{
	"id": "f2df86fa-b518-48ad-9ff4-9df086f0f226",
	"created_at": "2026-04-10T03:21:46.302824Z",
	"updated_at": "2026-04-10T03:22:18.940224Z",
	"deleted_at": null,
	"sha1_hash": "aa277edc20b3978944fd2cf3a7be8cd5df2747b9",
	"title": "Hackers Flood the Web with 100,000 Malicious Pages, Promising Professionals Free Business Forms, But Delivering Malware, Reports…",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1484208,
	"plain_text": "Hackers Flood the Web with 100,000 Malicious Pages, Promising\r\nProfessionals Free Business Forms, But Delivering Malware,\r\nReports…\r\nArchived: 2026-04-10 02:36:30 UTC\r\nBusiness professionals search Google for free office forms (invoices, questionnaires, and receipts) but get\r\nserved a RAT\r\neSentire, a leading cybersecurity solutions provider, reported today that business professionals are currently being\r\nlured to hacker-controlled websites, hosted on Google Sites, and inadvertently installing a known, emerging\r\nRemote Access Trojan (RAT). eSentire has detected several incidents in the past week. The attack starts with the\r\npotential victim performing a search for business forms such as invoices, questionnaires, and receipts. Unlike the\r\nLinkedIn spearphishing campaign eSentire reported last week that utilized email and LinkedIn channels, this\r\ncampaign lays long-standing traps for victims using Google search redirection and the drive-by download\r\nmethod. Once the RAT is on the victim’s computer and activated, the threat actors can send commands and upload\r\nadditional malware to the infected system, such as ransomware, a credential stealer, a banking trojan, or simply\r\nuse the RAT as a foothold into the victim’s network.\r\nUpon attempting to download the alleged document template, users are redirected, unknowingly, to a malicious\r\nwebsite where the RAT malware is hosted. eSentire’s Threat Response Unit (TRU) discovered over 100,000\r\nunique web pages that contain popular business terms/particular keywords: template, invoice, receipt,\r\nquestionnaire, and resume. In a precursory search, 70,000 unique web pages included the mention of either\r\ntemplate or invoice. 
These common business terms serve as keywords for the threat actors’ search optimization\r\nstrategy, convincing Google’s web crawler that the intended content meets conditions for a high PageRank score.\r\nOnce the target lands on a site controlled by the hacker, the page shows download buttons for the document\r\ntemplate they were searching. When clicked, the business professional is redirected (unknowingly) to a malicious\r\nwebsite which serves up an executable disguised as a pdf document or a word document. In the incident which\r\neSentire investigated, when the executable (disguised as a pdf) was launched by the user, they simultaneously\r\ninstalled the SolarMarker RAT (also referred to as Yellow Cockatoo, Jupyter, and Polazert) and a complimentary\r\ncopy of the Slim PDF reader application. Slim PDF is a legitimate application for reading pdfs. The pdf reader\r\napplication is installed by the threat actors, either in an effort to convince the victim of the legitimacy of the\r\ndocument they were seeking or as a distraction from the installation of the RAT. As with any RAT, once\r\nSolarMarker is active, the threat actors can send commands and upload additional files to the infected system. 
The\r\nTRU has not yet observed actions-on-objectives following a SolarMarker infection, but suspect any number of\r\npossibilities, including ransomware, credential theft, fraud, or as a foothold into the victim networks for espionage\r\nor exfiltration operations.\r\nKey Takeaways\r\nhttps://www.esentire.com/security-advisories/hackers-flood-the-web-with-100-000-malicious-pages-promising-professionals-free-business-forms-but-are-delivering-malware-reports-esentire\r\nPage 1 of 11\n\nA Remote Access Trojan (RAT) with many names: Tracked as SolarMarker, Jupyter, Yellow Cockatoo and\r\nPolazert\r\nThe threat actors behind SolarMarker have added Slim PDF to their list of decoy applications\r\nSwitched from search redirection, via Shopify, to search redirection via Google Sites\r\nComment from Spence Hutchinson, Manager of Threat Intelligence for eSentire\r\n“Security leaders and their teams need to know that the threat group behind SolarMarker has gone to a lot of effort\r\nto compromise business professionals, spreading a wide net and using many tactics to successfully disguise their\r\ntraps,” said Spence Hutchinson, Manager of Threat Intelligence for eSentire. “For instance, the Solar Marker\r\ngroup has:\r\nDeployed over 100,000 web pages via Google Sites. The benefits of being hosted on Google’s\r\ninfrastructure are several. First, Google is trusted by both security appliances and human eyes. Secondly, it\r\nprobably doesn't hurt your PageRank score with Google to use Google’s infrastructure. 
