{
	"id": "cbf03c2e-52b0-464d-9bd7-eb2485ce8edf",
	"created_at": "2026-04-06T00:06:51.483556Z",
	"updated_at": "2026-04-10T03:23:51.222003Z",
	"deleted_at": null,
	"sha1_hash": "88fa687fe45de67884f0cf9112ac5859307264f3",
	"title": "Mars-Deimos: From Jupiter to Mars and Back again (Part Two)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 762262,
	"plain_text": "Mars-Deimos: From Jupiter to Mars and Back again (Part Two)\r\nPublished: 2021-06-20 · Archived: 2026-04-05 15:24:11 UTC\r\nImage: A drawing of the planet Jupiter\r\nDropper SHA256: a871b7708b7dc1eb6fd959946a882a5af7dafc5ac135ac840cfbb60816024933\r\nBackdoor SHA256: cc17391dde8a9f3631705c01a64da0989b328760e583009e869a7fff315963d7\r\nIn May, I published an analysis of the persistence mechanism for Mars-Deimos and had intended to publish further analysis of that individual sample; however, there have been many changes to the distributed malware since that time.\r\nAs a reminder and abbreviated summary, a particular malware author or group of authors had started using a malware which appeared to be tracked internally by the authors as Mars-Deimos, and I documented the persistence mechanism of that malware. The malware family is also tracked by researchers under other names: Jupyter, Solarmarker, Yellow Cockatoo, and Polazert.\r\nJupyter had been documented by a few organizations as being able to steal browser cookies and passwords. However, the authors also distributed a malware named Mars-Deimos, which differed substantially from Jupyter.\r\nMars-Deimos has functionality for collecting information about the victim computer, encrypting the information and submitting it back to the Command and Control server (C2). 
It also has functionality to download and execute code.\r\nhttps://squiblydoo.blog/2021/06/20/mars-deimos-from-jupiter-to-mars-and-back-again-part-two/\r\nPage 1 of 9\n\nImage: The function table from dnSpy when analysing Mars-Deimos.\r\nThis article will focus on the distribution system used by this malware author and on some recent changes and techniques that have been seen in the malware family.\r\nDistribution\r\nThe malware is downloaded the following way: a victim googles for a template of a document, one of the search results is a Google Site (sites.google.com), and the Google Site offers them a PDF or DOC version of the template.\r\nNOTE: You’ll see randomly named documents like those in the picture below: “Invoice PDF to Excel” or “Indeed Resume File Format”. All of these are completely randomized and the names don’t matter for the sake of the malware. In fact, you can change the URL and give it a custom name if you want; again, it doesn’t matter, since the same malware gets dropped.\r\nImage: Google Site which hosts links to the malware.\r\nThe user will select to download a PDF or DOC. By clicking one of the links, the victim will be sent off of the Google Site in order to download the malware. The distribution system also has features in place to prevent users from making too many downloads.\r\nFor several months, the download page was a spoofed Microsoft website.\r\nNOTE: For security training, users should at least be aware of the idea of red flags. I believe this is a common idea in our world and it is important to apply it to cybersecurity as well in our training sessions. 
If they find something that seems off, like a Google Site leading to a Microsoft website, they should be encouraged to be skeptical.\r\nImage: Spoofed Microsoft Website. Take note of the URL “enpfereschemry.tk”.\r\nThe current download site is a spoofed Google Drive. Between the download button and the Google Drive site, the user is passed through some oddly named sites. In this instance, those sites should be red flags for the user as they are unusual for Google sites and Google Drive.\r\nThe user is then presented with a download button to download the “template” or “document” they are requesting. Many modern browsers will give a warning about the download as the browser recognizes it as an executable.\r\nImage: Spoofed Google Drive website. Take note of the URL “badibebiro.tk”.\r\nTheir distribution system is very dynamic and very extensive. There are at least 60,000 Google Sites that lead to the malware and I have documented ~1,000 unique domains controlled by the authors. The URLs on the Google Site are updated through JavaScript to assign the appropriate URL to the buttons on the page.\r\nThe Binary\r\nWhen the malware is downloaded, its icon is set to be that of a PDF file. The file is ~107 MB in size in order to prevent it being uploaded to most automated malware analysis sites (most free or paid malware analysis sites have a size restriction of 100 MB).\r\nThe malware is often built using the installer program Inno Setup. Unpacking the Inno Setup installer reveals junk data files which the authors themselves had named “waste”. These “waste” files exist simply to make the executable large. 
In addition to the waste files there is a decoy PDF program.\r\nThe malware authors have recently been seen deviating from Inno Setup. One recent binary was built with Delphi 7 and includes PowerShell executed from the compiled binary. The PowerShell reads and executes a temporary file. It is consistent with the scripts they use in other parts of their malware deployment:\r\nImage: PowerShell executed when the malware is run\r\nStep one: set $xp to a file dropped into AppData\\Local\\Temp\\\r\nStep two: set $xk to a key\r\nStep three: read the file $xp into the variable $xb, converting it from Base64\r\nStep four: delete the temporary file\r\nStep five: decode the bytes in $xb with the key, using -bxor inside a pair of nested for-loops\r\nStep six: convert $xb to a string using UTF8 encoding\r\nStep seven: execute the decoded code in memory.\r\nAt this point in time, it appears very few antivirus products detect this behavior from the executable. However, this type of behavior should be caught by an Endpoint Detection and Response (EDR) system that is being monitored by SOC analysts or system administrators. Organizations should enable PowerShell script block logging for catching PowerShell execution: script block logging records the PowerShell code that is executed on a system, allowing for an analysis of what had been executed.\r\nThe executed code from this malware sets in motion the loading of an info-stealing malware and sets a persistence mechanism. The most recent executables sleep for 30 minutes prior to starting the info-stealing malware.\r\nPersistence\r\nPreviously, the malware’s persistence was managed by changing shortcuts to call the malware when the shortcuts were executed. That is, the shortcut would perform its original function and also execute a malicious .bat/.cmd script to load the malware into memory. 
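The seven loader steps described above, re-implemented as an added Python example (this is not the dropper’s own code) so that the dropped temp file can be decoded for review instead of being executed. The key and the stage-two script it round-trips are constructed for the example, and the two nested for-loops are assumed to amount to a repeating-key XOR:

```python
import base64

# Added example (not code from the original post): a Python re-implementation of
# steps three to six of the dropper's PowerShell loader, so an analyst can recover
# the script from the dropped temp file without running step seven (IEX).
# Assumption: the outer for-loop walks the payload and the inner one walks the key,
# which amounts to a repeating-key XOR.


def xor_with_key(data: bytes, key: bytes) -> bytes:
    # Mirrors the nested loops: for every position i in the payload, XOR with
    # key[j] where j cycles through the key. Identical to data[i] ^ key[i % len(key)].
    if not key:
        raise ValueError('key must not be empty')
    out = bytearray(len(data))
    i = 0
    while i < len(data):            # outer loop over the payload
        for k in key:               # inner loop over the key bytes
            if i >= len(data):
                break
            out[i] = data[i] ^ k
            i += 1
    return bytes(out)


def decode_dropped_payload(b64_text: str, key: str) -> str:
    # Step three: the temp file holds Base64 text; decode it to bytes ($xb).
    raw = base64.b64decode(b64_text)
    # Step five: undo the -bxor loop with the key ($xk).
    plain = xor_with_key(raw, key.encode('utf-8'))
    # Step six: the result is UTF-8 text. Step seven (IEX) is deliberately NOT done;
    # the decoded script is returned for review instead of being executed.
    return plain.decode('utf-8')


def build_dropped_payload(script: str, key: str) -> str:
    # The dropper's inverse (XOR is symmetric); used only to construct the sample below.
    enc = xor_with_key(script.encode('utf-8'), key.encode('utf-8'))
    return base64.b64encode(enc).decode('ascii')


# Constructed sample stage two, not a real Mars-Deimos payload: it reads a file from
# a random folder, loads it with System.Reflection.Assembly and calls a method on it.
SAMPLE_KEY = 'q7Zr'
SAMPLE_STAGE2 = '''$b = [IO.File]::ReadAllBytes((Join-Path $env:APPDATA 'aJkQpLmXnRtYwZ'))
$a = [System.Reflection.Assembly]::Load($b)
$a.GetType('M').GetMethod('Run').Invoke($null, $null)'''


def demo() -> str:
    # Round trip: encode as the dropper would, then decode as the analyst would.
    dropped = build_dropped_payload(SAMPLE_STAGE2, SAMPLE_KEY)
    return decode_dropped_payload(dropped, SAMPLE_KEY)


if __name__ == '__main__':
    print(demo())
```

To use it on a real case, read the temp file that $xp points at (step one) and the value assigned to $xk (step two) out of the script block log entry, and pass them to decode_dropped_payload; the returned text is the next stage and can be examined before anything is run.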
In lieu of changing shortcuts, recent revisions have dropped a .lnk file in the user’s Start Menu\\Programs\\Startup directory. With the .lnk file placed in this directory, it will be executed on startup and start the backdoor. EDR systems and system administrators should monitor this directory as it is frequently used by malware.\r\nThe file path used by the malware will use inconsistent capitalization for words like “Windows” in order to avoid some detection techniques (e.g., case-sensitive string matches) and will look something like this:\r\n\"C:\\Users\\*****\\AppData\\Roaming\\miCrOsofT\\wINDoWS\\stARt meNU\\PRogrAMS\\startUp\\a19392f921e4f9a03b0a251\r\nNewer revisions have stopped using a .bat/.cmd file and instead use a file with a random extension. The file the .lnk points to is normally in the user’s AppData\\Roaming or AppData\\Roaming\\Microsoft directory. The folder will be a randomly named directory: older versions use 4 characters, newer versions use around 14 characters.\r\nImage: A randomly named directory with randomly named files, with randomly named extensions.\r\nThe .lnk file in this instance points to the highlighted file in the image above. It uses a name starting with “AJftzy”. When the .bat/.cmd script was used, it had been saved in this directory; however, the files that are now created appear to be decoy files and the real persistence is achieved through the file extension.\r\nPowerShell is used by the malware to register the randomized file extension, in this case “.xmJqGtrIkQlFig”, and in turn the file extension points to another class in the registry (“xmJqGtrlkQlFig_auto_file”).\r\nImage: The registry key created by the malware.\r\nThis registry class is set to execute PowerShell when a file with that extension is opened. 
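The persistence chain just described (a Startup .lnk, a target file with a randomized extension, and an _auto_file class whose open command runs PowerShell), as an added triage example in Python. This is not code from the post or from the malware; the paths and the registry snapshot it checks are constructed to mirror the layout described here:

```python
from pathlib import PureWindowsPath

# Added example (not code from the original post): triage helpers for the two
# persistence artifacts described above, a .lnk in the per-user Startup folder and a
# randomized extension whose _auto_file class launches PowerShell. Paths and registry
# data below are constructed for the example; only the layout mirrors real hosts.

STARTUP_SUFFIX = ('appdata', 'roaming', 'microsoft', 'windows', 'start menu', 'programs', 'startup')


def is_user_startup_path(path: str) -> bool:
    # Compare path components case-insensitively so that spellings such as
    # miCrOsofT or stARt meNU still resolve to the Startup folder. PureWindowsPath
    # accepts either separator, which is why the samples are written with slashes.
    parent = tuple(p.lower() for p in PureWindowsPath(path).parent.parts)
    return parent[-len(STARTUP_SUFFIX):] == STARTUP_SUFFIX


def _default(key: dict) -> str:
    # The (Default) value of a registry key is stored under the empty name here.
    return key.get('', '')


def find_auto_file_handlers(classes: dict) -> list:
    # Windows itself creates <ext>_auto_file ProgIDs when a user picks Open With for
    # an unknown extension, so the suffix alone is not suspicious; a ProgID whose
    # shell/open/command runs PowerShell is.
    hits = []
    for name, key in classes.items():
        if not name.startswith('.'):
            continue
        progid = _default(key)
        if not progid.endswith('_auto_file'):
            continue
        command = _default(classes.get(progid, {}).get('shell', {}).get('open', {}).get('command', {}))
        if 'powershell' in command.lower():
            hits.append((name, progid, command))
    return hits


def startup_lnk_is_hijacked(lnk_path: str, target: str, classes: dict) -> bool:
    # A Startup .lnk whose target carries an extension with a PowerShell handler is
    # the chain this post describes; the target file itself can be a decoy.
    if not is_user_startup_path(lnk_path):
        return False
    ext = PureWindowsPath(target).suffix.lower()
    return any(h[0].lower() == ext for h in find_auto_file_handlers(classes))


# Constructed snapshot of HKCU Software/Classes: nested dicts, one level per subkey.
# The .log entry is a benign Open With registration for contrast.
SAMPLE_CLASSES = {
    '.xmJqGtrIkQlFig': {'': 'xmJqGtrIkQlFig_auto_file'},
    'xmJqGtrIkQlFig_auto_file': {'shell': {'open': {'command': {
        '': 'powershell.exe -ep bypass -w hidden -c iex ([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String((Get-Content (Join-Path $env:APPDATA h5Qz)))))'}}}},
    '.log': {'': 'log_auto_file'},
    'log_auto_file': {'shell': {'open': {'command': {'': '%SystemRoot%/system32/NOTEPAD.EXE %1'}}}},
}

# Constructed paths in the style the post shows (mixed-case Startup path, random folder).
SAMPLE_LNK = 'C:/Users/victim/AppData/Roaming/miCrOsofT/wINDoWS/stARt meNU/PRogrAMS/startUp/a19392f921e4f9a03b0a251.lnk'
SAMPLE_TARGET = 'C:/Users/victim/AppData/Roaming/Microsoft/aJkQpLmXnRtYwZ/AJftzyQrLp.xmJqGtrIkQlFig'
BENIGN_LNK = 'C:/Users/victim/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/OneDrive.lnk'
BENIGN_TARGET = 'C:/Users/victim/AppData/Local/Microsoft/OneDrive/OneDrive.exe'

if __name__ == '__main__':
    for lnk, target in ((SAMPLE_LNK, SAMPLE_TARGET), (BENIGN_LNK, BENIGN_TARGET)):
        print(startup_lnk_is_hijacked(lnk, target, SAMPLE_CLASSES), lnk)
```

On a live host the same checks apply to the .lnk files enumerated from the Startup folder (resolving each shortcut’s target) and to the extension and ProgID keys exported from HKCU:\\Software\\Classes; the point of the case-folding is that the mixed-case spelling shown above must not be allowed to defeat a path match.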
The PowerShell decodes and loads the Mars.Deimos malware into memory and launches it.\r\nImage: The registry key details for the class and command registered by the malware.\r\nFunctionality\r\nIn a previous version of this post, I hadn’t seen the binary loaded through the registry key. Instead, I had only seen the binary loaded by the executable after the 30 minute sleep. So in contrast to my previous understanding, the malware actually loads an info-stealing malware first and then uses Mars-Deimos as a persistent backdoor.\r\nIn recent versions, the malware has used two different binaries for the info-stealer: “F.G.” or Jupyter. The process for starting the binary is nearly identical to starting Mars-Deimos: the binary is read from an obfuscated file in a temporary directory, System.Reflection.Assembly is used to load the binary into memory, and a function native to the binary (like “Run” or “Interact”) is used to execute it.\r\nIn contrast to Mars-Deimos and Jupyter, the F.G. malware appears to check which browsers are installed based on their default directories. If they exist, it will use System.Threading to start new threads. Based on my beginning analysis, it also appears to copy the content of forms in order to pass those back to the C2.\r\nImage: Current binary’s functions as seen from dnSpy\r\nThe authors appear to be maintaining Jupyter, Mars.Deimos and F.G. and using them tactically in different distributions of the malware. They each have their own purpose and it appears that each is being updated and used as the authors see fit.\r\nDetection\r\nThe malware is most reliably caught by EDR systems. 
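As an added example that is not part of the original post, the following Python applies the PowerShell indicators this family keeps reusing (IEX / Invoke-Expression, System.Reflection.Assembly loads, FromBase64String paired with -bxor, and randomized variable names) to constructed script block log entries. The randomized-name heuristic is this example’s own assumption, not a rule from the post:

```python
import re

# Added example (not code from the original post): scoring PowerShell script block
# log entries (Event ID 4104, ScriptBlockText) for the indicators this post calls out:
# IEX / Invoke-Expression, System.Reflection.Assembly loads, FromBase64String combined
# with -bxor, and randomized variable names. The log entries below are constructed.

IEX_RE = re.compile(r'(?i)(^|[^a-z0-9-])(iex|invoke-expression)([^a-z0-9-]|$)')
REFLECTION_RE = re.compile(r'(?i)reflection[.]assembly[]]?::load')
BASE64_RE = re.compile(r'(?i)frombase64string')
BXOR_RE = re.compile(r'(?i)-bxor')
VAR_RE = re.compile(r'[$]([A-Za-z_][A-Za-z0-9_]*)')


def looks_randomized(name: str) -> bool:
    # Heuristic (an assumption of this example, not the post's rule): names such as
    # HjKqLwRtYzPmNb have several capitals with only one- or two-letter lowercase
    # runs between them, while names like ErrorActionPreference have long runs.
    if len(name) < 10:
        return False
    uppers = sum(1 for c in name if c.isupper())
    runs = [len(r) for r in re.split(r'[^a-z]+', name) if r]
    return uppers >= 4 and bool(runs) and sum(runs) / len(runs) < 3


def script_block_indicators(text: str) -> set:
    # Returns the set of indicator names present in one ScriptBlockText value.
    found = set()
    if IEX_RE.search(text):
        found.add('iex')
    if REFLECTION_RE.search(text):
        found.add('reflection_load')
    if BASE64_RE.search(text):
        found.add('base64')
    if BXOR_RE.search(text):
        found.add('bxor')
    if any(looks_randomized(v) for v in VAR_RE.findall(text)):
        found.add('obfuscated_vars')
    return found


def is_suspicious(indicators: set) -> bool:
    # IEX or a reflective assembly load is enough on its own; Base64 decoding is
    # common in legitimate scripts and only counts when paired with -bxor.
    return ('iex' in indicators or 'reflection_load' in indicators
            or {'base64', 'bxor'} <= indicators)


def flag_events(events: list) -> list:
    # Returns the record ids whose ScriptBlockText trips the rule.
    return [e['id'] for e in events if is_suspicious(script_block_indicators(e['ScriptBlockText']))]


SAMPLE_EVENTS = [
    # 1: first-stage loader shaped like the seven steps in this post
    {'id': 1, 'ScriptBlockText': '''$xp = Join-Path $env:TEMP 'xJqL'; $xk = 'q7Zr'; $xb = [Convert]::FromBase64String([IO.File]::ReadAllText($xp)); Remove-Item $xp; for ($i = 0; $i -lt $xb.Length; ) { for ($j = 0; $j -lt $xk.Length -and $i -lt $xb.Length; $j++) { $xb[$i] = $xb[$i] -bxor $xk[$j]; $i++ } }; iex ([Text.Encoding]::UTF8.GetString($xb))'''},
    # 2: second stage with randomized variable names and a reflective load
    {'id': 2, 'ScriptBlockText': '''$HjKqLwRtYzPmNb = [IO.File]::ReadAllBytes($p); $ZxQwErTyUiOpAs = [System.Reflection.Assembly]::Load($HjKqLwRtYzPmNb); $ZxQwErTyUiOpAs.GetType('M').GetMethod('Run').Invoke($null, $null)'''},
    # 3: ordinary administration, should not fire
    {'id': 3, 'ScriptBlockText': 'Get-ChildItem $env:ProgramFiles | Where-Object { $_.PSIsContainer } | Select-Object Name'},
    # 4: Base64 on its own is not enough
    {'id': 4, 'ScriptBlockText': '$cert = [Convert]::FromBase64String($pem); Set-Content -Path $out -Value $cert -Encoding Byte'},
]

if __name__ == '__main__':
    for e in SAMPLE_EVENTS:
        print(e['id'], sorted(script_block_indicators(e['ScriptBlockText'])))
    print('flagged:', flag_events(SAMPLE_EVENTS))
```

With script block logging enabled, the same function can be fed the ScriptBlockText field of Event ID 4104 records from the Microsoft-Windows-PowerShell/Operational log; because the loader runs both at initial infection and from the persistence mechanism, a rule like this catches old infections on their next start as well as new ones.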
During my research over the last few months, many antivirus systems have failed to recognize and adapt to new versions of the malware; however, other researchers have quickly identified infected systems through their monitoring systems. The main attributes seen quickly by EDR systems come from the PowerShell executed by the malware.\r\nThe current versions of the malware use specific, high-fidelity indicators of malicious activity. First, the PowerShell execution uses obfuscated variable names. These obfuscated variable names are a red flag of malicious activity. If you are unfamiliar with the obfuscation of variables, please review my previous blog post regarding this malware. Second, the malware consistently uses IEX (Invoke-Expression) and System.Reflection.Assembly for executing the malware. These are both means of executing and loading code on a system and are rare for legitimate processes to use. Watching for the use of these two functions has been a high-quality means of detecting the malware. The PowerShell execution is called both in the initial infection and through the persistence mechanism, so if an organization begins to monitor for this use of PowerShell, they should detect both new and past infections.\r\nThe malware can also be detected using YARA rules. The most consistent YARA rule for detecting this malware has been based on the DLL backdoor, as the name of the DLL appears to follow a consistent pattern across versions of the malware. The YARA rule created by Luke Acha is able to identify the processes which have loaded the DLL. For those unfamiliar with using YARA rules, consider using the YARA Memory Scanner from Binary Defense’s GitHub repository. 
This scanner can be given a YARA rule or the URL to a YARA rule and it can scan a system to detect if the malware is present in memory.\r\nFor example, the following PowerShell will run the YaraMemoryScanner script, download the YARA rule to check for this malware family, and scan the currently running processes:\r\n.\\YaraMemoryScanner.ps1 https://raw.githubusercontent.com/securitymagic/yara/main/Jupyter%20Malware/J\r\nThe output of the YaraMemoryScanner will display the Process ID, Process Name and execution path of the matching processes and save the information in a text file. If any results are returned, the user should review the processes in order to confirm the malware infection. Infected hosts should have a file named “solarmarker.dat” in the user’s AppData\\Roaming directory: this file is used as a host identifier by the malware.\r\nSummary\r\nThe malware dropped by this distribution system appears to come in a few different varieties: Jupyter, Mars-Deimos and F.G. Each of these appears to have very different functionality and appears to be used tactically by the author to achieve different goals. The author changes their tactics regularly to avoid detection. Due to the frequent changes, antivirus often fails to detect the malware, but the malware can be detected by monitoring PowerShell execution on a host.\r\nSource: https://squiblydoo.blog/2021/06/20/mars-deimos-from-jupiter-to-mars-and-back-again-part-two/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://squiblydoo.blog/2021/06/20/mars-deimos-from-jupiter-to-mars-and-back-again-part-two/"
	],
	"report_names": [
		"mars-deimos-from-jupiter-to-mars-and-back-again-part-two"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434011,
	"ts_updated_at": 1775791431,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/88fa687fe45de67884f0cf9112ac5859307264f3.pdf",
		"text": "https://archive.orkl.eu/88fa687fe45de67884f0cf9112ac5859307264f3.txt",
		"img": "https://archive.orkl.eu/88fa687fe45de67884f0cf9112ac5859307264f3.jpg"
	}
}