi Consulting Inc.\r\nWalden Intertech Inc.\r\nInterestingly, we found another sample on MalwareBazaar attributed to Arkei Stealer using Outer Join Srl as the signer's name. The certificates for both SolarMarker and Arkei Stealer were issued by DigiCert and were valid from 8/16/2021 to 8/13/2022.\r\nUpon execution of the initial payload, a decoy file named with 8 random characters is created in the folder the payload was downloaded to, as well as under the path C:\\Users\\*\\AppData\\Roaming\\Free PDF Soulutions. The decoy file is disguised as PDF Merge software (Exhibit 15). 
The infection chain is shown in Exhibit 16.\r\nIn the past, we have observed SolarMarker delivering Classic PDF Editor, Wondershare PDFelement, and PDFsam as decoys.\r\nExhibit 15: Decoy file (PDF Merge)\r\nExhibit 16: Infection chain\r\nExhibit 17: The function responsible for running a malicious PowerShell script\r\nIt is worth noting that the core functionality lies within the function that runs the PowerShell script shown in Exhibit 17.\r\n1. This command is responsible for converting letters to upper and lower case.\r\n2. This command is responsible for creating a directory under the %TEMP% folder.\r\n3. This command is responsible for creating a .LNK file that contains the encrypted backdoor or infostealer under Startup (persistence mechanism).\r\n4. This function is responsible for decrypting the SolarMarker backdoor using AES (Advanced Encryption Standard), also known as Rijndael.\r\n5. This command is responsible for registering a file extension key (this is used so the file can be invoked from a PowerShell script later).\r\n6. This command is responsible for writing the payload content and executing it.\r\nBelow, we demonstrate how the aforementioned PowerShell script works.\r\nThe payload registers a randomly named extension key under Computer\\HKEY_CLASSES_ROOT\\ (Exhibit 18).\r\nExhibit 18: Registering an extension under HKCR\r\nThe file extension key points to the handler key. 
The handler key contains the PowerShell command (Exhibit 19) responsible for decrypting the payload located in a randomly named folder under the %TEMP% directory (Exhibit 20).\r\nExhibit 19: PowerShell command to decrypt the payload\r\nExhibit 20: The encrypted payload\r\nThe threat actor(s) changed their payload encryption and decryption methods to use AES. In the past, we have observed SolarMarker decrypting the payload using an XOR key (Exhibit 21).\r\nExhibit 21: Previous payload decryption mechanism used by SolarMarker\r\nAfter the payload is decrypted, the SolarMarker backdoor runs in memory under the powershell.exe process and reaches out to the C2 IP 146.70.53.153.\r\nSolarMarker comes in two different modules:\r\nSolarMarker Backdoor\r\nSolarMarker Infostealer\r\nSolarMarker Backdoor\r\nThus far, eSentire TRU has observed that the majority of SolarMarker deployments result in backdoor deployments, as the backdoor provides the threat actor(s) with the option to deliver additional payloads. The backdoors are obfuscated .NET DLLs (Dynamic Link Libraries).\r\nIn April 2021, SolarMarker backdoors were relatively easy to spot (Exhibit 22). 
However, since April 2021, the threat actor(s) have further developed their capabilities to include extra layers of obfuscation to challenge security researchers conducting analyses (Exhibit 23).\r\nExhibit 22: SolarMarker backdoor observed in April 2021\r\nExhibit 23: SolarMarker backdoor observed most recently (March 2022)\r\nThe most recent backdoor (SHA-256: eeecc2bd75ec77db22de5c47efe1fbef63c6b310d34bac6e3b049eef7f86c90b), compiled on April 4, 2022, came with more obfuscation and a bigger file size (578KB) than the previous backdoor we observed in March 2022 (142KB).\r\nSolarMarker encrypts all traffic to the C2 servers using a hard-coded RSA key and the symmetric AES CBC (Cipher Block Chaining) algorithm (Exhibit 24).\r\nExhibit 24: Encrypted traffic\r\nThe hard-coded RSA key is obfuscated in the recent sample (Exhibit 25).\r\nExhibit 25: Obfuscated RSA key\r\nThe following are examples of the hard-coded RSA keys from two recently analyzed samples.\r\nSample from March 2022:\r\n\u003cRSAKeyValue\u003e\r\n\u003cModulus\u003emiX5pqHHoi4bCmFMVXn011knsHqrax4gkkfzIRjmgoY+e3ZoZxGrv0iFR51Pfr2tC+L38rejzLcTQu1af/5gV8axXDvEtQOBcW\u003c/Modulus\u003e\r\n\u003cExponent\u003eAQAB\u003c/Exponent\u003e\r\n\u003c/RSAKeyValue\u003e\r\nSample from April 2022 (de-obfuscated):\r\n\u003cRSAKeyValue\u003e\r\n\u003cModulus\u003e1Jdz6XZ+pS1/3M6Ckgp80OODMqYyvFp7GY30flJPdAiNnsXg171wHz+rBtU5dHPCiEtHSf/Qh59ocgFPEMKcbsUErt1bmqcRcw\u003c/Modulus\u003e\r\n\u003cExponent\u003eAQAB\u003c/Exponent\u003e\r\n\u003c/RSAKeyValue\u003e\r\nThe backdoor enumerates the infected machine and then exfiltrates the data in JSON format to the C2 server. 