The pages are also\r\npadded with generated text keywords, a tactic likely used to further influence search results.\r\nThe threat actors have created tens of hundreds of web pages with popular business terms, such as invoice,\r\nstatement, receipt, questionnaire, so that when a business professional is searching the Internet for a\r\nspecific business template, then there is a chance that the top search results will include one of their\r\nmalicious pages.\r\nThe infection process relies on exploiting the user, not an application. The user simply executes a binary\r\ndisguised as a PDF to infect the machine. This is an increasingly common trend with malware delivery,\r\nwhich speaks to the improved security of applications such as browsers that handle vulnerable code.\r\nUnfortunately, it reveals a glaring blindspot in controls which allow users to execute untrusted binaries or\r\nscript files at will.\r\nThe SolarMarker campaign utilizes a variety of decoy applications. Most recently, TRU observed that the\r\nSlim PDF reader software was the decoy being downloaded onto the victim’s computer. This serves as a\r\ndistraction, as well as an additional element to help convince the victim that they are downloading a pdf.\r\n“Another troubling aspect of this campaign is that the SolarMarker group has populated many of their malicious\r\nweb pages with keywords relating to financial documents, e.g., statements, receipts, invoices, etc.,” continued\r\nHutchinson. “A financial cybercrime group would consider an employee, working in the finance department of a\r\ncompany, or an employee, working for a financial organization, a high value target. In fact, the SolarMarker\r\nincident which eSentire disrupted involved an employee of a financial management company. 
Once a remote\r\naccess trojan (RAT) has been installed on a victim’s computer, the threat actors can upload additional malware to\r\nthe device, such as a banking trojan, which could be used to hijack the online banking credentials of the\r\norganization. Or a credential stealer could be installed, which could be used to steal the employee’s email\r\ncredentials, enabling the hackers to launch a business email compromise scheme. Unfortunately, once a RAT is\r\ncomfortably installed, the potential fraud activities are numerous.”\r\nHow the Attack Works\r\nThe emerging RAT is written with the .NET software framework, and tracked as Jupyter, Yellow Cockatoo,\r\nSolarMarker, and now being tracked as Polazert on Twitter [1]. SolarMarker was first observed by eSentire in\r\nearly October 2020. The eSentire Threat Response Unit (TRU) tracks this threat as SolarMarker due to the\r\nobserved tracking file dropped for host identification. Throughout October and November 2020, SolarMarker\r\nutilized docx2rtf.exe as a decoy to distract users as the .NET silently installed itself in the background. Red\r\nCanary reports SolarMarker changing this decoy application throughout the following months [4] using in\r\nSeptember 2020 photodesigner7_x86-64.exe and Expert_PDF.exe in November 2020, while the TRU continued to\r\nsee docx2rtf.exe. The TRU has now discovered that the SolarMarker group is using Slim PDF Reader. See Figure\r\n1 and Figure 2.\r\nFigure 1. 
The attack chain starts with a Google search and ends in the installation of SolarMarker and lesser-known\r\nPDF viewer.\r\nFigure 2: Process tree outlining the installation of SolarMarker. Note the Adobe icon on the installer file. The RAT,\r\nlabeled (unknown), then goes on to install the decoy document and make malicious PowerShell calls.\r\nSolarMarker captures victims via Google Search redirect. Often, clients are looking for a free version or template\r\nof a document. In the latest incident observed by TRU, the victim, who works in the financial industry, was\r\nredirected to a Google Sites page controlled by the threat actor with an embedded download button. The download\r\nbutton, hosted at passiondiamond[.]site, is easy to customize. The TRU team was able to generate a document\r\nnamed “this is a test” for download (Figure 3). Note the search redirect content (see Figure 4) populated on the\r\nmalicious web page just below the download buttons in Figure 3.\r\nFigure 3: The Download button that is embedded in the Google Site\r\nFigure 4: The search redirect content populated on the malicious web page just below the download buttons in\r\nFigure 3.\r\nFigure 5: Examining the source of the embedded button page reveals a link to a .tk domain and icon sources\r\nThe decoy program, Slim PDF, serves as an important visual cue for potential victims of SolarMarker but also\r\nhelps to lower suspicion of malicious intent. 