The following are examples of the most recent JSON messages sent to the C2:\r\n{\"action\":\"ping\",\"hwid\":\"91NUSI6GCG34GIUNY1LDBDXVC7F8ILXY\",\"pc_name\":\"\",\"os_name\":\"Win 10\",\"arch\":\"x64\",\"ri\r\n{\"action\":\"get_file\",\"hwid\":\"(),\"task_id\":\"(),\"protocol_version\":2}\r\n{\"action\":\"ping\",\"hwid\":\"98GIWW5X3CY8G90WAAYVL6595WE2H8UQ\",\"pc_name\":\" \",\"os_name\":\"Win 10\",\"arch\":\"x64\",\"r\r\nThe collected information includes machine name, OS version, system architecture (x64 or x86), user rights (Admin or Users), workgroup, DNS, and protocol version. In addition, the following fields can be identified:\r\naction – commands sent from the C2 channel (e.g., the get_file command retrieves additional payloads from the C2)\r\nhwid – the victim’s unique ID\r\nversion – version of the SolarMarker backdoor\r\ntask_id – likely assigned by the C2 to identify the specific task\r\nThe following pattern identifies the status from the C2 (“file” or “idle”). The status file means the C2 is going to send the infected machine a payload, which can be either an executable (.exe) or a PowerShell script (.ps1). The additional payloads are written to the %TEMP% folder. 
The payload also appends a unique base64-encoded hash that is different for each communication between the C2 server and the infected machine.\r\n{\"status\": \"idle\", \"uniq_hash\": \"J3FutDyWOcLByw==\"}\r\nThe command value is used to invoke the PowerShell script fetched from the C2 (Exhibit 26).\r\nExhibit 26: The function responsible for invoking a PowerShell script via the \"command\" value\r\nSolarMarker Infostealer\r\nThe crypto wallet stealing capability can be seen in the Module.Main class (Exhibit 27).\r\nExhibit 27: Crypto wallet stealing capability\r\nThe list of targeted crypto wallets includes:\r\nAtomic\r\nGuarda\r\nSimpleOS\r\nNeon\r\nWasabi\r\nMyMonero\r\nJaxx\r\nElectrum\r\nEthereum\r\nExodus\r\nGreenAddress\r\nCoinWallet\r\nCoinomi\r\nLedgerLive\r\nTrinity\r\nScatter\r\nThe SolarMarker infostealer also has the capability to steal VPN and RDP configurations, as well as cookies and browser credentials from Opera, Brave, Microsoft Edge, Mozilla Firefox, and Google Chrome. Browsers store passwords and cookies in an encrypted form; unfortunately, it does not take the infostealer a lot of effort to decrypt them. 
Some of the main prerequisites needed to decrypt browser credentials and cookies are shown in Exhibit 28.\r\nLocal State – file that contains the browser’s configuration, including the encryption key, itself protected with DPAPI (Data Protection API).\r\nLogin Data – SQLite3 database that stores the user’s encrypted passwords, URLs, and usernames.\r\nos_crypt and encrypted_key – the DPAPI-protected encryption key extracted from the Local State file and base64-decoded.\r\nThe infostealer then calls the CryptUnprotectData function to decrypt the data.\r\nExhibit 28: Decryption function for browser credentials and cookies\r\nThe infostealer fingerprints OS information and sends it to the C2 using a pattern similar to the one described above for the backdoor. Communication with the C2 channels is also similar to the backdoor, using a hard-coded RSA key and the symmetric AES CBC algorithm.\r\nHow eSentire is Responding\r\nOur Threat Response Unit (TRU) combines threat intelligence obtained from research and security incidents to create practical outcomes for our customers. We are taking a full-scale response approach to combat modern cybersecurity threats by deploying countermeasures, such as:\r\nImplementing threat detections and BlueSteel, our machine-learning powered PowerShell classifier, to identify malicious command execution and exploitation attempts and ensure that eSentire has visibility and detections in place across eSentire MDR for Endpoint and Network.\r\nPerforming global threat hunts for indicators associated with SolarMarker.\r\nOur detection content is supported by investigation runbooks, ensuring our SOC analysts respond rapidly to any intrusion attempts related to known malware Tactics, Techniques, and Procedures (TTPs). 
In addition, TRU closely monitors the threat landscape, constantly addresses capability gaps, and conducts retroactive threat hunts to assess customer impact.\r\nRecommendations from eSentire’s Threat Response Unit (TRU)\r\nWe recommend implementing the following controls to help secure your organization against the SolarMarker malware:\r\nImplement a Phishing and Security Awareness Training (PSAT) program that educates employees about the threat landscape.\r\nTrain users to distinguish ‘normal’ file extensions from ‘abnormal’ extensions.\r\nEncourage your employees to use password managers instead of the password storage feature provided by web browsers.\r\nReview eSentire’s blogs and Security Advisories to stay up to date on the latest threats and trends impacting the threat landscape.\r\nConfirm that all devices are protected by ensuring that anti-virus signatures are up to date and by using a Next-Gen AV (NGAV) or Endpoint Detection and Response (EDR) solution to detect and contain threats.\r\nEnsure that role-based access control (RBAC) restricting system access to authorized users is in place.\r\nWhile the TTPs used by adversaries grow in sophistication, so do your organization's defenses. 
Preventing the various attack paths utilized by the modern threat actor requires actively monitoring the threat landscape, developing and deploying endpoint detection, and the ability to investigate logs \u0026 network data during active intrusions.\r\neSentire’s TRU team is a world-class team of threat researchers who develop new detections enriched by original threat intelligence and leverage new machine learning models that correlate multi-signal data and automate rapid response to advanced threats.\r\nIf you are not currently engaged with an MDR provider, eSentire MDR can help you reclaim the advantage and put your business ahead of disruption.\r\nLearn what it means to have an elite team of Threat Hunters and Researchers that works for you. Connect with an eSentire Security Specialist.\r\nAppendix\r\nhttps://unit42.paloaltonetworks.com/solarmarker-malware/\r\nhttps://news.sophos.com/en-us/2022/02/01/solarmarker-campaign-used-novel-registry-changes-to-establish-persistence/\r\nhttps://blog.morphisec.com/jupyter-infostealer-backdoor-introduction\r\nIndicators of Compromise\r\nYara Rules\r\nThe YARA rules for the malicious DLLs and the executable:\r\nimport \"pe\"\r\nrule SolarMarker_backdoor {\r\n    meta:\r\n        author = \"eSentire TI\"\r\n        date = \"04/13/2022\"\r\n        version = \"1.0\"\r\n    strings:\r\n        $string1 = \"ezkabsr\" wide fullword nocase\r\n        $string3 = \"deimos.dll\" wide fullword nocase\r\n        $string4 = \"solarmarker.dat\" wide fullword nocase\r\n        $string5 = \"dzkabr\" wide fullword nocase\r\n        $string6 = \"Invoke\"\r\n        $string7 = \"set_UseShellExecute\"\r\n    condition:\r\n        // PE (MZ) header or ELF magic (0x464c457f is the ELF magic read as a little-endian uint32)\r\n        2 of ($string*) and\r\n        (uint16(0) == 0x5A4D or uint32(0) == 0x464c457f)\r\n}\r\nimport \"pe\"\r\nrule SolarMarker_stealer {\r\n    meta:\r\n        author = \"eSentire TI\"\r\n        date = \"04/13/2022\"\r\n        version = \"1.0\"\r\n 