The attached screenshot (Figure 6) is from the Slim PDF website\r\nFigure 6: Screenshot from the Slim PDF reader website\r\nEvolution of Distribution Method\r\neSentire's TRU first saw SolarMarker utilizing Shopify for its search redirection method in October 2020. In that\r\ncase, the redirection infrastructure was embedded in a hosted PDF that provided links to the threat actor’s\r\nmaliciously controlled infrastructure where the RAT (and its decoy payloads) is hosted. In 2021, the redirection\r\nmethod shifted to Google Sites.\r\nThe redirection method for Shopify was highlighted by Security Magic [5] who also mentioned the usage of\r\nGoogle Sites. To capture search results, the threat actors loaded the redirection content with keywords. In the case\r\nof Shopify, the keywords were hidden as white text at the bottom of the PDF (Figure 7). In recent attacks,\r\nhowever, Google Sites is being leveraged with an embedded download button (Figure 3) that leads to attacker-controlled infrastructure. As with the Shopify PDF, a block of text with keywords is included. In the case of\r\nGoogle Sites, the keyword content is placed directly in the site, below the landing button and some white space\r\n(Figure 4).\r\nFigure 7: Highlighting the second page of the Shopify-hosted PDF reveals the hidden text used to rank high in\r\nGoogle results\r\nRedirection\r\nThe redirection infrastructure passes through a series of .tk TLDs before landing on the final .ml TLD domain. See\r\nFigure 8. Upon visiting the infrastructure with a VM, no such redirects are experienced. 
Upon inspecting the\r\nsource code of the embedded download button at passiondiamond.site, researchers found an entirely different .tk\r\ndomain, indicating a possibility that these redirect pathways are dynamic and can be changed for either\r\noperational security or delivery efficacy. It’s possible that any number of checks are being performed on the\r\nvisiting browser and operating system to ensure they are being operated by victims, not security researchers.\r\nFigure 8: SolarMarker’s redirect path from the search result to the final payload site\r\nFour Names, One Malware\r\n[1] Mar 09, 2021 - https://twitter.com/JAMESWT_MHT\r\nBeing tracked as #Polazert\r\n[2] Feb 08, 2021 - https://www.crowdstrike.com/blog/solarmarker-backdoor-technical-analysis/\r\nGoogle Sites mentioned\r\nInfection Chain Shown\r\nDetailed Reversing / Snippets\r\n[3] Dec 12, 2020 - http://security5magics.blogspot.com/2020/12/tracking-jupyter-malware.html\r\nShows Shopify Method\r\nGoogle Sites mentioned\r\n[4] Dec 04, 2020 - https://redcanary.com/blog/yellow-cockatoo/\r\nOverview of Decoys used\r\n[5] Nov 12, 2020 - https://blog.morphisec.com/jupyter-infostealer-backdoor-introduction\r\nFirst Public Report on SolarMarker\r\nSolarMarker Incident Dissection:\r\n1. Victim uses Google to search for an ethics questionnaire\r\n2. Business professional visits sites.google.com (Google’s generic site hosting offering)\r\n1. Web Page is controlled by threat actor\r\n2. Includes content from passiondiamond.site\r\n1. Can put any arbitrary text in passiondiamond component\r\n3. When the victim downloads, several v6 IPs are contacted to fetch the payload disguised as a PDF.\r\n1. Mostly .tk T\r\n2. A single .ml TLD\r\n3. Client detonates questionnaire from Downloads folder\r\n1. 
Opens a lesser-known free PDF reader\r\n2. Installs the core .NET functionality of the RAT as .tmp executable\r\n3. RAT calls powershell\r\n4. PowerShell Beacons to potential C2\r\n1. Last updated: 2021-03-23 RIPE Network Coordination Centre\r\nAn example of the number of web pages, where the body copy of the page, contains\r\nthe following search terms: excel, invoice, template.\r\nWeb pages in which the alleged document title included the search terms:\r\ntemplate, invoice, statement, excel, and hansard (a Canadian legal document).\r\nFor more information about this threat and how to protect against it go to https://www.esentire.com/get-started\r\nSource: https://www.esentire.com/security-advisories/hackers-flood-the-web-with-100-000-malicious-pages-promising-professionals-free-business-forms-but-are-delivering-malware-reports-esentire",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.esentire.com/security-advisories/hackers-flood-the-web-with-100-000-malicious-pages-promising-professionals-free-business-forms-but-are-delivering-malware-reports-esentire"
	],
	"report_names": [
		"hackers-flood-the-web-with-100-000-malicious-pages-promising-professionals-free-business-forms-but-are-delivering-malware-reports-esentire"
	],
	"threat_actors": [],
	"ts_created_at": 1775791306,
	"ts_updated_at": 1775791338,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/aa277edc20b3978944fd2cf3a7be8cd5df2747b9.pdf",
		"text": "https://archive.orkl.eu/aa277edc20b3978944fd2cf3a7be8cd5df2747b9.txt",
		"img": "https://archive.orkl.eu/aa277edc20b3978944fd2cf3a7be8cd5df2747b9.jpg"
	}
}