    strings:\r\n        $string1 = \"exodus.wallet\" wide fullword nocase\r\n        $string2 = \"*wallet*.dat\" wide fullword nocase\r\n        $string3 = \"*.rdp\" wide fullword nocase\r\n        $string4 = \"default.rdp\" wide fullword nocase\r\n        $string5 = \"\\\\atomic\\\\Local Storage\\\\leveldb\"\r\n        $string6 = \"\\\\Login Data\"\r\n        $string7 = \"uniq_hash\" wide fullword nocase\r\n    condition:\r\n        // PE (MZ) header or ELF magic as a little-endian uint32\r\n        5 of ($string*) and\r\n        (uint16(0) == 0x5A4D or uint32(0) == 0x464c457f)\r\n}\r\nimport \"pe\"\r\nrule SolarMarker_payload {\r\n    meta:\r\n        author = \"eSentire TI\"\r\n        date = \"04/13/2022\"\r\n        version = \"1.0\"\r\n    strings:\r\n        $string1 = \"IOSdyabisytda\" wide fullword nocase\r\n        $string2 = \"PowerShell\"\r\n        $string3 = \"Invoke\"\r\n        $string4 = \"ProcessStartInfo\"\r\n    condition:\r\n        // PE (MZ) header or ELF magic as a little-endian uint32\r\n        3 of ($string*) and\r\n        (uint16(0) == 0x5A4D or uint32(0) == 0x464c457f)\r\n}\r\nTo learn how your organization can build cyber resilience and prevent business disruption with eSentire’s Next Level MDR, connect with an eSentire Security Specialist now.\r\nABOUT ESENTIRE’S THREAT RESPONSE UNIT (TRU)\r\nThe eSentire Threat Response Unit (TRU) is an industry-leading threat research team committed to helping your organization become more resilient. TRU is an elite team of threat hunters and researchers that supports our 24/7 Security Operations Centers (SOCs), builds threat detection models across the eSentire XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. 
By providing complete visibility across your attack surface and performing global threat sweeps and proactive hypothesis-driven threat hunts augmented by original threat research, we are laser-focused on defending your organization against known and unknown threats.\r\nSource: https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-solarmarker",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-solarmarker"
	],
	"report_names": [
		"esentire-threat-intelligence-malware-analysis-solarmarker"
	],
	"threat_actors": [
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3a0be4ff-9074-4efd-98e4-47c6a62b14ad",
			"created_at": "2022-10-25T16:07:23.590051Z",
			"updated_at": "2026-04-10T02:00:04.679488Z",
			"deleted_at": null,
			"main_name": "Energetic Bear",
			"aliases": [
				"ATK 6",
				"Blue Kraken",
				"Crouching Yeti",
				"Dragonfly",
				"Electrum",
				"Energetic Bear",
				"G0035",
				"Ghost Blizzard",
				"Group 24",
				"ITG15",
				"Iron Liberty",
				"Koala Team",
				"TG-4192"
			],
			"source_name": "ETDA:Energetic Bear",
			"tools": [
				"Backdoor.Oldrea",
				"CRASHOVERRIDE",
				"Commix",
				"CrackMapExec",
				"CrashOverride",
				"Dirsearch",
				"Dorshel",
				"Fertger",
				"Fuerboos",
				"Goodor",
				"Havex",
				"Havex RAT",
				"Hello EK",
				"Heriplor",
				"Impacket",
				"Industroyer",
				"Karagany",
				"Karagny",
				"LightsOut 2.0",
				"LightsOut EK",
				"Listrix",
				"Oldrea",
				"PEACEPIPE",
				"PHPMailer",
				"PsExec",
				"SMBTrap",
				"Subbrute",
				"Sublist3r",
				"Sysmain",
				"Trojan.Karagany",
				"WSO",
				"Webshell by Orb",
				"Win32/Industroyer",
				"Wpscan",
				"nmap",
				"sqlmap",
				"xFrost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434005,
	"ts_updated_at": 1775792229,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/16b788bdf4f40514bdc354d7c216b0e7fdcdeee4.pdf",
		"text": "https://archive.orkl.eu/16b788bdf4f40514bdc354d7c216b0e7fdcdeee4.txt",
		"img": "https://archive.orkl.eu/16b788bdf4f40514bdc354d7c216b0e7fdcdeee4.jpg"
	}
}